UTM – the buzzword Palo Alto won't cop to

The PA-4020 is indeed a unified threat management firewall, even if Palo Alto Networks would like to pretend it isn't. Because it's a firewall with integrated VPN, intrusion prevention and detection, URL filtering, anti-virus/anti-spyware, and file blocking, the PA-4020 fits squarely into the definition of a UTM firewall.

The PA-4020 is indeed a unified threat management firewall, even if Palo Alto Networks would like to pretend it isn't. Because it's a firewall with integrated VPN, intrusion prevention and detection, URL filtering, antivirus/antispyware and file blocking, the PA-4020 fits squarely into the definition of a UTM firewall.

Of course, there are some important differences, largely because of the application visibility afforded by the PA-4020. For example, if you want to do antivirus scanning on many traditional UTM firewalls, you usually only have a limited selection of applications and ports. On the PA-4020, each access control rule in the firewall can have a set of UTM profiles attached, listing which applications are scanned for viruses, which for spyware, and which are eligible for file blocking. URL filtering configuration -- because it only applies to Web browsing -- and intrusion-detection/prevention system (IDS/IPS) rules are applied without specifying which application they use.

The additional flexibility in the PA-4020 UTM definitions can give better coverage than a typical UTM firewall. As we found in our UTM test late last year, out of 13 UTM firewalls, only one (SonicWall) was able to scan for viruses across all applications. The PA-4020 adds one more to that list: in our antivirus test, the PA-4020 was able to catch viruses it has signatures for across any Web session we set up, including encrypted ones — something even SonicWall can't do.

The magic caveat there is "has signatures for." We quickly discovered that the antivirus protection in the PA-4020 is not meant to be primary protection. We set the PA-4020 in parallel with our production antispam/antivirus gateway and watched the first 20 live viruses come into our network. The PA-4020 caught seven, a catch rate of only 35% compared with the Sophos AV scanner running on the e-mail gateway. Palo Alto confirmed that it doesn't intend the antivirus protection in the PA-4020 as primary protection.

We had better results in our UTM tests focusing on the IPS performance. Again repeating our UTM tests with client-centric and server-centric attacks, the PA-4020 caught an astonishingly high 89% of the client attacks, and 76% of the server attacks. These catch rates are higher than any of the UTM firewalls we tested last year. Although the PA-4020 IPS policy management is fairly weak, it's clear that the integrated IPS engine and signature database are fairly aggressive. Of course, an aggressive IPS engine has another potential problem: false positives and inappropriate traffic blocking. We found a number of false positives in reviewing results from using the PA-4020 on our production network. For example, the PA-4020 caused a service interruption by misidentifying normal traffic as a buffer overflow attack between our on-site and off-site DNS servers. We didn't, however, track any IPS false positives in client-to-server outbound traffic, again underscoring how tightly focused the PA-4020 is on protection of end users.

We didn't rigorously test the URL filtering part of the PA-4020 (provided by SurfControl), although we did catch some minor, and likely inconsequential, inconsistencies in the database. For example, some pages of a dating Web site were properly marked as "dating", while others on the same site were marked as "lingerie". We didn't find any problems with URL filtering that would keep the PA-4020 from being a primary protection in that area.

< Return to test: Palo Alto provides great visibility into network threats>

Learn more about this topic

 
Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies