Threat Prevention

In today’s threat landscape, traditional malware has become highly targeted and evasive, and specifically designed to be completely undetectable. The goal is to breach the network perimeter by delivering malware that can move laterally across an organization, extracting valuable data as it spreads – all while remaining invisible to traditional network defenses.

Palo Alto Networks® protects your network against these threats by providing multiple layers of prevention, confronting threats at each phase of the attack. Our Threat Prevention subscription protects the network from advanced threats by identifying and scanning all traffic – applications, users, and content – across all ports and protocols.


Block Threats At The Perimeter

Intrusion Prevention

Vulnerability-based protections detect and block exploit attempts and evasive techniques on both the network and application layers, including port scans, buffer overflows, protocol fragmentation and obfuscation. 

  • Protections are based on both signature matching and anomaly detection.
  • Anomaly detection decodes and analyzes protocols, and uses the information learned to block malicious traffic patterns.
  • Stateful pattern matching detects attacks across multiple packets, taking into account arrival order and sequence.

Check out Intrusion Prevention at a glance.

SSL Decryption

A large portion of today’s network traffic – nearly 35% – is encrypted with SSL, leaving a gaping hole in network defenses if left unchecked. Palo Alto Networks next-generation firewalls have built-in SSL decryption capabilities, eliminating this blind spot. All traffic is inspected and advance security services, all without the need for a separate device – removing the complexities of having to manage separate, non-integrated technology.

File Blocking

Reduce the likelihood of a malware infection by preventing file types known to hide malware from entering your network. Further narrow your window of exposure by sending allowed file types to the WildFire® threat analysis service for analysis.


Shut Down Malware Delivery

Network Anti-Malware

Palo Alto Networks Threat Prevention security service protects against malware delivery through custom-built signatures that are based on content – not hash – to protect against known malware, including variants that haven’t been seen in the wild yet. Protections against newly discovered malware are delivered daily by WildFire, keeping the latest threats from breaching your network.


Prevent Threats From Exploring the Network

Because our platform is flexible, highly available, and supports high throughput with its single-pass scanning architecture, it can be implemented anywhere in the network:

  • At the perimeter (next-generation firewall).
  • At the data center edge (PA-7050).
  • Between virtual machines in the data center (VM-Series).
  • On a distributed enterprise – remote and mobile users, branch offices and operations plants (GlobalProtect™ network security for endpoints and Traps™ advanced endpoint protection).
  • At all points of segmentation.

Put a Stop to Data Exfiltration

Command-and-Control (Spyware)

We know there’s no silver bullet when it comes to preventing all threats from entering your network. This is why we focus on preventing attackers from leaving with important data. Our C2 signatures flag on both inbound and outbound requests to malicious domains, protecting your data from being stolen.

DNS Sinkhole

Our exfiltration protection goes a step further by providing sinkhole capabilities for outbound requests to malicious DNS entries. Any outbound request to a malicious domain or IP address can be redirected to an internal IP address set up by an administrator. This feature prevents those requests from ever leaving the network and compiles a report of compromised machines making those requests on which incident response teams can act.


Leverage Global Threat Intelligence

Detailed logs of all threats aren’t merely housed within the same management interface, but are shared between all prevention mechanisms to provide context. We leverage global threat intelligence through the close integration of Threat Prevention security services, URL Filtering and WildFire to automatically discover unknown malware and deliver protections to our entire customer base, keeping them secured against the latest advanced threats. 

The Palo Alto Networks threat research team, Unit 42, analyzes threat data amassed by our global intelligence community to identify and investigate cutting-edge attack methods and malware, and report on unfolding trends within the black hat space.


Related Content


Product Summary Specsheet

Key features, performance capacities and specifications for all Palo Alto Networks firewalls.

  • 63
  • 182236

PA-220 Datasheet

Palo Alto Networks PA-220 brings next-generation firewall capabilities to distributed enterprise branch offices and retail locations.

  • 11
  • 46602

Firewall Feature Overview Datasheet

This datasheet provides a comprehensive overview of the critical PAN-OS features that power all next-generation firewalls from Palo Alto Networks.

  • 13
  • 70836

VM-Series Specsheet

The VM-Series has been optimized and expanded to deliver industry-leading performance of up to 16Gbps of App-ID-enabled firewall throughput across five models.

  • 3
  • 39423

Protect Yourself From Antivirus

Traditional antivirus is not the solution to preventing endpoint breaches—it’s the problem. If you’re still using antivirus you are leaving your organization vulnerable to malicious attack.

Santa Clara, CA
  • 7
  • 25568

Traps: Advanced Endpoint Protection

Palo Alto Networks Advanced Endpoint Protection represents a complete paradigm shift from identification to pure prevention. Providing comprehensive exploit and malware prevention that is not designed to identify; instead, it prevents an attack before the malware can be successful.

Santa Clara, CA
  • 23
  • 52387