Palo Alto Networks

Customer Presentation
November 2009
Ozan Ozkara
About Palo Alto Networks

• Founded in 2005 by a world-class team with strong security and

networking experience
• Innovations: App-ID, User-ID, Content-ID

• Builds next-generation firewalls that identify and control more

than 850 applications; makes firewall strategic again
• Global footprint: presence in 50+ countries, 24/7 support

Page 2 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Applications Have Changed – Firewalls Have Not

• The gateway at the trust

border is the right place to
enforce policy control
- Sees all traffic
- Defines trust boundary

• BUT…Applications Have Changed

- Ports ≠Applications
- IP Addresses ≠Users
- Packets ≠Content

Need to Restore Visibility and Control in the Firewall

Page 3 | © 2009 Palo Alto Networks. Proprietary and Confidential.
Application Control Efforts are Failing
• Palo Alto Networks’ Application Usage & Risk Report highlights actual behavior of
900,000 users across more than 60 organizations
- Bottom line: despite all having firewalls, and most having IPS, proxies, & URL filtering – none of
these organizations could control what applications ran on their networks
• Applications evade, transfer files, tunnel other applications, carry threats, consume
bandwidth, and can be misused.

Applications carry risks:

business continuity, data loss,
compliance, productivity, and
operations costs

Page 5 | © 2009 Palo Alto Networks. Proprietary and Confidential.

The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port,

protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats

embedded across applications

4. Fine-grained visibility and policy control

over application access / functionality

5. Multi-gigabit, in-line deployment with no

performance degradation

Page 7 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Identification Technologies Transform the Firewall

App-ID
Identify the application

User-ID
Identify the user

Content-ID
Scan the content

Page 8 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Purpose-Built Architecture: PA-4000 Series

RAM

Content RAM Content Scanning HW Engine

Dedicated Control Plane Scanning • Palo Alto Networks’ uniform signatures
Engine RAM
• Highly available mgmt • Multiple memory banks – memory
• High speed logging and bandwidth scales performance
RAM
route updates
10Gbps

RAM
RAM CPU CPU CPU .. CPU
1 2 3 16
Multi-Core Security Processor
Dual-core RAM • High density processing for flexible
RAM
CPU security functionality
De- • Hardware-acceleration for standardized
HDD SSL IPSec
Compression complex functions (SSL, IPSec,
decompression)
10Gbps

Route, 10 Gig Network Processor

ARP,
QoS NAT • Front-end network processing offloads
MAC
lookup
security processors
• Hardware accelerated QoS, route lookup,
MAC lookup and NAT

Control Plane Data Plane

Page 9 | © 2009 Palo Alto Networks. Proprietary and Confidential.
Enables Visibility Into Applications, Users, and Content

Page 10 | © 2008
2009 Palo Alto Networks. Proprietary and Confidential.
PAN-OS Core Firewall Features
Visibility and control of applications, users and
content complement core firewall features
• Strong networking • Zone-based architecture
foundation - All interfaces assigned to security PA-4060
- Dynamic routing (OSPF, zones for policy enforcement
RIPv2)
• High Availability
- Tap mode – connect to SPAN
port - Active / passive PA-4050
- Virtual wire (“Layer 1”) for true - Configuration and session
transparent in-line deployment synchronization
- L2/L3 switching foundation - Path, link, and HA monitoring
PA-4020
• VPN • Virtual Systems
- Site-to-site IPSec VPN - Establish multiple virtual firewalls
in a single device (PA-4000 & PA-2050
- SSL VPN
PA-2000 Series only)
• QoS traffic shaping
• Simple, flexible PA-2020
- Max/guaranteed and priority
management
- By user, app, interface, zone,
IP and scheduled - CLI, Web, Panorama, SNMP,
Syslog, XML API
PA-500

Page 11 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Flexible Deployment Options
Visibility Transparent In-Line Firewall Replacement

• Application, user and content • IPS with app visibility & control • Firewall replacement with app
visibility without inline • Consolidation of IPS & URL visibility & control
deployment filtering • Firewall + IPS
• Firewall + IPS + URL filtering

Page 12 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on current configuration, avoiding sync issues

Page 13 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Addresses Three Key Business Problems
• Identify and Control Applications

- Visibility of over 850 applications, regardless of port, protocol, encryption, or

evasive tactic

- Fine-grained control over applications (allow, deny, limit, scan, shape)

- Fixes the firewall

• Prevent Threats

- Stop a variety of threats – exploits (by vulnerability), viruses, spyware

- Stop leaks of confidential data (e.g., credit card #, social security #)

- Stream-based engine ensures high performance

• Simplify Security Infrastructure

- Fix the firewall, rationalize security infrastructure

- Reduce complexity in architecture and operations

Page 14 | © 2009 Palo Alto Networks. Proprietary and Confidential.
Thank You
 Additional
Information
Speeds and Feeds, Deployment, Customers, TCO, Support, and Management
Palo Alto Networks Next-Gen Firewalls

PA-4060 PA-4050 PA-4020

• 10 Gbps FW • 10 Gbps FW • 2 Gbps FW
• 5 Gbps threat prevention • 5 Gbps threat prevention • 2 Gbps threat prevention
• 2,000,000 sessions • 2,000,000 sessions • 500,000 sessions
• 4 XFP (10 Gig) I/O • 16 copper gigabit • 16 copper gigabit
• 4 SFP (1 Gig) I/O • 8 SFP interfaces • 8 SFP interfaces

PA-2050 PA-2020 PA-500

• 1 Gbps FW • 500 Mbps FW • 250 Mbps FW
• 500 Mbps threat prevention • 200 Mbps threat prevention • 100 Mbps threat prevention
• 250,000 sessions • 125,000 sessions • 50,000 sessions
• 16 copper gigabit • 12 copper gigabit • 8 copper gigabit
• 4 SFP interfaces • 2 SFP interfaces

Page 17 | © 2009 Palo Alto Networks. Proprietary and Confidential

 Leading Organizations Trust Palo Alto Networks
Health Care Financial Services Government

Media / Entertainment / Retail

Service Providers / Services Education

Mfg / High Tech / Energy

Page 18 | © 2009 Palo Alto Networks. Proprietary and Confidential

Fix The Firewall – and Save Money!

• Capital cost – replace multiple devices

Cut by as much
- Legacy firewall, IPS, URL filtering device (e.g.,
proxy, secure web gateway) as 80%

• “Hard” operational expenses

- Support contracts Cut by as much
- Subscriptions as 65%
- Power and HVAC

• Save on “soft” costs too

- Rack space, deployment/integration, headcount,
training, help desk calls

Page 19 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Legendary Customer Support Experience
• Strong TSE team with deep
Customer support has always been
network security and amazing. Whenever I call, I always get
infrastructure knowledge someone knowledgeable right away, and
never have to wait. They give me the
answer I need quickly and completely.
- Experience with every major Every support rep I have spoken with
firewall knows his stuff.
- TSEs average over 15 years -Mark Kimball, Hewlett-Packard
of experience
• TSEs co-located with
Customer support has been extraordinarily
engineering – in Sunnyvale, helpful – which is not the norm when
CA dealing with technology companies. Their
level of knowledge, their willingness to
participate – it’s night and day compared
• Premium and Standard to other companies. It’s an incredible
offerings strength of Palo Alto Networks.
-James Jones, UPMC
• Rave reviews from
customers
Page 20 | © 2007
2009 Palo Alto Networks. Proprietary and Confidential
Confidential.
Single-Pass Parallel Processing (SP3) Architecture

Single Pass
• Operations once per
packet
- Traffic classification (app
identification)
- User/group mapping
- Content scanning –
threats, URLs,
confidential data
• One policy
Parallel Processing
• Function-specific
parallel processing
hardware engines
• Separate data/control
planes

Up to 10Gbps, Low Latency

Page 21 | © 2009 Palo Alto Networks. Proprietary and Confidential.
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
- View applications, URLs, threats, data
filtering activity
• Mine ACC data, adding/removing filters as
needed to achieve desired result

Filter on Skype Remove Skype to

Filter on Skype
and user oharris expand view of oharris

Page 22 | © 2009 Palo Alto Networks. Proprietary and Confidential.