
Palo Alto Networks | Next Generation Firewall
Palo Alto Networks
Firewalls 

PAN Firewalls

Select PAN firewall below based upon throughput

  • under 2 Gbps
    PA-200 - 100 Mbps Firewall throughput, 4 x 10/100/1000
    The Palo Alto Networks PA-200 is ideally suited for small offices or branch offices. It offers a separate processor for control and dataplane. 16 GB SSD enables full visibility and reporting tools. Logging survives a network outage! 2.5 GB DRAM is dedicated to the control processor and 1.5 GB DRAM is dedicated to the dataplane processor.

    Cooling is done with an ultra-quiet 12dB fan and the dimensions are 9" x 7" x 1.7".
    • 100 Mbps firewall throughput (App-ID enabled)
    • 50 Mbps threat prevention throughput
    • 50 Mbps IPSec VPN throughput
    • 64,000 max sessions (IPv4 or IPv6)
    • 1,000 connections per second
    • 25 max site to site tunnels
    • 25 max GP tunnels
    • 10 max security zones
    • 250 max number of security rules

    * All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    Features not supported on PA-200:
    • Virtual systems
    • Jumbo frames
    • Link aggregation
    • Limited to HA-lite (Passive HA without session synch)
    NEW - PA-220 - 500 Mbps Firewall throughput, 8 x 10/100/1000
    The PA-220 provides you interactive visibility and control of applications, users, and content at throughput speeds of up to 500 Mbps. You get redundant power input for increased reliability, a fanless design for quiet operation, and solid state disks to remove any moving parts. The PA-220 also simplifies the deployments of large numbers of firewalls through the USB port.
    • 500 Mbps firewall throughput (App-ID enabled)
    • 150 Mbps threat prevention throughput
    • 100 Mbps IPSec VPN throughput
    • 64,000 max sessions
    • 4,200 new sessions per second
    • 250 IPSec VPN tunnels/tunnel interfaces
    • 3 virtual routers
    • 15 security zones
    • 250 max number of policies
    PA-500 - 250 Mbps Firewall throughput, 8 x 10/100/1000
    The Palo Alto Networks PA-500 is ideally suited for Internet gateway deployments within medium to large branch offices and medium sized enterprises. The PA-500 manages network traffic flows with high performance processing and dedicated memory for networking, security, threat prevention and management. A high speed backplane smooths the pathway between processors and the separation of data and control plane ensures that management access is always available, irrespective of the traffic load.
    • 250 Mbps firewall throughput (App-ID enabled)
    • 100 Mbps threat prevention throughput
    • 50 Mbps IPSec VPN throughput
    • 64,000 max sessions (IPv4 or IPv6)
    • 7,500 new sessions per second
    • 250 IPSec site to site tunnels
    • 100 max tunnels (GP)
    • 3 virtual routers
    • N/A virtual systems (base/max)
    • 20 max security zones
    • 1,000 max number of security rules

    * All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    NEW - PA-820 - 940 Mbps Firewall Throughput
    The PA-820 firewall appliance provides advanced visibility and control of applications, users, and content. USB port allows rapid deployment of large numbers of firewalls with consistent configuration.

    The PA-820 has (4) 10/100/1000 and (8) Gigabit SFP I/O ports with a single power supply.
    PA-820 (4) 10/100/1000, (8) Gigabit SFP
    • 940 Mbps firewall throughput (App-ID enabled)
    • 610 Mbps threat prevention throughput
    • 400 Mbps IPSec VPN throughput
    • 128,000 max sessions
    • 8,300 new sessions per second
    • 1000 IPSec VPN tunnels/tunnel interfaces
    • 5 virtual routers
    • 30 security zones
    • 1,500 max number of policies
    NEW - PA-850 - 1.9 Gbps Firewall Throughput
    The PA-850 firewall appliance provides advanced visibility and control of applications, users, and content at throughput speeds of up to 1.9 Gbps and with I/O options of up to four 10 Gigabit SFP+ ports. Redundant power supplies provide hardware resiliency, and the USB port allows rapid deployment of large numbers of firewalls with consistent configuration.

    PA-850 options:
    PA-850 (4) 10/100/1000, (8) Gigabit SFP or
    PA-850 (4) 10/100/1000, (4) Gigabit SFP, (4) 10 Gigabit SFP+
    • 1.9 Gbps firewall throughput (App-ID enabled)
    • 780 Mbps threat prevention throughput
    • 400 Mbps IPSec VPN throughput
    • 192,000 max sessions
    • 9,500 new sessions per second
    • 1000 IPSec VPN tunnels/tunnel interfaces
    • 5 virtual routers
    • 40 security zones
    • 1,500 max number of policies
  • 2 to 10 Gbps
    PA-3020 - 2 Gbps, 12 x 10/100/1000 + 8 SFP optical
    PA-3020 - 2 Gbps firewall throughput, 12 x 10/100/1000 + 8 SFP optical
    • 2 Gbps firewall throughput (App-ID enabled) **
    • 1 Gbps threat prevention throughput
    • 500 Mbps IPSec VPN throughput
    • 250,000 max sessions (IPv4 or IPv6)
    • 50,000 new sessions per second
    • 1,000 Max site to site tunnels
    • 1,000 Max GP tunnels (SSL and IPSec)
    • 10 virtual routers
    • 1/6 virtual systems (base/max ***)
    • 40 security zones
    • 2,500 max number of security rules
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
    PA-3050 - 4 Gbps, 12 x 10/100/1000 + 8 SFP optical
    PA-3050 - 4 Gbps firewall throughput, 12 x 10/100/1000 + 8 SFP optical
    • 4 Gbps firewall throughput (App-ID enabled) **
    • 2 Gbps threat prevention throughput
    • 500 Mbps IPSec VPN throughput
    • 500,000 max sessions (IPv4 or IPv6)
    • 50,000 new connections per second
    • 2,000 max IPSec VPN tunnels
    • 2,000 max GP tunnels
    • 10 virtual routers
    • 1/6 virtual systems (base/max ***)
    • 40 security zones
    • 5,000 max number of policies
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
    PA-3060 - 4 Gbps, (8) 10/100/1000, (8) Gigabit SFP, (2) 10 Gigabit SFP+
    PA-3060 - 4 Gbps firewall throughput, (8) 10/100/1000, (8) Gigabit SFP, (2) 10 Gigabit SFP+
    NOTE: The PA-3060 shares the performance metrics of the PA-3050, has different interfaces, optional redundant AC power, front to back airflow and is 1.5U.
    • 4 Gbps firewall throughput (App-ID enabled) **
    • 2 Gbps threat prevention throughput
    • 500 Mbps IPSec VPN throughput
    • 500,000 max sessions (IPv4 or IPv6)
    • 50,000 new connections per second
    • 2,000 max IPSec VPN tunnels
    • 2,000 max GP tunnels
    • 10 virtual routers
    • 1/6 virtual systems (base/max ***)
    • 40 security zones
    • 5,000 max number of policies
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
    PA-5020 - 5 Gbps, 12 x 10/100/1000, 8 x Gigabit SFP
    PA-5020 - 5 Gbps firewall throughput, 12 x 10/100/1000, 8 x Gigabit SFP
    • 5 Gbps firewall throughput (App-ID enabled) **
    • 2 Gbps threat prevention throughput
    • 2 Gbps IPSec VPN throughput
    • 1,000,000 max sessions
    • 120,000 new sessions per second
    • 2,000 IPSec VPN tunnels/tunnel interfaces
    • 5,000 SSL VPN Users
    • 20 virtual routers
    • 10/20 virtual systems (base/max ***)
    • 80 security zones
    • 10,000 max number of policies
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
    PA-5050 - 10 Gbps, 12 x 10/100/1000, 8 x Gigabit SFP, 4 x 10 Gigabit SFP+
    PA-5050 - 10 Gbps firewall throughput, 12 x 10/100/1000, 8 x Gigabit SFP, 4 x 10 Gigabit SFP+
    • 10 Gbps firewall throughput (App-ID enabled **)
    • 5 Gbps threat prevention throughput
    • 4 Gbps IPSec VPN throughput
    • 2,000,000 max sessions
    • 120,000 new sessions per second
    • 4,000 IPSec VPN tunnels/tunnel interfaces
    • 10,000 SSL VPN Users
    • 125 virtual routers
    • 25/125 virtual systems (base/max ***)
    • 500 security zones
    • 20,000 max number of policies
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
  • Over 10 Gbps
    PA-5060 - 20 Gbps, 12 x 10/100/1000, 8 x Gigabit SFP, 4 x 10 Gigabit SFP+
    PA-5060 - 20 Gbps firewall throughput, 12 x 10/100/1000, 8 x Gigabit SFP, 4 x 10 Gigabit SFP+
    • 20 Gbps firewall throughput (App-ID enabled **)
    • 10 Gbps threat prevention throughput
    • 4 Gbps IPSec VPN throughput
    • 4,000,000 max sessions
    • 120,000 new sessions per second
    • 8,000 IPSec VPN tunnels/tunnel interfaces
    • 20,000 SSL VPN Users
    • 225 virtual routers
    • 25/225 virtual systems (base/max ***)
    • 900 security zones
    • 40,000 max number of policies
    ** All performance and capacities are measured under ideal testing conditions using PAN-OS 6.0.
    *** Adding virtual systems to the base quantity requires a separately purchased license.
    NEW - PA-5220 - 18.5 Gbps firewall throughput
    PA-5220 – (4)100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G QSFP+
    The Palo Alto Networks® PA-5200 Series of next-generation firewall appliances comprises the PA-5260, the PA-5250 and the PA-5220, which target high-speed data center, internet gateway, and service provider deployments.

    The PA-5200 Series delivers up to 72 Gbps of throughput using dedicated processing and memory for the key functional areas of networking, security, threat prevention and management.
    NEW - PA-5250 - 35.9 Gbps firewall throughput
    PA-5260 | PA-5250 - (4) 100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G/100G QSFP28
    NEW - PA-5260 - 72.2 Gbps firewall throughput
    PA-5260 | PA-5250 - (4) 100/1000/10G Cu, (16) Gig/10Gig SFP/SFP+, (4) 40G/100G QSFP28
    PA-7050 system - 120 Gbps, 72 x 10/100/1000 + 48 x SFP + 24 x SFP+
    PA-7050 system - 120 Gbps firewall throughput, 72 x 10/100/1000 + 48 x SFP + 24 x SFP+
    PA-7050-NPC - 20 Gbps firewall throughput, 12 x 10/100/1000 + 8 x SFP + 4 x SFP+ (Each PA-7050 supports up to six NPCs)
    The Palo Alto Networks® PA-7050 is designed to protect data centers and high-speed networks with firewall throughput of up to 120 Gbps and full threat prevention at speeds of up to 100 Gbps. The PA-7050 is a modular chassis, allowing you to scale performance and capacity by adding up to six network processing cards as your requirements change; yet it is a single system, making it as easy to manage as all of your other appliances.
  • Virtual
    The Palo Alto Networks VM-Series comprises three virtualized next-generation firewall models – VM-100, VM-200, and VM-300, supported on VMware ESXi 4.1 and ESXi 5.0 platforms. 2, 4 or 8 CPU cores on the virtualized server platforms can be assigned for next-generation firewall processing. Up to 1 Gbps firewall throughput with App-ID enabled can be supported with 4 CPU cores running. To ensure that management is accessible under periods of heavy traffic, the data plane and the control plane are separated. In addition, the Palo Alto Networks single-pass software architecture processes functions in a single pass to reduce latency.

    The VM-Series runs PAN-OS™, a security-specific operating system that safely enables intra-virtual machine traffic, protects against all known and unknown threats, and integrates flexibly in the virtualized environment at layers 1, 2 or 3. In addition, the PAN-OS next-generation firewall capabilities provide the ability to tie security policies to virtual machine adds, moves and changes and enable the orchestration of security policies in lock step with virtual workload creation.
  • Mgmt Software

    M-100

    Organizations which prefer to deploy Panorama on high performance dedicated hardware, or would like to separate the Panorama management and logging functions for increased scale and performance, can use the M-100 hardware appliance to meet their needs.

    Virtual Appliance

    Panorama can be deployed as a virtual appliance on VMware ESX(i), allowing organizations to support their virtualization initiatives and consolidate rack space to save costs and space.
    Panorama is optional. All PAN firewalls have direct management capability via a browser and/or CLI (ssh).

    Centralized Management

    Panorama is a centralized security management system that provides global control over a network of Palo Alto Networks next-generation firewalls. Using the same look and feel that the individual device management interface carries, Panorama eliminates any learning curve associated with switching from one mechanism to another.

    Centralized policy management

    Panorama allows administrators to control all aspects of the devices and/or virtual systems under management (security, NAT, QoS, policy based forwarding, decryption, application override, captive portal, and DoS protection). Using pre- and post-rules, Panorama administrators can enforce shared policies while allowing local policy flexibility. Rules in between the pre- and post-rules can be edited locally or by a Panorama administrator who has switched to the local firewall context.

    Simplifying firewall deployments and updates

    Panorama enables organizations to centrally manage device software and associated updates: SSL-VPN clients, GlobalProtect clients, dynamic content updates (Applications, Threats and antivirus), and software licenses.

    Centralized logging and reporting

    View logs and run reports across dynamic or locally queried data aggregated from managed devices. Distributed reporting can be done without a need to forward logs from firewalls to Panorama. Aggregate user activity reports can be run for mobile users that travel between branches. This will report the user's activity regardless of where they are currently located globally.

    Log storage and high availability

    Using NFS, organizations can use Panorama to expand the log storage for long-term event investigation and analysis. Reliability is ensured through high availability, which provides failover of central management.
  • Legacy
    PA-2xxx Series
    PA-2020 - 500 Mbps firewall throughput, 12 x 10/100/1000 + 2 SFP
    PA-2050 - 1 Gbps firewall throughput, 16 x 10/100/1000 + 4 SFP
    PA-4xxx Series

NOTE: If you have any questions about selecting the best PAN firewall for your needs, please contact us!

Subscriptions 

PAN Subscriptions

  • Threat Prevention (IDP/AV/malware)

    Palo Alto Networks IDP Capabilities

    Drive-by downloads are increasingly popular yet very difficult to protect against. Unsuspecting users can inadvertently download malware without knowing, merely by visiting their favorite web page and clicking on an image. Palo Alto Networks next generation firewalls can identify drive-by downloads and present users with a warning to ensure that the download action is desired.
    Unlike many current solutions that may use a single CPU or an ASIC/CPU combination to try and deliver enterprise performance, Palo Alto Networks utilizes a purpose-built platform that uses dedicated processing for threat prevention along with function-specific processing and dedicated memory for networking, security and management. Using four dedicated types of processing means that key functions are not competing for processing cycles with other security functions, as is the case in a single CPU hardware architecture. The end result is low latency, high performance throughput with all security services enabled.
    The Palo Alto Networks threat research team is a world-class research organization dedicated to the discovery and analysis of threats, applications and their respective network behavior. Through internal research, third party relationships with software vendors (e.g., Microsoft) and the same research organizations used by other leading security vendors, customers are assured that Palo Alto Networks is providing them with the best network threat protection and application coverage.
  • URL Filtering
    Palo Alto Networks includes an optional feature license to enable URL filtering. Unlike other competitive offerings that are user based, this is licensed on a per chassis basis which offers amazing price savings and fully protects all users. URL filtering is based upon both a locally cached large database for performance and hosted / cloud based support for even more URLs.

    Select Palo Alto Networks URL filtering from us as a viable and cost-effective alternative to Websense Enterprise or Websense Express. URL filtering is licensed by the chassis (unlimited users) and not per seat, making it a more affordable alternative. URL filtering works in conjunction with User-ID for user based and/or group policy setting.

    Stand-alone URL filtering solutions are insufficient control mechanisms because they are easily bypassed with external proxies (PHproxy, CGIproxy), circumventors (TOR, UltraSurf, Hamachi) and remote desktop access tools (Yoics!, RDP, SSH).
    PAN URL test site works with Palo Alto Networks URL filtering directly from Palo Alto Networks.

    Filtering Capabilities

    • Blocked sites (web site blacklisting)
    • Allowed sites (web site whitelisting)
    • Blocking proxy sites, malware sites and other risky sites
    • Blocking based on categories (e.g. porn, nudity, weapons, gambling and over 70 categories)
    • Allow just appropriate web sites
    • Coached and password override options
    • User and/or group membership based policies
    • Facilitate SSL decryption policies
    • Customizable URL database categories
    • On box reporting, no separate database or reporting servers!

    URL Activity Reporting and Logging

    A set of pre-defined or fully customized URL filtering reports provides IT departments with visibility into URL filtering and related web activity including:

    User activity reports

    An individual user activity report shows applications used, URL categories visited, web sites visited, and a detailed report of all URLs visited over a specified period of time.

    URL activity reports

    A variety of top 50 reports that display URL categories visited, URL users, web sites visited, blocked categories, blocked users, blocked sites and more.

    Real-time logging

    Logs can be filtered through an easy-to-use query tool that uses log fields and regular expressions to analyze traffic, threat or configuration incidents. Log filters can be saved and exported, and for more in-depth analysis and archival, logs can also be sent to a syslog server.

    FAQs - PAN URL

    Let's start with the basics: both do URL filtering. Both support using categories to allow or disallow access (e.g. nudity, gambling, etc.). Palo Alto Networks (PAN) is complemented with a cloud service for dealing with less common URLs beyond the millions maintained on the chassis.
    - You pay a single recurring license for the chassis, no per user fees (translation: you save money now and later)
    - You don't need a separate reporting system for the database
    - No OS backups, database backups to worry about
    - No Windows or other OS patches to deal with
    - Web 2.0 is more about applications than URLs, you get a single pass high-speed solution that adds next generation application awareness
    - HA for High Availability, sure, of course
    - You can support remote user policy control with PAN Global Protect
    - PAN includes decryption to further deal with evasion
    - PAN includes data filtering capabilities
    - User tracking, of course
    - Log support on device and off with syslog
    - Deployment options include span/mirror port, inline virtual wire, layer 2 and layer 3. You can even mix and match, with lots of ports.
    Yes, covered.
    Allow - Allow without logging
    Alert - Allow and log
    Continue (coached access) - Notify the user that perhaps this site might be inappropriate and allow them to continue and log that
    Override - Password override option.

    Policies can be defined by user, group membership, IP address, schedules (time of day), applications, ports. It allows site whitelisting and blacklisting.
    You can even define QoS (Quality of Service) restrictions.
    Both are excellent solutions, both are still actively sold and supported. Palo Alto Networks has made their own URL filtering available to provide another option at the same cost. By owning their own list, it provides PAN with the capability to quickly mark or note URLs with malware as opposed to waiting for updates from another provider. This solution works great with the WildFire solution as new malware may be detected via WildFire customers and then all customers with PAN based URL filtering will benefit from URL categorization changes.

    Both solutions use categories for allow, alerting, blocking, etc. The categories are not identical, but similar. There is a tool for converting from Brightcloud URL filtering to Palo Alto Networks db URL filtering, but not in the reverse direction. In the case of Palo Alto Networks URL filtering, subdomains can be categorized differently than the main domain. This provides better categorization of larger sites that have a wide variety of content.
    Palo Alto Networks is all about performance using a single pass design to only inspect the traffic once for firewall policy, threats / malware, application identification, data content matching and URL filtering. This avoids additional latency imposed by other solutions including competitive UTM offerings.
  • WildFire

    PAN WildFire Subscription

    WildFire exposes previously unseen malicious executable files by directly observing their behavior in a secure virtualized environment. This direct analysis quickly and accurately identifies new malware, leading to the automated creation of new signatures that are distributed to all Palo Alto Networks devices via the current threat prevention subscription service.

    When the firewall encounters an unknown .EXE or .DLL that has been delivered by any application, even those that are encrypted with SSL, the file can be submitted to the WildFire virtualized sandbox, where Palo Alto Networks can directly observe more than 70 malicious behaviors that can reveal the presence of malware. Submissions can be made manually or automatically based on policy.

    When a sample is identified as malware, the sample is passed on to WildFire's signature generator, which automatically generates a signature for the sample and tests it for accuracy. The new signature is then distributed in the next content update. Palo Alto Networks also develops signatures for the all-important command and control traffic, enabling staff to immediately disrupt the communications of any malware inside the network.

    WildFire intelligence and forensics

    In addition to providing protection, administrators have access to a wealth of actionable information about the detected malware through the WildFire portal. A detailed behavioral report of the malware is produced, along with information on the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home of the malware.

    Integration of firewall and the cloud

    WildFire makes use of a customer's on-premises firewalls in conjunction with Palo Alto Networks cloud-based analysis engine to ensure in-line performance, while using the cloud to deliver the fastest protections for all enterprise locations.

    FAQs - PAN WildFire

    In our opinion, it can be. WildFire will continue to evolve, but already offers near realtime protection against new unknown malware by using a cloud based virtual sandbox. Palo Alto Networks will continue to develop and expand the product. The firewall is the proper location to perform this inspection. PAN firewalls offer tremendous real performance and now leverage the cloud to add further protections.

    FireEye is a great point solution, now with Palo Alto Networks this becomes another feature on an already existing powerful security gateway. Did we mention this saves a lot of money compared to multiple point solutions?
    All customers with Threat Prevention license can benefit from WildFire updates, but typically this is a 48 hour delay. This is a tremendous value add that Palo Alto Networks has added to further secure networks. Optionally use GlobalProtect to secure roaming mobile platforms.

    However, if you want even more protection, you can subscribe to a WildFire subscription to get threat updates in less than an hour, on average every 30 minutes. This offers superior zero day (0 day) protection versus waiting 24 hours for a threat subscription update.
    Endpoint software is based upon signature matches. In today's threat landscape with polymorphic (rapidly changing) malware, signatures provide limited protection. Based upon some studies, as much as 70% of malware could be undetected with purely signature based desktop or laptop agent based software protection.
    Potential threats are sent to the cloud near realtime (you determine the frequency). The virtual sandbox analyzes the characteristics of the attachment to determine if it could be malicious based upon those actions. If it is, the PAN WildFire service will create a new threat signature match and release that as an update to the PAN threats database. You can set your PAN to check hourly for new signatures and apply those on the firewall automatically. This also means that as a valid subscriber to the threats database that you get additional protection from all the other deployed devices across the world.

    With an optional WildFire subscription, updates on average can be received every 30 minutes, no more than a one hour delay. Again, this requires the optional WildFire subscription to get updates within the hour versus after 24 hours.
    As part of WildFire and having a support account, you get access to your own WildFire portal and can view what was found for your own PAN firewalls. It will let you know what has been determined to not be a threat, is still pending analysis or was in fact a new threat. Please note, as of PANOS 5.s, there have been additional enhancements to WildFire and on-box integration versus cloud portal login.
    It inspects EXE and DLL files. If they are unknown, based upon signatures, then they are submitted to a virtual sandbox in the cloud where it is checked to see if it exhibits any of roughly 70 malicious behaviors that malware might be exhibiting. It then tracks and reports those observations via a hosted portal site that the end customer can access. It then notes the signature and distributes that to all PAN firewalls with current threat licenses preventing further spread of the malware.

    With the optional Palo Alto Networks WildFire subscription, signature updates are applied much more frequently; this is especially important during the critical first 24 hours.
  • GlobalProtect

    PAN - Global Protect

    Consistent Policy & Enforcement for All Users

    GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop will be protected by the logical perimeter in the same manner that they would be if they were working from their office.

    FAQs - Global Protect

    It is a software agent that extends the protection of a corporate perimeter to remote user devices, thereby applying all the same policies and protections to remote users. This includes URL filtering, threat inspection, visibility, etc. already being provided to local users. It does this by utilizing three components:
    1) Existing corporate PAN firewall(s) acting as gateways.
    2) A GlobalProtect portal for management including host configuration characteristics. The portal deals with authentication and downloading of new agent software if needed for the client.
    3) An agent that communicates to the portal, creates an encrypted session to the gateway(s) and it creates a Host Information Profile (HIP) of the client device.
    4) Desktops, laptops and mobile platforms are supported (depending upon the license).
    Consistent policy and central management to apply to local or remote users, thereby simplifying policy enforcement without additional hardware or additional management systems. Let's not forget not having to buy another appliance just for remote users.
    The portal management runs on the Palo Alto Networks firewall (High Availability option too). The user software agents are supported on: Microsoft Windows XP, Microsoft Windows 7, Microsoft Windows Vista and Apple iOS.
    PAN firewalls are used as the enforcement appliances. From a license perspective, a portal license must be purchased for the unit (or more for redundancy) doing the portal management. Licenses for GlobalProtect are required on all desired PAN units acting as gateways (this does not have to be all the deployed PANs, just those desired as remote access gateways). Support is purchased for updates to the software along with technical support.

    GP (Global Protect) is included in a lite (free) basic form which supports a single gateway and portal (without the host endpoint enforcement). If you want any of the following capabilities, you need to purchase the optional GP gateway subscription:
    • Endpoint enforcement via PAN HIP profiles
    • Mobile support (Apple iOS or Android) versus just MS Windows or MacOS
    • To use the new GP clientless VPN capability
    • To enable multiple gateways (read release notes for more clarification)
    NOTE: Starting with PANOS 7.0, you no longer need to purchase the GP Portal License!
    Yes, split tunneling policies can be defined via the portal management system.

    NOTE: The behavior does change starting with PANOS 7.0, please read the release notes to better understand the changes.
    Basic SSL VPN connectivity via a lite version of GP is already included on the PAN base systems to address remote access for users of Windows and MacOS. GlobalProtect license option extends the features (see buy/not buy question).

    GlobalProtect acts as a transparent SSL VPN regardless of how users connect to the Internet, making sure those connections remain encrypted. GP will use IPSec by default for performance benefits, but can fall back to SSL where networks disallow IPSec traffic.
    - Operating system and patch level
    - Host anti-malware version
    - Host firewall version
    - Disk encryption
    - Data backup products
    - Customized host conditions

    NOTE: Above are enabled via HIP profiles on the portal and require optional Global Protect license(s).
    You can control where users are placed in terms of a security zone. Users can be placed in the same internal network (typically Trust) zone or they can have their tunnels terminated in a different secure zone (e.g. RemoteUsers) and then use security policies tied to usernames and/or applications to control and restrict access. This includes threat inspection features, spyware, malware, anti-virus, etc. Sounds like a great idea, right?
    It can be done, but you need to talk with your PAN administrator and have them check the Palo Alto Networks support site. We're not going to help IT users remove a corporate control from their desktops except via the official corporate administrators. Yes, GP is an excellent tool for enforcing corporate policies and as such should not be easy to disable or remove by unauthorized users.

    If you would like us to work with the IT department, we are available for Professional Services via a billable engagement.
  • AutoFocus
    AutoFocus allows you to protect your organization from unique and targeted threats in a simpler, more effective way. AutoFocus prioritizes the most critical threats targeting your network, adds context, and enables you to take decisive action. Consider it a cyber security research tool.
  • Aperture (Cloud)
    Aperture provides complete SaaS security and visibility.

    Aperture extends the visibility and granular control of the Palo Alto Networks next-generation security platform into SaaS applications themselves – an area traditionally invisible to IT. Aperture solves this problem by looking into SaaS applications directly, providing full visibility into the day-to-day activities of users and data. Granular controls ensure policy is maintained to eliminate data exposure and threat risks.
Resources 

PAN Resources

We have a separate page for PANOS resources here.
Endpoint 

PAN TRAPS

Palo Alto Networks TRAPS requires no definition updates or hardware, protects unpatched systems, is compatible with all physical or virtual Windows platforms including terminals, VDI, VMs and embedded systems, protects all applications including proprietary and 3rd party applications, and most importantly, it doesn’t need prior knowledge of an attack in order to prevent it.

Find out more on our TRAPS specific page.
Support 

PAN Support

Target Follow-up Times

Severity 1 – Critical: Every 4 hours until resolved or a workaround is in place.
Severity 2 – High: Every business day until resolved or a workaround is in place.
Severity 3 – Medium: Every 3 business days until resolved.
Severity 4 – Low: Once per business week until resolved.

Severity Definitions


Severity 1 – Critical: Product is down and critically affects customer production environment. No workaround yet available.
Severity 2 – High: Product is impaired and customer production is up but impacted. No workaround yet available.
Severity 3 – Medium: A product function has failed and customer production is not affected. Support is aware of the issue and there is a workaround available.
Severity 4 – Low: Product function is not impaired and no impact to customer business. Includes feature, information, documentation, how-to and Enhancement requests from the customer.

© 2017 Altaware, Inc. | All rights reserved.

866-833-4070

CYBER SECURITY | ORANGE COUNTY, CA