PALO ALTO
NETWORKS
PORTFOLIO AND
ARCHITECTURE
ALWAYS USE THE RIGHT TOOL FOR
THE JOB!
• Palo Alto Networks Portfolio overview
• Next-generation firewall architecture
• Firewall offerings
EDU-210 Version B
PAN-OS® 11.0
© 2023 Palo Alto Networks, Inc.
Page 1
Learning Objectives
After you complete this module,
you should be able to:
• Describe the Palo Alto Networks Portfolio
• Define the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo
Alto Networks
2 | © 2023 Palo Alto Networks, Inc.
After you complete this module, you should be able to:
• Describe the Palo Alto Networks Portfolio
• Describe the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo Alto Networks
© 2023 Palo Alto Networks, Inc.
Page 2
Palo Alto Networks Portfolio overview
Next-generation firewall architecture
Firewall offerings
This section provides a high-level introduction to the architecture and components of the Palo Alto Networks
Security Operating Platform.
© 2023 Palo Alto Networks, Inc.
Page 3
Palo Alto Networks Approach to Cybersecurity
Complete
Visibility
Reduce Attack
Surface
Prevent
Known Threats
Prevent
Unknown Threats
4 | © 2023 Palo Alto Networks, Inc.
The critical elements of the Palo Alto Networks approach to cybersecurity:
• Provide visibility: An organization cannot protect against what it cannot see. Visibility requires the
complete visibility of users, applications, and content traversing corporate networks, the cloud, and
endpoints. It is only possible to implement security policies and take actions, such as blocking unknown
traffic, identifying advanced attacks, or permitting only applications with a valid business purpose.
• Reduce the attack surface: An attacker has more difficulty compromising an organization when the attack
surface is reduced. A variety of actions and tactics are available to reduce the attack surface, including
implementing an allowed application list to enable only critical business applications, inspecting unknown
traffic and activity against acceptable use policies, and implementing multi-factor authentication to ensure
that compromised credentials cannot be used to access applications and data.
• Prevent known threats: Preventing known threats is a foundational capability of any security program. To
do so effectively, your organization must be able to consume, and process threat intelligence and have a
well-organized defense that can be reconfigured rapidly and automatically based on new intelligence.
• Prevent unknown threats: Although vitally essential, signature-based prevention is limited to blocking
only what it knows. Preventing unknown threats is a crucial capability consisting of making known threats,
developing controls to stop them, and automatically reprogramming security technologies to incorporate
the new rules. Palo Alto Networks technologies use data analytics and machine learning on collected
datasets to detect behavioral anomalies indicative of a breach or attack and provide detailed, actionable
alerts. An organization can use automated processes and event correlation to make it easier to identify and
address critical threats.
© 2023 Palo Alto Networks, Inc.
Page 4
Network Security
The key Palo Alto Networks Product Portfolio elements for securing the network are:
• Next-Generation Firewall (NGFW) - The foundation of the Palo Alto Networks Product
Portfolio.
• VM-Series NGFW – A virtualized form factor of the Palo Alto Networks Next-Generation
Firewall
• CN-Series NGFW - A container-native version of the ML-powered Next-Generation
Firewall (NGFW) designed explicitly for Kubernetes environments
• Cloud-Delivered Security Services- Provides enhanced threat prevention services and
NGFW capabilities.
• Panorama™ - Centralized NGFW management and logging.
Next-Generation
Firewall
VM-Series
Firewall
CN-Series
Firewall
Cloud-Delivered
Security
Services
Panorama
5 | © 2023 Palo Alto Networks, Inc.
The networking infrastructure of an enterprise can be extraordinarily complex. The Product Portfolio secures
the enterprise networks’ perimeter, data center, and retail/branch offices with a fully integrated and automated
platform that simplifies security. Simplifying your security posture enables you to reduce operational costs
and support infrastructure while increasing your ability to prevent threats to your organization and quickly
adjust to your dynamic environment. The key Product Portfolio elements for securing the network are:
• Next-Generation Firewall (NGFW): The Palo Alto Networks Product Portfolio foundation.
• VM-Series NGFW - Provides all the capabilities of the Palo Alto Networks Next-Generation hardware
firewall in a virtual machine form factor
• CN-Series NGFW – A container-native version of the ML-powered Next-Generation Firewall (NGFW)
designed explicitly for Kubernetes environments.
• Cloud-Delivered Security Services: Provides enhanced threat detection and prevention services and
NGFW capabilities.
• Panorama: Centralized next-generation firewall management and logging.
For information about securing the enterprise, log into Live and search for “Product Selection” or see the
documentation at https://www.paloaltonetworks.com/network-security.
© 2023 Palo Alto Networks, Inc.
Page 5
Palo Alto Networks Portfolio overview
Next-generation firewall architecture
Firewall offerings
This section introduces the architectural features of Palo Alto Networks firewalls.
© 2023 Palo Alto Networks, Inc.
Page 6
Palo Alto Networks Single-Pass Architecture
Single-pass:
Policy Engine
• Operations per packet:
• Traffic classification with App-ID technology
• User or group mapping
• Content scanning: threats, URLs,
Data Filtering
Content-ID
Application Protocol
Decoding
confidential data
• One single policy (per type)
App-ID
hardware engines
• Separate data and control planes
Application Protocol
Detection and Decryption
Application Signatures
Heuristics
Parallel processing:
• Function-specific parallel processing
Advanced URL Filtering
Real-Time Advanced Threat
Prevention
Captive Portal
User-ID
Multi-Factor Authentication
L2/L3 Networking, HA, Config
Management, Reporting
7 | © 2023 Palo Alto Networks, Inc.
The strength of the Palo Alto Networks firewall is its single-pass parallel processing (SP3) engine. The singlepass software performs operations once per packet. As a packet is processed, networking functions, policy
lookup, application identification, decoding, and signature matching for any threats and content are performed
once. The parallel processing hardware is designed with separate data and control planes. Separating the data
and control planes means that heavy utilization of one plane will not negatively impact the other plane.
The advantage of providing the SP3 engine is that traffic is scanned with minimal buffering as it traverses the
firewall. This speed lets you configure advanced features, such as scanning for viruses and malware, without
slowing the firewall’s performance.
© 2023 Palo Alto Networks, Inc.
Page 7
Palo Alto Networks Firewall Architecture
Control Plane
CPU
Management
configuration | logging | reporting
RAM
SSD
MGT interface
Console
Signature Matching
Stream-based, uniform signature
match including vulnerability
exploits (IPS), virus, spyware, CC#,
and SSN
Data Plane
Signature Matching
exploits | virus | spyware | CC# | SSN
Single-Pass
Pattern
Match
RAM
REPORT
AND
ENFORCE
CPU
POLICYEnforce
App-ID | User-ID | URL match | policy
Policy
Signature
Matching
Components
SECURITY PROCESSING
Security Processing
match | SSL/IPsec | decompression
NETWORK PROCESSING
Network
Processing
flow control | route lookup | MAC lookup | QoS | NAT
flow control | MAC lookup | route
lookup | QoS | NAT
RAM
FPGA
Security
Processing
Components
Network
Processing
Components
Control Plane | Management
Provides configuration, logging, and
reporting functions on a separate
processor, RAM, and hard drive
Hardware
component
types and
sizes per layer
vary per
firewall
model.
Security Processing
High-density parallel processing for
flexible hardware acceleration for
standardized complex functions
Network Processing
Front-end network processing,
hardware-accelerated per-packet
route lookup, MAC lookup, and NAT
Data Interfaces
8 | © 2023 Palo Alto Networks, Inc.
Palo Alto Networks has processors dedicated to specific security functions that work in parallel. These
components can be implemented in hardware or software.
On the higher-end hardware models, the data plane contains three types of processors that are connected by
high-speed 1Gbps buses:
• Signature Match Processor scans traffic and detects:
• vulnerability exploits (intrusion protection system)
• viruses
• spyware
• credit card numbers
• Social Security numbers
• Security Processors: Multicore processors that handle security tasks such as Secure Sockets Layer
decryption.
• Network Processor: Responsible for routing, network address translation, and network-layer
communication.
The control plane has its own dual-core processor, RAM, and hard drive on the higher-end hardware models.
This processor is responsible for management UI, logging, and route updates.
© 2023 Palo Alto Networks, Inc.
Page 8
Zero Trust Architecture
• Never trust; always verify.
• Inspect perimeter traffic:
• Inbound traffic
• Outbound traffic
Inspect
inbound
traffic
north-south
Internet
Zone
Inspect
outbound
traffic
• Also inspect internal traffic.
Applications
zone
Inspect
internal
traffic
User's zone
east-west
9 | © 2023 Palo Alto Networks, Inc.
Conventional security models operate on the outdated assumption that everything inside an organization’s
network can be trusted. These models are designed to protect the perimeter. Meanwhile, threats that get inside
the network go unnoticed and are left free to compromise sensitive, valuable business data. In the digital
world, trust is nothing but a vulnerability.
The Zero Trust architecture model remedies the deficiencies of the perimeter-only architecture. Zero Trust is
based on the principle “never trust, always verify” rather than on the principle “trust but verify.” In Zero
Trust, users’ steps through the infrastructure must be validated and authenticated across all locations.
In complex network architectures, you can simplify traffic flows to inbound traffic from the internet,
outbound traffic to the internet, and internal traffic between nodes in your data center. You accomplish
inbound and outbound inspection by locating a firewall between your internal network segments and the
internet. You achieve an internal traffic inspection by locating a firewall between your internal subnets and
VLANs.
© 2023 Palo Alto Networks, Inc.
Page 9
Palo Alto Networks Portfolio overview
Next-generation firewall architecture
Firewall offerings
This section introduces the physical and virtual firewall models available from Palo Alto Networks. For the
latest information about available Palo Alto Networks firewall models, log into Live and search for “Product
Selection” or see https://www.paloaltonetworks.com/products/product-selection.html.
© 2023 Palo Alto Networks, Inc.
Page 10
Flexibile Architecture
Hardware
PA-Series
Software
VM-Series / CN-Series
Cloud Service
Prisma Access
CN-
High Performance
Physical Appliances
& Chassis
Virtual Software
VM & CN Series
Cloud Delivered
Security
11 | © 2023 Palo Alto Networks, Inc.
The foundation of the Strata Network Security Platform is the ML-Powered Next-Generation Firewall. Strata
is designed to protect the perimeter of your network (north-south traffic), regardless of where that perimeter
may be and traffic that moves internally (east-west) within your network. The flexibility of the Strata platform
currently has 3 form factors of the firewall that can be used independently or combined for different use cases
to match your requirements by location. You can manage all deployments centrally through Panorama
network security management.
The PA-Series is a physical appliance providing power, intelligence, simplicity, and versatility. The PASeries protects enterprise and service provider deployments at headquarters, data centers, and branch offices.
The VM- and CN-Series are Virtual Next-Generation Firewalls that protect your hybrid cloud and branch
deployments by segmenting applications and preventing threats. And Prisma™ Access is a secure access
service edge (SASE) offering that delivers security globally from the cloud.
© 2023 Palo Alto Networks, Inc.
Page 11
PA-Series Next-Generation Firewalls
High-performance physical appliance solution.
PA-5450 Series
PA-7000 Series
PA-5400 Series
PA-3400 Series
PA-800 Series
PA-400
Series
PA-410
Small Branches &
Remote Locations
Network Perimeter
Large
Data Centers
12 | © 2023 Palo Alto Networks, Inc.
The PA-Series firewall is a high-performance physical appliance solution. The PA-Series is available in
different sizes, from a desktop-size form factor for your small offices to large chassis form factors for your
data centers. The operating system is consistent across all hardware platforms, so the look and feel of the
web-based management interface are the same.
The PA-7000 Series provides power, intelligence, and versatility for enterprise and service provider
deployments. The PA-5450 series offers a versatile platform built for Hyper-Scale Data Centers, Internet
Edge deployments, and Campus segmentation deployments. The PA-5400 series provides no-compromise
security and high performance for data centers and service providers, and the PA-3400 series provides broad
threat coverage at the internet edge. The PA-800 Series provides security for branch offices and mid-sized
businesses. The PA-400 series is optimized to meet your distributed enterprise branch requirements, while the
PA-220 delivers visibility, control, and the power to prevent network threats in a small form factor. The PA220R provides network security in a ruggedized form factor for severe environments.
To compare the capabilities of the various firewall models, log into Live and search for “Product Selection”
or see https://www.paloaltonetworks.com/products/product-selection.html.
© 2023 Palo Alto Networks, Inc.
Page 12
Virtual Systems
• Separate, logical firewalls within a single physical firewall
• Creates an administrative boundary
• Use case: multiple customers or departments
Physical Firewall
vsysB
vsysA
TrustZone
UntrustZone
Data Interfaces
TrustZone
UntrustZone
Data Interfaces
13 | © 2023 Palo Alto Networks, Inc.
A virtual system (vsys) is a separate, logical firewall instance within a single physical Palo Alto Networks
firewall. Managed service providers and enterprises can use a single pair of firewalls (for high availability)
and enable virtual systems rather than multiple firewalls. Each virtual system is an independent, separately
managed firewall with its traffic kept separate from the traffic of other virtual systems.
A vsys consists of physical and logical interfaces, subinterfaces, virtual routers, and security zones. You
choose the deployment modes, consisting of any combination of virtual wire, Layer 2, and Layer 3 interfaces
on each virtual system. When you use virtual systems, you can segment any of the following:
• administrative access
• management of all policies (Security, NAT, QoS, Policy‐Based Forwarding, Decryption, Application
Override, Authentication, and DoS Protection)
• all objects (such as address objects, application groups, filters, external dynamic lists, Security
Profiles, Decryption Profiles, and Custom objects)
• User‐ID
• certificate management
• Server Profiles
• logging, reporting, and visibility functions
Virtual systems are supported on the PA‐3x00, PA‐5x00, and PA‐7x00 Series firewalls. Each firewall series
supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is
required to support multiple virtual systems on the PA‐3x00 Series firewalls and create more than the base
number of virtual systems supported on a platform.
For more information about Virtual Systems, log into Live and search for “Virtual Systems” or see
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems.html.
© 2023 Palo Alto Networks, Inc.
Page 13
VM-Series Capacities
• Delivers the same capabilities as the PA-Series firewalls.
• Ensures application and data protection across public clouds and virtualized data
centers.
2vCPU
4.5/5.5GB
2vCPU
6.5GB
4vCPU
9GB
8vCPU
16GB
16/22/32vCPU
56GB
Firewall throughput (App-ID enabled)
3 Gbps
3Gbps
6Gbps
12Gbps
24/28Gbps
Advanced Threat prevention throughput
1.5Gbps
1.5Gbps
3Gbps
6Gbps
12/14/20Gbps
3,000
15,000
30,000
60,000
120,000
2
2
4
8
16, 22, 32
5.5GB/4.5
GB
6.5GB
9GB
16GB
56GB
32GB
60GB
60GB
60GB
60GB
Example Performance and Capacities
New sessions per second
Dedicated CPU cores
Dedicated memory (minimum)
Dedicated disk drive capacity (minimum)
14 | © 2023 Palo Alto Networks, Inc.
The VM-Series firewall is a virtualized form factor of Palo Alto Networks next-generation firewall. The VMSeries virtual firewalls provide all the capabilities of the Palo Alto Networks’ next-generation hardware
firewall in a virtual machine form factor so that you can secure the environments vital to your organization.
To meet the growing needs for inline security across diverse cloud and virtualization use cases, you can
deploy the VM-Series firewall on a wide range of private and public cloud computing environments such as
VMware, Cisco ACI, Cisco ENCS, KVM, OpenStack, Amazon Web Services, Microsoft public, and private
cloud, Oracle Cloud Infrastructure, and Google Cloud Platform to protect your cloud perimeter and your eastwest traffic.
For more information about the VM-Series Firewall, log into Live and search for “VM-Series” or see
https://www.paloaltonetworks.com/prisma/vm-series.
© 2023 Palo Alto Networks, Inc.
Page 14
CN-Series Firewall
• CN-Series provides visibility and security to
containerized application workloads.
K8s Cluster
• Natively integrates into Kubernetes
clusters.
Ordering
Payments
CN
NGFW
• Delivers the same capabilities as the PA-
Node
Node
Node
Series and VM-Series firewalls.
• Provides Layer 7 visibility, application-level
segmentation, DNS security, and advanced
threat protection.
• Protects traffic across trusted zones in
public cloud or data center environments.
Internet
15 | © 2023 Palo Alto Networks, Inc.
The Container Native or CN-Series firewalls deliver the same capabilities as the PA-Series and VM-Series
firewalls but in a container form factor. You can deploy the same cloud-delivered security services on top of
the CN-Series firewalls, just like other firewall form factors. The CN-Series firewall natively integrates into
Kubernetes to provide complete Layer 7 visibility, application-level segmentation, DNS security, and
advanced threat protection for traffic going across trusted zones in public cloud and data center environments.
The CN-Series firewall provides containerized traffic visibility. For instance, unlike a firewall deployed at the
edge, the CN-Series firewall identifies the specific pod traffic that originates from. This means you can write
more granular security policies defined at the application level rather than at the cluster level.
Management of the CN-Series firewall is done through Panorama using the Kubernetes plugin. The
Kubernetes plugin continuously pulls information from Kubernetes and feeds that information into
Panorama.
For more information about the CN-Series Firewall, log into Live and search for “CN-Series” or see
https://www.paloaltonetworks.com/network-security/cn-series.
© 2023 Palo Alto Networks, Inc.
Page 15
Module Summary
Now that you have completed this module,
you should be able to:
• Describe the three Pillars of the Palo Alto Networks Portfolio
• Define the single-pass architecture
• Define Zero Trust Concept
• Describe the physical and virtual firewall models available from Palo Alto
Networks
16 | © 2023 Palo Alto Networks, Inc.
Now that you have completed the module, you should be able to perform the tasks listed.
© 2023 Palo Alto Networks, Inc.
Page 16
© 2023 Palo Alto Networks, Inc.
Page 17
Lab 1 Overview
• There is no lab for this module
18 | © 2023 Palo Alto Networks, Inc.
© 2023 Palo Alto Networks, Inc.
Page 18
Protecting our
digital way
of life.
19
| © 2023 Palo Alto Networks, Inc.
© 2023 Palo Alto Networks, Inc.
Page 19
20