Select your country

Not finding what you are looking for, select your country from our regional selector:


Are all security functionalities active on your firewall?

Palo Alto Networks

Do you have a state-of-the-art firewall from Palo Alto Networks today?

In this rapidly-evolving technological world, it is crucial to check whether your firewall can still face current and future threats. Our Palo Alto experts have created a checklist with 7 items to help you protect your organization.

Go to the checklist

Protection on 4 levels

Traditional malware is nowadays highly targeted and evasive. Therefore, the new malware types are specifically designed to be completely undetectable. The goal of these new malware types is to penetrate the network perimeter by delivering malware that moves laterally across an organization extracting data as it spreads while remaining invisible to traditional network defenses.

1. Complete visibility
You can’t prevent what you can’t see. Full visibility into the (mobile, network & cloud) environment across all traffic (encrypted or not) is essential. Your Palo Alto firewall analyses all traffic to provide that visibility with its Single Pass architecture allowing for predictable performance. This extends to all mobile devices with the GlobalProtect feature. The IoT security is providing full visibility on all connected devices on your network.

2. Reduce attack surface
Use a positive enforcement model to reduce the attack surface. This means only letting traffic through that is allowed by the policy, including granting access to the required function of an application and denying everything else. Furthermore, you should enforce multi-factor authentication where needed or if identity theft is suspected. DNS security is reducing the risk of malware abusing the DNS protocol. IoT security can provide behavioral learning of IoT devices and providing

security policies on the Palo Alto Networks Firewall.

3. Prevent known threats
You can’t let a known piece of malware or spyware traverse your environment or make your endpoints communicate with known-malicious sites. Palo Alto Networks’ Threat Prevention and URL-Filtering feature provide those prevention capabilities. Palo Alto Networks’ MineMeld allows extending that knowledge to third party feeds.

4. Prevent unknown threats
You must stop new threats as quickly as possible. You must find the unknown threat, reveal it, make it known, and stop it everywhere through automated updates. The Palo Alto Networks’ Wildfire feature provides that prevention capability for files. On the DNS side the DNS security reveals when DNS is misused to tunnel data, by malware to communicated with the control server.

Palo Alto Networks’ Firewall Features Explained

Palo Alto Networks provides multiple protection features to cope with threats on each of the four levels mentioned above:

1.     Palo Alto Networks’ Threat Prevention Feature

The Threat Prevention subscription protects the network from advanced threats by identifying and scanning all traffic – applications, users, and content – across all ports and protocols with predictable performance.

It includes a full-featured IPS allowing to define vulnerability matching rules within a next-generation policy, and you can add anti-malware scanning when and where required. Furthermore, Threat Prevention provides command-and-control protection through pattern definition of known botnets. Analysis of DNS queries for botnet patterns and sinkholing technology prevent that traffic from getting through.

2.     Palo Alto Networks’ URL-Filtering Feature

You can enforce web browsing policies (per device subscription for unlimited users) with Palo Alto Networks’ URL-Filtering subscription. This subscription enables the enforcement of an acceptable use policy,

the blocking of threats sites, e.g., known malware, phishing or proxy-avoiding sites.

Palo Alto Networks’ Firewall enables the definition of policies which allow a positive security paradigm. This means only allowing access to data through authorized applications for authorized users and only for the required content type. This can be combined with the decryption policy which leaves privacy-sensitive categories encrypted.

3.     Palo Alto Networks’ Wildfire Feature

Protection from previously unknown threats (Zero-Day threats, APT) can be provided through the Wildfire feature. WildFire is a cloud-based advanced threat intelligence service that identifies unknown malware, Zero-Day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment. Through updates, WildFire automatically generates malware, URL and DNS signatures and distributes them in seconds to all global, WildFire-subscribed Palo Alto Networks platforms. For PE files (exe, dll, PowerShell) the static analysis with ML based technology is done on the firewalls, no need to upload to the cloud, to lower the risk of a patient zero on your network.

The Palo Alto Networks’ Wildfire file analysis includes the following steps:

  • Static Analysis
    Wildfire uses static analysis to detect known threats by examining the characteristics of samples prior to execution. Because it is not signature-based, it can also detect and block unknown risks based on the characteristics of malware in the static analysis profile.
  • Machine Learning
    Machine Learning is used to identify variants of known threats by comparing malware feature sets against a dynamically-updated classification system.
  • Dynamic Analysis
    Wildfire’s Dynamic Analysis is a custom-built, evasion-resistant virtual environment (i.e. sandbox) in which previously unknown submissions are opened to determine real-world effects and behavior.
  • Heuristic analysis
    The heuristic engine determines if the file exhibits suspicious behavior and if so sends samples to the bare metal appliance that display the characteristics of an advanced VM-aware threat.
  • Bare-metal analysis (WildFire cloud analysis only)
    That last step is executed in an entirely hardware-based analysis environment specifically designed for catching the most evasive type of malware that is aware of virtualized threat evaluation environments.

4.     Palo Alto Networks’ DNS security Software Feature

Protection from previously uninspected DNS traffic can be provided through the DNS security subscription. DNS security is a cloud-based advanced DNS analysis service that reveals DNS tunneling and command & control connections using DNS. More than 80% of the malware is abusing DNS communication to communicate and extract data. Static lists with known bad DNS requests are not sufficient to stop the threats as the adversaries are using DGA (Domain Generated Algorithms) to create thousands of domains in short time periods. Also, the IP’s resolved by domains are changed rapidly by the adversaries to avoid detection by static lists. DNS security service is cloud native to have the capacity to analyze DNS request and reveal abuse of DNS communication in real time.

5.     Palo Alto Networks’ IoT security Software Feature

IoT subscription is bringing insights in IoT/OT devices on your network. Leveraging the existing Palo Alto Networks firewalls the IoT subscription can provide you visibility and security for IoT devices on your network. It gives you information about IoT devices their operating system, vulnerabilities, weak security configuration and traffic behavior. Adding the possibility to accept traffic behavior and create policies based on device-id on the Palo Alto Networks firewalls. As more and more IoT devices such as security cameras, consumer electronics, energy management, IP Phones, printers, … are becoming connected the become a risk to the company. The IoT security is cloud based and can interact with Network Access Control devices to even further automate the security posture of the network when unknown/unsecure devices get deployed on the network protecting your business.

6.     Palo Alto Networks’ GlobalProtect Software Feature

GlobalProtect extends the protection of the firewall to users wherever they are. This includes App-ID, SSL Decryption, Threat Prevention, URL-Filtering as well as File blocking and unknown threat protection with Wildfire.

By using GlobalProtect, you can consistently enforce security policies. This includes the protection of users that leave the building, the use of tablets or smartphones as well as Linux endpoints. Furthermore, for external users, a clientless portal can be used to provide access to applications.

GlobalProtect checks the endpoint to get an inventory of how it’s configured and builds a host information profile that’s shared with the Next-Generation Firewall. The Next-Generation firewall uses the host information profile to enforce application policies that only permit access when the endpoint is properly configured and secured.

Spit tunneling based on the destination domain, client process, and video streaming application can be implemented with that subscription.

5.     Palo Alto Networks’ MineMeld

MineMeld is an open-source application that streamlines the aggregation and sharing of threat intelligence.

MineMeld automates the process of digging for indicators from threat feeds and of packaging the information into a variety of formats you can use with different security platforms.

Those feeds can be commercial or open-source threat feeds, or even a way to integrate volatile information such as the Office365 URLs and IPs currently used.

This information is useful to enrich existing security policies.

This can be done by blocking bad websites or DNS domains, as well as defining in policies dynamic address groups or feeding external dynamic lists of IPs.

Orange Cyberdefense has defined a specific work package for our customers that wish to implement the MimeMeld solution.

Is your Palo Alto Networks Firewall still Next Generation?

Is your firewall configured according to current security best practices?

Palo Alto Networks developed a Best Practice Assessment tool to verify this.

read more

Your Next-Generation firewall as Zero-Trust framework enabler?

How do you transfer your security policies to the cloud? Do you have a ‘single pane of glass’ for your entire perimeter?

Read More

Does your firewall already have an extension to the cloud?

Palo Alto Networks developed a Best Practice Assessment tool to verify this.

Read More

Is your firewall Artificially Intelligent?

Can you automatically detect whether your users or IoT devices have strange behavior? Do you know when your network undergoes a cyberattack?

Read More

Are all security functionalities active on your firewall?

Have you activated all software licenses?

Read More

Does your firewall support PAN-OS10.0 or higher?

Do you know the latest features for your Palo Alto Networks firewall? Can your Palo Alto Networks firewall support the latest PAN-OS version?

Read More

What information does your firewall have for your CISO?

Which questions from your CISO can you easily answer?

Read More

Cortex platform as the cornerstone for MicroSOC Managed Threat Detection & Response

Get the most out of your Cortex XDR platform by adding threat analysis and incident response services.

Read More

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.