
PALO ALTO NETWORKS PORTFOLIO AND ARCHITECTURE
ALWAYS USE THE RIGHT TOOL FOR THE JOB!
• Palo Alto Networks Portfolio overview
• Next-generation firewall architecture
• Firewall offerings

EDU-210 Version A
PAN-OS® 10.1

© 2017-2021 Palo Alto Networks, Inc. Page 1


Learning Objectives
After you complete this module, you should be able to:
• Describe the three Pillars of the Palo Alto Networks Portfolio
• Define the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo Alto Networks


After you complete this module, you should be able to:


• Describe the three Pillars of the Palo Alto Networks Portfolio
• Describe the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo Alto Networks



Palo Alto Networks Portfolio overview

Next-generation firewall architecture

Firewall offerings

This section provides a high-level introduction to the architecture and components of the Palo Alto Networks
Security Operating Platform.



The three pillars: Strata | Prisma | Cortex


The Palo Alto Networks Product Portfolio® consists of a tightly integrated system of components and
services, including a partner ecosystem, that delivers consistent security across the network, endpoints, and
cloud. By working as an integrated system, the Product Portfolio simplifies security by leveraging
consolidated threat intelligence information, automation, machine learning, and data analytics.
The platform prevents successful attacks and stops attacks in progress to provide consistent protection to
secure the enterprise, the cloud, and the future:
• Secure the enterprise: Tightly integrated innovations allow consistent protection for the enterprise with
machine learning (ML)-Powered Next-Generation Firewalls, Threat Prevention services, security
subscription services such as DNS Security and URL Filtering, and Panorama™ for firewall management.
• Secure the cloud: Prisma provides complete cloud security through protection for branches, mobile users,
software as a service (SaaS), and apps in private and public clouds.
• Secure the future: For security teams, day-to-day tasks can be complex, consist of manual tasks, and
require working across multiple teams and tools. The Palo Alto Networks approach is to reduce risk by
lowering the mean-time-to-response and the mean-time-to-detection to increase efficiency for your teams.



Key Elements
Complete Visibility | Reduce Attack Surface | Prevent Known Threats | Prevent Unknown Threats


The key elements of the Palo Alto Networks approach to cybersecurity:


• Provide visibility: An organization is unable to protect against what it cannot see. Protection requires full
visibility of users, applications, and content traversing corporate networks, the cloud, and endpoints.
Only then is it possible to implement security policies and take actions, such as blocking unknown traffic,
identifying advanced attacks, or permitting only the applications that have a valid business purpose.
• Reduce the attack surface: An attacker has more difficulty compromising an organization when the attack
surface is reduced. A variety of actions and tactics are available to reduce the attack surface, including
implementing an allowed application list to enable only critical business applications, inspecting unknown
traffic and activity against acceptable use policies, and implementing two-factor authentication to ensure that
compromised credentials cannot be used to access applications and data.
• Prevent known threats: Preventing known threats is a foundational capability of any security program,
but to do so effectively, your organization must be able to consume and process threat intelligence and
have a well-organized defense that can be reconfigured rapidly and automatically, based on new
intelligence.
• Prevent unknown threats: Although preventing known threats is vitally important, signature-based
prevention is limited to blocking only what it knows to block. Preventing unknown threats is a crucial
capability that consists of making unknown threats known, developing controls to stop them, and
automatically reprogramming security technologies to incorporate the new controls. Palo Alto Networks
technologies use data analytics and machine learning on collected datasets to detect behavioral anomalies
indicative of a breach or attack and then provide detailed actionable alerts. An organization can use
automated processes and event correlation to make it easier to identify and address the critical threats.



Securing the Enterprise
The key Palo Alto Networks Product Portfolio elements for securing the enterprise are:
• Strata, VM-Series, and CN-Series - The foundation of the Palo Alto Networks Product Portfolio.
• Subscription services - Provide enhanced threat services and NGFW capabilities.
• Panorama™ - Centralized NGFW management and logging.
• WildFire® - Malware detection service that automatically detects and prevents unknown threats.
• GlobalProtect - Extends the enterprise perimeter to remote offices and mobile users.
• Prisma™ Access - Extends the enterprise perimeter to remote sites and mobile users.

Strata ML-Powered Firewall | Panorama | WildFire | GlobalProtect | Prisma Access


The networking infrastructure of an enterprise can be extraordinarily complex. The Product Portfolio secures
the enterprise networks’ perimeter, data center, and retail/branch offices with a fully integrated and automated
platform that simplifies security. Simplifying your security posture enables you to reduce operational costs
and supporting infrastructure while increasing your ability to prevent threats to your organization and quickly
adjust to your dynamic environment. The key Product Portfolio elements for securing the enterprise are:
• Strata ML-Powered firewalls: The foundation of the Palo Alto Networks Product Portfolio.
• Subscription Services: Provide enhanced threat detection and prevention services and NGFW
capabilities.
• Panorama: Centralized next-generation firewall management and logging.
• WildFire: Malware detection service automatically detects and prevents unknown threats.
• GlobalProtect: Extends the enterprise perimeter to remote sites and mobile users.
• Prisma Access: Provides SD-WAN-based secure access to the cloud from remote sites and for mobile
users. Secure remote access is provided globally and without compromising the users’ experience.
For information about securing the enterprise, see the documentation at
https://www.paloaltonetworks.com/network-security.



Securing the Cloud

Prisma SaaS | Prisma Cloud | Prisma Access

• Prisma SaaS brings together data protection, governance, and compliance to safely enable SaaS application
adoption.
• Prisma Cloud provides continuous security monitoring, compliance validation, and cloud storage security
capabilities across multi-cloud environments.
• Prisma Access provides secure access to the cloud from remote sites and for mobile users globally without
compromising the users' experience.


Prisma provides the most comprehensive cloud security in the industry by protecting users, applications, and
data, regardless of where they are. Prisma is a complete cloud security offering that provides visibility,
reduction of risk, compliance, and secure access for your organization’s applications and users.
Regardless of where an organization is in its cloud integration, Prisma can secure its entire cloud posture
in the following ways:
• Prisma SaaS: Brings together data protection, governance, and compliance to safely enable SaaS
application adoption.
• Prisma Cloud: Provides continuous security monitoring, compliance validation, and cloud storage
security capabilities across multi-cloud environments. In addition, you can simplify security operations
through effective threat protections enhanced with comprehensive cloud context.
• Prisma Access: Provides secure access to the cloud from remote sites and for mobile users globally
without compromising the users' experience.
For information about securing the cloud, see the documentation at
https://www.paloaltonetworks.com/prisma/cloud.



Securing the Future

Powering Innovative Apps and Services

Cortex™ Data Lake | Cortex™ XDR Prevent | Cortex™ XDR | Cortex™ XSOAR | Cortex™ AutoFocus

• Cortex™ Data Lake provides cloud-based, centralized log storage and aggregation for your enterprise security
data.
• Cortex XDR Prevent: A cloud-delivered endpoint security service simplifies deployment and day-to-day
management of endpoint protection.
• Cortex XDR™ detection and response empowers you to stop sophisticated attacks and adapt defenses to prevent
future threats.
• Cortex XSOAR: The Security Orchestration, Automation, and Response platform enables security teams to
accelerate responses through automation.
• AutoFocus: The AutoFocus contextual threat intelligence service provides the attribution, context, and
classification to make security analyst teams more effective.


Security teams are constantly challenged to prevent data breaches. The issues originate from too many alerts,
too few security analysts, narrowly focused tools, lack of integration, and time. The more they react, the
further behind they get. Cortex is an Artificial Intelligence (AI)-based, continuous security platform. Cortex
allows organizations to create, deliver, and consume innovative new security products from any provider,
without additional complexity or infrastructure:
• Cortex Data Lake: Provides cloud-based, centralized log storage and aggregation for your enterprise
security data.
• Cortex XDR Prevent: Endpoint protection and response that provides behavior-based protection to detect and
respond to sophisticated attacks.
• Cortex XDR: Prevents malware, blocks exploits, and analyzes suspicious patterns through behavioral
threat protection.
• Cortex XSOAR: A Security Orchestration, Automation and Response platform that enables security
teams to accelerate response across people, process, and technology.
• Cortex AutoFocus: Provides contextual threat intelligence with instant access to community-based threat
data, enhanced with deep context and attribution from the Unit 42 threat research team.
For information about securing the future, see the documentation at
https://www.paloaltonetworks.com/cortex.



Palo Alto Networks Portfolio overview

Next-generation firewall architecture

Firewall offerings

This section introduces architectural features of Palo Alto Networks firewalls.



Palo Alto Networks Single-Pass Architecture
Single pass:
• Operations per packet:
  • Traffic classification with App-ID technology
  • User or group mapping
  • Content scanning: threats, URLs, confidential data
• One single policy (per type)
Parallel processing:
• Function-specific parallel processing hardware engines
• Separate data and control planes

Figure: the single-pass engine stack, top to bottom: Policy Engine; Content-ID (Data Filtering, URL
Filtering, Real-Time Threat Prevention, Application Protocol Decoding); App-ID (Application Protocol
Detection and Decryption, Application Signatures, Heuristics); User-ID (Captive Portal, Multi-Factor
Authentication); L2/L3 Networking, HA, Config Management, Reporting.


The strength of the Palo Alto Networks firewall is its single-pass parallel processing (SP3) engine. The single-
pass software performs operations once per packet. As a packet is processed, networking functions, policy
lookup, application identification and decoding, and signature matching for any and all threats and content are
all performed just once. The parallel processing hardware is designed with separate data and control planes.
The separation of the data and control planes means that heavy utilization of one plane will not negatively
impact the other plane.
The advantage of the SP3 engine is that traffic is scanned with a minimal amount of buffering as it
traverses the firewall. This speed enables you to configure advanced features, such as scanning for viruses and
malware, without slowing the firewall’s performance.



Palo Alto Networks Firewall Architecture

Control Plane | Management (CPU, RAM, SSD, MGT interface, Console): Provides configuration, logging, and
reporting functions on a separate processor, RAM, and hard drive.

Data Plane (report and enforce policy):
• Signature Matching (exploits | virus | spyware | CC# | SSN): Stream-based, uniform signature match
including vulnerability exploits (IPS), virus, spyware, CC#, and SSN.
• Security Processing (App-ID | User-ID | URL match | policy match | SSL/IPsec | decompression):
High-density parallel processing for flexible hardware acceleration for standardized complex functions.
• Network Processing (flow control | route lookup | MAC lookup | QoS | NAT): Front-end network processing,
hardware-accelerated per-packet route lookup, MAC lookup, and NAT.
• Data Interfaces
Components, processing types, and sizes per layer vary per firewall model.

Palo Alto Networks has processors dedicated to specific security functions that work in parallel. These
components can be implemented in hardware or software.
On the higher-end hardware models, the data plane contains three types of processors that are connected by
high-speed 1Gbps buses:
• Signature Match Processor: Scans traffic and detects:
  • vulnerability exploits (intrusion protection system)
  • viruses
  • spyware
  • credit card numbers
  • Social Security numbers
• Security Processors: Multicore processors that handle security tasks such as Secure Sockets Layer
decryption.
• Network Processor: Responsible for routing, network address translation, and network-layer
communication.
On the higher-end hardware models, the control plane has its own dual-core processor, RAM, and hard drive.
This processor is responsible for tasks such as management UI, logging, and route updates.



Zero Trust Architecture
• Never trust, always verify.
• Inspect perimeter traffic (north-south):
  • Inbound traffic
  • Outbound traffic
• Also inspect internal traffic (east-west).

Figure: three zones, Internet zone, User's zone, and Applications zone; inbound and outbound traffic between
the Internet zone and the internal zones is inspected (north-south), and internal traffic between the User's
zone and the Applications zone is inspected (east-west).


Conventional security models operate on the outdated assumption that everything inside an organization’s
network can be trusted. These models are designed to protect the perimeter. Meanwhile, threats that get inside
the network go unnoticed and are left free to compromise sensitive, valuable business data. In the digital
world, trust is nothing but a vulnerability.
The Zero Trust architecture model remedies the deficiencies of the perimeter-only architecture. Zero Trust is
based on the principle “never trust, always verify” rather than on the principle “trust but verify.” In Zero
Trust, each step a user makes through the infrastructure must be validated and authenticated across all
locations.
Even in complex network architectures, you can simplify traffic flows to inbound traffic from the internet,
outbound traffic to the internet, and internal traffic between nodes in your data center. You accomplish
inbound and outbound inspection by locating a firewall between your internal network segments and the
internet. You accomplish internal traffic inspection by locating a firewall between your internal subnets and
VLANs.
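The three flows and the default-deny stance just described, modelled as an added example (not course material or PAN-OS code): zones, a Flow carrying App-ID and User-ID results, and an explicit-allow rulebase evaluated top to bottom, with every unmatched flow denied whether it is north-south or east-west. The zone names follow the slide; the subnets, rule names and user names are constructed for the illustration.

```python
"""Zone-based inspection model for Zero Trust flows (added example, not PAN-OS code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology: the three zones on the slide. "Internet" is the
# catch-all; longest-prefix match keeps internal hosts in their own zones.
ZONES = {
    "Internet": [ip_network("0.0.0.0/0")],
    "Users": [ip_network("10.10.0.0/16")],
    "Applications": [ip_network("10.20.0.0/16")],
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    app: str                 # application as identified by App-ID, e.g. "ssl"
    user: str = "unknown"    # user as mapped by User-ID; "unknown" when unmapped


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: frozenset[str]
    users: Optional[frozenset[str]] = None  # None means any user
    inspect: bool = True     # security profiles (threat, URL, WildFire) attached


def zone_of(ip: str, zones: dict = ZONES) -> Optional[str]:
    """Map an address to a zone by the most specific containing network."""
    addr = ip_address(ip)
    best: Optional[tuple[str, int]] = None
    for zone, nets in zones.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0] if best else None


def direction(src_zone: str, dst_zone: str, internet: str = "Internet") -> str:
    """Classify a flow as north-south (inbound/outbound) or east-west."""
    if src_zone == internet and dst_zone != internet:
        return "inbound (north-south)"
    if dst_zone == internet and src_zone != internet:
        return "outbound (north-south)"
    if src_zone == internet and dst_zone == internet:
        return "internet-to-internet"
    return "internal (east-west)"


def evaluate(flow: Flow, rules: list[Rule]) -> dict:
    """First matching rule wins; with no match the flow is denied regardless of direction."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    verdict = {"from": src, "to": dst, "direction": direction(src, dst)}
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (src, dst):
            continue
        if flow.app not in rule.apps:
            continue
        if rule.users is not None and flow.user not in rule.users:
            continue
        verdict.update(rule=rule.name, action="allow", inspect=rule.inspect)
        return verdict
    # Zero Trust default: east-west traffic gets no implicit trust either.
    # (This model has no implicit intrazone allow; that is an assumption of the example.)
    verdict.update(rule="default-deny", action="deny", inspect=False)
    return verdict


# Constructed rulebase: explicit allows only, each tied to an App-ID application and,
# for user-originated traffic, to known User-ID users.
STAFF = frozenset({"alice", "bob"})
RULES = [
    Rule("inbound-web", "Internet", "Applications", frozenset({"ssl", "web-browsing"})),
    Rule("users-to-apps", "Users", "Applications", frozenset({"ssl"}), users=STAFF),
    Rule("users-outbound", "Users", "Internet", frozenset({"ssl", "web-browsing", "dns"}), users=STAFF),
]

if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", "10.20.1.10", "ssl"),             # inbound from the internet
        Flow("10.10.5.7", "10.20.1.10", "ssl", "alice"),      # internal, mapped user
        Flow("10.10.5.7", "10.20.1.10", "ssh", "alice"),      # internal, app not allowed
        Flow("10.10.5.7", "198.51.100.9", "web-browsing"),    # outbound, unmapped user
    ]
    for f in samples:
        v = evaluate(f, RULES)
        print(f"{f.src_ip:>14} -> {f.dst_ip:<14} {f.app:<13} {v['direction']:<24} {v['rule']:<14} {v['action']}")
```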



Palo Alto Networks Portfolio overview

Next-generation firewall architecture

Firewall offerings

This section introduces the physical and virtual firewall models available from Palo Alto Networks. For the
latest information about available Palo Alto Networks firewall models, see
https://www.paloaltonetworks.com/products/product-selection.html.



Flexible Architecture

Hardware: PA-Series, high performance physical appliances & chassis
Software: VM-Series / CN-Series, virtual software (VM & CN Series)
Cloud Service: Prisma Access, cloud delivered security


The foundation of the Strata Network Security Platform is the ML-Powered Next-Generation Firewall. Strata
is designed to protect not only the perimeter of your network (north-south traffic), regardless of where that
perimeter may be, but also traffic that moves internally (east-west) within your network. The Strata platform
currently offers 3 form factors of the firewall that can be used independently or combined for different use
cases to match your requirements by location, and you can manage all deployments centrally through Panorama
network security management.
The PA-Series is a physical appliance that provides a blend of power, intelligence, simplicity, and versatility.
The PA-Series protects enterprise and service provider deployments at headquarters, data centers, and branch
offices. The VM-Series and CN-Series are Virtual Next-Generation Firewalls that protect your hybrid cloud and
branch deployments by segmenting applications and preventing threats. Prisma™ Access is a secure access
service edge (SASE) offering that delivers security globally from the cloud.



PA-Series Next-Generation Firewalls
High-performance physical appliance solution.

Models, from largest to smallest: PA-7000 Series, PA-5400 Series, PA-5200 Series, PA-3200 Series, PA-800
Series, PA-400 Series (PA-410*), PA-220R, PA-220.
Deployment scale: Small Branches & Remote Locations | Network Perimeter | Large Data Centers

*PA-410 will be available in September 2021


The PA-Series firewall is a high-performance physical appliance solution. The PA-Series is available in
different sizes, from a desktop-size form factor for your small offices to large chassis form factors for your
data centers. The operating system is consistent across all hardware platforms, so the look and feel of the
web-based management interface is the same.
The PA-7000 Series provides power, intelligence, and versatility for enterprise and service provider
deployments. The PA-5400 Series firewall was released with PAN-OS® 10.1. The PA-5400 Series provides a
versatile platform built for Hyper-Scale Data Centers, Internet Edge deployments, and Campus segmentation
deployments. The PA-5200 Series provides no-compromise security and high performance for data centers and
service providers, and the PA-3200 Series provides broad threat coverage at the internet edge. The PA-800
Series provides security for branch offices and mid-sized businesses. The PA-400 Series firewall was also
released with PAN-OS® 10.1; it is optimized to meet your distributed enterprise branch requirements, while the
PA-220 provides visibility, control, and the power to prevent network threats in a small form factor. The
PA-220R provides network security in a ruggedized form factor for severe environments. The K2-Series firewall
is a 5G-ready firewall designed for service provider mobile network deployments with 5G and internet of things
(IoT) security requirements.
To compare the capabilities of the various firewall models, see
https://www.paloaltonetworks.com/products/product-selection.html.



Virtual Systems
• Separate, logical firewalls within a single physical firewall
• Creates an administrative boundary
• Use case: multiple customers or departments

Figure: one Physical Firewall hosting vsysA and vsysB; each vsys has its own Trust Zone, Untrust Zone, and
Data Interfaces.



A virtual system (vsys) is a separate, logical firewall instance within a single physical Palo Alto Networks
firewall. Managed service providers and enterprises can use a single pair of firewalls (for high availability)
and enable virtual systems on them, rather than use multiple firewalls. Each virtual system is an independent,
separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
A vsys consists of a set of physical and logical interfaces and subinterfaces, virtual routers, and security
zones. You choose the deployment modes, which can consist of any combination of virtual wire, Layer 2, and
Layer 3 interfaces on each virtual system. When you use virtual systems, you can segment any of the
following:
• administrative access
• management of all policies (Security, NAT, QoS, Policy‐Based Forwarding, Decryption, Application
Override, Authentication, and DoS Protection)
• all objects (such as address objects, application groups, filters, external dynamic lists, Security
Profiles, Decryption Profiles, and Custom objects)
• User‐ID
• certificate management
• Server Profiles
• logging, reporting, and visibility functions
Virtual systems are supported on the PA‐3x00, PA‐5x00, and PA‐7x00 Series firewalls. Each firewall series
supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is
required to support multiple virtual systems on the PA‐3x00 Series firewalls and to create more than the base
number of virtual systems supported on a platform.
For more information about Virtual Systems, see: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-
admin/virtual-systems.html.



VM-Series Models and Capacities

Example Performance and Capacities       | VM-700      | VM-500  | VM-300 | VM-100/VM-200 | VM-50/Lite
Firewall throughput (App-ID enabled)     | 16Gbps      | 8Gbps   | 4Gbps  | 2Gbps         | 200Mbps
Threat prevention throughput             | 8Gbps       | 4Gbps   | 2Gbps  | 1Gbps         | 100Mbps
New sessions per second                  | 120,000     | 60,000  | 30,000 | 15,000        | 3,000
Dedicated CPU cores                      | 2, 4, 8, 16 | 2, 4, 8 | 2, 4   | 2             | 2
Dedicated memory (minimum)               | 56GB        | 16GB    | 9GB    | 6.5GB         | 4.5GB/4GB
Dedicated disk drive capacity (minimum)  | 60GB        | 60GB    | 60GB   | 60GB          | 32GB


The VM-Series virtual firewalls provide all the capabilities of the Palo Alto Networks next-generation
hardware firewall in a virtual machine form factor, so you can secure the environments that are vital to your
organization. The VM-Series firewall can be deployed either on premises or in a public cloud. For public
cloud deployment, the VM-Series firewall can be deployed on Alibaba Cloud, Amazon Web Services,
Google Cloud Platform, Microsoft Azure, or Oracle Cloud to protect your cloud perimeter and your east-west
traffic. More and more organizations are quickly adopting multi-cloud architectures as a means of distributing
risk and taking advantage of the core competencies of different cloud vendors.
To ensure your applications and data are protected across public clouds and virtualized data centers, the VM-
Series has been designed to deliver up to 16 Gbps of App-ID-enabled firewall performance across five
models:
• VM-50/VM-50 Lite models are engineered to consume minimal resources and support CPU
oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for scenarios from
virtual branch office/customer-premises equipment to high-density, multi-tenant environments.
• VM-100 and VM-300 models are optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled performance,
respectively, for hybrid cloud, segmentation, and internet gateway use cases.
• VM-500 and VM-700 models can deliver 8 Gbps and 16 Gbps of App-ID-enabled firewall performance,
respectively, and can be deployed as Network Functions Virtualization (NFV) security components in fully
virtualized data center and service provider environments.
For more information about the VM-Series Firewall, see: https://www.paloaltonetworks.com/prisma/vm-
series.



CN-Series Firewall
• CN-Series provides visibility and security to containerized application workloads.
• Natively integrates into Kubernetes clusters.
• Delivers the same capabilities as the PA-Series and VM-Series firewalls.
• Provides Layer 7 visibility, application-level segmentation, DNS security, and advanced threat protection.
• Protects traffic across trusted zones in public cloud or data center environments.

Figure: a K8s Cluster of Nodes running Ordering and Payments workloads, with a CN NGFW inside the cluster and
a connection to the Internet.


The Container Native (CN-Series) firewalls deliver the same capabilities as the PA-Series and VM-Series
firewalls, but in a container form factor. You can deploy the same cloud-delivered security services on top of
the CN-Series firewalls, just as you would on other firewall form factors. The CN-Series firewall natively
integrates into Kubernetes to provide complete Layer 7 visibility, application-level segmentation, DNS
security, and advanced threat protection for traffic going across trusted zones in both public cloud and data
center environments.
The CN-Series firewall provides containerized traffic visibility. For instance, unlike a firewall deployed at
the edge, the CN-Series firewall identifies the specific pod that traffic originates from. This means that you
can write more granular security policies that are defined at the application level rather than at the cluster
level.
Management of the CN-Series firewall is done through Panorama using the Kubernetes plugin. The
Kubernetes plugin continuously pulls information from Kubernetes and feeds that information into
Panorama.
For more information about the CN-Series Firewall, see: https://www.paloaltonetworks.com/network-
security/cn-series.



K2-Series Next-Generation Firewall: 5G Network
• K2-Series can be deployed on all 5G network interfaces to achieve scalable, complete protection with
consistent management, and full application visibility.
• K2-Series offers two modes, Secure Mode and Express Mode.
• Secure mode comes with all the NGFW features enabled, including Threat Prevention with App-ID, IPS,
antivirus, anti-spyware, advanced malware analysis, and logging enabled.

Figure: Mobile and IoT Devices connect through the Radio Access Network; K2 NGFWs sit between the Radio
Access Network, the Next-Gen Core Network, and the Internet.


As part of the Next-Generation Firewall Platform, Palo Alto Networks has developed a 5G-ready platform
called the K2-Series to prevent successful cyberattacks targeting mobile network services. The K2-Series
firewalls are designed to handle growing throughput needs due to the increase of application-, user-, and
device-generated data. The K2-Series offers high performance and threat prevention capabilities to stop
advanced cyberattacks and secure mobile network infrastructure, subscribers, and services.
The Palo Alto Networks® family of 5G-ready next-generation firewalls is available in both physical and
virtual form factors. The PA-5220, PA-5250, PA-5260, and PA-7000 series firewalls and all VM-Series
firewalls are 5G-ready. The Palo Alto Networks 5G-ready, K2-series next-generation firewalls support service
providers in your fixed or wireless networks and in your emerging 5G, IoT, and multi-access edge computing
(MEC) ecosystems.
For more information about the K2-Firewall, see: https://www.paloaltonetworks.com/security-
for/network/5g-mobile-networks.html.



Prisma Access: Secure Access Service Edge (SASE)

Figure: Prisma Access connects Public Cloud, SaaS, Internet, and HQ/Data Center on one side with Home,
Branch, and Mobile on the other, through two layers:
• Security as a Service Layer: SSL Decryption, CASB, ZTNA, Cloud SWG, Sandboxing, DLP, DNS, FWaaS
• Network as a Service Layer: SD-WAN, IPSec VPN, Policy Based Forwarding, QoS, SSL VPN

Secure Access Service Edge (SASE) combines wide area networking and security services into a cloud-delivered
converged solution.

Existing network approaches and technologies no longer provide the levels of security and access control
needed by digital organizations. These organizations demand immediate, uninterrupted access for their users,
no matter where they are located. Because of an increase in remote users, SaaS applications, and more traffic
going to public cloud services, the need for a new approach for network security has increased.
Secure Access Service Edge (SASE) is the convergence of wide-area networking (WAN) and network
security services such as cloud access security brokers (CASB), firewall as a service (FWaaS), and Zero Trust
into a single, cloud-delivered service model. SASE capabilities are delivered as a service based on the identity
of the entity, real-time context, enterprise security compliance policies, and continuous assessment of risk and
trust throughout the sessions. Identities of entities can be associated with people, branch offices, devices,
applications, services, IoT systems, or edge computing locations.
For more information about Prisma Access, see: https://www.paloaltonetworks.com/prisma/access.



Module Summary
Now that you have completed this module, you should be able to:
• Describe the three Pillars of the Palo Alto Networks Portfolio
• Define the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo Alto Networks


Now that you have completed the module, you should be able to perform the tasks listed.



Questions


Review Questions
1. Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.)
a. control
b. application
c. data
d. parallel processing
2. Which object cannot be segmented using virtual systems on a firewall?
a. network security zone
b. data plane interface
c. administrative access
d. MGT interface
3. Which series of firewall is a high-performance physical appliance solution?
a. CN
b. PA
c. VM
4. Which Strata product provides centralized firewall management and logging?
a. WildFire
b. Panorama
c. GlobalProtect
d. Prisma Access
5. True or false? The CN-Series firewalls deliver the same capabilities as the PA-Series and VM-Series
firewalls.
a. true
b. false



Protecting our digital way of life.


Answers to Review Questions


1. a, c
2. d
3. b
4. b
5. a (true)

