Industry First Next-Generation Firewall Review: Palo Alto Networks Achieves Short List Status

Last week, Network World (NWW) published the first ever next-generation firewall functionality and performance review using the PA-5060 running PAN-OS 4.0. To test the functionality, NWW focused their efforts on the visibility and control over applications, the ability to tie users into policy and visibility, and the ability to inspect the content for threats. The title of the functionality article summarizes the results very succinctly: Palo Alto [Networks] Earns Short List Status. For performance testing, NWW proposed, and we agreed on a set of criteria that are the most strenuous we have seen in the nearly 10 years of firewall product reviews. When the testing was complete, the title of the performance article summarizes the results nicely: PA-5060 is One Fast Firewall.

Application control begins with visibility

Since 2007, one of the pillars of our messaging  has been application visibility is the first step towards regaining control over the applications traversing the network.  In the functionality review, the numerous visibility (ACC, Log Viewer, Reporting) tools received high marks, prompting Joel Snyder, a tough but fair reviewer to state that the view into applications, URL categories, threats and data patterns “will likely be an eye-opener for most network managers, as most of these data are not available in traditional visibility tools.” Snyder concludes that “the visibility tools are so good that it's difficult to find serious fault with the PA-5060. We certainly had a higher level of visibility than any other firewall has given us.”

Application Enablement

Enabling applications has become a critical item for many organizations – employees expect to be able to use whatever application they need to get their job done. Blindly allowing or blocking these applications may hurt the business, so securely enabling them is the best approach. Here too, Snyder observed, “For every rule that lets traffic through the firewall, you can apply a separate Security Profile. This would let you apply, for example, one set of DoS protections to seldom-used Web servers and a different set to heavily-used ones. Or, you could apply different IPS signatures for incoming traffic than for outgoing.” Snyder concludes that, the PA-5060 has adopted an easy-to-use model with the right amount of flexibility.”

Real-world performance tests

The PA-5060 has been built for high performance application identification and control – it uses dedicated processors for networking, security (3 x multi-core Cavium), content inspection and management. We need that type of processing power to continually classify and control applications. When NWW proposed the pure HTTP test scenarios, we agreed, knowing we wanted to go beyond the traditional firewall “UDP and large packets (1,518 bytes)” testing that always results in a favorable but unrealistic datasheet performance number. The agreed upon a set of test criteria uses HTTP with a mix of payloads (table 1) as well as static HTTP traffic (10kb and 512kb response sizes). These criteria were used for all of the tests.

The PA-5060 achieved 18.7 Gbps of static (512kb) HTTP throughput and 17 Gbps of mixed HTTP throughput – these are spectacular results. In addition to maximum firewall throughput tests, Newman tested maximum throughput with services enabled as well as the first ever test of firewall-based SSL decryption and inspection. Here too, the PA-5060 performed as expected delivering nearly 1 Gbps of max throughput.

The good and the not-so-good…

As with any review, there are a few issues that Network World highlighted.

• SSL performance with full threat prevention enabled. The 100 and 118 Mbps of SSL decryption with full threat inspection enabled is the result of a test-tool configuration issue plus a PAN-OS software defect found after the review had been submitted. The defect has been fixed in PAN-OS 4.0.4 and running the exact same test internally has shown 1.2 Gbps of throughput with SSL decryption and full threat scanning enabled.

• We do not see ourselves as a UTM: The reviewer uses UTM liberally, but does so as a descriptive term of a security device that does many things. From the review, “Next-generation firewall vendors don't like the term "UTM" (Unified Threat Management) very much because UTM products have been unfairly painted as only appropriate for small businesses. However, next-generation firewalls need threat mitigation features just as much as UTM firewalls do. While the buzzword police fight out the differences and split hairs, we tested the PA-5060's UTM features, including intrusion prevention (IPS), anti-malware and URL filtering.” We do not think we are a UTM and have no way to influence how the reviewers choose to describe what we do.

• User-ID: The statement, “Gathering user identification information is hard” acknowledges (correctly) that identifying users in heterogeneous environments is challenging – we do not see it as an indictment of the User-ID feature. In fact, later in the article, Snyder encourages its use, “Since every session through the PA-5060 firewall is logged with extensive information, adding user identification just makes the job of the security analyst that much easier. For this reason, we'd recommend turning on user identification, even if it doesn't properly identify 100% of network users.”

Another step in the ongoing process

This is yet another small step in our continued efforts to differentiate ourselves from the competition and grow our business.

Thanks for your support.