Palo Alto strata NGFW overview-deck.pptx

Editor's Notes

• #3: There are three key challenges that Network Security teams face: Network security teams lack the visibility into traffic in a cloud or private network. The second challenge is consistency. Organizations struggle to protect private networks, public and private clouds, virtual data centers and branch locations due to multiple products and dissimilar management interfaces. When network security does try to implement additional security tools, they struggle to find tools that can operate and scale at the rate their business does.
• #4: A next-generation firewall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS). Other techniques might also be employed. NGFWs use a more thorough inspection style, checking packet payloads and matching signatures for harmful activities such as exploitable attacks and malware.- Wikipedia https://en.wikipedia.org/wiki/Next-generation_firewall
• #5: Strata is Palo Alto Networks platform to connect and secure everything. Strata has best-in-class capabilities, natively integrated, resulting in simplified and highly effective networking and security. Our PA-series Next-Generation Firewall hardware appliances are designed for simplicity, automation, and integration. Our VM-series firewalls protect your private and public cloud deployments with segmentation and threat prevention. As you are moving to the cloud, leverage Prisma Access, our secure access service edge (SASE) solution for branch offices, retail locations and mobile users. CN-Series container firewalls help network security teams safeguard developers by enabling threat prevention in Kubernetes environments. Panorama gives you a single place to manage all of your Palo Alto Networks Next-Generation Firewalls.
• #6: Palo Alto Networks uses a prevention focused architecture. Zero Trust is a cybersecurity strategy that prevents data breaches. In Zero Trust, each step a user makes through the infrastructure must be validated and authenticated across all locations. Our Next-Generation Firewalls directly align with Zero Trust, including enabling secure access for all users irrespective of location, inspecting all traffic, enforcing policies for least-privileged access control, and detecting and preventing advanced threats. This significantly reduces the pathways for adversaries, whether they are inside or outside your organization, to access your critical assets. Our Next-Generation Firewalls inspect all traffic, including all applications, threats, and content, and tie that traffic to the user, regardless of location or device type. The user, application, and content—the elements that run your business—become integral components of your enterprise security policy. As a result, you can align security with your business policies as well as write rules that are easy to understand and maintain. Palo Alto Networks embraces machine learning to deliver the industry’s only inline malware and phishing prevention to stop unknown threats as they reach your network. Automatically reprograms your network with zero-delay signature updates for all other threats. Provides accurate signatureless identification of all unmanaged internet-of-things (IoT) devices. Uses telemetry to optimize security policy and eliminate breaches due to misconfiguration. Adopts a consistent, integrated, and best-in-class network security platform.
• #7: The Palo Alto Networks Single-Pass Architecture addresses performance and flexibility challenges with a unique single-pass approach to packet processing. The single-pass architecture eliminates many redundant functions. As packets are processed, networking, policy lookup, application and decoding, and signature matching for any and all threats and content are performed only once. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device.
• #8: Palo Alto Networks Next-Generation Firewalls are available in physical, virtual and cloud-delivered form-factors. Physical firewalls are the PA-Series firewalls. Virtual firewalls are the VM-Series firewalls. To protect branches and mobile users, we deliver security capabilities from the cloud. Prisma Access is our Secure Access Security Edge (SASE) offering. Our security subscriptions coordinate intelligence and provide protections across all attack vectors, eliminating the coverage gaps generated by disparate network security tools. Deploy our security subscriptions where and when you need them. They work seamlessly with our family of firewalls. Palo Alto networks offers easy-to-implement and centralized management features to gain insight into network-wide traffic, logs and threats. Reduce complexity by simplifying configuration, deployment, and management of your PaloAlto Networks security products. With Panorama, you get deployment flexibility: on-premise hardware, virtualized appliances, public cloud environments.
• #9: Our full range of physical ML-Powered Next-Generation Firewalls are easy to deploy into your organization’s network and purposefully designed for simplicity, automation, and integration. Physical firewalls are the PA-Series firewalls that include: PA-220 and PA-800 Series, typically used at branch offices PA-220R, a ruggedized appliance suitable for harsh environments PA-3200 Series, typically used at the internet edge / network perimeter deployments PA-5200 Series and PA-7000 Series, typically used to protect datacenters
• #10: Our full range of physical ML-Powered Next-Generation Firewalls are easy to deploy into your organization’s network and purposefully designed for simplicity, automation, and integration. Physical firewalls are the PA-Series firewalls that include: PA-220 and PA-800 Series, typically used at branch offices PA-220R, a ruggedized appliance suitable for harsh environments PA-3200 Series, typically used at the internet edge / network perimeter deployments PA-5200 Series and PA-7000 Series, typically used to protect datacenters
• #11: All Palo Alto Networks next-generation firewalls run the PAN-OS operating system. By leveraging the three key technologies that are built into PAN‑OS natively—App‑ID, Content‑ID, and User‑ID—you can have complete visibility and control of the applications in use across all users in all locations all the time. PAN-OS includes many additional built-in capabilities, including SSL decryption, site-to-site IPSec VPN, External Dynamic Lists (EDLs), file blocking, logging, reporting, APIs and others.
• #12: Palo Alto Networks subscriptions unlock certain firewall features or enable the firewall to leverage a Palo Alto Networks cloud-delivered service (or both). To enable a subscription, you must first activate subscription licenses; once active, most subscription services can use dynamic content updates to provide new and updated functionality to the firewall.
• #13: Palo Alto Networks subscriptions unlock certain firewall features or enable the firewall to leverage a Palo Alto Networks cloud-delivered service (or both). To enable a subscription, you must first activate subscription licenses; once active, most subscription services can use dynamic content updates to provide new and updated functionality to the firewall. DNS Security Provides enhanced DNS sinkholing capabilities by querying DNS Security, an extensible cloud-based service capable of generating DNS signatures using advanced predictive analytics and machine learning. This service provides full access to the continuously expanding DNS-based threat intelligence produced by Palo Alto Networks. Enterprise Data Loss Prevention Palo Alto Networks Enterprise DLP solution discovers, monitors and protects an organization’s sensitive data, such as PII and intellectual property, minimizing the risk of data breaches and enhancing data privacy and compliance. IoT Security Delivering a machine learning based approach to discover all unmanaged devices, detect behavioral anomalies, recommend policy based on risk, and automate enforcement without the need for additional sensors or infrastructure. This unique combination of IoT visibility and the NGFW enables context-aware network segmentation to reduce risk exposure and applies our leading security subscriptions to keep IoT and IT devices secure from all threats. GlobalProtect Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect license (subscription) for each gateway.
• #14: SD-WAN Provides intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Managed by Panorama, the SD-WAN implementation includes centralized configuration management, automatic VPN topology creation, traffic distribution, monitoring and troubleshooting. Threat Prevention Inspect all traffic for threats, regardless of port, protocol or encryption and automatically blocks known vulnerabilities, malware, exploits, spyware, and command-and-control. Customers can import, sanitize, manage and completely automate workflows to rapidly apply IPS signatures in popular formats such as SNORT and Suricata, adding to our existing leading threat coverage. URL Filtering Provides the ability to not only control web-access, but how users interact with online content based on dynamic URL categories. You can also prevent credential theft by controlling the sites to which users can submit their corporate credentials. WildFire Cloud-based malware detection and multiple analysis techniques to identify and protect against unknown file-based threats, while resisting attacker evasion techniques. WildFire’s unique real-time signature streaming capability ensures your organization is protected against previously unknown threats in seconds after they are first discovered. Advanced Threat Prevention Leverage full-featured IPS, antimalware, and command-and-control (C2) protection (per-device subscription for unlimited users). Find more information here. Cortex Data Lake Cortex Data Lake is a cloud delivered, scalable and secure log storage service that enables NetSec administrators to ingest, store, forward, and stream logs from select PANW solutions AIOps for NGFW Take advantage of the industry’s first domain-centric AIOps for NGFW that redefines firewall operational experience by interpreting, predicting, and resolving problems before they become businessimpacting. AIOps for NGFW can be used on all PA-Series firewalls, VM-Series firewalls, and Panorama consoles that run on PAN‑OS 10.0 and above. AIOps is available in two versions: a Free version and a Premium (paid) version (subscription based on the number of firewalls managed). Check out the feature set in both versions here
• #15: SD-WAN Provides intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Managed by Panorama, the SD-WAN implementation includes centralized configuration management, automatic VPN topology creation, traffic distribution, monitoring and troubleshooting. Threat Prevention Inspect all traffic for threats, regardless of port, protocol or encryption and automatically blocks known vulnerabilities, malware, exploits, spyware, and command-and-control. Customers can import, sanitize, manage and completely automate workflows to rapidly apply IPS signatures in popular formats such as SNORT and Suricata, adding to our existing leading threat coverage. URL Filtering Provides the ability to not only control web-access, but how users interact with online content based on dynamic URL categories. You can also prevent credential theft by controlling the sites to which users can submit their corporate credentials. WildFire Cloud-based malware detection and multiple analysis techniques to identify and protect against unknown file-based threats, while resisting attacker evasion techniques. WildFire’s unique real-time signature streaming capability ensures your organization is protected against previously unknown threats in seconds after they are first discovered. Advanced Threat Prevention Leverage full-featured IPS, antimalware, and command-and-control (C2) protection (per-device subscription for unlimited users). Find more information here. Cortex Data Lake Cortex Data Lake is a cloud delivered, scalable and secure log storage service that enables NetSec administrators to ingest, store, forward, and stream logs from select PANW solutions AIOps for NGFW Take advantage of the industry’s first domain-centric AIOps for NGFW that redefines firewall operational experience by interpreting, predicting, and resolving problems before they become businessimpacting. AIOps for NGFW can be used on all PA-Series firewalls, VM-Series firewalls, and Panorama consoles that run on PAN‑OS 10.0 and above. AIOps is available in two versions: a Free version and a Premium (paid) version (subscription based on the number of firewalls managed). Check out the feature set in both versions here
• #16: Top Benefits Tightly integrated innovations continually replaces disconnected tools Simplify security by replacing disconnected tools with innovations (Threat Prevention, URL Filtering, WildFire, DNS Security, SD-WAN) that are tightly integrated into our next-generation firewall Reduce the chances of human error, the leading cause of breaches Reduce your risk of attack by easily implementing best practices Automation and analytics drive immediate, effective actions Prevent known and previously unknown threats, including in encrypted traffic, using intelligence generated across more than 30,000 customers Use machine learning and automated enforcement actions to improve security effectiveness with faster response to attacks Save time by automating manual and repetitive tasks Consistent visibility and control everywhere: datacenter, campus, branch, mobile Classify all traffic, including encrypted traffic, based on application, user and content, enabling deep visibility Create easily understood, precise security policies to safely enable applications and close dangerous policy gaps Consistently protect your data and apps everywhere using the PA-Series NGFW appliance that meets your performance needs. Extend the same protection to your mobile users with GlobalProtect.
• #17: Value of the Next Generation Firewall Reduce legacy tools Customers are still using thousands to tens of thousands of legacy rules that rely on ports and IP addresses. The result is an extremely porous ruleset which leaves big security holes and is difficult to manage. Often, even after they buy NGFWs, they continue using these legacy rules. This means customers are not fully utilizing their security investments. Palo Alto Networks introduced an architecture that enabled natively integrated innovations. Instead of buying standalone IPSes, web proxies and sandboxing solutions, our customers benefited immensely from simply enabling these capabilities on the Palo Alto Networks Next-Generation Firewall. Reduce cost Deployment, maintenance, management and troubleshooting is manual. Tools don’t easily talk to each other, so following a workflow requires manually following each step. This means security teams spend a vast majority of their time in tactical items and in firefighting, instead of strategic projects. Palo Alto Networks believes in automating manual and repetitive tasks, so that our customers can focus on what matters. Examples of automation in our NGFW are: (1) security automation - Automatically reprogramming firewalls to protect against new threats, (2) policy automation - Our NGFWs can ingest new threat indicators from third-party sources and automatically protect against these sources (3) workflow automation - our NGFWs and Panorama centralized manager can integrate into your security workflows Reduce risk of attack As the perimeter evolves, the sources of threats are no longer confined to outside attackers. There is a need to detect and stop attacks from inside the organization. Our PA-Series NGFWs are available in different sizes, from desktop-sized form factor for your small offices, to large chasses for your datacenters, and run the exact same operating system (PAN-OS). This provides consistent security for your data centers, campus, and branches. Reduce human error Enterprises often use 100+ security tools, resulting in complexity and increased risk of human error, the leading cause of breaches. Using a simpler product like ours removes complexity and reduces the chances of human error, the leading cause of breaches.
• #19: For the buyer: CIO / VP of infrastructure and operations / VP of IT Simplify your security infrastructure by replacing multiple disconnected tools Manage risk without slowing down your business Protect your assets everywhere For the user: Network Security Operations/Engineer Simplify security by replacing disconnected tools with innovations that are tightly integrated into the next-generation firewall Save time by automating manual and repetitive tasks Consistently protect your data and apps everywhere using flexible deployment options: physical, virtual and delivered-from-the-cloud
• #20: A next-generation firewall is generally applicable to a vast majority of organizations, in addition to the target company profile, it is useful to prioritize opportunities. This is especially helpful to sellers who have a large number of accounts. Here are some guidelines: Prioritize organizations that value security (rather than buying a firewall to simply check a box to comply with internal guidelines). Find out if the organization has dedicated security personnel. Find out whether they hold the firewall budget, or have a good amount of influence over firewall buying decisions. Prioritize organizations that are concerned about data loss. Several types of data can be protected or sensitive, e.g., patient health records, student records, intellectual property, source code, employee data, customer data, financial records, credit card data, and so on. The best way to find this out is to ask the security team. Prioritize organizations that have compliance requirements. Prioritize organizations that have a legacy firewall, an IPS device, a proxy and/or a sandboxing solution. These organizations are paying for multiple different network security devices that can all be replaced by the next-generation firewall. These organizations are higher priority targets compared to those that have already consolidated these functions to a next-generation firewall. De-prioritize organizations that make buying decisions mainly based on price. These types of organizations are likely to buy cheap firewalls rather than look for industry-leading security.
• #22: https://www.businesswire.com/news/home/20220609005791/en/Network-Security-Firewall-Market-Report-2022---Global-Forecast-to-2027---Opportunities-in-the-Expansion-of-Network-Function-Virtualization---ResearchAndMarkets.com
• #23: Deal triggers to listen for Existing firewalls up for refresh: 4 years or older (start engaging with the customer when the firewalls are 3 years old) IPS renewal Web proxy / secure web gateway renewal Need to buy advance malware analysis system / sandboxing solution Recent cybersecurity breach Mandate to consolidate security devices / security capabilities Acquisitions, especially if an existing customer uses us but the acquired organization uses a different security vendor Use Cases Secure the Branch Use the next-generation firewall at the branch for the full networking and security capabilities available on perimeter and data center firewalls, including threat prevention and network segmentation. Palo Alto Networks next-generation firewalls can be used as SD-WAN edge devices with the security built-in, thus making it easier to deploy both networking and security at the branch with a single device. Secure the Data Center Palo Alto Networks reduces complexity and delivers robust protection of your data and application workloads everywhere to enable the business to move faster. Palo Alto Networks has the simplest integration into your software defined environments. By removing complex security management we can deploy consistent security across the hybrid cloud. With Palo Alto Networks, you see everything across your hybrid environment, minimize opportunities for attack across north-south and east-west traffic, and deliver unparalleled threat prevention and response to mitigate risk and reduce operational complexity. Secure the Mobile NetworksThe evolution to 5G opens the door to exciting new services – but it also increases the number of potential intrusion points, amplifying the security impact. The Palo Alto Networks next-generation firewall prevents successful cyberattacks targeting mobile network services, IoT devices and subscribers. It simplifies operations by providing robust, prevention-oriented security to build resilient and high-value mobile networks for a secure 5G digital economy. Secure the Perimeter Deliver world-class security to your organization’s evolving perimeter. Protect your campus locations with simple-to-use and natively integrated innovations like Threat Prevention, URL Filtering, WildFire Malware Analysis and DNS Security. As perimeters change and systems get more interconnected, the way you approach data protection and risk must also change. Palo Alto Networks can help your organization safely enable internet access with prevention-focused firewalls. Secure the Remote and Mobile users Palo Alto Networks GlobalProtect extends protection to mobile workers, regardless of their location. We provide greater visibility into all traffic, users, devices and applications. You can extend consistent security policies to all users, while eliminating remote access blindspots and strengthening security. Extend protection to mobile workers, no matter where they are Implement a zero-trust architecture for both internal and external access Apply customized access control for corporate, BYOD, and third-party devices