With a new modular firewall, Palo Alto Networks hopes enterprises will consider its next-generation firewalls for all possible use cases, not just as the Internet gateway.
Available now, the PA-7050 is a six-slot chassis with a 1.2 Tbps backplane. Palo Alto is shipping a 20 Gbps line card for the product today, and promises beefier line cards in the future. When fully populated with line cards, the Palo Alto firewall has 120 Gbps of application-aware throughput.
This Palo Alto firewall is aimed at winning over customers who have been reluctant to deploy its products in the data center core or for network segmentation, where larger enterprises may need 60 Gbps of throughput or more.
"For customers [the PA-7050] is about making sure a device will scale to what they need," said Mike Rothman, analyst and president of Securosis, a Phoenix-based security research and consulting firm. Many next-generation firewalls have struggled to scale when IT organizations turn on added functions like intrusion prevention and SSL termination, he said. "The devices would have a drastic decrease in throughput and performance, they would start dropping packets, and, in some cases, they would fall over." Rothman said the PA-7050 addresses that perceived limitation.
Until now, the topline Palo Alto firewall was the PA-5060, a 20 Gbps firewall that slowed down to 10 Gbps with "threat prevention" (intrusion prevention and antivirus) enabled. The PA-7050 tops out at 120 Gbps and only drops down to 100 Gbps with threat prevention turned on. In bi-directional mode -- a prerequisite for use cases such as network segmentation -- the PA-7050 maxes out at 60 Gbps. The chassis' IPSec VPN throughput is 24 Gbps. It supports 24 million concurrent sessions and 720,000 new sessions per second.
"There are a lot of vendors out there who tout maximum performance levels that, at face value, are no different from what this box can perform at," said Scott Gainey, vice president of product marketing and programs for Palo Alto. "When you turn on the next-generation capabilities, that's when competitor performance degrades massively."
The PA-7050's performance drops only to 83% with threat prevention turned on, while competitors' products degrade to 13% or 18% of their published maximum throughput, he said. "This forces customers to compromise. They need the performance. They can't have any impact on their networks so they turn some things off and that leaves them exposed to risks."
Palo Alto said enterprises increasingly need application visibility in the firewalls they use to segment networks and secure the data center core. For example, the Trojan that compromised Target's point-of-sale systems may have been detected by firewall segmentation that could inspect at Layer 7, said Matt Keil, product marketing manager at Palo Alto. "That threat was using FTP and NetBIOS," he said. "It looked like an application and smelled like an application. So ports and protocols wouldn't work."
Rothman said most enterprises don't currently need application visibility in those internal use cases, but that day is approaching. "As organizations move how they think about network security policies from ports and protocols to more application-aware policies, you'll see that come into play, but it's still pretty early. But the reality is that it's just a logical place to go. Nobody is building specific, proprietary protocols for in-house applications anymore. Everything is run on a Web browser or an application stack that looks a lot like Port 80 or Port 443."
Additional scalability and cost control
Palo Alto's approach to licensing the PA-7050 is distinct from other chassis-based firewalls. Competitors often license functions on a per-line-card basis. Palo Alto is selling licenses for intrusion prevention and other functions on a per-chassis basis. Enterprises will pay a flat price for each function and only pay the capital cost of a line card when they need to scale up capacity.
The 1.2 Tbps backplane of the PA-7050 also ensures enterprises can grow this firewall over time. Palo Alto will eventually produce new line cards that take advantage of the unused capacity in the chassis. For instance, Palo Alto plans to offer line cards with 40 Gigabit Ethernet interfaces in the future, Keil said.
Palo Alto said the PA-7050 chassis with one line card, support and service subscriptions starts at a little more than $300,000. Each additional line card will cost $150,000.