OK so I will put my hands up. We published an item about the Palo Alto PA 2050 a few months back, and - well, let's just say that it was a 'bit' over the top. Just a touch... over-enthusiastic. Like a rabbit on Rohypnol, more like.
It's just that every now and then you come across a 'game changer' - something that seems to right so many previous wrongs that you can't help but enthuse about it.
After a few cold showers, we're now back to re-post, and we're going to try our best not to 'over-juice' it.
What it basically boils down to is that these firewalls are the very first of a new generation of behaviour- and content-'aware' firewall devices. Some might call them 'Full Layer Firewall Devices'; others less technically inclined would say that these firewalls don't just base their security policies on where something is coming from and where it's going to, but, importantly, on exactly what that 'something' is and whether its behaviour is 'suspicious' or not. Whatever you want to call them, they do represent a significant upshift in capability when compared to your average run-of-the-mill firewall device.
This advanced capability is made even more impressive thanks to the PA 2050's ability to 'virtually' segment sections of the firewall device off. So out of the 16 gigabit ports on the device, you can slice and dice a number of firewalls that, to all intents and purposes, are separate firewall devices. The benefits of this feature (known as 'Virtual Systems') to anyone running multi-tier hosting facilities and needing to conform to standards such as PCI are glaringly obvious. Where you might have needed three pairs of firewalls across your three tiers, now you might just need a single pair of PA 2050s.
This not only saves a heap of cash, space and power, but also reduces the administration footprint - and of course the 'compliance footprint'.
One of the first tasks we gave our PA 2050 was to become what would effectively be a 'network condom' for a mini-cloud style hosting environment. The PA 2050 can operate in three different operating 'modes': 'Transparent', 'Layer 2' (switching) and 'Layer 3' (routing), and thanks to the multiple 'Virtual Systems' that the device supports, it's possible to deploy all three operating modes on the same hardware. Naturally, the easiest means of deploying our 'condom' was to go with the Transparent mode, so the device was simply slipped on over the edge of the hosting network, in front of the existing 'dumb' or non-application-aware firewalls. There were no configurations to change - just a quick re-patch of the cables to go via the new device and you're ready to go. Instant ROI.
(above) Monitor & Manage global threat outbreaks using the ’Threat Map’
Thanks to the PA 2050's excellent reporting, we were then able to sit back and marvel as the device dealt with port scans, host sweeps, SQL injection attacks, viruses, trojans and Win32.Conflicker.C.psp attempts. We knew the threats were there before - we'd just never seen their manifestations and alarming frequency presented to us in such a 'graphic' form. It kind of brings it home.
(above) View a cross section of what is really eating your bandwidth...
The other benefit of being application-aware is the extremely useful bandwidth reporting, which can be logged, exported and, with a bit of tinkering, fed into other back-end systems if required. Perhaps your existing network monitoring system breaks bandwidth usage down into protocols. That's great - but when there is so much being pumped down HTTP on port 80, how can you break that usage down by content type? That's just not possible with your traditional sFlow or NetFlow switch monitoring system, which sees ports and protocols but not the applications riding on top of them.
With this device, at last you can see bandwidth use split by the specific application type - such as YouTube, Facebook, Flash or Outlook Web Access. This really makes you feel like someone just turned a light on in your dark and dingy network operations centre.
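To show what the port-only view hides, here is an added example (not code from the original post or from Palo Alto) that reads a constructed, simplified export of an application-aware traffic log and produces both a NetFlow-style per-port breakdown and the per-application breakdown described above. The column layout is an assumption for illustration, not the real PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not a real PAN-OS log); one flow per line.
# Columns: source, destination, destination port, identified application, bytes.
SAMPLE_LOG = """\
src,dst,dport,app,bytes
10.1.1.20,203.0.113.10,80,web-browsing,120000
10.1.1.21,203.0.113.11,80,youtube,950000
10.1.1.22,203.0.113.12,80,facebook,310000
10.1.1.23,203.0.113.13,80,flash,640000
10.1.1.24,203.0.113.14,443,outlook-web-access,200000
10.1.1.25,203.0.113.15,443,web-browsing,80000
10.1.1.26,203.0.113.16,25,smtp,50000
"""

def parse_log(text):
    """Return one dict per flow, with dport and bytes converted to int."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        records.append(row)
    return records

def bytes_by_port(records):
    """Port-level view: the most a plain sFlow/NetFlow breakdown can offer."""
    totals = defaultdict(int)
    for r in records:
        totals[r["dport"]] += r["bytes"]
    return dict(totals)

def bytes_by_app(records, dport=None):
    """Application-level view; pass dport to see what a single port is hiding."""
    totals = defaultdict(int)
    for r in records:
        if dport is None or r["dport"] == dport:
            totals[r["app"]] += r["bytes"]
    return dict(totals)

def top_apps(records, n=3):
    """The n heaviest applications as (app, share of all bytes) pairs."""
    by_app = bytes_by_app(records)
    total = sum(by_app.values())
    ranked = sorted(by_app.items(), key=lambda kv: kv[1], reverse=True)
    return [(app, round(b / total, 3)) for app, b in ranked[:n]]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by port:", bytes_by_port(recs))          # port 80 is one big blob
    print("port 80 by app:", bytes_by_app(recs, 80))  # the blob, split by application
    print("top apps:", top_apps(recs))
```

Swap `SAMPLE_LOG` for a real export with matching columns and the same functions give you the per-application view the post is describing, ready to push into whatever back-end reporting system you already run.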
There are of course many other things we like about the PA 2050 - but that’s it for now.
We don’t want to seem too keen do we?