This week we launched the PA-200 next-generation firewall and PAN-OS 4.1. This product launch really honed in on two key areas our enterprise customers need help with:
Our announcement was well received. Over the course of the launch, I spoke with a number of analysts and press, and a few key questions stuck out:
When I talked to Neil MacDonald, who has been a champion of bringing context to network security (e.g., bringing application and user into firewall policy decisions), he brought up the fact that the ability to bring CONTEXT into the firewall policy (i.e., not port 80 allow, but Skype or SharePoint allow) is what makes it next-generation. Similarly for the IPS: if the IPS cannot incorporate context (an element of which is application) in its analysis of traffic, it’s not next-generation.
Somewhat related to that, I had a few reporters ask how this was different from a UTM box in the branch office, and the same applies – if the “allow” decision is made based on port, and then any application analysis is subsequent, it’s a UTM. UTM typically has cost savings as its primary design goal. NGFWs, per the comment above, focus on bringing context into that same decision.
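To make the difference in decision order concrete, here is a small model added for illustration; it is not Palo Alto Networks code or PAN-OS configuration. The flows, user names, application labels and rule tables are constructed, and the model assumes the application label is available regardless of port.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:
    user: str
    app: str        # label a protocol decoder would assign (constructed)
    dst_port: int

# Constructed sample traffic: several applications sharing TCP/80.
FLOWS = [
    Flow("alice", "sharepoint", 80),
    Flow("bob", "skype", 80),
    Flow("alice", "skype", 80),
    Flow("carol", "unknown-tunnel", 80),
    Flow("alice", "sharepoint", 8080),
]

ALLOWED_PORTS = {80}                                    # "port 80 allow"
APP_POLICY = {"sharepoint": {"alice", "bob", "carol"},  # "SharePoint allow"
              "skype": {"bob"}}                         # "Skype allow", per user

def port_first(flow: Flow) -> Tuple[str, Optional[str]]:
    """Port makes the allow decision; application analysis is subsequent."""
    if flow.dst_port not in ALLOWED_PORTS:
        return "deny", None
    # The session is already admitted; analysis can only report after the fact.
    permitted = flow.user in APP_POLICY.get(flow.app, set())
    return "allow", (None if permitted else f"post-allow finding: {flow.app}")

def context_first(flow: Flow) -> str:
    """Application and user are the match criteria of the allow decision."""
    return "allow" if flow.user in APP_POLICY.get(flow.app, set()) else "deny"

def disagreements(flows):
    """Flows where the two decision orders reach different verdicts."""
    return [f for f in flows if port_first(f)[0] != context_first(f)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, port_first(f), context_first(f))
```

The three flows on which the models disagree are the ones a port rule cannot express: a user not permitted to use an application on an allowed port, an unrecognized application on an allowed port, and a permitted application on a port with no rule.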
Sandboxes have been around for a long time. Remember Finjan? The difficulty is deploying them in the network. More specifically, collection and enforcement tend to be challenges. First, the sandbox has to see all of the traffic on all ports. Second, it has to be able to decode all of the application protocols. Third, in order to do any enforcement, it has to be in line. TCP resets are not an enforcement mechanism, to quote a friend of mine. In-line sandboxes = latency. The NGFW, on the other hand, is in-line and sees all traffic, has application protocol decoders, and does enforcement – all at line speed with low latency. Combine that with the ability to send unknown executable content up to a cloud-based sandbox and you have an enterprise-deployable capability, which is in sharp contrast to previously conceived sandbox technology.