Information Security Magazine


Product review: Palo Alto Networks PA-4050
Issue: Mar 2008

Effectiveness: B+

The PA-4050's key component, the App-ID, uses three classification engines working in concert to accurately identify the applications traversing the network, irrespective of the ports used. This enables enterprises to address security evasion tactics such as the use of nonstandard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls.

The application decoder engine identifies the protocol structure and the overall traffic pattern to flag anomalies. The signature engine identifies the exact application based on more than 450 definitions, which are updated periodically. (Updates have to be downloaded manually through the administration portal; we received two updates during our one-month review.)

The SSL decryption engine offers visibility into encapsulated traffic without disclosing any of the data contents.

The application command center provides a very detailed multilayer graphical representation of the application activity at any given time, such as a real-time list of Top 10 applications in use, Top 10 high-risk applications, etc. These lists can be clicked on to obtain more information about each application, IP addresses, access times and even UserIDs if AD integration is configured.


Administration/Monitoring: B

The customizable dashboard displays general device information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. Real-time on-box logging, in addition to the graphs, can be filtered on 17 different fields, including source/destination, user/group, application and usage. In addition to tracking user and traffic activities, the log viewer provides visibility into administrative changes to the firewall based on admin ID, timeframe, result and changes made. Except for the traffic log, all logs are saved locally by default. Traffic logs can be sent remotely to a syslog server or as email notifications. About 25 "top 50" predefined reports provide a good summary of all the major activities, threats, and traffic patterns. At this time, the reports cannot be exported to PDF, XML or any other format.

The PA-4050 also supports high-availability configuration, and organizations with multiple Palo Alto devices can use Panorama, the central management system, to manage all devices from a single interface.


Verdict
Palo Alto's application-centric approach to traffic classification brings policy-based application control back to the network security team. The ability to trace network traffic to individual users rather than a subnet or an IP address might be of interest to many organizations as well. The add-on threat prevention components and real-time graphical reports make the PA-4050 a coveted security solution for organizations requiring high firewall throughput, while consolidating security devices.



Testing methodology: The PA-4050 was evaluated in a typical test lab environment open to the Internet. A variety of well-known and custom P2P and IM applications were used to send and receive traffic through the firewall along with attacks, suspicious URLs and worm downloads.

