Palo Alto earns short list status

App-aware firewall proves especially useful for controlling outbound traffic

Page 2 of 3

To get deeper, the PA-5060 has a pastiche of additional tools. The most useful include log analyzers and periodic reporting tools. Jumping between the Application Control Center and the detailed log analysis tools is easy, because once you've narrowed down what you want to look at in the Application Control Center, the filter is automatically passed over into the log analyzer.

The log analyzers are one place where it's easy to get carried away. For example, once you've spent a while building a great filter to identify a particular subset of traffic, it would be nice to be able to dump that filter into a reporting tool and get a summary report. Unfortunately, you can't — although we found it hard to hold this against the PA-5060, because it already was telling us more information about our network, faster, and in more detail, than most of the other visibility tools we had.

Not everything is perfectly thought-out. A series of flashy tools collected under the generic title "App Scope" are just silly, ranging from the poorly designed Summary page, which mixes graph types and time frames into a confusing jumble of misdirection, to the "why is this useful" traffic map, which draws different sized and colored dots on a map in an attempt to show where your traffic is going, at the country level.

Still, the visibility tools are so good that it's difficult to find serious fault with the PA-5060. We certainly had a higher level of visibility than any other firewall has given us. We don't think that you'd want to buy the PA-5060 as a visibility tool all on its own, and Palo Alto Networks isn't selling it that way. But having such sophisticated and powerful ways to look into the network traffic crossing your firewall could easily sway the decision to buy the PA-5060 instead of a traditional firewall, even if you didn't think you wanted next generation firewall functionality.

Basic firewall features are solid

Before a firewall can be a next-generation firewall, it has to cover the basics of a plain-old firewall. In our 2007 tests of UTM firewalls, we identified characteristics that any firewall must have to be considered a proper enterprise product, including firewall, VPN, and NAT functionality, advanced networking support (such as link aggregation and virtual LANs), high availability and high performance, global management, and extended IP functionality (routing, QoS and IPv6).

We started by testing basic firewall functionality: writing rules to allow and block traffic, implement source and destination NAT policies, and build site-to-site VPNs. Network managers familiar with enterprise products from Check Point, Cisco and Juniper will find the Palo Alto firewall user interface both intuitive and familiar.

The main configuration interface is a Web-based GUI, although a command-line interface (CLI) is also available. Network managers who prefer the easy simplicity of Cisco IOS or Juniper's ScreenOS CLI will discover that the Palo Alto's CLI is more like editing raw XML, and not nearly as simple or straightforward to learn or use.

The productivity-killing part of the Web-based GUI is the commit model. After making changes in the user interface, you have to "commit" the changes to the firewall. There's nothing wrong with that, except that a commit takes about 25 seconds. When you're making occasional changes, the commit delay is a mild annoyance. When you're debugging and making rapid small changes, slow commits become a significant speed bump. Don't think that using the CLI will save you -- the same commit delay applies.

We took our lab's existing main production Juniper ScreenOS firewall policy, with 182 rules in it, and tried to convert it to fit into the Palo Alto firewall. The job was easier than we had imagined, because Palo Alto has fixed one of our long-standing design complaints about the Juniper firewall: the inability to put more than one security zone in a single firewall rule. The PA-5060 supports rules with more than one security zone, which let us shrink our policy down by a third. Smaller policies simplify firewall management, and reduce the risk that human error will introduce a security hole. The Palo Alto Networks' firewall won points for both transparency and simplicity.
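To make the policy-shrinking effect concrete, here is an added example (not Palo Alto Networks code, and not PAN-OS configuration syntax) that folds adjacent single-zone rules into multi-zone rules and checks that the smaller policy still gives every sample flow the same first-match verdict. The Rule fields, zone names, address-object names and applications are constructed for the illustration.

```python
"""Consolidating single-zone firewall rules into multi-zone rules.

Added example, not Palo Alto Networks code: the Rule fields and the zone,
address-object and application names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: Tuple[str, ...]
    to_zones: Tuple[str, ...]
    source: str        # address-object name or "any"
    destination: str   # address-object name or "any"
    application: str   # application name or "any"
    action: str        # "allow" or "deny"

    def intent(self) -> Tuple[str, str, str, str]:
        """Everything that defines the rule except its name and zone sets."""
        return (self.source, self.destination, self.application, self.action)


def mergeable(a: Rule, b: Rule) -> bool:
    """Two rules fold into one if they share intent and differ only in their
    from-zones or only in their to-zones (so one side can be unioned)."""
    return a.intent() == b.intent() and (
        a.from_zones == b.from_zones or a.to_zones == b.to_zones
    )


def consolidate(rules: List[Rule]) -> List[Rule]:
    """Merge runs of adjacent mergeable rules.

    Only adjacent rules are merged: no other rule can sit between them, so the
    merged rule matches at the same position and first-match semantics are
    unchanged. Merging non-adjacent rules would need a shadowing analysis."""
    merged: List[Rule] = []
    for rule in rules:
        if merged and mergeable(merged[-1], rule):
            prev = merged[-1]
            merged[-1] = Rule(
                name=prev.name + "+" + rule.name,
                from_zones=tuple(sorted(set(prev.from_zones) | set(rule.from_zones))),
                to_zones=tuple(sorted(set(prev.to_zones) | set(rule.to_zones))),
                source=prev.source,
                destination=prev.destination,
                application=prev.application,
                action=prev.action,
            )
        else:
            merged.append(rule)
    return merged


def matches(rule: Rule, flow: Dict[str, str]) -> bool:
    """Flow keys: from_zone, to_zone, source, destination, application.
    Address objects are matched by name here (no CIDR evaluation)."""
    checks = [
        flow["from_zone"] in rule.from_zones or "any" in rule.from_zones,
        flow["to_zone"] in rule.to_zones or "any" in rule.to_zones,
        rule.source in ("any", flow["source"]),
        rule.destination in ("any", flow["destination"]),
        rule.application in ("any", flow["application"]),
    ]
    return all(checks)


def first_match(rules: List[Rule], flow: Dict[str, str]) -> str:
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"  # implicit default deny


def equivalent(before: List[Rule], after: List[Rule], flows: List[Dict[str, str]]) -> bool:
    return all(first_match(before, f) == first_match(after, f) for f in flows)


def reduction(before: List[Rule], after: List[Rule]) -> float:
    """Fraction of rules removed by consolidation."""
    return 1 - len(after) / len(before)


# Constructed nine-rule policy written the single-zone way.
POLICY = [
    Rule("r1", ("trust",), ("untrust",), "any", "any", "web-browsing", "allow"),
    Rule("r2", ("dmz",), ("untrust",), "any", "any", "web-browsing", "allow"),
    Rule("r3", ("trust",), ("untrust",), "any", "any", "ssl", "allow"),
    Rule("r4", ("dmz",), ("untrust",), "any", "any", "ssl", "allow"),
    Rule("r5", ("untrust",), ("dmz",), "any", "web-dmz", "web-browsing", "allow"),
    Rule("r6", ("untrust",), ("dmz",), "any", "web-dmz", "ssl", "allow"),
    Rule("r7", ("mgmt",), ("trust",), "mgmt-hosts", "any", "ssh", "allow"),
    Rule("r8", ("mgmt",), ("dmz",), "mgmt-hosts", "any", "ssh", "allow"),
    Rule("r9", ("any",), ("any",), "any", "any", "any", "deny"),
]

# Constructed flows used to confirm the consolidated policy behaves the same.
FLOWS = [
    {"from_zone": "trust", "to_zone": "untrust", "source": "client-a", "destination": "any", "application": "web-browsing"},
    {"from_zone": "dmz", "to_zone": "untrust", "source": "web-dmz", "destination": "any", "application": "ssl"},
    {"from_zone": "untrust", "to_zone": "dmz", "source": "internet", "destination": "web-dmz", "application": "ssl"},
    {"from_zone": "untrust", "to_zone": "dmz", "source": "internet", "destination": "web-dmz", "application": "ssh"},
    {"from_zone": "mgmt", "to_zone": "dmz", "source": "mgmt-hosts", "destination": "web-dmz", "application": "ssh"},
    {"from_zone": "guest", "to_zone": "untrust", "source": "visitor", "destination": "any", "application": "web-browsing"},
]

if __name__ == "__main__":
    small = consolidate(POLICY)
    print(f"{len(POLICY)} rules -> {len(small)} rules ({reduction(POLICY, small):.0%} smaller)")
    print("same verdicts:", equivalent(POLICY, small, FLOWS))
```

The equivalence check is the part worth keeping when you do this for real: a smaller policy only reduces the chance of human error if the conversion itself introduced none.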

We were also able to move our NAT configuration, with both source and destination NAT rules, easily. We had less success, though, in trying to move our site-to-site VPN configuration. The Palo Alto firewall has an extensive site-to-site IPsec VPN capability, and we were successfully able to build tunnels and pass traffic with Cisco, Juniper and SonicWall firewalls.

We think that network managers with large VPN deployments will not want to move to Palo Alto quite yet. Panorama doesn't build or manage VPNs across firewalls, meaning that any large deployment would have to be built entirely by hand. At the same time, Palo Alto firewalls only support route-based VPNs, meaning that traffic is pushed into tunnels by routing tables rather than the Security Policy Database called for by the IPsec standards. That meant we had to do some re-engineering of policy and our NAT configuration to fully re-build our five-site VPN. For small VPNs, or even large VPNs that don't change very often, Palo Alto firewalls will work just fine. But the product isn't yet at the same level of power and flexibility that other enterprise firewalls support.

The PA-5060 firewall passed all our other enterprise firewall functionality tests with no problems and a minimum of unexpected behavior. We were successfully able to configure and use dynamic routing, QoS features, and networking features, such as link aggregation and VLAN tagging. You shouldn't buy the PA-5060 firewall to use primarily as a WAN router or a bandwidth management device, but that's no different a conclusion than we'd make about any of the enterprise firewalls on the market today. The PA-5060 supports both active/passive and active/active high availability, but we did not test this feature.

We were also impressed that the PA-5060 came out-of-the-box with a full set of IPv6 capabilities, including firewall rules, application identification and control, static routing, and management and monitoring tools. The only missing piece is dynamic routing. Our testing did exercise some IPv6 bugs, though, as we managed to lock up the IPv6 side of the firewall, requiring a system reboot.

Panorama makes it easy to transition from single firewall to multiple firewall management. Security policies and policy objects can be built in Panorama and pushed to multiple firewalls, which covers the biggest use case for centralized management.

The Panorama management model will be attractive to network managers who want to share management between a central authority and individual network managers, such as in branch offices. Panorama doesn't take over the entire firewall; instead, the Panorama-created security policy is merged with individual policies on each firewall.

Even if you don't use Panorama for configuration of firewalls, it still brings a benefit by collecting and reporting on log information for multiple firewalls at the same time.

As an enterprise firewall, the PA-5060 can certainly be a credible competitor to products from Check Point, Cisco, Juniper and SonicWall. While we found some weaknesses, network managers should definitely consider Palo Alto firewalls for enterprise deployments.

UTM features are broad, granular

Next-generation firewall vendors don't like the term "UTM" (Unified Threat Management) very much because UTM products have been unfairly painted as only appropriate for small businesses. However, next-generation firewalls need threat mitigation features just as much as UTM firewalls do. While the buzzword police fight out the differences and split hairs, we tested the PA-5060's UTM features, including intrusion prevention (IPS), anti-malware and URL filtering.

The PA-5060 lumps threat management and mitigation into a set of seven policies collected together as Security Profiles. The seven policies include the traditional anti-malware (split into anti-virus and anti-spyware policies), vulnerability protection (Intrusion Prevention policy), and URL filtering, as well as the slightly-more-unusual file blocking (which lets you block certain file types from upload or download or both), data filtering (data leak protection), and DoS protections.

For every rule that lets traffic through the firewall, you can apply a separate Security Profile. This would let you apply, for example, one set of DoS protections to seldom-used Web servers and a different set to heavily-used ones. Or, you could apply different IPS signatures for incoming traffic than for outgoing. Since PA-5060 rules can also include user identification, you could even have different sets of URL filtering rules depending on whether the user is identified or not. We tried all of these things and were able to successfully show a high level of granularity when applying UTM protections on traffic flowing through the PA-5060.

Overall, the configuration of UTM features is easy and flexible. Unlike some firewalls where the UTM features are system-wide or apply to all traffic, we found the ability to tie different threat protection profiles to different sets of traffic both intuitive and useful. The PA-5060 has adopted an easy-to-use model with the right amount of flexibility.

When we looked in detail at some of the UTM features, we found that the anti-malware was good, but not great. We tested using a set of fresh viruses that had been caught by our enterprise anti-malware scanner over the 24 hours prior to our test; the PA-5060 caught 75% of them. The PA-5060 does not use a third-party anti-malware engine; Palo Alto has its own engine that combines multiple threat protections (IPS and anti-malware) into a single über-engine. This suggests that the PA-5060 is good as a secondary anti-malware protection device, but does not obviate the need for other gateway and desktop anti-malware.

With URL filtering, we also had typical results for all engines: our testing showed a few false positives and a few false negatives, along with the usual mis-categorizations.

We configured, but did not rigorously test, file blocking, data filtering and DoS protection capabilities. File blocking lets you identify certain file types that can then be blocked for either upload or download or both. We found that the file blocking was easily fooled. For example, putting a file into a zip archive effectively hid the file type, as did changing the first few bytes of the file (by adding blank lines) and, in one case, changing the filename — which we didn't expect to work. Data filtering, a type of data leak protection, successfully let us search for strings and wildcards in various applications flying by, but really isn't powerful enough to qualify as a data leak protection solution.
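The three ways the file blocking was fooled all come down to what the identifier looks at. The added example below (not Palo Alto Networks code and not the PA-5060's actual file-blocking logic) contrasts an extension check and an offset-0 magic-number check with a check that skips leading blank lines and looks inside zip members, so a policy built on it blocks by content rather than by name. The sample files are constructed byte strings; the "executable" is only an MZ header plus filler.

```python
"""File-type identification for a file-blocking policy.

Added example, not Palo Alto Networks code. Sample files are constructed
byte strings, not real executables or documents.
"""
import io
import zipfile
from typing import Dict, Set, Tuple

# Well-known leading byte signatures ("magic numbers").
MAGICS = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

EXTENSIONS = {".exe": "pe-executable", ".pdf": "pdf", ".zip": "zip", ".txt": "text"}


def identify_by_extension(filename: str) -> str:
    """Weakest check: trusts whatever the sender named the file."""
    dot = filename.rfind(".")
    return EXTENSIONS.get(filename[dot:].lower(), "unknown") if dot >= 0 else "unknown"


def identify_by_magic(data: bytes) -> str:
    """Offset-0 magic check: survives renaming, fails on prepended bytes."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def leaf_types(data: bytes, max_depth: int = 3) -> Set[str]:
    """Types of the file and, for zip archives, of every file inside it.

    Leading whitespace is skipped so prepended blank lines do not hide the
    signature. Nesting is capped: an archive deeper than max_depth is reported
    as un-inspected rather than silently passed."""
    stripped = data.lstrip(b" \t\r\n")
    kind = identify_by_magic(stripped)
    if kind != "zip":
        return {kind}
    if max_depth == 0:
        return {"zip-too-deep"}
    found: Set[str] = set()
    try:
        with zipfile.ZipFile(io.BytesIO(stripped)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                found |= leaf_types(zf.read(info), max_depth - 1)
    except zipfile.BadZipFile:
        return {"corrupt-zip"}
    return found or {"zip"}  # empty archive


def should_block(filename: str, data: bytes, blocked: Set[str]) -> Tuple[bool, Set[str]]:
    """Decide on content, not on name; return the types that tripped the policy."""
    hits = leaf_types(data) & blocked
    return bool(hits), hits


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed "executable": an MZ header and filler, nothing runnable.
FAKE_PE = b"MZ" + b"\x90" * 30 + b"constructed sample, not a real executable"

SAMPLES = {
    "tool.exe": FAKE_PE,
    "notes.txt": FAKE_PE,                       # renamed
    "padded.exe": b"\n\n\n" + FAKE_PE,          # blank lines prepended
    "report.zip": make_zip({"report.txt": FAKE_PE}),
    "nested.zip": make_zip({"inner.zip": make_zip({"a.exe": FAKE_PE})}),
    "paper.pdf": b"%PDF-1.7\nconstructed document body",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} ext={identify_by_extension(name):14} "
              f"magic={identify_by_magic(data):14} leaf={sorted(leaf_types(data))}")
```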

To test intrusion prevention, we fed the PA-5060 a live Internet feed of approximately 40Mbps for several weeks and watched what it told us. As with most IPS-in-a-firewall products, the PA-5060 doesn't match the flexibility and power of dedicated IPS products.

However, the policy management system is exceptionally good for this class of device, and most network managers will find it easy to configure policies and examine events. Policies select threats from Palo Alto's own library of about 1,900 threats, and are applied to firewall traffic rules. This integration of IPS and firewall rules is an important one, because it lets you select very different IPS policies on a granular basis for different types of traffic based on zone, IP address, port number and the all-important application identification.

When defining policies, Palo Alto encourages you to use the "simple" settings, which offer a list of severities (critical, high, medium, low, and informational) and an option for each severity, essentially "block" or "allow." You can also take Palo Alto's advice and select "default," which will pick whatever mysterious default Palo Alto shipped with the IPS signatures.

However, you do have the option to select "custom" settings, which lets the network manager pick a specific action for each signature. In this mode, more options are available, including simply dropping packets, resetting connections and even blocking IPs (a common request after detected brute force attacks).

Each policy, whether "simple" or "custom," also has a list of exceptions -- threats that should be ignored. One critical and valuable feature of the PA-5060 GUI is the ability to go directly from a log entry to the exception list with just a few clicks, and without losing your place. This lets you handle false positives quickly and get back to the difficult work of interpreting IPS events.
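The preceding paragraphs describe a layered decision: per-rule profile attachment, a "simple" per-severity setting, a "custom" per-signature override, and an exception list that wins over everything. The added example below (not Palo Alto Networks code) models that precedence and the log-entry-to-exception workflow so the resolution order can be checked against sample events. The signature IDs, profile names, rule names and action vocabulary are constructed for the illustration and are not Palo Alto's real identifiers or settings.

```python
"""Resolving the IPS action for an event under simple/custom settings,
per-signature exceptions, and per-rule profile attachment.

Added example, not Palo Alto Networks code. Signature IDs, names, profiles
and the action words are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SEVERITIES = ("critical", "high", "medium", "low", "informational")


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str
    default_action: str  # the action the vendor shipped with the signature


@dataclass
class VulnProfile:
    name: str
    # "simple" mode: per severity, "block", "allow" or "default" (vendor's choice)
    simple: Dict[str, str]
    # "custom" mode: per-signature overrides such as "drop", "reset-both", "block-ip", "alert"
    custom: Dict[int, str] = field(default_factory=dict)
    # exceptions: signatures this profile ignores (handled false positives)
    exceptions: Set[int] = field(default_factory=set)


def resolve_action(profile: VulnProfile, sig: Signature) -> str:
    """Precedence: exception, then custom override, then simple severity setting."""
    if sig.severity not in SEVERITIES:
        raise ValueError(f"unknown severity {sig.severity!r}")
    if sig.sig_id in profile.exceptions:
        return "ignore"
    if sig.sig_id in profile.custom:
        return profile.custom[sig.sig_id]
    setting = profile.simple.get(sig.severity, "default")
    if setting == "default":
        return sig.default_action
    return "drop" if setting == "block" else "allow"


# Constructed signature library (IDs and defaults are illustrative).
SIGNATURES: Dict[int, Signature] = {
    1001: Signature(1001, "sql-injection-attempt", "critical", "reset-both"),
    1002: Signature(1002, "login-brute-force", "high", "alert"),
    1003: Signature(1003, "legacy-scanner-noise", "low", "alert"),
    1004: Signature(1004, "protocol-anomaly-info", "informational", "allow"),
}

PROFILES: Dict[str, VulnProfile] = {
    "inbound-strict": VulnProfile(
        name="inbound-strict",
        simple={"critical": "block", "high": "block", "medium": "default",
                "low": "allow", "informational": "allow"},
        custom={1002: "block-ip"},   # brute force: block the source, not just the session
        exceptions={1003},           # known false positive on this segment
    ),
    "outbound-relaxed": VulnProfile(
        name="outbound-relaxed",
        simple={sev: "default" for sev in SEVERITIES},
    ),
}

# Which firewall rule carries which profile; rules absent here are not inspected.
RULE_PROFILES: Dict[str, str] = {
    "inbound-web": "inbound-strict",
    "outbound-users": "outbound-relaxed",
}


def evaluate(events: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Map (matched rule, signature id) events to (rule, signature id, action)."""
    out = []
    for rule, sig_id in events:
        profile_name = RULE_PROFILES.get(rule)
        if profile_name is None:
            out.append((rule, sig_id, "not-inspected"))
            continue
        out.append((rule, sig_id, resolve_action(PROFILES[profile_name], SIGNATURES[sig_id])))
    return out


def add_exception_from_event(event: Tuple[str, int]) -> VulnProfile:
    """The log-entry-to-exception workflow: add the event's signature to the
    exception list of the profile attached to the rule that matched."""
    rule, sig_id = event
    profile = PROFILES[RULE_PROFILES[rule]]
    profile.exceptions.add(sig_id)
    return profile


# Constructed sample events: (rule that matched, signature id).
SAMPLE_EVENTS = [
    ("inbound-web", 1001), ("inbound-web", 1002), ("inbound-web", 1003),
    ("outbound-users", 1001), ("outbound-users", 1003), ("intrazone-lab", 1001),
]

if __name__ == "__main__":
    for rule, sig_id, action in evaluate(SAMPLE_EVENTS):
        print(f"{rule:15} {SIGNATURES[sig_id].name:24} -> {action}")
```

Keeping the exception list per profile rather than global is what makes the quick-exception workflow safe: a false positive on one segment is suppressed only where the profile that produced it is attached.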

Analyzing events from the PA-5060 IPS is easy, and the GUI has some nice reporting tools built-in to simplify the task of managing IPS events. For example, we defined an IPS report to show us the top events for our critical systems. Once we ran the report, we were very pleased to see that all of the elements were "hot links" that let us drill down into the actual IPS event logs very quickly. These reporting and analysis tools are scattered around the management system, intermixed with other tools for other parts of the firewall (such as traffic logs or anti-malware logs).
