Application Based Policies

The port-centric design is relatively ineffective when faced with new applications that are equipped with increasingly sophisticated security evasion techniques. Bolting on Deep Packet Inspection (DPI) or Intrusion Prevention System (IPS) technologies to solve the problem has proven ineffective.

The problem is not so much the growing diversity of applications, but the inability to accurately identify any given application as good or bad. A modern security solution must be able, not only to distinguish one type of application from the next, but also to account for other contextual variables that are applicable in any given scenario, such as who is using the application, on what type of device, and for what purpose.

What's needed is a means to regain control over the applications traversing the network, identifying who is using them and their related content and, by doing so, bring policy-based control back to the network security team. To solve this, Palo Alto Networks® delivers advanced innovation for securing networks that identifies all traffic irrespective of port, protocol, evasive tactic, or SSL.

Reinventing Network Security

Traditional network security solutions have simply failed to keep pace with changing conditions, and the remedies put forth to compensate for their deficiencies have proven ineffective. To reinvent network security required reinventing the firewall, taking an application-centric approach to traffic classification in order to enable full visibility and control of all types of applications running on your enterprise networks. The result is the Palo Alto Networks next-generation firewall, which delivers the essentials for a truly effective, modern firewall that is able to:

  • Identify applications regardless of port, protocol, evasive tactics, or SSL encryption
  • Enable fine-grained visibility and policy control over application access and functionality
  • Identify and control users regardless of IP address, location, or device
  • Protect against known and unknown application-borne threats
  • Support multi-gigabit, in-line deployments with negligible performance degradation

Application Identification (App-ID)

Palo Alto Networks has developed an innovative approach to securing networks that identifies all traffic by applications using a variety of techniques. This replaces conventional approaches that attempt to control traffic based on port and offers the advantage of:

  • Providing much better visibility into what's on the network at all times and at Layer 7, which is where most of today's cyberattacks take place.
  • Simplifying the control of network and application access with fewer rules and policies to manage.

With App-ID, up to four distinct mechanisms are used to determine the exact identity of thousands of potential applications traversing the network, irrespective of port, protocol, evasive tactic or encryption:

  • Application Signatures – Used at multiple steps in the classification process, context-based signatures look for unique properties and transaction characteristics that identify applications, regardless of the port or protocol being used.
  • SSL/SSH Decryption – If SSL or SSH encryption is in use, and a decryption policy is in place, the traffic is decrypted and passed on to the other mechanisms as needed.
  • Application Protocol Decoding – Decoders for known protocols validate conformance to the protocol specification, detect other applications tunneling inside the protocol, and identify individual functions within a given application (e.g., Webex Desktop Sharing).
  • Heuristics – Additional heuristic/behavioral techniques are engaged as needed to identify troublesome applications that typically elude advanced signature and protocol analysis, such as peer-to-peer or VoIP tools that use proprietary encryption.
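A toy classifier illustrating the staged, port-independent approach described above, added here as an example and not Palo Alto Networks code. The application names, the allowed-app rule, the Host-header check for a constructed "example-chat" application, the entropy threshold and the sample flows are all assumptions made for the illustration.

```python
import math
from collections import Counter

# Toy port-independent classifier modelled on the App-ID stages described above
# (added illustration, not Palo Alto Networks code). Stage 2 (decryption) is
# omitted: with no decryption policy, TLS traffic stays classified as "ssl".
ALLOWED_APPS = {"web-browsing", "ssl"}              # constructed app-based rule
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}

def signature_stage(payload: bytes):
    """Stage 1: context-based signatures on the first payload bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"                                  # TLS handshake record
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"CONNECT ")):
        return "web-browsing"
    return None

def http_decoder(payload: bytes) -> str:
    """Stage 3: decode HTTP headers to spot an application riding inside it."""
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and value.strip().endswith(b"example-chat.test"):
            return "example-chat"                     # constructed tunnelled app
    return "web-browsing"

def heuristic_stage(payload: bytes) -> str:
    """Stage 4: near-8-bit byte entropy with no known header suggests proprietary encryption."""
    n = len(payload)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0
    return "unknown-encrypted" if ent > 7.0 else "unknown"

def classify(dst_port: int, payload: bytes) -> dict:
    """Run the stages in order, then compare a port rule with an app rule."""
    app = signature_stage(payload)
    if app == "web-browsing":
        app = http_decoder(payload)
    elif app is None:
        app = heuristic_stage(payload)
    return {"app": app,
            "port_guess": PORT_TABLE.get(dst_port, "unknown"),
            "port_decision": "allow" if dst_port in (80, 443) else "deny",
            "app_decision": "allow" if app in ALLOWED_APPS else "deny"}

if __name__ == "__main__":
    # Constructed flows: SSH hidden on 443 and a chat app tunnelled inside HTTP
    for port, data in [(443, b"SSH-2.0-ExampleSSH_1.0\r\n"),
                       (80, b"GET / HTTP/1.1\r\nHost: www.example-chat.test\r\n\r\n")]:
        print(port, classify(port, data))
```

The two sample flows pass a port-only rule ("allow 80 and 443") but are denied once the application itself is identified, which is the gap the port-centric design leaves open.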

Simplified Path to App-based Policies

Leveraging the latest Palo Alto Networks Migration Tool v3.0 will help to automate and accelerate the migration from third-party firewall vendors to our next-generation firewalls, as well as enable you to take advantage of the advanced protection of app-based policies. The Migration Tool is now available through our Live Community Portal — at no charge — to assist with your migration. This tool can be very helpful, especially in the hands of experienced professionals who have performed migrations previously.

Consulting Services

Firewall policy migration can be a challenging task, which is most effectively accomplished with professional services assistance from Palo Alto Networks and a network of solution partners, who can guide you through the migration process using a combination of automated tools and best practices.

Utilizing our services team, our customers gain years of experience and extensive knowledge of Palo Alto Networks best practices. Our Professional Services organization will accelerate your project timelines and help guarantee deployments are set up for maximum success from day one.

Taking advantage of Palo Alto Networks Consulting Services will ensure a smooth and efficient transition and get your next-generation firewall project off to a great start.

The Palo Alto Networks Migration Tool v3.0 helps automate and accelerate your migration to App-ID