Recently, the discussion surrounding the application visibility and control provided by next-generation firewalls has become deafening. Now every stateful-inspection-based firewall vendor is calling its product a next-generation firewall that can identify and control applications. A remarkable feat, given that they are all still using port and protocol as the primary traffic classification mechanism, and that all application identification is being done by a bolt-on IPS engine.
In some respects, the added discussion is beneficial because it means that the traditional vendors recognize that their existing, port-based products are relatively ineffective at classifying the traffic on corporate networks. However, the increased noise makes it even more important to clarify the fundamental differences between App-ID, the traffic classification technology used in Palo Alto Networks next-generation firewalls, and the classification mechanisms used in other offerings.
The fundamental differences can be summarized by the Rule of All.
Palo Alto Networks users will initially see the result of App-ID and the Rule of All in the ACC where, with a single firewall rule of any-any-allow, the details on applications, users, and threats can be viewed quickly and easily with a few clicks of a mouse. The Rule of All is then extended into the policy editor where, with equal ease, an administrator can establish positive control model policies to enable the use of applications. Finally, logging, reporting, and analysis take full advantage of the Rule of All, allowing an administrator to investigate security incidents, perform traffic and threat analysis, and generate reports based on the exact application identity.
So how can you clarify the discussion and determine what the other vendors are saying? Ask these questions:
Thanks for reading.
Matt