Next-Generation Firewall Buyer's Guide: Palo Alto Networks

Next-generation firewall pioneer continues to raise the bar, using App-ID to control port-hoppers and encrypted Web apps.

By Lisa Phifer | Jul 29, 2011
Page 1 of 3

As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective: many applications share ports 80 and 443, and others hop ports to get through. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.

In this EnterpriseNetworkingPlanet buyer's guide, we examine capabilities and features offered by Palo Alto Networks PA Series next-generation firewalls. Founded by Nir Zuk in 2005, Palo Alto Networks pioneered the NGFW approach now being embraced throughout the market.

"Our company was founded to solve the problem that applications had changed, but firewalls hadn't," explained senior product manager Matt Keil. "So we decided to ignore port and protocol and start from scratch. Our App-ID technology looks across all ports, all the time, examining streams to identify applications as the basis for security policy."
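To make the port-independent idea concrete, here is an added example (it is not Palo Alto Networks' App-ID, whose signatures and decoders are proprietary, and it is not from the original article). A toy classifier names the application from the first bytes a client sends, ignoring the destination port, and a constructed allow/deny policy is then written in terms of applications rather than ports. The signature rules, the port table, the policy and every sample stream are constructed for illustration; the protocol handshake markers (the `SSH-` banner, the TLS handshake record, the RDP TPKT/X.224 connection request, the HTTP request line) are the standard ones.

```python
"""
Port-independent application identification, illustrated.

Added example, not vendor code: identify the application from the start of
the TCP stream, then apply a policy keyed by application instead of port.
All rules and sample flows below are constructed for this demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent after the TCP handshake


# What a traditional stateful firewall "knows": port implies application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


def identify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown-tcp")


def identify_by_content(flow: Flow) -> str:
    """Name the application from the protocol handshake, on any port."""
    p = flow.payload
    # SSH: the server and client both open with a version banner.
    if p.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 0x03, ClientHello (0x01).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    # RDP: TPKT header (version 3) carrying an X.224 Connection Request (0xE0).
    if len(p) >= 6 and p[0] == 0x03 and p[1] == 0x00 and p[5] == 0xE0:
        return "ms-rdp"
    # HTTP: request line "METHOD target HTTP/1.x".
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", p):
        return "web-browsing"
    return "unknown-tcp"


# Constructed policy, evaluated in order; first match wins, unknown is denied.
POLICY = [
    ("allow", {"web-browsing", "ssl"}),
    ("deny", {"ssh", "ms-rdp"}),
]


def decide(app: str) -> str:
    for action, apps in POLICY:
        if app in apps:
            return action
    return "deny"  # implicit deny for anything not positively identified


def classify(flows):
    """Per flow: (port-based app, content-based app, action on the content-based app)."""
    results = []
    for f in flows:
        app = identify_by_content(f)
        results.append((identify_by_port(f), app, decide(app)))
    return results


# Constructed sample streams: a port-hopping SSH session, HTTP on a
# non-standard port, a real TLS ClientHello, and RDP hidden on port 80.
SAMPLE_FLOWS = [
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow(8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow(443, bytes.fromhex("1603010005" "0100000100")),
    Flow(80, bytes.fromhex("03000013" "0ee000000000000100080003000000")),
]

if __name__ == "__main__":
    for flow, (by_port, by_content, action) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"port {flow.dst_port:>5}: port says {by_port:<13} content says {by_content:<13} -> {action}")
```

The first and last flows are the point of the exercise: port-based lookup would have allowed SSH on 443 and RDP on 80 as ordinary web traffic, while the content-based classifier denies both. The third flow shows the limit of the toy: it stops at "ssl", whereas an NGFW that decrypts the session can go on to identify the web application inside. A production classifier also needs far more than first-packet signatures (decoders for multi-stage protocols, heuristics for evasive or obfuscated traffic, and continuous re-evaluation as the stream develops), which is precisely the work the dedicated hardware described below is built for.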

Next-generation firewalls -- from the ground up

To run App-ID in an optimal fashion, Palo Alto engineered purpose-built platforms, ranging from the PA-500 series (for medium businesses and branch offices) to the PA-5000 series (for large enterprises and service providers). Models differ in horsepower and connectivity, but all deliver the same NGFW services.

"With the PA-4000 series, we designed an architecture that used dedicated processors for networking, security, threat prevention, and management," said Keil. "High speed Cavium processors for security, high speed Field-Programmable Gate Arrays for threat prevention, and so on. We've carried that through to our PA-5000 series, using more processors [to increase capacity]."

The top-of-the-line PA-5060 sports a 20 Gbps network processor, 16 Cavium security processors, and 2 FPGA threat processors, attached to a 20 Gbps backplane. A single-pass parallel processing architecture inspects each packet once, applying App-ID, user identification and threat prevention in the same pass, for low-latency performance under load; the management plane runs on its own processor so that administrative work and logging never compete with the data plane.

"It's easy to get 20 Gbps with a single allow-any/any rule," said Keil. "But when you add policies that turn on services and allow/deny applications, our performance remains at fairly high levels. App-ID tends to maintain 20 Gbps; threat prevention still delivers 10 Gbps. In NSS Labs tests, we beat our own [specs] while competitors significantly under-achieved theirs."

The PA-5060 supports up to 4M sessions (120K new sessions per second), 20K SSL VPN users, and 40K policies. The PA-5050 delivers half that capacity (10 Gbps firewall/5 Gbps IPS/2M sessions), while the PA-5020 cuts that in half once again. All three models have 12 10/100/1000 Ethernet ports and 8 Gigabit SFP ports; the 5060 and 5050 sport another four 10 Gigabit SFP+ ports.
