Enterprise-class IPS

Today's attacks use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls provide organizations with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID, and those that are allowed can be scanned for vulnerability exploits by the NSS-Approved IPS engine.

NSS-Approved and Recommended IPS

Enable full IPS protection while maintaining performance.

Predictable IPS performance is achieved through hardware acceleration, a uniform signature format and a single-pass software architecture. Dedicated processing and memory for content inspection, as well as for networking, security and management, provide the hardware acceleration necessary for predictable IPS performance. Dedicated processing means that key functions are not competing for processing cycles with other security functions, as is the case in a single CPU or ASIC/CPU hardware architecture. A uniform signature format eliminates many redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.), while the single-pass software means that the traffic is touched only once, no matter how many policy elements are in use.

Intrusion Prevention Features

Blocks a wide range of known and unknown vulnerability exploits.

A rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms:

  • Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
  • Protocol anomaly-based protection detects non-RFC-compliant protocol usage such as the use of an overlong URI or overlong FTP login.
  • Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
  • Statistical anomaly detection prevents rate-based DoS flooding attacks.
  • Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
  • Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly are utilized for protection against evasion and obfuscation methods employed by attackers.
  • Custom vulnerability or spyware phone-home signatures can be used in either the anti-spyware or vulnerability protection profiles.
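
To illustrate the stateful pattern matching and TCP reassembly items above, the following added example (not Palo Alto Networks code; the placeholder signature, segment data and function names are constructed for illustration) compares per-packet matching with matching over a stream reassembled by sequence number:

```python
# Added illustration, not vendor code. All names and data here are constructed.
SIGNATURE = b"EXAMPLE-SIGNATURE"   # placeholder pattern, not a real signature

def per_packet_match(segments, signature=SIGNATURE):
    """Stateless check: look at each segment payload in isolation."""
    return any(signature in payload for _seq, payload in segments)

def reassemble(segments, initial_seq):
    """Rebuild the in-order byte stream from (seq, payload) pairs of one flow.

    Tolerates out-of-order arrival and retransmission; on overlap the bytes
    already accepted are kept. Stops at the first gap, since later bytes are
    not yet deliverable. Assumes no sequence-number wraparound.
    """
    stream = bytearray()
    next_seq = initial_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= next_seq:
            continue                      # retransmission: nothing new
        if seq > next_seq:
            break                         # hole in the stream: stop here
        stream += payload[next_seq - seq:]  # append only the unseen bytes
        next_seq = end
    return bytes(stream)

def stateful_match(segments, initial_seq, signature=SIGNATURE):
    """Match the signature against the reassembled stream, not single packets."""
    return signature in reassemble(segments, initial_seq)

# Constructed capture, listed in arrival order: out of order, one retransmit,
# and the pattern spans three segments.
SAMPLE = [
    (1019, b"TURE WORLD"),
    (1000, b"HELLO EXAM"),
    (1000, b"HELLO EXAM"),
    (1010, b"PLE-SIGNA"),
]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(SAMPLE))
    print("stateful:  ", stateful_match(SAMPLE, 1000))
```
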

Prevent Denial of Service Attacks

DoS/DDoS attack protection.

Palo Alto Networks next-generation firewalls protect organizations from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. DoS protection policies can be deployed based on a combination of elements, including type of attack and volume (both aggregate and classified), with response options that include allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:

  • Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
  • Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
  • Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

IPS Support

Market-leading threat discovery and research.

The intrusion prevention engine is supported by a team of seasoned signature developers who are active in the threat prevention community, performing ongoing research and working closely with software vendors, both informally and formally, through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, Palo Alto Networks is provided priority access to Microsoft's monthly and out-of-band security update releases. By receiving vulnerability information earlier, Palo Alto Networks can develop signatures and deliver them to customers in a synchronized manner, thereby ensuring that customers are protected. To date, Palo Alto Networks has been credited with the discovery of numerous critical and high-severity vulnerabilities in both Microsoft and Adobe applications. Signature updates are delivered on a weekly schedule or on an emergency basis.
