The PA-7050 is our new chassis-based next-generation firewall. It represents yet another innovation milestone for Palo Alto Networks as it takes full next-generation firewall security screaming past the 100 Gbps barrier. The PA-7050 delivers 120 Gbps of App-ID firewall performance, 100 Gbps of DSRI threat prevention and 60 Gbps of non-DSRI threat prevention.
Let’s look at why this is important and why we decided to do this now.
Who Needs 120 Gbps Firewalls?
As a veteran of the firewall market going back to NetScreen, I can say that each performance milestone of 10, 20, 30 Gbps and so on was met with the question of who needs it or why? The forces driving the need for 120 Gbps security are twofold: (1) an insatiable thirst for more bandwidth and (2) a way to defend against increasingly sophisticated cyber attacks that sneak past the crunchy exterior and find little resistance once on the internal network.
The need for more bandwidth is self-explanatory. The need for better end-to-end security is driven by high profile incidents such as APT1 and the recent Target breach. Both of those are perfect examples of how attacks will:
- Use applications as their infiltration vector,
- Mimic applications,
- Exhibit application-like characteristics such as using port 80, or SSL to communicate, yet evade detection, and
- Leverage commonly used applications like FTP and RDP for exfiltration.
Protecting against this new type of cyber attack requires true NGFW security – not UTM-based security – deployed at the perimeter, within the datacenter and at key network access points for segmentation.
Purpose-Built vs. Parts-Bin Approach
The PA-7050, like all of our platforms, is purpose-built, designed specifically to address both application level traffic classification (at the firewall) and threat prevention – on all ports, for all applications.
Think of a racing vehicle. Whether it’s F1, Indycar, Nascar or Rally car, its purpose-built to go fast. It is not just the engine, the suspension, or the aerodynamics that makes it go fast. It is the sum of all parts working together for a specific purpose. The PA-7050 follows the same approach. It starts with a single pass software architecture where we identify what the application is, no matter which port, as soon as it hits the firewall. At that same time, we look for any type of threat within that traffic and make policy decisions accordingly. The single pass software eliminates redundant processes while maintaining the context of the application and the user for policy decisions, visibility, reporting and forensics. The single-pass software is then married to more than 400 processors distributed across the PA-7050 chassis subsystems, all working in tandem to deliver next-generation firewall security at throughput speeds of up to 120 Gbps.
Continuing with a race car theme, alternative firewall offerings take a parts-bin approach to both the software and the hardware. The software bolts IPS and AV, then application control components onto stateful inspection. Each scan is an individual decision, often times a separate policy, made in isolation, impacting performance, limiting policy decision making and forensics. The chassis hardware you see in the market also take a parts-bin approach by wrapping many individual firewalls in sheet metal, often times requiring separate software management, licensing, and support for each. These platforms deliver top end speed that may be faster than the PA-7050, but when application level, next-generation firewall security is applied, their degradation is as high as 88%. Put another way, you’re getting 12% of what you think you paid for.
To summarize, the PA-7050:
- Delivers the same functionality as all of our other appliances, but at over 100 Gbps. This means full NGFW security that can be applied to perimeter gateways, within the datacenter and across key internal network access points for segmentation.
- Scales in a linear manner. As you add up to 6 processing cards the PA-7050 intelligently applies all available networking and security processing power to application layer traffic classification and threat protection tasks. No traffic engineering changes are required in order to utilize the added capacity. It just goes faster, much like when you press the accelerator in your car.
- Is managed and licensed as a single system no matter how many processing cards you use, making it no different from a user perspective, than our smallest appliance, the PA-200. The fixed subscription and support costs means that from day 1, you will know what your annual operational costs are. Start with a single processing card, then add up to 6, and the annual operational costs remain exactly the same – year in and year out.
Join us this Thursday, Feb. 13, for a live videocast on the PA-7050. Nir Zuk, CTO and Co-Founder, Lee Klarich, SVP, Product Management, and Scott Gainey, VP of Product Marketing, will take your questions and discuss the latest innovations from Palo Alto Networks.