Networking & Integration Features
Safely enabling applications based on users and groups are just a few of the many features that every Palo Alto Networks next-generation firewall supports. A flexible networking foundation facilitates integration into nearly any network. IPsec and SSL VPN deliver enterprise-wide connectivity. Stateful high-availability ensures that your network is always protected.
Our flexible networking architecture includes dynamic routing, switching, and VPN connectivity, which enables you to easily deploy Palo Alto Networks next-generation firewalls into nearly any networking environment.
Integrate into any architecture with our flexible networking architecture
L2/L3 networking: Our firewalls use a L2/L3 architecture that leverages zone-based security enforcement, which enables deployments in switched and routed environments.
- Dynamic routing: Support for OSPF, RIP and BGP combined with full 802.1Q VLAN support is provided for both layer 2 and layer 3 deployments, so all of your services can be enabled while seamlessly integrating with your existing routing or VLAN architecture.
- Virtual Wire: Virtual Wire gives you a true transparent mode by logically binding two ports together, and passing all your traffic to the other port, without any switching or routing. Full inspection and control for all traffic is enabled with zero impact on your surrounding devices, and no networking protocol configuration is required. Multiple Virtual Wire pairs can be configured to support multiple network segments.
Multicast traffic routing participation
Multicast support includes identification and control of multicast traffic, as well as the ability to participate in multicast routing and group management through PIM-SM, PIM-SSM and IGMP support.
The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into, and across your private, public and hybrid cloud computing environments. Automation features and an API enable you to dynamically update security policies as your VM environment changes, eliminating potential security lag. The VM-Series supports the following hypervisors: VMWare ESXi and NSX, Citrix SDX, KVM (Centos/RHEL), Ubuntu, Amazon Web Services.
Enable Applications, Block Known and Unknown Threats
With the VM-Series next-generation firewall and threat prevention, you can implement the same level of protection available for your physical network. Allow and control applications based on the identity, not the port. Inspect all traffic into and across the cloud for known and unknown threats. Isolate mission critical applications and data using Zero Trust principles of never trust, always verify.
Automated Tracking of VM Context Changes
VM Monitoring polls your virtualization environments for virtual machine inventory and attribute changes, collecting this context in the form of tags that are then used in Dynamic Address Groups to dynamically create or update security policies.
Dynamic Policy Creation and Update
Dynamic Address Groups automates policy creation using tags (from VM Monitoring) as an identifier for virtual machines instead of static object definitions such as an IP address. As you add, remove or change your VM, your security policies are dynamically updated, eliminating any security policy lag associated with VM changes.
Customization and 3rd Party Tool Integration
The fully-documented REST-based API allows you to collect VM changes and programmatically make security part of your cloud computing workflow using customized tools or cloud orchestration tools such as OpenStack or CloudStack.
Safely enabling applications, users and content in IPv6 environments
Our next-generation firewalls allow you to deploy consistent, safe application enablement policies across IPv6, IPv4 and mixed environments.
Consistent user-based policies across IPv6 and IPv4 environments
If you are implementing an IPv6 infrastructure, you can deploy the same user-based enablement policies that you have in your IPv4 environments. Your IPv6-based applications and content can be classified, monitored, enabled, inspected and logged, just like they are in your IPv4 environments. IPv6 user information is captured from all of the User-ID supported repositories and terminal services, as well from captive portal and our XML API. In addition, our SSL encrypted User-ID-to-firewall communications protocol supports IPv6.
Flexible deployment options simplify network integration
Support for virtual wire, layer 2, or layer 3 deployment modes - for both IPv6 and IPv4 environments - gives you flexible network integration options. Additional networking features include:
- Stateless Address Auto-configuration (SLAAC) informs hosts of the IPv6 prefixes needed for address configuration
- NAT64 translates source and destination IP headers between IPv6 and IPv4
- IPv6 over IPsec between IPv4 endpoints
- High availability control, data link and path monitoring
Management and administrative consistency between IPv6 and IPv4
When configuring your management and administrative services, your firewall managers can enter IPv6 or IPv4 addresses.
- Management services we support include: RADIUS, Syslog, DNS, User-ID agents, LDAP, SNMP, SCP, FTP, SSH, URL filtering service, Panorama (device-to-Panorama connectivity), and service route configuration
- Administrative services we support include: admin authentication sources, NTP, Panorama, logging and alerting (syslog, SNMP, email), and PBF next-hop monitoring of IPv6 addresses
Identify & Control Encrypted Traffic
Take control of your SSL and SSH encrypted traffic and ensure it is not being used to conceal unwanted activity or dangerous content. Using policy-based decryption and inspection, you can confirm that SSL and SSH are being used for business purposes only, instead of to spread threats or unauthorized data transfer.
Identify, control and inspect inbound SSL traffic
Policy-based identification, decryption, and inspection of inbound SSL traffic (from outside clients to internal servers) can be applied to ensure that applications and threats are not hiding within SSL traffic. A server certificate and private key are installed on Palo Alto Networks next-generation firewalls to handle decryption. By default, SSL decryption is disabled.
Identify, control and inspect outbound SSL traffic
Policy-based identification, decryption and inspection of outbound SSL traffic (from users to the web) can be applied to make sure that applications and threats are not hiding within SSL traffic. Our firewalls use a 'man-in-the-middle' approach in which device certificates are installed in the user's browser. By default, SSL decryption is disabled.
Offload SSL traffic for additional analysis and archiving.
If your organization requires comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality, you can use port mirroring to forward a copy of SSL traffic to a 3rd party solution such as NetWitness or Solera more granular analysis or archiving purposes. Supported only on the PA-5000 Series and the PA-3000 Series.
Simplify SSL certificate signing and management process.
You can utilize dedicated hardware security modules (HSM) to manage the certificate signing functions for SSL forward proxy, SSL inbound inspection, and the master key storage functions. HSM support is generally required when FIPS 140-2 Level 3 protection for CA keys is required.
- Supported HSMs: SafeNet Luna SA and Thales Nshield Connect.
- Platforms supported: PA-5000 Series, PA-4000 Series, PA-3000 Series, VM-Series and the M-100 management appliance.
Identify and control SSH traffic.
Our enterprise security platform gives you policy-based identification and control of SSH tunneled traffic. A 'man-in-the-middle' approach is used to detect port forwarding or X11 forwarding within SSH as an SSH-tunnel, while regular shell, SCP and SFTP access to the remote machine is reported as SSH. By default, SSH control is disabled.
Standards-based VPN Connectivity
Secure site-to-site and remote user connectivity is a critical infrastructure component. Every Palo Alto Networks next-generation firewall platform allows you to easily and securely communicate between sites using standards-based IPSec VPN connections. Remote user communications are protected through a rich set of VPN features.
Secure site-to-site connectivity through IPSec VPN
Standards-based IPSec VPN connectivity, combined with application visibility and control, protects communications between two or more Palo Alto Networks devices and/or another vendor's IPSec VPN device.
If you have a lot of branch offices or retail stores, you may need to deploy site-to-site VPN across a number of locations. Large-Scale VPN automatically configures your key VPN tunnel settings, making it easy for staff at your branch office to deploy new firewalls. When a new firewall is brought online, it will use an available Internet connection to authenticate with a GlobalProtect Portal and pick up the latest VPN settings to maintain ongoing, secure communications.
Consistent Security Everywhere
GlobalProtect lets remote users access your network by automatically establishing either an SSL-or IPSec-based VPN connection, depending on location and configuration. This remote access connection is authenticated through one of several mechanisms: local DB, RADIUS, LDAP, Active Directory, Kerberos or Smartcards. Once a secure connection is established, users are protected by the same security policies as your on-site users. GlobalProtect secures users on a range of platforms, including:
- Mac OS X