This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
The PA-4050's key component, the App-ID, uses three classification engines working in concert to accurately identify the applications traversing the network, irrespective of the ports used. This enables enterprises to address security evasion tactics such as the use of nonstandard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls.
The application decoder engine identifies the protocol structure and the overall traffic pattern to flag anomalies. The signature engine identifies the exact application based on more than 450 definitions, which are updated periodically (updates have to be downloaded manually through the administration portal; we received two updates during our one-month review).
The SSL decryption engine offers visibility into encapsulated traffic without disclosing any of the data contents.
The application command center provides a very detailed multilayer graphical representation of the application activity at any given time, such as a real-time list of Top 10 applications in use, Top 10 high-risk applications, etc. These lists can be clicked on to obtain more information about each application, IP addresses, access times and even UserIDs if AD integration is configured.
The customizable dashboard displays general device information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. Real-time on-box logging, in addition to the graphs, can be filtered on 17 different fields, including source/destination, user/group, application and usage. In addition to tracking user and traffic activities, the log viewer provides visibility into administrative changes to the firewall based on admin ID, timeframe, result and changes made. Except for the traffic log, all logs are saved locally by default. Traffic logs can be sent remotely to a syslog server or as email notifications. About 25 "top 50" predefined reports provide a good summary of all the major activities, threats, and traffic patterns. At this time, the reports cannot be exported to PDF, XML or any other format.
The PA-4050 also supports high-availability configuration, and organizations with multiple Palo Alto devices can use Panorama, the central management system, to manage all devices from a single interface.
Testing methodology: The PA-4050 was evaluated in a typical test lab environment open to the Internet. A variety of well-known and custom P2P and IM applications were used to send and receive traffic through the firewall, along with attacks, suspicious URLs and worm downloads.
This was first published in March 2008