NGFW Security in The Data Center
©2015, Palo Alto Networks. Confidential and Proprietary.
PALO ALTO NETWORKS AT-A-GLANCE
Firewall placement is designed around expectation of layer 3 segmentation
Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
MS-SQL SharePoint Web Front End
In the cloud, applications of different trust levels now run on a single server
VM-VM traffic (East-West) needs to be inspected
Port and protocol-based security is not sufficient
Virtualized next-generation security is needed to:
Safely enable application traffic between VMs
Protect against cyber attacks
Provisioning of applications can occur in minutes with frequent changes
Security approvals and configurations may take weeks/months
Dynamic security policies that understand VM context are needed
South traffic
Securing East-West traffic
Virtualized servers
Physical servers
Next-generation appliances
Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
WildFire: WF-500
Virtual: VM-Series (ESXi, KVM, Amazon) & VM-Series-HV for NSX
Subscriptions: Threat Prevention, URL Filtering, GlobalProtect™, WildFire™, Endpoint (TRAPS)
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Management system: Panorama, M-100 appliance, GP-100 appliance
Operating system: PAN-OS™
[Diagram: San Jose and Miami DC sites; labels: SharePoint, Linux, Servers, Web Servers, MySQL Servers]
WildFire
THREAT INTELLIGENCE CLOUD
192,000 Anti-malware protections per day
24,000 URL protections per day
12,000 DNS protections per day
Protections delivered automatically in 15 minutes
Rich forensics and reporting for quick, detailed investigation
1 Breach the perimeter
Next-Generation Firewall / GlobalProtect
Visibility into all traffic, including SSL
Enable business-critical applications
Block high-risk applications
Block commonly exploited file types
Threat Prevention
Block known exploits, malware and inbound command-and-control communications
URL Filtering
Prevent use of social engineering
Block known malicious URLs and IP addresses
WildFire
Send specific incoming files and email links from the internet to public or private cloud for inspection
Detect unknown threats
Automatically deliver protections globally

2 Deliver the malware
Traps / WildFire
Block known and unknown vulnerability exploits
Block known and unknown malware
Provide detailed forensics on attacks

3 Lateral movement
Next-Generation Firewall / GlobalProtect
Establish secure zones with strictly enforced access control
Provide ongoing monitoring and inspection of all traffic between zones
WildFire
Detecting unknown threats pervasively throughout the network

4 Exfiltrate data
Threat Prevention
Block outbound command-and-control communications
Block file and data pattern uploads
DNS monitoring and sinkholing
URL Filtering
Block outbound communication to known malicious URLs and IP addresses