What are three unique benefits of the Palo Alto Networks Content ID choose three?

What makes Palo Alto Networks Next-Generation Firewall (NGFW) so different from its competitors is its Platform, Process and Architecture. Palo Alto Networks delivers all the next generation firewall features using the single platform, parallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features.

More technical and how-to articles covering Palo Alto's Firewalls can be found in our Palo Alto Networks Firewall Section

Palo Alto Networks Next-Generation Firewall’s main strength is its Single Pass Parallel Processing (SP3) Architecture, which comprises two key components:

1. Single Pass Software
2. Parallel Processing Hardware

Figure 1.   Palo Alto Networks Firewall Single Pass Parallel Processing Architecture

Single Pass Software

Palo Alto Networks Next-Generation Firewall is empowered with Single Pass Software, which processes the packet to perform functions like networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, signature matching for identifying threats and contents, which are all performed once per packet as shown in the illustration below:

Figure 2: Palo Alto Networks Firewall - Single-Pass Architecture Traffic Flow

This processing of a packet in one go or single pass by Palo Alto Networks Next-Generation Firewall enormously reduces the processing overhead, other vendor firewalls using a different type of architecture produce a significantly higher overhead when processing packets traversing the firewall. It’s been observed that the Unified Threat Management (UTM), which processes the traffic using multi-pass architecture, results in process overhead, latency introduction and throughput degradation.

The diagram below illustrates the multi-pass architecture process used by other vendors’ firewalls, clearly showing differences to the Palo Alto Networks Firewall architecture and how the processing overhead is produced:

Figure 3: Traffic Flow for multi-pass architecture resulting in additional overhead processing

Palo Alto Networks Next-Generation Firewall Single Pass Software scans the contents based on the same stream and it uses uniform signature matching patterns to detect and block threats. By adopting this methodology Palo Alto Networks Next-Generation Firewall is negating the use of separate scan engines and signature sets, which results in low latency and high throughput.

Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures function-specific processing is done in parallel at the hardware level which, in combination with the dedicated Data plane and Control plane, produces stunning performance results. By separating the Data plane and Control plane, Palo Alto Networks is ensuring heavy utilization of either plane will not impact the overall performance of the Platform. At the same time, this means there is no dependency on either plane as each has its own CPU and RAM as illustrated in the diagram below:

Figure 4: Palo Alto Networks Firewall Hardware Architecture – Separation of Data Plane and Control Plane

The Control Plane is responsible for tasks such as management, configuration of Palo Alto Networks Next-Generation Firewall and it takes care of logging and reporting functions.

Palo Alto Networks Next-Generation Firewall offers processors dedicated to specific functions that work in parallel. The Data Plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1Gbps busses.

The three type of processors are:

1. Security Matching Processor: Dedicated processor that performs vulnerability and virus detection.
2. Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
3. Network Processor: Dedicated processor responsible for network functions such as routing, NAT, QOS, route lookup, MAC Lookup and network layer communications.

Conclusion

Palo Alto Networks unique architecture and design has played a significant role in helping place it apart from the rest of its competitors. Its Single Platform Parallel Processing architecture coupled with the single management system results in a fast and highly sophisticated Next-Generation Firewall that won’t be left behind anytime soon. For more technical information and articles covering configuration and technical features of the Palo Alto Networks Firewall, visit our Palo Alto Networks Firewall Section.

Back to Palo Alto Networks Firewall Section

What are the 3 pillars of Palo Alto Networks strategy?

What are three benefits of App

Which three advantages does User

Which three of the following threats does Palo Alto Networks Threat Prevention Service detect and block?