News Stay informed about the latest enterprise technology news and product updates.

WAN management: Palo Alto adds traffic shaping, QoS, to firewalls

Firewall vendor Palo Alto Networks has added quality of service and traffic shaping capabilities to its firewall operating system. The new features transform the notion of the traditional firewall into a WAN management technology.

By adding new firewall traffic shaping and quality of service (QoS) capabilities, Palo Alto Networks is trying...

to transform the role of the firewall from traffic cop to a WAN management technology.

Palo Alto announced this week that PAN-OS 3.0, the latest version of its firewall operating system, will have QoS features that take advantage of the company's Layer 7 visibility to shape traffic and set QoS for specific applications.

John Kindervag, senior analyst with Forrester Research, said doing QoS within a Palo Alto firewall offers enterprises a chance to save money and consolidate devices.

"It's fairly revolutionary to have that level of QoS and traffic shaping built into the product, where you can do traffic shaping as part of a rule," Kindervag said. "You've seen other [firewall] players like Check Point have the ability to do some traffic shaping and QoS, but not really by rule and not as granular as this. This puts Palo Alto in competition with some other bandwidth management and WAN acceleration tools. You're going to get 80% of the functionality of some of the more dedicated tools, but you get it for free with the Palo Alto product."

Traffic shaping is the practice of regulating the flow of network data transfer to ensure a certain level of performance or QoS for certain forms of traffic. Network managers can use this technology to set limits on how much bandwidth non-critical applications can consume. This also allows them to set QoS thresholds for critical applications. Given that Palo Alto's firewalls have application-level visibility into network traffic, the vendor's traffic shaping and QoS technology is more capable of properly identifying and shaping traffic by application.

Kindervag said Palo Alto's decision to write traffic shaping and QoS directly into the operating system of its firewall products gives it the ability to offer much more granular traffic shaping and QoS capabilities than other firewall vendors that have dabbled in this field.

"It's not bolted on. It's built into the OS. I always felt that Check Point's solution was kind of bolted on. It worked to some degree between… Check Point gateways, but it doesn't work with a lot of other applications," he said. "[With Palo Alto], as you're coming in, you're able to put traffic shaping as part of a rule for traffic. And the difference is that Palo Alto doesn't just look at port protocols, source address and destination address. It looks at the application, the user, and it looks at all other kinds of things."

Ricardo Capuno, a technical marketing engineer at Check Point, said that the company's old Floodgate product was very much a "bolted on" box for QoS, but he said Check Point has built new QoS features into its R70 Security Gateway products, which allows its customers to do priority service and low latency queuing. He said that Check Point, like Palo Alto, has recognized that WAN management is an important part of the firewall's future.

One of our partnerships right now is with Riverbed," Capuno said. "Their primary focus is WAN optimization and shaping traffic when it comes to communications between two Riverbed boxes. We have partnered with them to enable our R70 Security Gateway on their boxes."

More on QoS and traffic shaping

Understanding the network application environment

Interpreting bandwidth utilization graphs

Troubleshoot and analyze performance of WAN applications

Chris King, Palo Alto's director of product marketing, said that the new QoS features in his company's products offer enterprises an ideal point on the WAN to manage and shape application traffic.

"There are lots of places where one can enforce QoS, but there are not a lot of places where [the QoS device] understands applications," King said. "Our firewall knows what applications are running. There are a lot of dedicated boxes that do QoS. If you look at routers and switches, they are very fast, but they don't have intelligence about the applications that are running. If you look at QoS boxes, they know a lot about applications, but they don't have the performance. They don't have pieces like high-speed queuing to keep up with demand."

"When I was an engineer, I used to use Packeteer to provide QoS and set policies for VoIP networks," he said. "And in this case, if I had a Palo Alto firewall, I conceivably wouldn't have to have [QoS] on an external device."

Kindervag said running QoS through a firewall also reduces the WAN management headaches often associated with trying to set QoS on a router.

"I've found that setting up QoS on routers is pretty painful, so having it more intuitive within the firewall rule set is kind of an interesting thing, especially given that [Palo Alto] is not charging extra for it," he said. "It's just kind of what they're trying to do to redefine the firewall market, giving you more features for your money. I think [enterprises] are looking to get this functionality, and if they can get it out of something they already have [such as a firewall], then I think that will be intriguing for them, especially in a time of budget constraints and cutbacks."

Palo Alto Networks, a 2005 startup, has won many converts in the staid firewall industry by building a product that looks beyond origination and destination of traffic. By identifying traffic by application and user, it has offered enterprises the ability to take a more fine-grained approach to security and WAN management.

Steve Belcher, assistant director of network operations at West Virginia University, switched to Palo Alto a couple of years ago after having multiple problems with an incumbent firewall vendor, which he declined to identify.

"We had a policy to block Google desktop," Belcher said. "Before, the only way to drop an application from the network was to block the URL from being downloaded, which broke things like Google Earth and Google Maps. So now we can block the application and everything else works. We don't want to block anything unless we really need to."

Belcher said the new firewall traffic shaping and QoS capabilities will allow him to go a step further with WAN management by throttling certain applications.

"Skype is a really tough application to manage on the network because it's so robust that it can find holes in a firewall," he said. "Palo Alto can block those holes if you want it to. But if you don't want to block it, you can now actually shape the traffic down to a manageable level. We're always worried about the bandwidth these applications can take, particularly with peer-to-peer applications. Now we can use this box to manage the bandwidth it takes up. We didn't have that functionality before, although we had a traffic shaping device in line. But if you tunnel Bit Torrent through port 80, [the traffic shaping appliance] sees it as HTTP traffic."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor

Dig Deeper on WAN optimization and performance