Palo Alto Networks Firewall Evaluation Guide

This paper is the guidance document for evaluating the advanced functions of the Palo Alto Networks PA-2000/4000 series next-generation firewalls. It is not a general guidance document, however: the guidance it provides must be adapted to each specific environment.

This article focuses on the following functions of the PA-4000 series:

Application Based Policy Execution

The core of the PA-2000/4000 series products is application-centred classification technology, App-ID. Unlike traditional protocol- and port-based security solutions, App-ID is the first technology in the industry to analyse the actual session data and identify applications using four traffic classification techniques. It does so even when an application uses random ports, tunnels inside another application, imitates another application, or uses SSL encryption. By seeing the real identity of an application, users can enforce policy-based control of application usage for traffic entering and leaving the network.

Because it is application-centred, App-ID can not only identify and control traditional applications such as HTTP, FTP and SNMP, but also accurately identify specific instant-messaging programs (AIM, Yahoo! IM, Meebo, etc.), e-mail services (Yahoo! Mail, Gmail, Hotmail, etc.), P2P clients (BitTorrent, eMule, Neonet, etc.) and other applications commonly used on enterprise networks. Once an application has been identified and decoded by App-ID, its traffic can be controlled far more strictly by security policy.
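
The following added example (not code from the guide or from Palo Alto Networks) illustrates the distinction the section draws between port-based and application-based policy. A port-only classifier labels every session on 443 as "ssl"; a payload-based identifier, a toy stand-in for App-ID's decoders, looks at the first bytes of the session instead, so a BitTorrent handshake on 443 or a web request on 8080 is matched by the rule written for that application. The signatures, rulebase and sample sessions are all constructed for this example; they are not App-ID's real decoders or any PAN-OS API.

```python
"""Toy application identification versus port-based classification.
Everything here (signatures, rules, sessions) is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client's first data segment (constructed)


# Port-only view: what a traditional port/protocol firewall "sees".
PORT_TO_SERVICE = {80: "http", 443: "ssl", 22: "ssh", 25: "smtp"}


def classify_by_port(s: Session) -> str:
    return PORT_TO_SERVICE.get(s.dport, "unknown")


# Payload-based identification (a toy stand-in for App-ID's decoders).
def identify_application(s: Session) -> str:
    p = s.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "ssl"  # TLS handshake record (ClientHello)
    if p.startswith(b"SSH-"):
        return "ssh"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT "):
        if p.startswith(method):
            return "web-browsing"
    return "unknown-tcp"


# Application-based rulebase, evaluated top-down; first match wins.
RULES = [
    {"name": "block-p2p", "application": {"bittorrent"}, "action": "deny"},
    {"name": "allow-web", "application": {"web-browsing", "ssl"}, "action": "allow"},
    {"name": "allow-ssh", "application": {"ssh"}, "action": "allow"},
]
DEFAULT_ACTION = "deny"  # anything not explicitly allowed is dropped


def evaluate(s: Session) -> dict:
    """Return the identified application, the port-only view, and the matching rule."""
    app = identify_application(s)
    for rule in RULES:
        if app in rule["application"]:
            return {"app": app, "port_view": classify_by_port(s),
                    "rule": rule["name"], "action": rule["action"]}
    return {"app": app, "port_view": classify_by_port(s),
            "rule": "default", "action": DEFAULT_ACTION}


# Constructed sample sessions: TLS on 443, BitTorrent on 443, HTTP on 8080, SSH on 80.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "93.184.216.34", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Session("10.0.0.7", "203.0.113.9", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Session("10.0.0.9", "198.51.100.4", 8080, b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
    Session("10.0.0.9", "198.51.100.4", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def summarize(sessions=SAMPLE_SESSIONS) -> list:
    return [evaluate(s) for s in sessions]


if __name__ == "__main__":
    for result in summarize():
        print(result)
```

Running the block shows the second session denied by block-p2p although the port view calls it "ssl", and the third allowed as web-browsing although port 8080 is unknown to the port table; a port-based rulebase would have decided both cases the other way.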

SSL Decryption

The PA-2000/4000 series is the first firewall to offer policy-based identification, control and inspection of SSL traffic. When SSL traffic passes through a PA-2000/4000 series device, App-ID invokes the SSL proxy to identify, decrypt and control the application traffic inside the SSL tunnel.

Threat Prevention

The threat prevention service protects the enterprise network from viruses, worms, spyware and other malicious traffic carried by applications and traffic sources. Once App-ID has determined the application, FlashMatch™ real-time threat prevention scans the traffic for the various threat types. The traffic needs to be scanned only once by FlashMatch, rather than once per threat type as in traditional multi-engine scanning schemes. This raises the traffic scanning speed of the PA-2000/4000 series to 5 Gbps.

URL Filtering

Filtering outgoing connections prevents access to inappropriate websites. The platform supports an integrated URL database of 20 million URLs in 54 categories for comprehensive web-browsing control.

User Identification and Control

Thanks to its integration with Microsoft Active Directory, the PA-4000 series can recognise and display the actual user name in addition to the IP address or host name. A user active on the network may use several IP addresses, or many people may share one IP address because of DHCP (Dynamic Host Configuration Protocol) or shared computers. User data is stored in the Application Command Center (ACC), the logs and the other reporting tools to give administrators a complete picture of network activity.

The PA-2000/4000 series uses a high-speed network processor, multi-core security processors and a dedicated threat prevention processor to handle multi-Gbps traffic. To guarantee management access under any traffic load, the design separates the control plane from the data plane and processes each separately, a first in the firewall market.

Easy to Manage

Firewalls can be managed through the intuitive web interface or the command line interface (CLI), or all devices can be managed centrally through the Panorama management system, whose web interface closely resembles that of the individual devices.

Various reporting, logging and notification mechanisms give users a detailed understanding of application traffic and security events on the network. The Application Command Center in the web interface shows which applications account for most of the traffic and which carry the highest security risk.

Test Network Configuration

The flexibility of the PA-2000/4000 series gives it several network configuration options for system evaluation.

To observe the system's traffic monitoring function on a real network, the PA-2000/4000 series can be deployed transparently by defining a monitoring port outside the Internet gateway and connecting the device to that port, as shown in Figure 1. In this configuration the PA-2000/4000 series lets users exercise the application identification, user identification and log/report functions while identifying the applications actually in use on the network.

With this configuration, the Application Command Center (ACC) begins to populate with application information, including sessions, bytes and threats, within 15 minutes. Once the ACC is receiving data, users quickly see the most frequently used applications on the network, grouped by application category and application risk into the most used applications and the highest-risk applications. By default, the ACC displays the ten applications most used in the last hour; the usage metric and the time period can both be adjusted.

Clicking an application in the ACC shows further details: the application's characteristics, its main source and destination IP addresses, source and destination distribution, the security rules that matched it, and the threats detected.
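
The following added example (not code from the guide or from Palo Alto Networks) shows the two ideas from the User Identification and ACC sections working together: sessions from a log are first attributed to users through time-bounded IP-to-user mappings, the way User-ID learns them from Active Directory logon events, and are then aggregated per application over a sliding window into the sessions, bytes, threats and risk ranking the ACC displays. The log layout, the risk ratings and the user mappings are all constructed for this example; real PAN-OS traffic logs carry many more fields, and the address 10.0.0.7 is deliberately reused by two users across a DHCP lease change.

```python
"""ACC-style top-applications summary with User-ID-style attribution.
Log format, risk table and mappings are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-user mappings with validity windows (ip, user, from, to).
# 10.0.0.7 is a DHCP address held by bob in the morning and carol after lunch.
USER_MAPPINGS = [
    ("10.0.0.5", "alice", "2024-05-01 08:00:00", "2024-05-01 18:00:00"),
    ("10.0.0.7", "bob",   "2024-05-01 08:00:00", "2024-05-01 12:00:00"),
    ("10.0.0.7", "carol", "2024-05-01 12:30:00", "2024-05-01 18:00:00"),
]

# Constructed application risk ratings (1 = lowest, 5 = highest).
APP_RISK = {"web-browsing": 4, "ssl": 4, "bittorrent": 5, "gmail": 4, "ssh": 4, "dns": 3}

# Constructed traffic log: time,src,dst,app,bytes,threats
TRAFFIC_LOG = """\
2024-05-01 11:05:00,10.0.0.7,203.0.113.9,bittorrent,5200000,0
2024-05-01 11:20:00,10.0.0.5,93.184.216.34,ssl,120000,0
2024-05-01 13:10:00,10.0.0.7,142.250.80.5,gmail,340000,0
2024-05-01 13:15:00,10.0.0.5,93.184.216.34,web-browsing,88000,1
2024-05-01 13:30:00,10.0.0.7,203.0.113.9,bittorrent,7100000,0
2024-05-01 13:40:00,10.0.0.5,198.51.100.4,dns,900,0
2024-05-01 13:45:00,10.0.0.9,198.51.100.4,ssh,45000,0
"""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def resolve_user(ip: str, when: datetime) -> str:
    """Return the user mapped to ip at time `when`; fall back to the address."""
    for m_ip, user, start, end in USER_MAPPINGS:
        if m_ip == ip and parse_time(start) <= when <= parse_time(end):
            return user
    return ip


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, app, nbytes, threats = line.split(",")
        when = parse_time(t)
        records.append({"time": when, "src": src, "dst": dst, "app": app,
                        "bytes": int(nbytes), "threats": int(threats),
                        "user": resolve_user(src, when)})
    return records


def top_applications(records, now, window=timedelta(hours=1), limit=10) -> list:
    """Per-application sessions, bytes, threats and users inside [now-window, now],
    sorted by bytes (the ACC's default is the top ten over the last hour)."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0, "users": set()})
    for r in records:
        if now - window <= r["time"] <= now:
            a = agg[r["app"]]
            a["sessions"] += 1
            a["bytes"] += r["bytes"]
            a["threats"] += r["threats"]
            a["users"].add(r["user"])
    rows = [{"app": app, "risk": APP_RISK.get(app, 1), "sessions": d["sessions"],
             "bytes": d["bytes"], "threats": d["threats"], "users": sorted(d["users"])}
            for app, d in agg.items()]
    rows.sort(key=lambda x: x["bytes"], reverse=True)
    return rows[:limit]


def highest_risk(records, now, window=timedelta(hours=1)) -> list:
    """Same aggregation, ranked by risk rating first and bytes second."""
    rows = top_applications(records, now, window, limit=None)
    return sorted(rows, key=lambda x: (x["risk"], x["bytes"]), reverse=True)


if __name__ == "__main__":
    recs = parse_log(TRAFFIC_LOG)
    at = datetime(2024, 5, 1, 14, 0, 0)
    for row in top_applications(recs, at):
        print(row)
    print("highest risk:", highest_risk(recs, at)[0]["app"])
```

With the window ending at 14:00, the 11:05 BitTorrent session is attributed to bob but falls outside the hour, while the 13:30 session on the same address is correctly attributed to carol; the report therefore names carol, not the address, as the user behind the highest-risk application.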
