REVIEW OF PALO ALTO NETWORKS NGFW: Why Palo Alto Networks Firewalls?
Sam: Welcome to Chromecast, Check It Out. I'm Sam Major, Commercial at Chrome Technologies, and I'm joined once again by Ben Randall, Technical Director and in-house Palo Alto expert.

Ben: Thanks for having me, Sam.

Sam: No problem. We'll draw attention to the very small blue elephant in the room that's making some noise, which we can probably pick up on the microphones, but not as bad as the Dell PowerStore that we had, which I still think I'm suffering somewhat for. But today we have a Palo Alto PA-820 firewall.

Ben: Yes, it's Palo Alto Networks' PA-820.

Sam: It does actually say on the back, so I should have found that easier. But obviously Palo Alto has been our firewall of choice for ten years, I would say, at least. Obviously a big fan.

Ben: Yeah, big fan of their technology, given that, well, in our opinion they're the best firewalls out there. They were first to market with kind of layer 7 deep packet inspection, changing the way, I guess, firewalls worked and really upping the security game.

Sam: This obviously is an 820. There are newer models available?

Ben: Yes.

Sam: I guess the difference is... I know we can see the front on camera and we'll probably do a bit of a closer shot later, but if you want to talk through the 820 we have here and the newer ones in the range.

Ben: Yeah, sure. The 800 series are intended for branch and small to medium offices. This is an 820, which is the lower spec of the two. There's an 850; the main difference between that and this is that the 850 has redundant, hot-swappable power supplies in the back. It has the same arrangement of ports on the front, but four of them are dual-personality 10 gig or 1 gig, whereas this unit is all 1 gig. Fundamentally, the difference between the various models, apart from the number of ports and things like that, is really throughput. So you go back down to the bottom of the range, the PA-400s and the 220s: they're lower performance. They go up through the 800 series, the 3200 series, and you basically get the same user interference...

Sam: User interference? That's exactly why we have [unclear].

Ben: Yes, that's absolutely... the same user interface and features, but you get greater performance.

Sam: It's just, I guess, the amount of bandwidth that we need, the size of the office, throughput, et cetera, et cetera.

Ben: Absolutely.

Sam: Going up to, and I'll talk very briefly, the 7000 series, which will be kind of big data-centre class.

Ben: Absolutely, yeah. We're talking like a bank or something like that. It's a very high throughput device indeed.

Sam: We're just talking about feature set, though, so exactly the same from the 220 to the 7000 series and so on? Same subscriptions, same level of protection?

Ben: Yes, basically, yes. Obviously the throughput is different, but the actual subscriptions: you can buy the same subscriptions for all the models on the way up. So you get things like, at the most basic level, support and Threat Prevention; then you go into things like WildFire, which we can touch on a little bit later and look in detail at exactly what these mean; SD-WAN and so on. So there's a lot there.

Sam: There is a lot there, and I think it'd be really good to get into things like WildFire and the use of that. I think it's a very, very impressive piece of technology. Panorama, obviously, is something we use to manage clients' firewalls, and people with larger estates have to use.

Ben: Absolutely.

Sam: And like you say, SD-WAN config, all that sort of good stuff. But it's probably a good idea, if we can, to get into some of the actual look and feel of the interface.

Ben: Absolutely.

Sam: Good for our audience to actually see what Palo Alto looks like now. We're going to jump into, correct me if I'm wrong on this, but it's OS 9.1?

Ben: That's correct, yes. Obviously this is an unconfigured firewall; there's not a lot to look at apart from the basic interface and having some lights on the front.

Sam: Yeah, it's got some lights on the front.

Ben: So we've got a running machine, so we've got some actual traffic through it. You can really get a look at what there is there, and it's going to show you what I feel has always been the thing that Palo Alto has delivered over and above the next-gen firewall thing: you've got the nice user interface, the ability to look into the logs and so on. So we can demonstrate that.

Sam: Great, let's just jump into that.

Ben: Here's one I prepared earlier.

Sam: Yeah, exactly. So obviously this is the home page, the dashboard. Do you want to talk us through what we're looking at here?

Ben: Yeah, sure. When you first log in, this is the dashboard. It shows some general information about the firewall, so we can see its name, its management IP address, other information like the serial number, the current state of the updates on it, the system resources, as well as high availability information, the latest system log entries, and who happens to be logged into the firewall.

Sam: Absolutely.

Ben: There are also configuration logs, so we can go into all those logs later. It's quite comprehensive. So, certainly from a tech point of view, I thought it makes sense to show the highlights of this rather than the details step by step.

Sam: Yeah.

Ben: So we can show you some of the areas where people may do a lot of their work. First of all, go to Network, and we can see the actual physical interfaces and the virtual sub-interfaces, which are the VLAN-tagged interfaces below an actual physical port. So for example here you can see the VLAN tags on there, the security zone applied to it and the IP address.

Sam: Yep.

Ben: This is fairly straightforward and quite obvious really. You click on the link and you can open it and see the various settings, including the IP address and so on. Additionally we can see VPN tunnel interfaces. These are the virtual interfaces that actually relate to the IPsec tunnels which go to other sites, and here you can see the status of the various tunnels, some being up and others down at the moment on this machine. Then with regard to routing, you can have multiple virtual routers within the firewall. You have interfaces applied to routers, and static routes or dynamic routing, BGP, OSPF and so on, configured in there, as you can see in the tabs here.

Then moving on, really the most important thing, the main original USP of the Palo Alto Networks firewall, next-gen firewall I should say, was App-ID. So it's not just port-based; it's working at layer 7.

Sam: Yes.

Ben: So we've got the ability... you've got a quite comprehensive database here of types of network traffic. This is where you can literally look up anything. So I'll put in FTP and search for that, and I should find down here FTP, amongst other things; we can see the standard port it uses, TCP port 21, a short description of what FTP is and what it's used for, and the level of risk associated with it. Similarly you can go to a more advanced level, so we could look for Facebook. If I do a search for Facebook, as you can see, there's not just Facebook; we've got Facebook games, Facebook file sharing and so on. We can literally click on one of those and see the standard ports that would use, as well as a description of what that is. So that gives us the granularity to actually examine traffic and say, okay, we'll let our users view Facebook, but we don't want them playing Facebook games. If we've set up SSL decryption, because this will take place over SSL, then the firewall can see what their traffic is and actually block access to those things we don't want. We can give them that level of granularity even though they're all using the same TCP port.

Sam: Before we went next-gen, everything was kind of port-based.

Ben: Yeah.

Sam: It had been binary: it had been open or closed. We would have Facebook or not. But now we can actually have elements of...

Ben: Well, to be honest, even beyond that, unless you have some kind of URL filtering, you literally can't block port 80 and 443, because that's 90 percent of the internet nowadays. So it's a very blunt instrument, really.

Sam: Yeah.

Ben: And further than that, if I look at something like BitTorrent, if I can spell it, there we go, we can pull that up, and we can see that BitTorrent doesn't have a standard port. So it's not just going to be on port 80; if it finds it can't go out on port 80 or 443, it will keep looking until it finds one that's open. So unless you switch off the internet entirely, you're literally...

Sam: We'll all agree the internet is quite useful.

Ben: Yes, yes, it has its uses. So basically we can examine traffic, see it's BitTorrent, and block it if we don't want that, or restrict it to certain users or times or what have you.

Then moving on from that, we've got the policies. This is where we see what any firewall user would recognise as firewall rules, applied from the top down. This firewall is actually managed by Panorama, so we see these rules highlighted in yellow, and they are centrally managed by Panorama and pushed out to our firewalls as a basic set of...

Sam: Is it worth touching just very quickly on what Panorama is doing?

Ben: Absolutely, yes. Panorama is a management platform where you can control multiple different firewalls, and you could have a standard set of policies. So for every site we might have a ban list of IP addresses, or known malware IPs or websites or whatever, and we just block access to and from those as standard.

Sam: Of course, you'd otherwise have to manually do that on every site.

Ben: Yes. If you've got dozens, tens, hundreds of sites, it's a single place just to make those changes and push them out from here.

Sam: Absolutely.

Ben: And then we can apply application groups based on zone. The rules work on a top-down basis, and the most specific match immediately blocks or allows based on those rules there. So in addition to the application, we can actually filter on port as well. So you could force an application to be on a certain port; if it tries to go on a non-standard port, we could prevent that.

Sam: Okay, interesting.

Ben: Similarly, NAT policies are very similar. I think I'm probably talking to an audience that knows about NAT and basically how to configure it, but you can set inbound and outbound, and all that is done on a rule basis, top down, as for any other firewall.

Where the Palo Alto really shines, though, I think, is in the ability to look at the logs. So if we take an example of the threat logs here: as you can see there are traffic logs, threat logs, URL filtering, WildFire submissions and so on. We can filter; there's a Boolean search, so there's AND, OR, include, that kind of thing. Here I've filtered for anything from the untrust zone with greater than or equal to medium threat level, just to filter out all the other information, and we can see these various attempts to attack, as I'd suggest. So we're getting a vulnerability identified as a Netgear DGN device remote command execution vulnerability, and that's being blocked by the firewall as a critical vulnerability. As an example of how we can see that they're consistent, maybe a particular IP that's constantly attacking, we can actually click on that, it'll add it to the query at the top, filter on that, and we can see everything that's coming from that IP.

Sam: Yep.

Ben: And we can see it's just going to a single IP address in this case, but sometimes you find that they scan through multiple WAN IPs, or they try lots of different types of attack. It's an ongoing thing.

Sam: Yeah.

Ben: But we can set up policies as well, so if you get above a certain level of malicious traffic, you can set up profiles so that that IP can be added to an actual block list, which will last for half an hour or an hour or something, which will really reduce their ability to try and do brute-force attacks, that kind of work.

Then we've got the Application Command Center, ACC, where we can really dig into what's going on in the network. If I just clear all the filters here, so we'll be able to see... this is showing the last hour; it takes a moment to populate, there we go. So we can see all the applications in these kind of bubble or patchwork-quilt views, but we can see the amount of traffic from users, so we can see who has had the most traffic go to and fro. You can see this slightly dodgy user here, Ben Randall. If I add that to a filter, then I can see the traffic that's come from me.

Sam: You shouldn't want to do this now while recording.

Ben: Well, and we could literally look and see, oh look, there's Vimeo. I'm recording this on Vimeo right now, so I can filter on that and we could then look and see where that traffic actually goes. So we can actually see the destination IP and see that that's actually going to the United States. But the same sort of application: you can look at where you might be losing data from a network. You can see, as we have seen previously, that a certain PC might be sending lots of data to China, for instance.

Sam: Absolutely, stuff shows itself up, right?

Ben: Yeah, exactly. And likewise we can see in the other direction: we could see, oh, we're getting a lot of incoming traffic from Russia, from China, without naming any names. That kind of thing gives you a lot more visibility. It's very quick and easy. We're looking at just the last hour here, but we can select a much larger window, the last 30 days for example, and have a much greater idea of the pattern of behaviour.

Sam: Is it worth touching, I'm just thinking, and feel free to turn it over... obviously we're looking here, and this is where we'd identify potentially that there's something wrong with those threats. That kind of leads my brain into WildFire.

Ben: Mm-hmm. So obviously the next-gen firewall itself has antivirus capabilities, but that will be signature-based. What Palo Alto came up with, quite a few years ago now actually, is a product called WildFire, where if it sees an unknown file, an executable, a PDF, that sort of thing, that doesn't match the signatures, that's a unique thing it hasn't seen before, it will then send that up to Palo Alto, where they've got a series of virtual machine-like sandbox environments, and they'll basically open that file in that VM and look at the behaviour.

Sam: Okay, so does it immediately try to phone home to a command and control system or whatever, or just trash everything?

Ben: Yeah, exactly that kind of behaviour. And then it will come back with a verdict, and that update will be sent back to your Palo Alto but also added to the overall database. So anybody who's got a WildFire subscription, even if they're not sending those items out, is getting the benefit of all the other thousands of people.

Sam: Am I right in thinking that's something like within six minutes or something crazy?

Ben: Yeah, yes, you can get updates every five minutes from WildFire. So rather than your normal AV sort of daily updates or something like that...

Sam: You're 24 hours behind.

Ben: Yes, exactly, always on the back foot. But this helps to keep you right up to the minute, literally.

Sam: And I guess in a similar vein, and I don't know if we can show it in this console, but I'm thinking of WildFire, obviously that kind of six-minute protection window, within the Palo Alto ecosystem of products you've obviously got Cortex, Cortex XDR.

Ben: Yeah.

Sam: Yes, so the client is protected as well, which I also believe uses it as well?

Ben: Well, absolutely, yeah. Cortex XDR, previously known as Traps, also makes use of WildFire. Cortex XDR is based on exploits. So rather than a signature-based detection of malware, where again you have to stay up to date, if somebody's written something yesterday...

Sam: Yeah, it won't know about it.

Ben: ...or today even, then it won't know about it. But the actual exploits that those pieces of malware are using are much less frequently discovered.

Sam: Yeah.

Ben: So it looks for a piece of software making use of that known exploit, or even a behavioural change, so unusual behaviour will get flagged up. There's AI behind that whole system, so that can identify that unusual behaviour and block activity based on that.

Sam: And it will do the same thing, I guess: report up to WildFire, work out that it's wrong, report back?

Ben: Absolutely, yeah. It makes use of WildFire as part of its... an unrecognised file it will send up to WildFire, explode the file and find out what's going on.

Sam: Fantastic. When you think about the problems, and we've obviously talked on this podcast before about ransomware and all this sort of stuff, antivirus now, again in my opinion, I'll caveat that, is a little bit behind the times, because you are always on the back foot. You're at best maybe 12 or 24 hours away from a solution, but with things like the Palo Alto and WildFire and Cortex XDR, you are stopping it at the source.

Ben: Yeah, absolutely, yeah. So the firewall is kind of the perimeter defence, but you do need that endpoint protection as well, because there's also the attack from within.

Sam: Yeah.

Ben: And via social engineering people can have otherwise legitimate access to a machine, or apparently legitimate access, without actually sending something through. So you need to consider all the options on that, really.

Sam: Absolutely. Okay, is there anything else in the console we can go through that you think is interesting?

Ben: I think those are the main things. Beyond that we're looking at licensing, set-up and so on. I mean, I can quickly show the dynamic updates, for example. So there's a schedule, which is the updates to the vulnerability, antivirus, application and threat databases. As new applications are made available, that database which I showed earlier is not static; obviously people are coming up with new things all the time, and so those updates come in every day. And as you can see, we've actually got WildFire set up to download every 15 minutes here, which in our experience we've found to be fine. That interval has gone down as people's bandwidth has increased, of course, because it's a download.

Sam: So yeah, a place which had a small amount of bandwidth, that could be a problem if you're constantly doing that. Comms has become cheaper and cheaper and enables us to do this. So again, just thinking out loud, we're also looking at, we said OS 9.1?

Ben: Yes.

Sam: They've released 10.1.

Ben: Yes.

Sam: Are you able to choose? As I understand it, again correct me if I'm wrong, it's not a huge amount of difference functionally now?

Ben: Well, I think the bottom line is there are new functions that have been made available, but overall the functionality which, for 99 percent of use cases, really is satisfied by 9.1, and we find it to be a little bit quicker on some of the older firewalls.

Sam: Always a bit quicker, you know, as with everything in IT: you get the latest and greatest and you find it's always a little bit slower.

Ben: So, but support for 9.1 is continuing until 2023, I believe.

Sam: Plenty of time.

Ben: Yeah, exactly. Obviously there are still updates in terms of security and bug fixes, that sort of thing, but we're actually on 10.1 as the major branch that has been released now.

Sam: So 10.0, 10.1.

Ben: Yeah, there'll be 11.0 and so on. But things like SD-WAN were released as a new feature in version 10, so that's a feature that you need to upgrade for, but if you're not using that... obviously it's licensable.

Sam: Or inclusive?

Ben: That's a licensable feature.

Sam: Okay, but nice to have, I guess, because SD-WAN has exploded, and having multiple different boxes to manage that, when actually you can consolidate it into a single appliance, is a commercial advantage.

Ben: Yes, absolutely. If you've got a use case for SD-WAN, then absolutely you can do a lot with that, for sure.

Sam: Excellent. So I guess, wrapping up, the key USPs in your mind. Obviously we're big fans of Palo Alto. If I can do the proper podcast thing: give me three reasons why you should buy Palo Alto, in your opinion, as an SME in Palo Alto. What are the three key things that you really, really like about the technology that set it apart?

Ben: Right. For me, obviously, it's App-ID: the ability, the granularity, the layer 7 firewalling, so we're not just on the old legacy layer 4 firewalling. Then we've got the ease of use of the interface, really, and following on from that is the visibility: excellent logging and searching, which I've found to be unmatched anywhere else where I've worked on firewalls, anyway. And you've had die-hard Check Point users who have come to me and said, why didn't we get a Palo Alto before, you know?

Sam: And that's what I have been trying to tell you.

Ben: What can we say? And yeah, I think it's a really nice platform to use, and it gives you great visibility. That really is what you want out of a firewall: you want to see what's going on.

Sam: Yeah, I guess you've got that. From my perspective, the advantages I see as a salesperson when I'm talking to a customer, it's really the whole ecosystem that you have with Palo Alto. You've got firewalls, the ability to use WildFire, which I think is excellent, but also controlling the client, controlling Prisma in the cloud, SaaS applications, all that sort of good stuff, with that single-vendor approach, where historically you might have had one or two or three different vendors, and as you all know far more than I will, troubleshooting issues can be a problem.

Ben: Yeah, I couldn't agree more. Having a single vendor, having that one ecosystem where it integrates together, that certainly saves a lot of bother. There's always going to be a problem somewhere; that's this industry, after all, and it's why we have jobs. But basically having one vendor, one ecosystem, that certainly really works well.

Sam: Thank you.

Ben: Thank you, you're welcome.

Sam: And thank you for joining us on this edition of Chromecast, Check It Out. If there's something you think you'd like us to discuss on future episodes, please remember to leave that in the comment section below, and do like, subscribe and share, and join us again on the next Chromecast. Take care.
2021-12-08 22:25