Enterprise-class IPS
Today's attacks use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls provide organizations with a two-pronged approach to stopping these attacks: unwanted applications are blocked through App-ID, and those that are allowed can be scanned for vulnerability exploits by the NSS-Approved IPS engine.
Enable full IPS protection while maintaining performance.
Predictable IPS performance is achieved through hardware acceleration, a uniform signature format and a single-pass software architecture. Dedicated processing and memory for content inspection, as well as for networking, security and management, provide the hardware acceleration necessary for predictable IPS performance. Dedicated processing means that key functions are not competing for processing cycles with other security functions, as is the case in a single-CPU or ASIC/CPU hardware architecture. A uniform signature format eliminates many redundant processes common to multiple-scanning-engine solutions (TCP reassembly, policy lookup, inspection, etc.), while the single-pass software means that the traffic is touched only once, no matter how many policy elements are in use.
Blocks a wide range of known and unknown vulnerability exploits.
A rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms:
- Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
- Protocol anomaly-based protection detects non-RFC compliant protocol usage such as the use of overlong URI or overlong FTP login.
- Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
- Statistical anomaly detection prevents rate-based DoS flooding attacks.
- Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
- Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly are utilized for protection against evasion and obfuscation methods employed by attackers.
- Custom vulnerability or spyware phone-home signatures can be used in either the anti-spyware or the vulnerability protection profile.
DoS/DDoS attack protection.
Palo Alto Networks next-generation firewalls protect organizations from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. DoS protection policies can be deployed based on a combination of elements, including the type of attack and traffic volume (both aggregate and classified); response options include allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:
- Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
- Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
- Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.
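The following is an added example, not Palo Alto Networks code, that models the rate-based flood protection described above: a profile with alert, activate and maximum thresholds (constructed values) is applied to SYN counts both in aggregate and classified per source IP over a one-second window, so a distributed flood is caught by the aggregate counter while a single noisy source is caught by the classified one. The profile values, sample addresses and the `evaluate_window` helper are assumptions for illustration.

```python
# Added example (not Palo Alto Networks code): toy model of a rate-based
# DoS protection profile. Thresholds are constructed values; counters are
# SYN packets per second, tracked in aggregate and classified per source.
from collections import Counter

# Constructed profile: packets per second at which each action fires.
PROFILE = {"alert": 100, "activate": 200, "maximum": 400}

def classify_rate(rate, profile=PROFILE):
    """Map a per-second rate to the action the profile triggers."""
    if rate >= profile["maximum"]:
        return "drop"          # maximum threshold reached: drop new sessions
    if rate >= profile["activate"]:
        return "activate"      # enable mitigation for this traffic
    if rate >= profile["alert"]:
        return "alert"         # log only, traffic still allowed
    return "allow"

def evaluate_window(packets, profile=PROFILE, window_seconds=1):
    """packets: iterable of (timestamp, src_ip, is_syn) inside one window.
    Returns (aggregate_action, {src_ip: action}) for that window."""
    syn_by_src = Counter(src for _, src, syn in packets if syn)
    total = sum(syn_by_src.values())
    aggregate = classify_rate(total / window_seconds, profile)
    classified = {src: classify_rate(n / window_seconds, profile)
                  for src, n in syn_by_src.items()}
    return aggregate, classified

# Constructed one-second sample: one source sends 150 SYNs (over the
# per-source alert threshold), thirty sources send 5 SYNs each (each below
# every threshold, but 150 in total), plus some non-SYN traffic.
SAMPLE = ([(0.0, "198.51.100.7", True)] * 150
          + [(0.0, f"203.0.113.{i}", True)
             for i in range(1, 31) for _ in range(5)]
          + [(0.0, "192.0.2.4", False)] * 20)

if __name__ == "__main__":
    agg, per_src = evaluate_window(SAMPLE)
    print("aggregate action:", agg)          # activate (300 SYN/s in total)
    for src, action in sorted(per_src.items()):
        if action != "allow":
            print(src, action)               # only 198.51.100.7 alerts
```

Only the aggregate counter sees the 300 SYN/s produced by the thirty small senders, which is why the page's policies track both aggregate and classified volume.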
Market leading threat discovery and research.
The intrusion prevention engine is supported by a team of seasoned signature developers who are active in the threat prevention community, performing ongoing research and working closely with software vendors, both informally and formally, through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, Palo Alto Networks is provided priority access to Microsoft's monthly and out-of-band security update releases. By receiving vulnerability information earlier, Palo Alto Networks can develop signatures and deliver them to customers in a synchronized manner, thereby ensuring that customers are protected. To date, Palo Alto Networks has been credited with the discovery of numerous critical and high severity vulnerabilities in both Microsoft and Adobe applications. Signature updates are delivered on a weekly schedule or on an emergency basis.