Security Features

Application Visibility:

Visibility into Applications, Users, and Content

Port numbers, protocols, and IP addresses are useful for network devices, but they tell you nothing about what is on your network. Detailed information about the applications, users, and content traversing your network empowers you to quickly determine any risks they pose and quickly respond. Leveraging the rich context provided by Palo Alto Networks firewalls, our visualization, analysis, and reporting tools let you quickly learn more about activity on your network and analyze incidents from a current or comparative perspective.

Visibility into your applications, web traffic, threats, and data patterns

Our Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. It allows you to keep your finger on the pulse of what is going on. ACC provides a 10,000 foot view of what's happening on your network, and with just a few clicks you can get a highly detailed view to learn more, including links to the specific policy that allowed a certain behavior so you can tune it as needed.

Knowledge is power. Learning more about new or unfamiliar applications or threats that are displayed in ACC takes just a single click, which shows you:

• A description of the application or threat.
• An application's key features and behavioral characteristics.
• Details on the users using an application.
• Details on those affected by a threat.

Additional data on traffic source and destination, security rules and zones provides a wider view of the application's usage patterns, which helps you make a more informed decision on how to treat that traffic.

Visibility based on users and groups – not IP addresses

Integration with a wide range of directory services allows our system to display detailed user information (along with their IP address), complementing the application and threat information you receive. You can add additional filters to learn more about application usage for individual users, along with the threats detected within your application traffic. In only minutes, ACC arms you with the data you need to make more informed security policy decisions and take action to reduce risk in your enterprise.

Comparative view into traffic and threat patterns

App-Scope is a dynamic, customizable window into your network's activity, presenting you with comparative statistics based upon different timeframes, applications, application categories, threat profiles and more. A standard feature in both our device web-interface and Panorama (centralized management), App-Scope reduces the amount of time you have to spend investigating unusual behavior.

Detailed analysis of all your traffic and device activities

Our log viewer provides a fine-grain view into your network activity. It summarizes all traffic traversing the network – including apps, user information, and threats. The log viewer supports context and expression-based filtering, allowing you to quickly and easily monitor, analyze, and investigate security incidents  The log viewer leverages our firewalls' integration with user repositories, complementing application and threat views with user and group visibility. Logs can be sent automatically to your syslog server, while individual filter results are exportable to a CSV file for offline archival or further analysis.

Customized reporting for all traffic and device activities

Using either your firewall's individual device management interface or Panorama, you will appreciate fingertip access to powerful reporting and logging features that will help you quickly investigate and analyze security incidents, application usage and user behavior. More than 50 predefined, customizable reports - incorporating elements you choose from other reports - are available. You can automate reports to run on a scheduled basis and have the results emailed or exported to a PDF or Excel spreadsheet.

User Visibility:

Users: an integral component for secure application enablement policies

Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications mean that IP addresses alone have become ineffective as a policy control element for safe application enablement. Our next-generation firewalls integrate with a wide range of enterprise directories and terminal services offerings, allowing you to:

• See who is using the applications on your network
• Set policy based on users
• Perform forensic analysis and generate reports on user activities

Visibility into User’s Application Activity

Visibility into the application activity at a user level, not just at an IP address level, allows you to determine patterns of usage along with the associated business and security risks. With just a few clicks, you will gain visibility into the application bandwidth and session consumption, the associated threats, as well as the source and destination of the application traffic. With this knowledge, you can more proactively align application usage with your business unit requirements through safe application enablement policies.

User-based Policy Control

Visibility into application usage means that you can quickly analyze the role and risk of applications, and who is using them, then translate that information into user-based safe application enablement policies. User-based policy controls can be assembled based on the application, which category and subcategory it belongs in, its underlying technology, or the application characteristics. Examples of user-based policies might include:

• Enable only the IT department to use tools such as SSH, telnet, and FTP on the standard port
• Allow the Help Desk Services group to use Yahoo Messenger
• Block the use of Facebook-apps for all users, allow Facebook for all users, but allow only marketing to use Facebook-posting

User-based Analysis, Reporting and Forensics

User information is pervasive throughout our firewall feature set - and that includes fine-grained forensic analysis and reporting. You can easily create log filters by clicking on a cell value, which can then be expanded with additional criteria using the expression builder. Informative reports on user activities can be generated using any one of the many pre-defined reports, or by creating a custom report from scratch, or by modifying a pre-defined report. Any of the reports – pre-defined or custom – can be exported to either CSV, PDF XML, or emailed on a scheduled basis.

Integration with any user repository

Our firewalls can integrate with an extensive list of user repositories and terminal services offerings that are complemented by an XML API and an explicit challenge response mechanism. Integration points include:

• Directory services: Microsoft Active Directory, Microsoft Exchange, OpenLDAP, and eDirectory
• Terminal services: Citrix XenAPP, Microsoft Terminal Services, and an XML API for non-standard terminal services environments 
• Syslog Listener natively harvests user information from Blue Coat Proxy, Citrix Access Gateway, Aerohive AP, Cisco ASA, Juniper SA Net Connect, and the Juniper Infranet Controller
• XML API: In cases where the syslog listener is not applicable, XML API allows you to integrate user information into your security policies from other user directories, and authentication mechanisms

APT Prevention:

WildFire: Protection from targeted and unknown threats

Modern attackers are increasingly using targeted and new unknown variants of malware to sneak past traditional security solutions. To address this, Palo Alto Networks developed WildFire, which identifies new malware in minutes. By executing suspect files in a virtual environment and observing their behavior, Palo Alto Networks identifies malware quickly and accurately, even if the malware sample has never been seen before.

Once a file is deemed malicious, WildFire automatically generates protections that are delivered to all WildFire subscribers within an hour of detection. A WildFire license provides your IT team with a wealth of forensics to see exactly who was targeted, the application used in the delivery, and any URLs that were part of the attack.

Sandbox analysis of unknown threats

Advanced cyber attacks are employing stealthy, persistent methods to evade traditional security measures. WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) through dynamic analysis in a scalable cloud-based, virtual environment. We directly observe the behavior of the malicious malware and exploits, then WildFire automatically generates and distributes protections globally in as little as 30 minutes.

DNS-based intelligence

DNS traffic exists in nearly every organization, creating an overwhelming ocean of data security teams often ignore, or do not have the tools to properly analyze. Knowing this, cyber attackers are increasingly abusing DNS to mask their command-and-control (C2) activity in order to deliver additional malware or steal valuable data. Malicious domain names controlled by attackers enable the rapid movement of command-and-control centers from point to point, bypassing traditional security controls such as blacklists or web reputation. Palo Alto Networks addresses this by:

• Allowing opt-in passive DNS monitoring, creating a database of malicious domains and infrastructure across our global customer base. This intelligence is used by PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire to prevent future attacks.
  
  
• Enabling customers to create local a DNS sinkhole, re-directing malicious queries to an address of your choosing to quickly identify and block compromised hosts on the local network.

Behavioral botnet report

Our behavioral botnet report correlates traffic anomalies and end-user behaviors to identify devices on your network that are likely to be infected by a botnet. The logic supporting the report tracks unknown or anomalous TCP and UDP, as well as a variety of potentially suspicious behaviors such as repeated download patterns, and the use of dynamic DNS and browsing anomalies. These factors are correlated to create a report that provides you with a list of users that are likely infected, and the behaviors that led to the diagnosis.

IPS:

Today's attacks on your network use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls arm you with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID, and the applications you choose to allow through are scanned for vulnerability exploits by our NSS-approved IPS engine.

Enable full IPS protection while maintaining performance

We deliver predictable IPS performance to you through hardware acceleration, a uniform signature format and a single pass software architecture. Dedicated processing and memory for content inspection, as well as networking, security and management, provides the hardware acceleration necessary for predictable IPS performance.

• Dedicated processing means that key functions do not compete for processing cycles with your other security functions, which happens in a single CPU or ASIC/CPU hardware architecture.
• A uniform signature format eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.).
• Single pass software means that your traffic is touched only once, no matter how many policy elements are in use.

Blocks a wide range of known and unknown vulnerability exploits

Our rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging your enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms, including:

• Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
• Protocol anomaly-based protection detects non-RFC compliant protocol usage such as the use of overlong URI or overlong FTP login.
• Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
• Statistical anomaly detection prevents rate-based DoS flooding attacks.
• Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
• Passive DNS monitoring to globally identify and build protections for compromised domains and infrastructure, and local DNS sinkholing to re-direct malicious requests to an address of your choosing for discovery and blocking of infected hosts.
• Other attack protection capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect you against evasion and obfuscation methods used by attackers.
• Custom vulnerability or spyware phone home signatures that can be used in either anti-spyware or vulnerability protection profiles.

DoS/DDoS attack protection

Palo Alto Networks next-generation firewalls protect you from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. You can deploy DoS protection policies based on a combination of elements including type of attack, or by volume (both aggregate and classified), with response options including allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:

• Flood protection—Protects you against SYN, ICMP, UDP, and other IP-based flooding attacks.
• Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential targets.
• Packet-based attack protection—Protects you from large ICMP packets and ICMP fragment attacks.

Market leading threat discovery and research

Our intrusion prevention engine is supported by a team of seasoned signature developers. Our team is highly active in the threat prevention community, performing ongoing research and working closely with software vendors - both informally and formally - through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, we have priority access to Microsoft's monthly and out-of-band security update releases.

By receiving vulnerability information early, Palo Alto Networks can develop and deliver signatures to you in a synchronized manner to ensure that you are fully protected. Signature updates are delivered on a weekly schedule or emergency basis. To date, our team has been credited with the discovery of numerous critical and high severity vulnerabilities in both Microsoft and Adobe applications.

Data Filtering & File Blocking:

The application function level control, file blocking by type, and data filtering features of our next-generation firewalls allow you to implement a range of policies that help balance permitting the use of personal or non-work related applications, with the business and security risks of unauthorized file and data transfer.

Enabling applications while blocking unapproved or dangerous files by type

Our next-generation firewalls give you the ability to control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension), to determine if a file transfer is allowed by your policy. You can implement file blocking by type on a per application basis. This enables you to do things like approve a specific webmail application like Gmail, and allow attachments, but block the transfer of specific file types.

Enabling or denying the use of file transfer functions

Function level control over file transfer represents another policy option that helps you balance application use with policy control. You can establish policies to allow IM or webmail application usage, but deny a related file transfer function.

Prevent data loss with pattern-based content identification

Rounding out our filtering features is the ability to identify and control the transfer of sensitive data patterns such as credit card numbers, social security numbers or custom data patterns in application content or attachments.

Mobile Security:

Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how and where employees work, as well as the tools they use to perform their jobs. Mobile devices are not just ways to access existing applications such as corporate email, but the platform for opening up entirely new ways of doing business.

Make sure that you have the proper security to extend your business applications and data to smartphones, tablets and laptops. Learn how to safely enable mobile devices by using GlobalProtect from Palo Alto Networks.

Manage Mobile Devices

Ensure devices are safely enabled by configuring the device with proper security settings. Simplify deployment and setup by provisioning common configurations like account settings for email and credentials such as certificates.

Protect Mobile Devices

Protect the mobile device from exploits and malware. Protecting the device also plays an important role for protecting the data as well, because data is not safe on a compromised device.

Control the Data

Control access to data and control the movement of data between applications. Establish policies that define who can access sensitive applications, and the particular devices that can be used.

URL Filtering:

The perfect complement to the policy-based application control provided by App-ID is our on-box URL filtering database, which gives you total control over related web activity. By addressing your lack of visibility and control from both an application and web perspective, App-ID and URL Filtering together protect you from a full spectrum of legal, regulatory, productivity, and resource utilization risks.

On-box URL database maximizes performance and flexibility

URL filtering is enabled through local lookups, as well as querying our master database in the cloud. Local lookups ensure maximum inline performance and minimal latency for the most frequently accessed URLs, while cloud lookups provide coverage for the latest sites. Our combination of application control and URL filtering allow you to implement flexible policies to control employee and network activity.

• Control web browsing based on category or through customized white or blacklists.
• Specify your group-based web browsing policies with user repository integration provided by User-ID.
• Enable SSL decryption policies by allowing encrypted access to specific web sites about topics your employees enjoy – like health, finance, and shopping – while decrypting traffic to all other sites such as blogs, forums, and entertainment sites.
• Enable bandwidth control for designated categories by creating QoS policies for specified URL categories.

Customizable URL database and categories

To account for your unique traffic patterns, on-device caches store the most recently accessed URLs. Devices can also automatically query a master database in the cloud for URL category information when a URL is not found on-device. Lookup results are automatically inserted into the cache for future activity. You can also create custom URL categories.

Customizable end-user notifications

There are multiple ways to inform your end users that they are trying to visit a web page that does not adhere to your corporate policy:

• Customizable block page: A page informing a user that they are violating policy can include your corporate logo, references to the username, IP address, the URL attempting to be accessed, and the category of the URL.
• URL filtering block and continue: Users accessing a page that potentially violates your URL filtering policy see a block page with a "Warning and Continue" button.
• URL filtering override: Requires a user to correctly enter a password in order to bypass the block page and continue surfing.

Flexible, policy-based control over web usage

To complement the application visibility and control enabled by our App-ID, you can use URL categories as a match criteria for your policies. Instead of creating policies limited to either 'allow all or block' all behavior, URL as a match criteria permits exception-based behavior. This increases your flexibility and gives you more granular policy enforcement capabilities. Examples of how URL categories can be used in your policy include:

• Identify and allow exceptions to your general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group).
• Apply URL filtering policies to cached results when end-users attempt to view the cached results of Google Search and Internet Archive.
• Apply URL filtering policies to URLs that are entered into translation sites such as Google Translate as a means of bypassing policies.
• Enforce Safe Search to prevent inappropriate content from appearing in users' search results. When this feature is enabled, only Google, Yahoo or Bing searches with the strictest Safe Search option set will be allowed; all other searches will be blocked.
• Allow access to streaming media category, but apply QoS to control your bandwidth consumption.
• Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
• Apply SSL decryption policies that allow encrypted access to finance and shopping categories, but decrypts and inspects traffic to all other categories.

Antivirus:

Network-based Malware Protection

The broadening use of social media, messaging and other non-work related applications introduce a variety of vectors for viruses, spyware, worms and other types of malware. Palo Alto Networks next-generation firewalls allow you to block unwanted applications with App-ID, and then scan allowed applications for malware.

Broad-based protection against a range of malware

Our antivirus engine detects and blocks viruses, spyware phone home, spyware download, botnet, worms and trojans. Additional features, above and beyond protecting your network from a wide range of threats, include:

• Inline, stream-based protection against malware embedded within compressed files and web content
• DNS-based botnet analysis to reveal rapidly evolving malware networks and malicious websites
• Protection against HTML and malicious Javascript
• Leverages SSL decryption within App-ID to block viruses embedded in SSL traffic

Stream-based scanning dramatically reduces latency

The Palo Alto Networks antivirus engine uses stream-based scanning to inspect your traffic as soon as the first packets of a file are received. This eliminates the performance and latency issues associated with a traditional proxy- or file-based approach. As with IPS, a uniform signature format is used for virus scanning, which eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.), while the single pass software means that your traffic is touched only once, no matter how many policy elements are in use.

Continual malware research and updates

Signatures for all types of malware are generated directly from millions of live virus samples delivered to Palo Alto Networks by leading third-party research organizations around the world. Our threat team analyzes the samples and quickly eliminates duplicates and redundancies. New signatures for new malware variants are then generated (using our uniform signature format) and delivered to you through daily scheduled or emergency updates.

Protect your network from threats propagated by drive-by downloads

Unsuspecting users can inadvertently download malware merely by visiting their favorite web page and clicking on an image. This increasingly popular malware delivery mechanism is known as 'drive-by downloads.' Palo Alto Networks next-generation firewalls control this threat to you by identifying malware downloads and sending a warning to your user to ensure that the download is desired.