Secure Application Enablement
The increased visibility into applications, users and content simplifies the task of determining which applications are traversing the network, who is using them, and their potential security risk. Armed with these data points, administrators can apply secure enablement policies with a range of responses that are more fine-grained than the traditional allow or deny.
Balancing protection and enablement with fine-grained policy enforcement.
App-ID graphically displays the applications that are traversing the network, who is using them, and their potential security risk, which in turn empowers administrators to quickly deploy application-, application function-, and port-based enablement policies in a systematic and controlled manner. Policies may range from open (allow), to moderate (enabling certain applications or functions and then scanning, shaping or scheduling them), to closed (deny). Examples may include:
- Allow or deny
- Allow based on schedule, users, or groups
- Apply traffic shaping through QoS
- Allow certain application functions such as file transfer within instant messaging
- Allow, but scan for viruses and other threats
- Decrypt and inspect
- Apply policy-based forwarding
- Any combination of the above
Mixing next-generation policy criteria such as applications, application functions, users, groups and regions with traditional policy criteria such as source, destination and IP address allows organizations to deploy the appropriate policy for the requirement at hand.
Selectively filter applications to quickly create policy control lists.
The application browser allows administrators to add dynamic application filters to the security policy using a wide range of criteria, including category, subcategory, underlying technology, and behavioral characteristics (file transfer capabilities, known vulnerabilities, ability to evade detection, propensity to consume bandwidth, and malware transmission/propagation). Additional application details include a description of the application, the commonly used ports and a summary of the individual application characteristics. Using the application browser, administrators can quickly research an application and immediately translate the results into a security policy.
Stop threats and unauthorized file/data transfer.
The same levels of fine-grained control that can be applied to a specific set of applications can be extended to threat prevention. Using a very targeted approach, administrators can apply:
- Antivirus and antispyware policies to allowed webmail applications.
- IPS policies to Oracle database traffic.
- Data filtering profiles to file transfer within instant messaging.
Traffic shaping ensures business applications are not bandwidth starved.
Secure application enablement may entail allowing bandwidth-intensive applications such as streaming media. Administrators can strike an appropriate balance using QoS policies that ensure business-critical applications are not starved of bandwidth by non-work-related applications.
- Guaranteed, maximum and priority bandwidth can be applied across 8 traffic queues.
- Policies can be applied to physical interfaces, IPSec VPN tunnels, applications, users, source, destination, and more.
- Diffserv marking is also supported, enabling application traffic to be controlled by a downstream or upstream networking device.
Flexible, policy-based control over web usage.
As a complement to the application visibility and control enabled by App-ID, URL categories can be used as a match criterion for policies. Instead of creating policies that are limited to either allowing all or blocking all behavior, using URL category as a match criterion allows exception-based behavior, which gives both greater flexibility and more granular policy enforcement. Examples of how URL categories can be used in policy include:
- Identify and allow exceptions to general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group).
- Allow access to streaming media category, but apply QoS to control bandwidth consumption.
- Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
- Apply SSL decryption policies that allow encrypted access to finance and shopping categories but decrypt and inspect traffic to all other categories.
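The exception-based behavior described above depends on an ordered, first-match rulebase: the narrow exception must sit before the general deny or it never fires. The following is an added illustration, not Palo Alto Networks code or its policy format; rule names, group names, category names and profile labels are constructed for the example.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard, like "any" in a firewall rule field

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    app: str
    url_category: str
    file_type: str = ""  # non-empty only when a file is being transferred (constructed)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    groups: frozenset = frozenset({ANY})
    apps: frozenset = frozenset({ANY})
    url_categories: frozenset = frozenset({ANY})
    file_types: frozenset = frozenset({ANY})
    profiles: tuple = ()  # what an allow additionally does: shape, decrypt, scan

    def matches(self, s):
        return (bool(ANY in self.groups or self.groups & s.groups)
                and (ANY in self.apps or s.app in self.apps)
                and (ANY in self.url_categories or s.url_category in self.url_categories)
                and (ANY in self.file_types or s.file_type in self.file_types))

# Constructed rulebase mirroring the four examples above; order matters because
# the first matching rule wins, so the security-group exception precedes the deny.
RULEBASE = (
    Rule("sec-team-research", "allow", groups=frozenset({"security"}),
         url_categories=frozenset({"malware", "hacking"})),
    Rule("block-risky-categories", "deny",
         url_categories=frozenset({"malware", "hacking"})),
    Rule("block-unknown-exe", "deny", url_categories=frozenset({"unknown"}),
         file_types=frozenset({"exe"})),
    Rule("streaming-shaped", "allow", url_categories=frozenset({"streaming-media"}),
         profiles=("qos:low-priority",)),
    Rule("finance-no-decrypt", "allow",
         url_categories=frozenset({"finance", "shopping"})),
    Rule("web-decrypt-inspect", "allow", apps=frozenset({"web-browsing", "ssl"}),
         profiles=("decrypt", "antivirus")),
)

def evaluate(rules, session):
    """Return (rule name, action, profiles) of the first match; unmatched traffic hits an implicit deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action, rule.profiles
    return "implicit-deny", "deny", ()
```

Swapping the first two rules makes the security-group exception unreachable, which is the kind of ordering mistake to check for whenever an exception is added to an existing rulebase.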
Systematically identify and control unknown traffic.
Every network has a small amount of unknown traffic. Most commonly, unknown traffic is an internal, custom-developed application. Other times it is an unidentified commercial application or, in the worst case, a threat. Regardless of its volume, unknown traffic is a concern for any security administrator.
Administrators can use the application control features of the Palo Alto Networks next-generation firewalls to systematically identify, investigate and manage unknown traffic. The end result is a dramatic reduction in the risks posed by unknown traffic.