Solutions by Location

Distributed Enterprise:

Problem

Your organization is more distributed than ever before. In addition to your traditional, centralized corporate headquarters, your enterprise probably includes smaller branch offices, employees working remotely from home, or roaming users. Your users may move from one location to another within the span of a business day. While this flexibility enables new gains in productivity, it also leads to dangerous inconsistencies and compromises in terms of your information security.

Solution

Palo Alto Networks delivers a consistent approach to network security based on applications, users, and content that always protects your end-users with the full power of our next-generation firewalls, regardless of their physical location. Furthermore, management and reporting for all of your locations can be centralized, freeing your IT team from having to manage multiple "one-off" security solutions.

Consistent security across all platforms.

Palo Alto Networks designed all of its hardware platforms to consistently deliver the full functionality of the industry's only true next-generation firewall. All of our platforms, from the top-end PA-5000 Series to the PA-200 for enterprise branch offices, share an identical approach to App-ID, User-ID, and Content-ID. Every platform is built on a consistent architecture that dedicates resources to both the data and control planes to ensure high-speed security and manageability. While your policies may vary by location, the Palo Alto Networks next-generation firewall platform makes sure that you never have to settle for less firepower at any point across your network.

Always-on protection for mobile users.

More employees are working outside of the office from the road, at home or from a local coffee shop. GlobalProtect keeps roaming users logically connected to your enterprise network - and protected by your network policy - even when they are physically outside your office. GlobalProtect provides a transparent agent that ensures that all the visibility, control, and threat prevention of our next-generation firewall applies consistently to all of your enterprise traffic. GlobalProtect allows you to embrace new devices safely, and provides coverage for today's most popular computing platforms:

• Windows
• Mac OS X
• iOS
• Android

GlobalProtect offers additional licensable policy controls that can check the configuration of your endpoint automatically to ensure that it is in compliance with your corporate standards. It can detect if:

• The operating system has the proper patches.
• The antivirus software is up to date.
• Disk encryption is enabled.

GlobalProtect integrates these controls with our next-generation firewall, making it possible to restrict access to your sensitive applications if the user's endpoint needs remediation. Combined with our next-generation application, user, and content controls,  GlobalProtect gives you the greater precision and flexibility you need to design the ideal security policy for your enterprise.

Centralized visibility and control over all locations.

Panorama provides centralized visibility and management for all of your Palo Alto Networks next-generation firewalls. From a central location, it gives you insight into the applications, users, and content traversing your firewalls. This maximizes your protection and control, while minimizing administrative efforts. Analysis, reporting, and forensics can be performed with the aggregated data over time, or against more recent data, delivered to you on-demand.

Palo Alto Networks believes in management consistency, no matter which management mechanism is being used, from Panorama and our device user interface, to our command line interface (CLI). The management interface for Panorama shares the same web-based look and feel as the next-generation firewall. This minimizes learning curves or delays in executing the task at hand.

Enterprise Perimeter:

Problem

Your network is full of applications you cannot identify nor control with your port-based firewall. Filesharing, social networking, personal email, and streaming media are just a few of applications that can evade your firewall by hopping ports, using SSL, or non-standard ports. Your employees are using these applications - legitimately in many cases - to do their jobs. Blocking the applications outright may hurt your bottom-line, but blindly allowing them invites business and security risks.

Solution

Using a Palo Alto Networks next-generation firewall, you can strike the right balance between blocking all personal-use applications and allowing all of them. Secure application enablement begins with knowing exactly which applications are being used and by whom. This information allows you to create effective firewall control policies that extend well beyond the traditional 'allow or deny' approach. The final component of our solution is giving you the ability to securely enable applications without degrading your firewall's performance.

Knowledge is power: identifying applications, users and content.

Secure application enablement requires a systematic approach that begins with learning which applications are traversing your network, who is using each application, and the types of threats the applications might carry.

• App-ID first determines exactly which application is in use, no matter which port or evasive tactic is used.
• User-ID ties the application usage to the identity of the employee, not just the IP address, based on information stored in your corporate directory.
• Content-ID controls web surfing, protects you against threats, and limits the unauthorized transfer of files and data.

Armed with a better understanding of what is traversing your network, your security team and business groups can determine the business value of certain applications to specific users. Next, you can set up policies that enable application usage while also protecting your network.

Secure application enablement: restoring control to the firewall.

The firewall is the only place where all traffic passes through, which makes it the ideal location for controlling applications, users, and content. With the new, deeper understanding of your network traffic provided by our firewalls, your security team can quickly deploy application enablement policies that extend beyond 'allow or deny.' Examples include:

• Enable application, or application-function usage, for specific groups of users.
• Scan allowed traffic for a wide range of threats including viruses, vulnerability exploits, Trojans, and other forms of malware.
• Apply QoS to specific applications, users or groups to ensure your business applications are not bandwidth deprived.
• Block all P2P filesharing, external proxies, and circumventors.

These are just a few of the ways you will benefit from the secure application enablement policy approach of Palo Alto Networks next-generation firewalls.

Purpose-built platform: predictable performance with services enabled.

Identifying and controlling applications, while scanning them for threats, is a computationally intensive process that can crush most server-based platforms. Palo Alto Networks addresses these performance challenges using a unique combination of function-specific processing for:

• Networking
• Security
• Content inspection
• Management

The result is a platform that delivers predictable performance at up to 20 Gbps when security services are enabled.

Virtualized Data Center:

Problem

As a datacenter manager tasked with new virtualization or cloud computing initiatives, you will be forced to address many different challenges, not the least of which is security. Specific security challenges include:

• How to enable and protect applications traversing the cloud
• Isolating applications and data; blocking lateral movement of threats
• Eliminating the security lag as your cloud environment changes

Your virtualization datacenter needs a flexible network security solution that not only safely enables applications and protects against modern threats, but can support the dynamic nature of a virtualized environment.

Solution

The VM-Series of virtualized next-generation firewalls eliminate the unacceptable compromises you previously faced when moving into virtualized datacenter or cloud computing. The VM-Series enables you to deploy a virtualized security infrastructure that safely enables the complex and growing number of applications in your datacenter, while keeping pace with the rapid pace of change occurring in your virtualized environment.

You can use our centralized management platform to deploy both virtualized and physical firewalls, which optimizes visibility, reduces operational complexity, and decreases policy configuration gaps. With consistent next-generation security features, available in physical or virtual form factors our firewalls allow you to address any datacenter design - without compromise.

Safely Enable Applications

Palo Alto Networks next-generation firewalls identify, control, and safely enable applications, while also inspecting all content for threats. Identifying and controlling your datacenter traffic – physical or virtual reduces the scope of attacks by:

• Validating datacenter applications are in use on standard ports
• Blocking rogue or non-compliant applications
• Blocking known and unknown threats without degrading performance
• Systematically managing unknown traffic

Isolation and Segmentation of Mission Critical Applications

Security best-practices dictate that your mission critical applications and data should be isolated in secure segments using Zero Trust (never trust, always verify) principles at each segmentation point. The VM-Series can be deployed throughout your virtualized environment, residing as a gateway within your virtual network or in between the different VMs (applications), exerting control based on application, and user identity. This allows you to control the applications traversing your virtualized environment, while blocking potentially rogue or misconfigured applications and controlling access based on user identity. The exact same segmentation capabilities are available in the physical and virtual form-factors, providing you with a consistently strong security posture. 

Eliminating the VM Change-Security Update Lag

The speed of change in your cloud computing environment often times will outpace security, leaving you with the option of delay or weak security, neither of which is acceptable. To eliminate that security lag, the VM-Series includes automation features such as VM monitoring, dynamic address groups and a REST-based API to proactively monitor VM changes and dynamically feed those context changes into security policies, thereby eliminating the policy lag that may occur when your VMs change.

Centralized management:

Panorama allows you to manage your VM-Series deployments along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.