Professional Documents
Culture Documents
fShare
Share
Save
Our previous article examined the benefits of Palo Alto Networks Firewall Single Pass Parallel Processing (SP3) architecture and how its combine
with the separate Data and Control planes to boost firewall performance and handle large amounts of traffic without and performance impact. This
article focuses on the traffic flow logic inside the Palo Alto Firewall and two unique features that separate it from the competition: Application-
based policy enforcement (App-ID) & User Identification (User-ID).
For more Technical articles on Palo Alto Networks Firewalls, visit our Palo Alto Networks Firewall Section
Palo Alto Networks Next-Generation Firewalls works with the concepts of zones not interfaces, once a packet enters the firewall, the Palo Alto
Networks Next-Generation Firewalls identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS
Routers Zone-based Firewalls and Cisco ASA Firewalls.
Users interested can also download for free the Palo Alto Networks document “Day in the Life of a Packet” found in our Palo Alto Networks Download
section which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.
APP-ID & USER-ID – FEATURES THAT SET PALO ALTO APART FROM THE
COMPETITION
App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the
competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.
A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups, will allow any application using that port to pass through without
asking second questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for
P2P file sharing, which is quite dangerous:
Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic
With App-ID, Palo Alto Networks Next-Generation Firewalls uses multiple identification mechanisms to determine the exact identity of applications
traversing the network. Following is the order in which traffic is examined and classified:
Using the above process Palo Alto Networks Next-Generation Firewalls are very successful in identifying DNS traffic not only at the port level but also
at the Application level, making it extremely difficult for an evasive application like BitTorrent to use any open ports and pass through the firewall
undetected.
Traditionally, security policies and rules were applied based on IP addresses. However, these days both the users and applications have a dynamic
nature which means that IP addresses alone have become inefficient for monitoring and controlling user activity. A single user might access the
network from multiple devices (laptops, tablets, smartphones, servers).
Thanks to the User-ID feature of the Palo Alto Networks Next-Generation Firewalls administrators are able to configure and enforce firewall policies
based on users and user groups instead of network zones and addresses.
The Palo Alto Networks Next-Generation Firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory,
SunOne, OpenLDAP, and most other LDAP-based directory servers to provide user and group information to the firewall. With this powerful feature,
large organizations are able to create security policies that are user or group based, without worrying about IP addresses associated to them.
THREAT PREVENTION
Palo Alto Networks Next-Generation Firewalls are very effective in preventing threats and they do offer real-time threat prevention from viruses,
worms, spyware, and other malicious traffic can be varied by application and traffic source.
Figure 3. Palo Alto Application Command Center provides maximum visibility on network traffic (click to enlarge)
CONCLUSION
This article why Palo Alto Networks Next-Generation Firewalls are really unique in many terms. Features such as App-ID and User-ID allow in-
depth control of applications and users, making it possible to fully manage small to very large enterprises without a problem. The Application
Command Control (ACC) helps give the administrator a complete view of applications and services accessing the internet alongside with some
very useful statistics. To discover more in-depth technical articles on Palo Alto Networks Firewalls, please visit our Palo Alto Networks Firewall
section.