Enterprise-class IPS.

Today's attacks on your network use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls arm you with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID, and the applications you choose to allow through are scanned for vulnerability exploits by our IPS engine.

 


Enable full IPS protection while maintaining performance.

We deliver predictable IPS performance to you through hardware acceleration, a uniform signature format and a single-pass software architecture. Dedicated processing and memory for content inspection, as well as for networking, security and management, provide the hardware acceleration necessary for predictable IPS performance.
 

  • Dedicated processing means that key functions do not compete for processing cycles with your other security functions, which happens in a single CPU or ASIC/CPU hardware architecture.

  • A uniform signature format eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.).

  • Single-pass software means that your traffic is touched only once, no matter how many policy elements are in use.

Blocks a wide range of known and unknown vulnerability exploits.

Our rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging your enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms, including:
 

  • Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.

  • Protocol anomaly-based protection detects non-RFC-compliant protocol usage, such as an overlong URI or an overlong FTP login.

  • Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.

  • Statistical anomaly detection prevents rate-based DoS flooding attacks.

  • Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.

  • Passive DNS monitoring globally identifies and builds protections for compromised domains and infrastructure, and local DNS sinkholing redirects malicious requests to an address of your choosing for discovery and blocking of infected hosts.

  • Other attack protection capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect you against evasion and obfuscation methods used by attackers.

  • Custom vulnerability or spyware phone-home signatures can be used in either anti-spyware or vulnerability protection profiles.

DoS/DDoS attack protection.

Palo Alto Networks next-generation firewalls protect you from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. You can deploy DoS protection policies based on a combination of elements including type of attack, or by volume (both aggregate and classified), with response options including allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:
 

  • Flood protection—Protects you against SYN, ICMP, UDP, and other IP-based flooding attacks.

  • Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential targets.

  • Packet-based attack protection—Protects you from large ICMP packets and ICMP fragment attacks.

Market leading threat discovery and research.

Our intrusion prevention engine is supported by a team of seasoned signature developers. Our team is highly active in the threat prevention community, performing ongoing research and working closely with software vendors - both informally and formally - through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, we have priority access to Microsoft's monthly and out-of-band security update releases.

By receiving vulnerability information early, Palo Alto Networks can develop and deliver signatures to you in a synchronized manner to ensure that you are fully protected. Signature updates are delivered on a weekly schedule or on an emergency basis. To date, our team has been credited with the discovery of numerous critical and high-severity vulnerabilities in both Microsoft and Adobe applications.