Editor's Note: This Palo Alto firewall product overview is part of a series on buying network security products for the enterprise. The series explores the evolution of network security and lays out some major use cases. It also looks at the buying criteria for network security products and compares the leading network security vendors in the market.
The Palo Alto firewall line from Palo Alto Networks includes enterprise next-generation firewalls (NGFWs) on both hardware and virtualized platforms. These firewalls inspect and analyze all traffic in a variety of deployment scenarios, including the network perimeter, data centers and branch offices. Additionally, Palo Alto firewalls offer GlobalProtect -- an integrated mobile security application that protects mobile devices when they access corporate resources. Traps advanced endpoint protection, meanwhile, protects Windows systems that can no longer be patched.
NGFW platform options
There are 19 different Palo Alto firewall models offering NGFW functionality -- five of which are virtual servers. The primary differences between the firewall models boil down to performance and physical port connectivity needs. We'll take a look at a few options to give you an idea of the wide range of capability differences:
The PA-200 series is a lower-end Palo Alto firewall. This is a hardware-based, fixed-port firewall that has four 10/100/1000 Mbps interfaces. The firewall is capable of a maximum of 100 Mbps of Layer 7 firewalling throughput -- 50 Mbps when threat prevention analysis is added. The firewall provides up to 10 security zones and can handle up to 1,000 simultaneous connections per second.
A mid-level, hardware-based firewall, the PA-3050 appliance boasts eight fixed 1 Gbps small-form pluggable (SFP) interfaces supporting either copper or fiber optic transceivers. The 3050's performance leaps up to a maximum of 4 Gbps Layer 7 firewalling throughput -- 2 Gbps with the inclusion of threat prevention analysis. This firewall offers up to 40 different security zones and can handle 50,000 connections per second.
At the high end is the PA-7080 -- a chassis-based firewall engineered with line cards to expand both port capacity and performance capabilities. When fully loaded, the PA-7080 has a maximum Layer 7 throughput of 200 Gbps -- 100 Gbps with the inclusion of threat prevention analysis. The Palo Alto firewall can segment up to 900 different security zones and handles up to 1.2 million connections per second.
Palo Alto offers four different virtualized NGFW appliances. The virtual appliances support the exact same firewall features as the hardware-based versions. The VM-Series is supported in all the popular virtualized environments and is an option in the Amazon Web Services marketplace.
Pricing and support
Unless you are renting the use of a VM-Series NGFW on Amazon, purchasing a Palo Alto firewall requires you to buy through a Palo Alto channel partner. The partner ultimately sets the purchase price. List price for Palo Alto firewalls starts at around $2,000 and can go well beyond $1 million for a well-equipped PA-7080.
Palo Alto offers five levels of support; all provide phone and email response, hardware replacement and access to updates. More advanced tiers offer faster access to support services and sometimes a dedicated team of support staff. Turnaround for replacement parts is faster in higher-level tiers and one tier gives you the option to keep spare hardware on site.