- The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
- The only firewall to identify, control and inspect SSL encrypted traffic and applications.
- The only firewall to provide graphical visualization of applications on the network with detailed user, group and network-level data categorized by sessions, bytes, ports, threats and time.
- The only firewall with real-time (line-rate, low latency) protection against viruses, spyware and application vulnerabilities based on a stream-based threat prevention engine.
- The only firewall that can transparently integrate with Microsoft Active Directory, enabling visibility into application usage by individual user names or groups.
- The only firewall with line-rate, low-latency performance for all services, even under load.
- The only firewall to offer a true in-line transparent deployment option for seamless integration into an existing network infrastructure.
Palo Alto Networks next-generation firewalls rely on a unique Single Pass Parallel Processing (SP3) Architecture. SP3 solves the performance problems that plague today’s security infrastructure, combining two complementary components:
Single Pass Software
Single pass software performs each operation once per packet. Networking functions, policy lookup, application identification and decoding, and signature matching all happen in a single pass over the packet rather than in successive passes, which cuts processing overhead substantially.
The content-scanning step in Palo Alto Networks’ single pass software is stream-based and uses uniform signature matching to detect and block threats. Rather than running separate engines with separate signature sets (which require multi-pass scanning) or file proxies (which require the whole file to be downloaded before it can be scanned), the single pass software scans content once, as it streams through, and so avoids introducing latency.
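The difference between stream-based scanning and the alternatives it replaces can be made concrete with a small Python model. This is an added example, not Palo Alto Networks code: the two signature patterns, the three-packet sample stream and all three scanner variants are constructed for illustration. It contrasts a naive per-packet matcher (which loses a signature that straddles a packet boundary), a file-proxy style matcher (which finds everything, but only after buffering the whole object) and a streaming matcher that examines each byte once and carries only the last longest-signature-minus-one bytes from one packet to the next.

```python
"""Stream-based signature matching across packet boundaries, contrasted with
naive per-packet matching and with file-proxy (buffer-then-scan) matching.
Constructed illustration; not Palo Alto Networks code."""
from typing import Dict, List, Tuple

# Constructed placeholder patterns standing in for threat signatures.
SIGNATURES: Dict[str, bytes] = {
    "sig-a": b"X5O!P%@AP",
    "sig-b": b"#!/bin/sh",
}

# Constructed sample stream delivered as three "packets". sig-a is deliberately
# split across the first and second packet; sig-b sits whole inside the second.
CHUNKS: List[bytes] = [
    b"HTTP/1.1 200 OK\r\n\r\nhello X5O!",
    b"P%@AP world #!/bin/sh\nrest",
    b" of body",
]

# (signature name, absolute byte offset in the stream, chunk index at detection)
Hit = Tuple[str, int, int]


def _find_all(data: bytes, pat: bytes) -> List[int]:
    """Every start index of pat in data, overlapping occurrences included."""
    out, start = [], 0
    while True:
        i = data.find(pat, start)
        if i < 0:
            return out
        out.append(i)
        start = i + 1


class StreamScanner:
    """Single-pass scanner: each byte is examined once as it arrives. Only the
    last (longest signature - 1) bytes are carried between chunks, which is
    exactly enough to catch a signature that straddles a boundary."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures
        self.carry_len = max(len(p) for p in signatures.values()) - 1
        self.carry = b""
        self.offset = 0        # absolute stream offset of self.carry[0]
        self.peak_buffer = 0   # largest window held in memory at any time

    def feed(self, chunk: bytes, chunk_idx: int) -> List[Hit]:
        data = self.carry + chunk
        self.peak_buffer = max(self.peak_buffer, len(data))
        hits: List[Hit] = []
        for name, pat in self.signatures.items():
            for i in _find_all(data, pat):
                # A match lying entirely inside the carried-over tail was
                # already reported by the previous feed() call; skip it.
                if i + len(pat) > len(self.carry):
                    hits.append((name, self.offset + i, chunk_idx))
        keep = max(0, len(data) - self.carry_len)
        self.offset += keep
        self.carry = data[keep:]
        return sorted(hits, key=lambda h: h[1])


def scan_stream(chunks: List[bytes], signatures=SIGNATURES) -> Tuple[List[Hit], int]:
    """Streaming: verdicts are produced as soon as the closing bytes arrive."""
    scanner = StreamScanner(signatures)
    hits: List[Hit] = []
    for idx, chunk in enumerate(chunks):
        hits.extend(scanner.feed(chunk, idx))
    return hits, scanner.peak_buffer


def scan_per_chunk(chunks: List[bytes], signatures=SIGNATURES) -> Tuple[List[Hit], int]:
    """Naive per-packet matching: no carry-over, so straddling matches are lost."""
    hits, offset = [], 0
    for idx, chunk in enumerate(chunks):
        for name, pat in signatures.items():
            hits.extend((name, offset + i, idx) for i in _find_all(chunk, pat))
        offset += len(chunk)
    return sorted(hits, key=lambda h: h[1]), max(len(c) for c in chunks)


def scan_file_proxy(chunks: List[bytes], signatures=SIGNATURES) -> Tuple[List[Hit], int]:
    """File-proxy style: buffer the whole object, then scan once. Finds every
    match, but only after the last chunk, and the buffer grows with the object."""
    data = b"".join(chunks)
    last = len(chunks) - 1
    hits = [(name, i, last)
            for name, pat in signatures.items() for i in _find_all(data, pat)]
    return sorted(hits, key=lambda h: h[1]), len(data)


if __name__ == "__main__":
    for label, fn in (("stream", scan_stream),
                      ("per-chunk", scan_per_chunk),
                      ("file-proxy", scan_file_proxy)):
        found, peak = fn(CHUNKS)
        print(f"{label:10s} peak buffer={peak:3d} bytes  hits={found}")
```

Run as a script, the streaming scanner reports both signatures while the second packet is still in flight and never holds more than 34 bytes; the per-packet scanner silently misses sig-a; the file-proxy scanner catches both but only after buffering all 63 bytes and seeing the final packet. The carried tail is the whole trick: it is the minimum state that makes a single pass sufficient.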
Parallel Processing Hardware
Palo Alto firewalls use Parallel Processing hardware to sustain the performance of the Single Pass software. Because the data plane and the control plane are separate, heavy utilization of one does not degrade the other: even when an administrator is running a processor-intensive report, for example, that activity does not hinder the firewall’s ability to process packets. Parallel Processing hardware also uses discrete, specialized processing groups that work together to perform the critical functions.
Deployment
Palo Alto acknowledges that you may be reluctant to trust newly installed equipment right away, so they’ve planned three deployment options. First, the gear can be deployed out-of-band to monitor traffic and give customers an accounting of the applications that are running on the network.
It also can be deployed inline with traffic and perform functions strictly supplemental to existing firewalls. This doesn’t require any re-architecting of the network’s demilitarized zone. It gives you a chance to analyze your traffic and determine the policies you want to set for each type.
Last, the device can be deployed inline as a replacement for existing firewalls but with additional capabilities.
More:
Palo Alto Networks Product Line
Firewall Feature Overview Datasheet (PDF)
Whitepaper: It’s Time to Fix the Firewall (PDF)
Additional Palo Alto Networks Whitepapers
Additional Demos
CTO Interview: Security analyst Richard Stiennon interviews Palo Alto Networks CTO Nir Zuk at RSA 2009 (video)
Palo Alto and the Next-generation Firewall...
Next-generation Firewall Technology...