Palo Alto earns short list status

App-aware firewall proves especially useful for controlling outbound traffic

1 2 3 Page 3
Page 3 of 3

Palo Alto chose to group log analysis tools by the type of tool, rather than the part of the firewall generating the log information, which makes it somewhat cumbersome to just concentrate on IPS events without, for example, stumbling over "top 10 URL categories" along the way. Still, we found ourselves relatively expert at flying between reports, logs, log filters, and events after only a few hours of practice. Network managers for whom IPS analysis is a part-time job will find the PA-5060 offers considerable power without a lot of complexity.

The IPS management system in the PA-5060 will not replace a dedicated IPS console, but it represents one of the most sophisticated IPS event analysis tools we've ever seen in a firewall. The IPS console in Panorama offers the same capabilities as the firewall GUI, except that Panorama is able to report on events from multiple devices at once. We found some bugs in Panorama's reporting that blocked us from generating full reports, so we concentrated our testing on our PA-5060 by itself.

As with all IPSs, the PA-5060 required some tuning before we were ready to set it loose on our production network. We focused on IPS events marked as "high" and "critical" severity, and immediately found a number of important things going on in our network--and no high or critical false positives.

The top 50 events, which the PA-5060 marked as high severity, were all brute force login attempts to SSH servers, Windows Terminal Server servers, FTP servers, and mail servers. Fair enough, and accurate. Same with Conficker, which was hitting our network on average every 30 seconds, along with someone looking for cross-site scripting vulnerabilities, and a variety of other break-in attempts for common exploits and vulnerabilities to all our Web servers.

When we were doing our testing, we quickly discovered an important detail: if you ever want to understand what your firewall is telling you, it's critical to enable not just threat logging, but also URL logging and traffic logging. Without all three pieces of information, the IPS logs themselves are vague enough that many events cannot be tracked or understood. This has important implications for enterprises deploying the PA-5060 with IPS features enabled -- you also have to enable logging on everything else.

The "no false positive" rule didn't hold quite so well as we moved down the severity category to "low" and "informational" events. In those areas, we found a number of false positives. Since the PA-5060 is being sold as an in-line device, we didn't find these false positives a big issue, as network managers deploying the PA-5060 shouldn't be depending on anything other than "high" and "critical" events.

When we were investigating these top events, we found a common frustration: poor documentation on the threat and vulnerability database. For example, one threat that caught our eye was something the PA-5060 called "PDF Exploit Evasion." Looking that up on Palo Alto's threat database portal gave us no useful information: no CVE number, no description or threat analysis other than "PDF exploit evasion has been found on your network." Enterprise IPS products generally include extensive documentation on threats to help the network manager understand criticality and impact, and the PA-5060 hasn't met this standard.

We also tested the PA-5060 IPS using a Mu Dynamics test chassis and their published vulnerabilities tests. When we tested UTM firewalls using the same test chassis in 2007, most firewalls using recommended settings blocked only about a third of the attacks (the average score across all products was 32% block rate, with a low of 14% and a high of 75% using recommended settings). The PA-5060 did better in this test, blocking 90% of the attacks in the client-to-server direction and 93% of the attacks in the server-to-client direction. Since our tests are four years apart, it's difficult to draw any conclusions from these results, other than to say that the IPS in the PA-5060 seems to do a good job on the 1,954 vulnerabilities in our Mu Dynamics tester.

Enterprise network managers looking for better control and higher security in their firewalls need to pay attention to Palo Alto Networks. The PA-5060 goes beyond legacy products from the big three enterprise firewall vendors - Cisco, Juniper and Check Point -- and has earned its place on evaluation short lists.

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
IT Salary Survey: The results are in