Palo Alto Networks targets VMware shops with virtualized next-gen firewalls

LAS VEGAS -- Palo Alto Networks Tuesday unveiled the first virtualized version of its next-generation firewall, server-based software intended to run on the VMware platform to allow security managers to set up firewall application-layer controls in virtual machines (VM).

HUAWEI: We can help keep U.S. safe from 'Net threats

The company's new VM-Series software is intended to overcome the limitation that physical firewall appliances face in virtualized environments in that they don't fit directly between VM-to-VM intra-host traffic flows, says Chris King, director of product marketing.

Palo Alto's entry into virtualization heightens competition in the next-generation firewall market vs. the likes of Sourcefire and Check Point. Next-gen firewalls go beyond traditional port-based firewalls to allow for setting up application-layer controls related to users and machine-to-machine processing.

While Palo Alto this week is entering the virtualized firewall market, it is not abandoning the business of selling physical application-layer firewalls, something it has done since starting up in 2005. The company this week is also introducing an updated physical appliance line called the PA-3000 Series, starting at $14,000. It consists of two next-gen firewalls, the PA-3020 and PA-3050, which respectively deliver 2Gbps and 4Gbps of application-identification throughput.

All of Palo Alto's new products are based on an updated operating system, PAN-OS 5.0. There's also a new M-100 management appliance intended to support all of its firewall line.

But the star of the show -- and a topic of curiosity -- at the company's conference with its customers this week is going to be the virtualized VM-Series versions, which start at $2,700.

The Palo Alto VM-series next-generation firewall for virtualized workloads will require that IT managers pay attention to capacity planning, King says. The virtualized firewall itself is a VM-based security component that will need to be carefully measured in terms of utilization based on factors such as what workloads are permitted to talk to each other.

These virtualized versions come as three basic types, the VM-100 (supporting 50,000 sessions, 250 rules, 10 security zones, 2,500 address objects, and 25 IPsec tunnels and 25 SSL VPN tunnels); the VM-200 (supporting 100,000 sessions, 2,000 rules, 20 security zones, 4,000 address objects, 500 IPsec VPN tunnels, and 200 SSL VPN tunnels) and lastly, the VM-300, (supporting 250,000 sessions, 5,000 rules, 40 security zones, 10,000 address objects, 2,000 IPsec VPN tunnels, and 500 SSL VPN tunnels).

King says that one core concept in managing virtualized application-layer firewalls is that policy should be tied to applications so that if they are migrated to other virtualized servers through use of VMware's vMotion, the policy moves with them. The idea is also to find the right balance of virtualized and physical application-layer firewalls.

King noted that Palo Alto is not using specific VMware-based security APIs in its virtualized application-layer firewalls but there will be a number of management software vendors, including CA and BMC, whose orchestration tools can be used in Palo Alto virtualized environments.

Palo Alto's entry into virtualization has competitors' attention. Oliver Friedrichs, senior vice president in Sourcefire's cloud technology group, expressed confidence that his company will hold its own through its virtualized IPS firewall, an endpoint product that tackles mobile security and a big-data analytics platform for investigating malware-based attacks.

In addition to the new application-aware firewalls from Palo Alto, the company this week is also launching a cloud-based malware-detection component as a subscription service that is intended to notify a company if a problem is detected, though it will not remediate the problem.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:

Read more about wide area network in Network World's Wide Area Network section.

Tags: virtualized firewalls, Configuration / maintenance, next-generation firewall, Firewall & UTM, security, hardware systems, Data Center, VMware, palo alto networks, sourcefire, virtualization

Review: File Recovery Tools

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Fraud Management Solutions

Reduce fraud losses regardless of channel by preventing cybercrime, identity theft, and other threats targeting your customers.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).

  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.