Single Pass
Operations once per packet:
o Traffic Classification (App-ID)
o User/Group Mapping (User-ID)
o Content Scanning: Threats, URLs, Confidential Data
One Policy
Parallel Processing
Function-specific parallel processing hardware engines
Separate Data/Management Planes
Cheatsheet v1.1
Palo Alto Networks: Single Unified Policy
Competitors: Separate Policies for FW, App, IPS, AV
Predictable Performance
Objection Handling

My Firewall can do that...
Port-based firewalls attempt to address application control with add-on, IPS-like components. This results in duplicate policies that cannot be easily reconciled, duplicate log databases that reduce visibility, an inability to systematically manage unknown traffic, and a weakening of the deny-all-else premise that firewalls are built on.

My UTM can do that...
UTMs are port-based firewalls with add-on, IPS-like components that do not share information (context). They are designed to reduce costs through consolidation. UTMs have duplicate policies that cannot be easily reconciled, have duplicate log databases that reduce visibility, are unable to systematically manage unknown traffic, and weaken the deny-all-else premise that firewalls are built upon.

My IPS can do that...
An IPS allows by default: if it doesn't know about a threat, the traffic passes through, and unknown traffic goes through. An IPS downstream from a firewall has no context other than the port number that was allowed, and has to decide whether to block purely on signature.

My Secure Web Gateway can do that...
Secure web gateways provide limited protection because, by definition, they only look at HTTP/HTTPS traffic passing over default ports. Organizations need to address protection of all network traffic, over all ports and for any application, which is what a firewall has always been designed to do.
Competitive Landscape
Security Technologies: Palo Alto Networks versus competitors (*sources as of June 2014; row labels for the middle rows were lost in extraction):
o Advanced Persistent Threat (APT): FireEye / Lastline, Damballa
o Check Point / Fortinet / Juniper / Cisco
o SourceFire / Tipping Point
o URL Filtering: Blue Coat / WebSense
o Mobility (MDM Focus): MobileIron / Good / AirWatch

The above table shows Palo Alto Networks is the only solution in the market that handles every single vertical of security capabilities. Position Palo Alto Networks whenever a customer's security technology needs or the competition are mentioned in an opportunity. Use the "Why Palo Alto Networks?" table to differentiate us from all the competition.
Product Offering
Next Generation Enterprise Security Platform

Model     Throughput (firewall / threat prevention)   Ports                               Sessions Capacity
PA-7050   -                                           -                                   24,000,000
PA-5060   20 Gbps / 10 Gbps                           -                                   4,000,000
PA-5050   10 Gbps / 5 Gbps                            -                                   2,000,000
PA-5020   5 Gbps / 2 Gbps                             -                                   1,000,000
PA-3050   4 Gbps / 2 Gbps                             8 SFP (1 Gig), 12 copper gigabit    500,000
PA-3020   2 Gbps / 1 Gbps                             8 SFP (1 Gig), 12 copper gigabit    250,000
PA-500    250 Mbps / 100 Mbps                         8 copper gigabit                    64,000
PA-200    100 Mbps / 50 Mbps                          4 copper gigabit                    64,000
Sizing

Deployment                No. of Users      Model Range
Small Branch Office       1 to 10           PA-200
Small Office              10 to 50          PA-500
Medium Office             50 to 500         PA-3000 Series
Large Office              500 to 10000      PA-5000 Series
Campus/Service Provider   10000 and above   PA-7000 Series
Data Center               NA                PA-7000 Series

Please note that the suggested sizing above is based on best-case deployment. Consult your local Palo Alto Networks sales person for more accurate sizing.
Virtualization

VM-Series for VMware vSphere Hypervisor (ESXi)
o VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on VMware ESXi
o Deployed as part of the virtual network configuration for East-West traffic inspection
o ESXi 4.1 and 5.0 for PAN-OS 5.0; ESXi 5.5 for PAN-OS 6.0

VM-Series for Citrix NetScaler SDX
o VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on Citrix NetScaler SDX
o Consolidates ADC and security

VM-Series for VMware NSX
o VM-1000-HV for NSX deployed as a service with VMware NSX and Panorama
o Automated deployment, transparent traffic steering, dynamic context-sharing
o Ideal for East-West traffic inspection
WildFire

WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by directly executing them in a scalable, cloud-based virtual sandbox environment. WildFire automatically creates and disseminates protections in near real-time to help security teams meet the challenge of advanced cyber attacks. Extending the next-generation firewall platform that natively classifies all traffic across nearly 400 applications, WildFire uniquely applies this behavioral analysis regardless of ports or encryption, including full visibility into web traffic, email protocols (SMTP, IMAP, POP) and FTP.
GlobalProtect

o The GlobalProtect Agent authenticates via the Portal and conducts location discovery.
o If the location is internal, no VPN tunnel is established; only user and host information is sent to the Portal.
o If the location is external, the GlobalProtect Agent chooses the best gateway to connect to from the list provided by the Portal. Once selected, the VPN tunnel is established, and user and host information is sent to the Portal.

Note that Portal and Gateway can be configured on the same Next Generation Security Platform. No licensing or user license is required for a single portal, single external gateway setup without HIP Check or GlobalProtect Mobile App support.

Licensing matrix (columns: Free / Portal License (Perpetual) / Gateway Subscription), by requirement:
o Single Gateway
o Multiple Gateway
o Internal Gateway
o Host Information Profile (HIP) Check
o GlobalProtect Mobile App
PAN-DB vs. BrightCloud

Database size:
o PAN-DB: Small. Uses a seed database for initial configuration, then the device stays in sync with the Cloud Servers.
o BrightCloud: Large. Relies on a URL database file which is saved to disk and updated daily.
Works without a cloud connection:
o PAN-DB: No. Requires an internet connection to the cloud servers to function.
o BrightCloud: Yes. Cloud Server lookups are optional.
PAN-OS support:
o PAN-DB: Available from version 5.0 and higher.
o BrightCloud: Backwards-compatible with PAN-OS 4.x.
Licensing:
o PAN-DB: URL licensing is reflected as URL4*.
o BrightCloud: URL licensing is reflected as URL2*.

Example of PAN-DB URL License SKUs: if you are quoting a PA-5050 one-year URL Filtering subscription, you may use the PAN-PA-5050-URL2 SKU. Without the subscription license, the customer may still enable URL Filtering based on Custom URL Categories. (Note that the appliance may still show a "no URL Filtering license" warning alert.)
Deployment Use Cases and Subscriptions

Use cases (rows): Mobility (SSL VPN); Mobility (BYOD); Data Center NGFW; Software Defined Network (SDN) / Virtualization; Perimeter NGFW / Branch Office.
Subscriptions and appliances (columns): Intrusion Prevention Systems (IPS); Advanced Persistent Threat (APT): WildFire; URL Filtering (incl. Advanced Malware URL Categories); Other Appliance: VM-Series, MSM (Mobile Device Management, MDM).

The above table shows the different deployment use cases and the subscription service licenses you may add to your quotation for each use case. In a deployment use case like Mobility (BYOD), an additional appliance such as Mobile Device Management (MSM) is recommended as part of the solution.

Example of a deployment use case: if you need to propose a solution on virtualization, you may propose the Threat Prevention license and the WildFire license, as well as the VM-Series virtual appliance.
Deployment Engagements

Business Applications:
o DBs (Oracle, IBM, Hadoop)
o ERP/CRM (Oracle, SAP, Netsuite)
o Collaboration (Webex), Sharepoint, Box.net
o Banking Application (Oracle IPM, Silverlake, Temenos T24)

Capabilities: Application visibility and control; URL Filtering; User access control; Threat Prevention; Bandwidth control; Virus control.

Protocol / Application / Standards:
o Active Directory, LDAP
o Activesync
o FTP
o SecurID, Kerberos, Radius

Protocol / Application:
o Social Networking (Facebook)
o VoIP (Skype)
o Video, Audio (Youtube, Netflix..)
o Games, P2P

SCADA / ICS: CVE; HMI / Workstation; PLC / RTU / IED; Server / Database.

Abbreviations: SCADA (Supervisory Control and Data Acquisition), ICS (Industrial Control System), CVE Identifiers (Common Vulnerabilities and Exposures), HMI (Human Machine Interface), PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), IED (Intelligent Electronic Device), OPC (OLE for Process Control), PI (Plant Information), DCS (Distributed Control System), EMS (Energy Management System)

Protocol / Application (SCADA / ICS):
o Modbus base; Modbus function control
o DNP3
o IEC 60870-5-104 base; IEC 60870-5-104 function control
o OSIsoft PI Systems
o ICCP (IEC 60870-6 / TASE.2)
o Cygnet
o Elcom 90
o FactoryLink
o MQTT
o CIP EtherNet/IP
o Synchrophasor (IEEE C37.118)
o Foundation Fieldbus
o Profinet IO
o OPC
HealthCare Use Cases

o General Workstations On Campus (Headquarter): Next-Generation Firewall
o Remote Practice (Branch): Deploy firewall on premise, manage it centrally; Next-Generation Firewall
o Clinician Remote Access (BYOD/Mobility): GlobalProtect; laptops, iPads, iPhones, Android devices
o Clinical Workstations On Campus (Branch): Next-Generation Firewall

Workstation requirements: access to clinical data and authorized apps for business purposes; controlled access to PHI data through App-ID, User-ID, Content-ID.

Business Applications:
o DBs (Oracle, IBM, Hadoop)
o ERP/CRM (Oracle, SAP, Netsuite)
o Collaboration (Webex), Sharepoint, Box.net
o HL7, DICOM

Protocol / Application / Standards:
o Active Directory, LDAP
o Activesync
o FTP
o SecurID, Kerberos, Radius

Protocol / Application:
o Social Networking (Facebook)
o VoIP (Skype)
o Video, Audio (Youtube, Netflix..)
o Games, P2P