Palo Alto provides great visibility into network threats

The PA-4020 is an innovative twist on traditional firewall

By , Network World
August 11, 2008 12:02 AM ET

Network World - Palo Alto Networks' PA-4020 is not just another firewall.

Yes, it has what you'd expect in a basic firewall: 24 ports, divided into 16 gigabit Ethernet ports and eight SFP ports. It has a rule base, some basic VPN capabilities, and a Web-based management interface. If the description ended there, Palo Alto would not likely make any headway into the enterprise firewall business, which is already carved up between Check Point, Cisco, and Juniper.

Palo Alto's secret sauce lies in the visibility it provides. Most firewalls do what they do, and provide little information (other than logs) about what they're seeing. The Palo Alto PA-4020 has a much greater focus on exposing the actual application-layer traffic, and then giving the network manager visibility into the traffic and threats in the network.

In this Clear Choice, we found the Palo Alto Networks PA-4020 to be an innovative turn on the traditional firewall (see Is Palo Alto's firewall a firewall or not?). By looking at application data streams, rather than TCP/IP port numbers, the PA-4020 is able to provide a finer-grained control over end-user Internet usage than has previously been available in any firewall. The PA-4020 also leverages this application knowledge to provide unprecedented (for a firewall, that is) levels of visibility into network traffic.

That said, we found the PA-4020 to still be a work in progress. Weaknesses in areas such as bandwidth management and virus scanning mean that it can't fully replace the combination of a firewall and Web security gateway — yet.

What's it all about

The Palo Alto PA-4020 (like all Palo Alto's firewalls) claims to do something that no other firewall can do: control based on application, rather than on port number. For traffic coming into an enterprise, that's not very interesting, because most network managers know for which applications they're opening holes in the firewall. However, when it comes to outbound traffic, network managers haven't had that vital visibility.

The alternatives, up to now, have been slim: either run with a "default outbound allow" policy and have no idea what people are really doing, or block all outgoing traffic and force users through proxies that can control and log what's happening.

Palo Alto changes the game by allowing you to write your firewall rules based on the applications you want to control. The familiar firewall rules page is changed in a subtle, but very important way: you get one more column called "application." To block outbound SMTP from everyone other than your mail server, rather than specify port 25 (which will catch some, but not all, SMTP), you could simply block the application SMTP. We tested the PA-4020 and it found SMTP on non-standard ports without a problem.
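As an added illustration (not the article's or Palo Alto's own code), the toy classifier below contrasts a port-based rule with an application-based rule for SMTP over a few constructed sample flows; the hosts, ports and the simplified greeting check are assumptions, not a description of how App-ID works.

```python
# Added illustration (not Palo Alto's App-ID code): why a rule written in terms
# of "the application SMTP" catches traffic that a "block port 25" rule misses.
# Flows below are constructed samples; hosts and ports are made up.
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    src: str
    dst_port: int
    client_first: bytes  # first bytes sent by the client
    server_first: bytes  # first bytes sent by the server


MAIL_SERVER = "10.0.0.25"  # constructed: the only host allowed to send mail


def looks_like_smtp(flow: Flow) -> bool:
    """Content-based check: SMTP servers greet with '220 ...' and the
    client answers with EHLO/HELO, whatever port the session uses."""
    greeting = flow.server_first.upper()
    opener = flow.client_first.upper()
    return greeting.startswith(b"220") and opener.startswith((b"EHLO ", b"HELO "))


def port_rule_blocks(flow: Flow) -> bool:
    """Traditional rule: deny TCP/25 unless the source is the mail server."""
    return flow.dst_port == 25 and flow.src != MAIL_SERVER


def app_rule_blocks(flow: Flow) -> bool:
    """Application rule: deny SMTP on any port unless the source is the mail server."""
    return looks_like_smtp(flow) and flow.src != MAIL_SERVER


SAMPLE_FLOWS = [
    Flow("mail-server-smtp", MAIL_SERVER, 25, b"EHLO mx.example\r\n", b"220 relay ESMTP\r\n"),
    Flow("workstation-smtp-25", "10.0.1.7", 25, b"EHLO pc7\r\n", b"220 smtp.example ESMTP\r\n"),
    Flow("workstation-smtp-2525", "10.0.1.7", 2525, b"helo pc7\r\n", b"220 bulk.example ESMTP\r\n"),
    Flow("workstation-http-on-25", "10.0.1.7", 25, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
]


def compare_rules(flows):
    """Return {flow name: (blocked by port rule, blocked by app rule)}."""
    return {f.name: (port_rule_blocks(f), app_rule_blocks(f)) for f in flows}


if __name__ == "__main__":
    for name, (by_port, by_app) in compare_rules(SAMPLE_FLOWS).items():
        print(f"{name:24} port-rule={by_port!s:5} app-rule={by_app}")
```

The SMTP session on port 2525 is the case the port rule misses and the application rule catches; the HTTP session on port 25 shows the opposite mismatch.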

The PA-4020 we tested had information about 638 applications loaded into it. Those applications ranged from obvious protocol-based ones (Session Initiation Protocol and FTP) to browser-based programs (Facebook, SharePoint and PokerStars) to client-server applications (World of Warcraft, VMware and SSH) to peer-to-peer code (BitTorrent and Gnutella). We tested a selection of applications on the PA-4020 and found that it works… most of the time, and for the things you probably care about.
