Editor's note: Next-generation firewalls (NGFWs) are becoming an essential tool for organizations taking steps...
to fortify their network security. Our easy-to-digest reviews look at what you can expect from NGFWs. To help you understand what you should look for when assessing a next-gen firewall, click HERE for our NGFW buying overview.
Palo Alto Networks has a number of different models of its flagship next-generation firewall (NGFW) platform, but the PA-5060 is one of the most popular for high-end enterprise data centers. With its advertised maximum 20 Gbps throughput and 4 million maximum sessions through the device, as well as numerous gigabit and fiber interfaces, the PA-5060 is best suited for core data center deployments.
Palo Alto offers most enterprise features in its entire line of devices, with several noted exceptions. The biggest differentiator tends to be a loss in performance, particularly with advanced features enabled under load.
The PA-5060 has a broad array of application identification capabilities, both through the App-ID identification console and the Application Command Center, or ACC, "summary" view of which applications are in use and by whom. The PA-5060 came with a library of several thousand known applications that could be identified; and in testing, the Palo Alto did a good job of tagging application traffic ranging from Skype to databases to Gmail. Creating rule policies focused on these applications is also simple, with an easy-to-use drag-and-drop interface.
The user identity features of Palo Alto are very sophisticated but somewhat difficult to implement. Linking the PA-5060 to Active Directory took a lot of work, and still had some kinks to iron out several weeks into a deployment cycle. That said, its ability to create rules and policies focused on user identities, as well as the URLs that users visit, is a powerful feature that performs better than similar features in most of the other NGFW products tested.
The intrusion prevention system (IPS) features with the PA-5060 were excellent. Numerous signature-based threats and attacks were detected and blocked by the device, with strong protocol anomaly detection capabilities for tunneled command-and-control and unusual protocol behavior, as well.
Setting up IPsec rules for VPN connectivity and policies based on VPN users was straightforward with the PA-5060. The advertised maximum number of total IPsec tunnels is 8,000, and we never approached this number in the test. But more than 2,500 tunnels posed no problem in the scenario tested. Clustering was also simple to configure.
Ease of management is high with the Palo Alto products. The native Web interface is simple to navigate and relatively uncluttered. The Panorama central management tool is also easy to use, with strong aggregation and grouping features for numerous locations with Palo Alto firewalls.
The PA-5060 can integrate with Palo Alto's new Wildfire antimalware system, where detected threats are "detonated" in a virtual malware sandbox.
Secure Sockets Layer and Secure Shell inspection are natively available within the PA-5060. Palo Alto did a good job decrypting and analyzing encrypted traffic, but at a noticeable performance cost. The system can also mirror or forward decrypted traffic to third-party systems for deeper data loss prevention, or DLP, analysis, as well as network forensics.
The last word
Overall, the PA-5060 is a relatively easy-to-use next-gen firewall platform with some very advanced features. The one downside to the system is the performance impact associated with application-layer analysis. When we turned on the extensive App-ID inspection rules, IPS rules and SSL decryption capabilities, the device's capacity dropped somewhat from the advertised 20 Gbps throughput, ending up closer to 15 Gbps in our test scenario. The product did a fine job of identifying users and applications, however, and should be on the short list for any enterprise-class NGFW evaluation.
How to buy: Assessing next-gen firewalls
Check Point 12610 review
Fortinet FortiGate 3950B review