
Product Architecture

Enterprise Security Platform Approach

Single Pass
o Operations once per packet
o Traffic classification (App-ID)
o User/group mapping (User-ID)
o Content scanning: threats, URLs, confidential data
o One policy

Parallel Processing
o Function-specific parallel processing hardware engines
o Separate data/management planes








Cheatsheet v1.1

Why Palo Alto Networks?

Single Unified Policy (Palo Alto Networks) vs. Separate Policies for FW, App, IPS, AV (Competitors)
Palo Alto Networks: Reduces administrative effort; eliminates potential security loopholes as well as user errors.
Competitors: Administrative effort increases for each added policy; creates potential security holes.

Single Log Entry vs. Separate Logs for One Traffic Session
Palo Alto Networks: Session-based single view of network activity.
Competitors: Extra effort is required to correlate logs for visibility into network activity, which slows forensic reaction time.

Positive Control Model vs. Negative Control Model
Palo Alto Networks: Allow by policy; all else is denied. For example, if SharePoint traffic needs to be allowed, you only need to create a single security policy rule allowing the SharePoint application. All other applications, those on other ports and protocols and also those using the same service port as SharePoint, are denied implicitly.
Competitors: Hard to enforce the deny-all-else premise. For example, if SharePoint traffic needs to be allowed, you need to create a port-based policy rule allowing the SharePoint service port and protocol, and another rule in the application control function allowing the SharePoint application. All other applications using the same service port as SharePoint are allowed implicitly, so you need to create further rules in the application control function to block the applications you do not allow.

Systematically Manage Unknowns vs. Lack of Unknown Traffic Management
Palo Alto Networks: Quick identification of high-risk traffic and systematic management. The positive control model ensures that all unknown applications are denied implicitly, and because all known applications are classified into risk levels, you can write policies that handle traffic by risk level.
Competitors: A negative application control model means unknown traffic is allowed by default: anything unknown, or any application that is not explicitly managed, is allowed implicitly. Separate policies make unknown management difficult.
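To make the positive-versus-negative control contrast concrete, here is an added illustration (my own code, not Palo Alto Networks software and not PAN-OS rule syntax): a toy policy evaluator that runs the same classified flows through an application-based allow rule with implicit deny, and through a port-based allow rule backed by a separate application-control blocklist. The application names, ports, zones and rules are constructed for the example; the only real behaviour being modelled is that a port-based rule cannot tell SharePoint apart from anything else on TCP/443.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A classified session. `app` is the identified application, or
    "unknown-tcp" when classification found nothing. Constructed for this example."""
    app: str
    proto: str
    port: int


# Positive control model: one rule names the application and the ports it may use
# (an "application-default" style constraint). Everything else is denied.
SHAREPOINT_DEFAULT_PORTS = {80, 443}
POSITIVE_RULES = [
    {"name": "allow-sharepoint", "app": "sharepoint", "ports": SHAREPOINT_DEFAULT_PORTS},
]

# Negative control model: a port-based firewall opens the service port, and a separate
# application-control function only blocks the applications it has been told about.
PORT_RULES = [
    {"name": "allow-https", "proto": "tcp", "port": 443},
]
APP_CONTROL_BLOCKLIST = {"dropbox"}   # hypothetical: someone remembered to block this one


def positive_model(flow: Flow) -> str:
    """Allow only what a rule explicitly names; everything else falls through to deny."""
    for rule in POSITIVE_RULES:
        if rule["app"] == flow.app and flow.port in rule["ports"]:
            return "allow"
    return "deny"   # implicit deny-all-else, including unknown-tcp


def negative_model(flow: Flow) -> str:
    """Port-based allow, then a blocklist: anything not blocklisted on an open port passes."""
    if not any(r["proto"] == flow.proto and r["port"] == flow.port for r in PORT_RULES):
        return "deny"
    if flow.app in APP_CONTROL_BLOCKLIST:
        return "deny"
    return "allow"   # implicit allow, including unknown-tcp


def compare(flows):
    """Return {"app:port": (positive verdict, negative verdict)} for each flow."""
    return {f"{f.app}:{f.port}": (positive_model(f), negative_model(f)) for f in flows}


# Constructed sample flows, all on the SharePoint service port unless noted.
SAMPLE_FLOWS = [
    Flow("sharepoint", "tcp", 443),   # the one thing we meant to allow
    Flow("dropbox", "tcp", 443),      # an app the blocklist happens to cover
    Flow("evernote", "tcp", 443),     # an app nobody added to the blocklist
    Flow("unknown-tcp", "tcp", 443),  # traffic that could not be classified
    Flow("sharepoint", "tcp", 8443),  # the allowed app on a non-standard port
]

if __name__ == "__main__":
    for key, (pos, neg) in compare(SAMPLE_FLOWS).items():
        print(f"{key:18} positive={pos:5} negative={neg}")
```

The two rows worth staring at are `evernote:443` and `unknown-tcp:443`: the positive model denies both without anyone having written a rule for them, while the negative model allows both because the only thing standing between them and the server is a blocklist that has to be kept up to date by hand.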

Predictable Performance vs. Severe Performance Degradation
Palo Alto Networks: Superior performance in real-world scenarios. Built from the ground up in both software and hardware, the Single Pass Parallel Processing architecture ensures that performance degradation is predictable and in line with datasheet metrics.
Competitors: Performance is only good in a lab environment with L3-L4 traffic. New functions are added onto the existing firewall architecture, which causes performance to degrade severely once inspection is enabled.

Built-in Reporting and Management vs. Separate Reporting and Management
Palo Alto Networks: With dedicated hardware resources for a control plane that is separated from the data plane within a single hardware platform, the control plane provides an on-box dashboard (the Application Command Center) and superior reporting functions. The control plane continues to provide management access to the platform regardless of the traffic load on the data plane.
Competitors: Additional software and hardware may be required to provide better reporting capabilities. Under heavy traffic load, the firewall's management may become inaccessible.










Objection Handling

My Firewall can do that... Port-based firewalls attempt to address application control with add-on, IPS-like components. This results in duplicate policies that cannot be easily reconciled and duplicate log databases that reduce visibility; it leaves unknown traffic impossible to manage systematically and weakens the deny-all-else premise that firewalls are built on.
My UTM can do that... UTMs are port-based firewalls with add-on, IPS-like components that do not share information (context). They are designed to reduce costs through consolidation. UTMs have duplicate policies that cannot be easily reconciled, have duplicate log databases that reduce visibility, are unable to manage unknown traffic systematically, and weaken the deny-all-else premise that firewalls are built upon.
My IPS can do that... An IPS allows by default: if it does not know about a threat, the traffic passes through, and unknown traffic goes through. An IPS downstream from a firewall has no context other than the port number that was allowed, and has to decide whether to block purely on signature.
My Secure Web Gateway can do that... Secure web gateways provide a limited amount of protection because, by definition, they only look at HTTP/HTTPS traffic passing over the default ports. Organizations need to protect all network traffic, over all ports and for any application, which is what a firewall has always been designed to do.

Competitive Landscape

Security Technology                  Palo Alto Networks   Competitors
Next Generation Firewall             Yes                  Check Point / Fortinet / Juniper / Cisco
Intrusion Prevention Systems (IPS)   Yes                  SourceFire / Tipping Point
Advanced Persistent Threat (APT)     Yes                  FireEye / Lastline / Damballa
URL Filtering                        Yes                  Blue Coat / WebSense
Mobility (MDM focus)                 Yes                  MobileIron / Good / AirWatch

*Sources as of June 2014

The table above shows that Palo Alto Networks is the only solution on the market that covers every one of these security technology verticals. Position Palo Alto Networks whenever a customer's security technology needs, or a competitor, is mentioned in an opportunity. Use the "Why Palo Alto Networks?" table to differentiate us from the competition.





Product Offering

Next Generation Enterprise Security Platform

Model     Firewall Throughput (App-ID / Layer 7)   Threat Prevention Throughput (All Enabled)   Ports                                                 Session Capacity
PA-7050   120 Gbps                                 100 Gbps (DSRI) / 60 Gbps                    24 SFP+ (10 Gig), 48 SFP (1 Gig), 72 copper gigabit   24,000,000
PA-5060   20 Gbps                                  10 Gbps                                      4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit     4,000,000
PA-5050   10 Gbps                                  5 Gbps                                       4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit     2,000,000
PA-5020   5 Gbps                                   2 Gbps                                       8 SFP (1 Gig), 12 copper gigabit                      1,000,000
PA-3050   4 Gbps                                   2 Gbps                                       8 SFP (1 Gig), 12 copper gigabit                      500,000
PA-3020   2 Gbps                                   1 Gbps                                       8 SFP (1 Gig), 12 copper gigabit                      250,000
PA-500    250 Mbps                                 100 Mbps                                     8 copper gigabit                                      64,000
PA-200    100 Mbps                                 50 Mbps                                      4 copper gigabit                                      64,000

Suggested Sizing Models

Sizing                    No. of Users      Model Range
Small Branch Office       1 to 10           PA-200
Small Office              10 to 50          PA-500
Medium Office             50 to 500         PA-3000 Series
Large Office              500 to 10000      PA-5000 Series
Campus/Service Provider   10000 and above   PA-7000 Series
Data Center               NA                PA-7000 Series

Please note that the suggested sizing above is based on a best-case deployment. Consult your local Palo Alto Networks sales person for more accurate sizing.





Virtualization

VM-Series for VMware vSphere Hypervisor (ESXi)
o VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on VMware ESXi
o Deployed as part of the virtual network configuration for east-west traffic inspection
o ESXi 4.1 and 5.0 for PAN-OS 5.0; ESXi 5.5 for PAN-OS 6.0

VM-Series for VMware NSX
o VM-1000-HV for NSX, deployed as a service with VMware NSX and Panorama
o Automated deployment, transparent traffic steering, dynamic context sharing
o Ideal for east-west traffic inspection

VM-Series for Citrix NetScaler SDX
o VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on Citrix NetScaler SDX
o Consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments

The VM instances' IP addresses are dynamically updated into the Dynamic Address Groups used in policies.
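The point of dynamic address groups is that a security rule references a tag, not an address, so policy follows a VM as it is created, re-addressed or retired. The following is an added example (my own code, not Palo Alto Networks software): it parses a registration message, maintains the IP-to-tag table and resolves a simplified match expression into group members. The `<uid-message>` register/unregister layout follows the PAN-OS User-ID XML API as I understand it; the IP addresses, the tags `web-tier`, `db-tier` and `pci`, and the reduced match-expression grammar (one `and` or `or` operator per expression) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample registration message (layout assumed from the PAN-OS User-ID XML API).
SAMPLE_UID_MESSAGE = """<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry ip="10.0.1.11"><tag><member>web-tier</member><member>pci</member></tag></entry>
      <entry ip="10.0.1.12"><tag><member>web-tier</member></tag></entry>
      <entry ip="10.0.2.21"><tag><member>db-tier</member><member>pci</member></tag></entry>
    </register>
    <unregister>
      <entry ip="10.0.1.10"><tag><member>web-tier</member></tag></entry>
    </unregister>
  </payload>
</uid-message>"""


def apply_uid_message(xml_text: str, ip_tags: dict) -> dict:
    """Apply the register/unregister entries to an {ip: set(tags)} table and return it.
    Unregistering the last tag on an IP removes the IP entirely, so a retired VM
    drops out of every group that referenced it."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("./payload/register/entry"):
        tags = {m.text for m in entry.findall("./tag/member")}
        ip_tags.setdefault(entry.get("ip"), set()).update(tags)
    for entry in root.findall("./payload/unregister/entry"):
        ip = entry.get("ip")
        tags = {m.text for m in entry.findall("./tag/member")}
        if ip in ip_tags:
            ip_tags[ip] -= tags
            if not ip_tags[ip]:
                del ip_tags[ip]
    return ip_tags


def resolve_dag(match_expr: str, ip_tags: dict) -> set:
    """Resolve a simplified dynamic address group match expression against the tag table.
    Supports 'tagA' and 'tagB' ... or 'tagA' or 'tagB' ... with a single operator type;
    this is a deliberate simplification of the real match syntax."""
    if " and " in match_expr:
        terms, need_all = match_expr.split(" and "), True
    else:
        terms, need_all = match_expr.split(" or "), False
    wanted = {t.strip().strip("'") for t in terms}
    if need_all:
        return {ip for ip, tags in ip_tags.items() if wanted <= tags}
    return {ip for ip, tags in ip_tags.items() if wanted & tags}


def demo() -> dict:
    """Start from a table holding a VM that is about to be retired, apply the message,
    then resolve the groups a policy might reference. Returns the resolved groups."""
    table = {"10.0.1.10": {"web-tier"}}   # constructed: old web VM being decommissioned
    apply_uid_message(SAMPLE_UID_MESSAGE, table)
    return {
        "pci-web": resolve_dag("'web-tier' and 'pci'", table),
        "all-web": resolve_dag("'web-tier'", table),
        "any-tier": resolve_dag("'web-tier' or 'db-tier'", table),
    }


if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: {sorted(members)}")
```

Note that the rule referencing `pci-web` never changes while its membership does: 10.0.1.10 disappears the moment its last tag is unregistered, and 10.0.1.11 appears with no commit of the security policy.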


WildFire (Advanced Persistent Threat Prevention)

WildFire identifies unknown malware, zero-day exploits and Advanced Persistent Threats (APTs) by directly executing them in a scalable, cloud-based virtual sandbox environment. WildFire automatically creates and disseminates protections in near real time to help security teams meet the challenge of advanced cyber attacks. Extending the next-generation firewall platform, which natively classifies all traffic across nearly 400 applications, WildFire applies this behavioral analysis regardless of port or encryption, with full visibility into web traffic, email protocols (SMTP, IMAP, POP) and FTP.



















GlobalProtect (Agent-Based SSL VPN)

How it works

o The GlobalProtect agent authenticates via the portal and conducts location discovery.
o If the location is internal, no VPN tunnel is established; only user and host information is sent to the portal.
o If the location is external, the GlobalProtect agent chooses the best gateway from the list provided by the portal.
o Once a gateway is selected, the VPN tunnel is established and user and host information is sent to the portal.
o Note that the portal and gateway can be configured on the same next-generation security platform.
o No license (and no per-user license) is required for a single-portal, single-external-gateway setup without HIP checks or GlobalProtect mobile app support.

GlobalProtect Portal and Subscription

Licensing is based on the portal and gateways (firewalls), not on the number of users.

Requirement                            License required
Single gateway                         Free
Multiple gateways                      Portal License (perpetual)
Internal gateway                       Portal License (perpetual)
Host Information Profile (HIP) check   Portal License (perpetual) and Gateway Subscription
GlobalProtect Mobile App               Portal License (perpetual) and Gateway Subscription


GlobalProtect Mobile Security Manager (Mobility/BYOD)

How it works

GlobalProtect GP-100 Appliance and Licensing

o Mobile Security Manager runs on the new GP-100 appliance.
o The GP-100 comes with support for up to 500 mobile devices. Additional perpetual capacity licenses support 1K, 2K, 5K, 10K, 25K, 50K and 100K devices.
o A WildFire subscription (optional add-on) provides Android malware detection; its price varies with the underlying capacity license.
o The GP-100 is not designed to be sold as a standalone product. It requires the other GlobalProtect components (app, portal, gateway) for full functionality, and the GlobalProtect licensing concept applies.























URL Filtering License

Palo Alto Networks provides the ability to control access to websites based on URL category. You purchase and install a subscription for either the PAN-DB (Palo Alto Networks Database) or the BrightCloud URL filtering database.

Palo Alto Networks recommends that customers use PAN-DB, the URL category database solely owned by Palo Alto Networks. It integrates seamlessly with WildFire, so malicious URL categories are updated whenever malicious content is detected in the threat cloud.

The differences between the PAN-DB and BrightCloud licenses are as follows:

Seed database size
  PAN-DB: Small. Uses a seed database for initial configuration, then the device stays in sync with the cloud servers.
  BrightCloud: Large. Relies on a URL database file that is saved to disk and updated daily.

Offline database support
  PAN-DB: No. Requires an internet connection to the cloud servers to function.
  BrightCloud: Yes. Cloud server lookups are optional.

Minimum PAN-OS version
  PAN-DB: Available from version 5.0 and higher.
  BrightCloud: Backwards-compatible with PAN-OS 4.x.

Part number (SKUs)
  PAN-DB: URL licensing for PAN-DB is reflected as URL4*.
  BrightCloud: URL licensing for BrightCloud is reflected as URL2*.

Example of a PAN-DB URL license SKU: if you are quoting a PA-5050 one-year URL Filtering subscription with PAN-DB, use the PAN-PA-5050-URL4 SKU (the URL2 suffix is the BrightCloud license).

Without the subscription license, the customer may still enable URL filtering based on custom URL categories. (Note that the appliance may still show a "no URL Filtering license" warning alert.)






















Quote me in based on Use Case!

Data Center & Cloud / Enterprise Perimeter / Mobility

Use Cases
o Mobility (SSL VPN)
o Mobility (BYOD)
o Data Center NGFW
o Software Defined Network (SDN) / Virtualization
o Perimeter NGFW / Branch Office
o Intrusion Prevention Systems (IPS)
o Advanced Persistent Threat (APT)

Subscription Services on PAN-OS
o Threat Prevention (IPS, Anti-Virus, Anti-Spyware)
o WildFire (Advanced Persistent Threat, APT)
o URL Filtering (incl. advanced malware URL categories)

Other Appliances
o GlobalProtect (SSL VPN)
o VM-Series
o MSM (Mobile Device Management, MDM)

The lists above give the deployment use cases and the subscription service licenses you may add to your quotation for each use case. For a deployment use case like Mobility (BYOD), an additional appliance such as the Mobile Security Manager (MSM) for mobile device management is recommended as part of the solution.

Example of a deployment use case: if you need to propose a solution for virtualization, you may propose a Threat Prevention license and a WildFire license as well as the VM-Series virtual appliance.





















Banking, Financial Services and Insurance (BFSI)

Use Cases
o Palo Alto Networks for PCI compliance
o PCI security policies in action

Deployment Engagements
o Application visibility and control
o URL filtering
o User access control
o Threat prevention
o Bandwidth control
o Virus control

Business Applications
o DBs (Oracle, IBM, Hadoop)
o ERP/CRM (Oracle, SAP, NetSuite)
o Collaboration (WebEx)
o SharePoint, Box.net
o Banking applications (Oracle IPM, Silverlake, Temenos T24)

Protocol / Application / Standards
o Active Directory, LDAP
o ActiveSync
o FTP
o SecurID, Kerberos, RADIUS

Protocol / Application
o Social networking (Facebook)
o VoIP (Skype)
o Video, audio (YouTube, Netflix, etc.)
o Games, P2P

Over 1700 application signatures, including a growing list of industry-specific signatures.



SCADA and ICS

Use Cases
o Protecting unpatched systems
o Secure VPN / remote access
o CVE
o Identifying remote users

Deployment (figure): HMI / Workstation; PLC / RTU / IED; Server / Database; Data Center Security; Remote Station / Plant Floor Security

Abbreviations: SCADA (Supervisory Control and Data Acquisition), ICS (Industrial Control System), CVE Identifiers (Common Vulnerabilities and Exposures), HMI (Human Machine Interface), PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), IED (Intelligent Electronic Device), OPC (OLE for Process Control), PI (Plant Information), DCS (Distributed Control System), EMS (Energy Management System)

Protocol / Application
o Modbus base
o Modbus function control
o DNP3
o IEC 60870-5-104 base
o IEC 60870-5-104 function control
o OSIsoft PI Systems
o ICCP (IEC 60870-6 / TASE.2)
o Cygnet
o Elcom 90
o FactoryLink
o MQTT
o CIP Ethernet/IP
o Synchrophasor (IEEE C37.118)
o Foundation Fieldbus
o Profinet IO
o OPC

Over 1700 application signatures, including a growing list of SCADA/ICS-specific signatures.
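The "base" versus "function control" split in the list above is what makes an application signature useful on a plant floor: recognising that a session is Modbus lets you pin it to the right zone, but only decoding the function code lets you allow an HMI to read registers while refusing to let it write them. The following is an added example (my own code, not Palo Alto Networks software, and not how App-ID is implemented): a minimal Modbus/TCP decoder that checks the MBAP header, classifies the function code as read or write, and applies a constructed zone policy. The frames, zone names and policy are constructed; the MBAP layout and public function codes are from the Modbus/TCP specification.

```python
import struct

# Public Modbus function codes, grouped by their effect on the process.
READ_FUNCTIONS = {1: "read-coils", 2: "read-discrete-inputs",
                  3: "read-holding-registers", 4: "read-input-registers"}
WRITE_FUNCTIONS = {5: "write-single-coil", 6: "write-single-register",
                   15: "write-multiple-coils", 16: "write-multiple-registers"}
MODBUS_TCP_PORT = 502


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of one Modbus/TCP request ("Modbus base").
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not 0: not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match the frame (malformed or truncated)")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify_function(func: int) -> str:
    """Map a function code to read / write / exception / other ("Modbus function control")."""
    if func in READ_FUNCTIONS:
        return "read"
    if func in WRITE_FUNCTIONS:
        return "write"
    if func & 0x80:
        return "exception"   # response with the error bit set
    return "other"           # diagnostics, vendor-specific, etc.


# Constructed zone policy: operator stations may only read; only engineering may write.
POLICY = [
    {"from": "hmi", "to": "plc", "allow": {"read"}},
    {"from": "engineering", "to": "plc", "allow": {"read", "write"}},
]


def evaluate(src_zone: str, dst_zone: str, dst_port: int, frame: bytes) -> tuple:
    """Return (verdict, class, function code) for one request between two zones.
    Traffic that does not parse as Modbus, or that matches no rule, is denied."""
    if dst_port != MODBUS_TCP_PORT:
        return ("deny", "not-modbus-port", None)
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError:
        return ("deny", "malformed", None)
    cls = classify_function(pdu["function"])
    for rule in POLICY:
        if rule["from"] == src_zone and rule["to"] == dst_zone:
            return ("allow" if cls in rule["allow"] else "deny", cls, pdu["function"])
    return ("deny", cls, pdu["function"])


# Constructed frames: tid, pid=0, length, unit=1, function, data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")   # write 0x00ff to register 16
BAD_LENGTH   = bytes.fromhex("0003 0000 0009 01 03 0000 000a")   # MBAP length field lies

if __name__ == "__main__":
    print(evaluate("hmi", "plc", 502, READ_HOLDING))
    print(evaluate("hmi", "plc", 502, WRITE_SINGLE))
    print(evaluate("engineering", "plc", 502, WRITE_SINGLE))
    print(evaluate("hmi", "plc", 502, BAD_LENGTH))
```

A port-based rule allowing TCP/502 from the HMI zone would pass all four frames; only decoding the function code lets the write from the HMI be refused while the identical write from engineering goes through. Rejecting frames whose MBAP length disagrees with the bytes on the wire is the kind of "base" sanity check that stops malformed traffic from reaching an unpatched PLC at all.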



HealthCare

Use Cases

General Workstations On Campus (Headquarter)
o Access to business-relevant apps and controlled access to the internet
o Managed access to the internet
o Next-Generation Firewall (broad portfolio of security appliances to select from)

Remote Practice (Branch)
o Deploy the firewall on premise, manage it centrally
o Apply the same policies as within the hospital campus
o Next-Generation Firewall

Clinician Remote Access (BYOD/Mobility)
o Establish a secure VPN connection; User-ID identifies the user and access is provided to authorized apps
o Apply the same policies as within the hospital campus
o GlobalProtect on laptops, iPads, iPhones and Android devices

Clinical Workstations On Campus (Branch)
o Access to clinical data and authorized apps for business purposes
o Controlled access to PHI data through App-ID, User-ID and Content-ID
o Apply rules that limit traffic and reduce scope of
o Next-Generation Firewall

Business Applications
o DBs (Oracle, IBM, Hadoop)
o ERP/CRM (Oracle, SAP, NetSuite)
o Collaboration (WebEx)
o SharePoint, Box.net
o HL7, DICOM

Protocol / Application / Standards
o Active Directory, LDAP
o ActiveSync
o FTP
o SecurID, Kerberos, RADIUS

Protocol / Application
o Social networking (Facebook)
o VoIP (Skype)
o Video, audio (YouTube, Netflix, etc.)
o Games, P2P

Over 1700 application signatures, including a growing list of industry-specific signatures.







