PaloAlto Networks Next Generation Firewall

Palo Alto Networks Firewall 4.1 Release

I have been selling and supporting Palo Alto firewalls for about 3 years and I really like how the firewall operates. They are doing some advanced things that no one else can really do that well. They have also just released a new version of firmware.

Application Based Firewall Rule Base

You can really define your firewall policy using applications such as SMTP, FTP and Facebook instead of just opening ports. Why is that important? Most people have figured out that ports 80 and 443 are the ports most firewalls leave open. Applications are written to use those ports, and your firewall is less secure because you don't really know what you are allowing to bypass it.
For example, say you wanted to allow someone to view Facebook, but not post or chat. The Palo Alto can allow for that. Most firewalls cannot stop that (unless some sort of URL filtering is in place).

Active Directory and Terminal Server Integration

Other firewalls can integrate Active Directory users and groups into policies, but I have not seen many that can also support Terminal Services and Citrix servers. Usually on a Citrix server the first person who logs in is the person that the firewall identifies, because every session shares the server's IP address. Palo Alto Networks has an agent that you place on the Citrix server that allows you to identify the individual users. It allows you to assign user groups to a firewall rulebase, allowing you to customize your firewall policy for different user populations. It also allows you to track user activity by name instead of just an IP address. You can also install agents on Domain Controllers and have those users be part of the rulebase and the firewall logs. The users will not even know this is happening; it is transparent to them.
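To make the two points above concrete (an application-based rulebase, and rules keyed on the user group rather than the source address), here is a small added example written for this page; it is a toy policy engine, not Palo Alto code or configuration. The application names follow the App-ID naming style (facebook-base, facebook-chat, facebook-posting, web-browsing, ssl) and are assumed rather than taken from the vendor's application database; the user, group and IP values are constructed sample data, and the user-to-flow mapping stands in for what a User-ID style agent would supply. It evaluates the same set of flows, all on TCP/443, against a port-only policy and against an application- and group-aware policy so the difference in verdicts is visible.

```python
"""Toy policy engine: port-based versus application- and user-aware rules.

Constructed example for illustration, not PAN-OS code. Application names are
assumed to follow App-ID naming; users, groups and addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ANY: FrozenSet[str] = frozenset()   # an empty match set means "match anything"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_user: str    # user name mapped to the session by an agent (assumed)
    src_group: str   # directory group of that user (assumed)
    dst_port: int
    app: str         # application identified by content inspection (assumed)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    apps: FrozenSet[str] = ANY
    groups: FrozenSet[str] = ANY
    ports: FrozenSet[int] = frozenset()

    def matches(self, flow: Flow) -> bool:
        return ((not self.apps or flow.app in self.apps)
                and (not self.groups or flow.src_group in self.groups)
                and (not self.ports or flow.dst_port in self.ports))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to an implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default-deny", "deny"


# Legacy style: open the web ports and trust whatever rides on them.
PORT_BASED: List[Rule] = [
    Rule("allow-web-ports", "allow", ports=frozenset({80, 443})),
]

# Application- and group-aware style: the policy names the application and the
# user population it is allowed for; ordering is first match, so the narrow
# marketing rule sits above the read-only rule for everyone else.
APP_BASED: List[Rule] = [
    Rule("marketing-facebook-full", "allow",
         apps=frozenset({"facebook-base", "facebook-posting", "facebook-chat"}),
         groups=frozenset({"marketing"})),
    Rule("all-facebook-read-only", "allow", apps=frozenset({"facebook-base"})),
    Rule("all-facebook-no-post-or-chat", "deny",
         apps=frozenset({"facebook-posting", "facebook-chat"})),
    Rule("all-general-web", "allow", apps=frozenset({"web-browsing", "ssl"})),
]


def compare(flow: Flow) -> Dict[str, Tuple[str, str]]:
    """Return the verdict each policy style gives for one flow."""
    return {"port_based": evaluate(PORT_BASED, flow),
            "app_based": evaluate(APP_BASED, flow)}


def log_line(flow: Flow, rules: List[Rule]) -> str:
    """Traffic-log style record that carries the user name, not just the address."""
    rule, action = evaluate(rules, flow)
    return (f"src={flow.src_ip} user={flow.src_user} group={flow.src_group} "
            f"dport={flow.dst_port} app={flow.app} rule={rule} action={action}")


# Constructed sample flows, all on TCP/443 so a port-based policy cannot tell them apart.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.1.10", "alice", "marketing", 443, "facebook-chat"),
    Flow("10.1.1.11", "bob", "sales", 443, "facebook-chat"),
    Flow("10.1.1.11", "bob", "sales", 443, "facebook-base"),
    Flow("10.1.1.12", "carol", "sales", 443, "unknown-tcp"),  # something else tunnelling over 443
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(compare(f))
        print(log_line(f, APP_BASED))
```

The last sample flow is the point of the first section: a port-only policy allows it because it is on 443, while the application-aware policy has no rule for an unidentified application and drops it. The second and third flows show the same user allowed to read Facebook but denied posting or chat, and the log line shows why logging by user name matters when several users share one address.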

Threat Protection and Virus scanning

This firewall has always done a great job of virus scanning and threat prevention. It is one of the few devices on which you can turn both features on and not kill the box. It will allow the needed traffic and block the bad traffic. The IPS has won numerous awards and, after running them in my clients' environments, I can say it works well with very minimal tuning.
They also have a new service called WildFire that will submit certain file types up to the cloud for virus scanning. If the file is 2 MB or under, it gets shipped to a virtual machine that will analyze what the file is doing. If it looks like a worm, bug or a botnet, it will quarantine the file. That is good in times like these. The day of the mass virus outbreak is over and you are seeing more targeted attacks. Those targeted attacks are not noticed as much, and most modern virus scanners can miss them. Analyzing what a file is doing is a great way to stop spyware and malware. With the Mafia involved with credit card and other fraud these days, you cannot trust files that are sent your way. They do not want to be detected; they want the bug to come in, run in the background and steal information before it is too late.

US Based Support

This is also huge for me. I am tired of getting routed to a foreign country with someone that has a very heavy accent. It has been improving, but I still dread it. With Palo Alto I get an English speaking person who is usually very helpful and solves my issue quickly. I hope they keep it this way as it is a refreshing thing to see someone with that type of support.

Easy To Use WEB UI

This is another huge item for me. I can configure the entire firewall with a web interface. I do not need a third party client. The web interface is clear and easy to use. If you are used to working with a Checkpoint firewall, the learning curve on this firewall is small.

I have numerous other features I like about this firewall. If you are interested in a demo, I have two firewall boxes that can be used for a demo. Just contact me at james@tbjconsulting.com or at 262-373-9070.
