The new product is new machine-learning based firewalls, aimed at both datacentres and branch offices, and giving Palo Alto Networks its first sub-$1000 models, in a move explicitly designed to challenge Fortinet’s dominance in that part of the market.
Palo Alto Networks has deepened their Zero Trust security ecosystem with five new or enhanced solutions. They have greatly expanded the number of SaaS applications that they cover. They have added a new Cloud Identity Engine that provides a single central place for authentication and authorization of users, regardless of where the identity stores are located. Two new capabilities have been added to better secure content. One is an upgraded URL subscription that provides advanced URL filtering. The other is an enhancement of DNS security to provide protection against ultra-slow DNS tunnelling, which has become more common and is dangerous because the slow attack speed lets the attacks hide from crawlers. Finally, five new machine learning-powered firewalls are being announced, one for data centres and large campuses, and four aimed at branch environments of different sizes.
“We have had Zero Trust before, but with the ability of the workforce to move on and off campus becoming increasingly critical, we are taking measures to ensure that access must be based on context, not location,” said Navneet Singh, Senior Director, Product Marketing for Next-Generation Firewalls at Palo Alto Networks. “So we are enhancing many of those capabilities. The future will be to provide a secure user experience no matter where you are located. That’s the outcome Zero Trust must have.”
The enhancements start with an integrated CASB that greatly expands the number of SaaS applications supported.
“We now support 15,000 SaaS applications, up from about 1000 SaaS applications before,” Singh said. “This will greatly help with the regulation of shadow IT.”
A new component, the Cloud Identity Engine, allows customers to authenticate and authorize their users across enterprise networks, clouds and applications, regardless of where their identity stores live.
“Cloud Identity Engine is an industry first,” Singh stated. “It lives in the cloud, and makes it easy for network security to talk to a central place for authentication. 87% of organizations use cloud-based identity or plan to move to it, as well as using on-prem Active Directory or identity sources. When these are split up, they become harder to authenticate. Cloud Identity Engine makes it much easier to configure.”
Both the URL Filtering service and DNS security capabilities have been significantly enhanced.
“Zero Trust is not just about access, but also security, which means that all the content must also be secure.” Singh said. “We do this with two major new capabilities.”
The existing URL subscription is being replaced with an advanced URL Filtering service which uses inline machine learning capabilities to protect against zero-day web attacks.
“This brings a completely new inline machine engine that goes through the content that is being given to users, to prevent Zero Day threats and attacks that can hide from crawlers,” Singh said.
The existing DNS Security capabilities have been enhanced, specifically to provide protection against ultra-slow DNS tunnelling.
“This ultra-slow tunnel is an emerging attack type which has become more prevalent over the last year,” Singh said. “The purpose of going so slow is it makes it hard to detect that it is an attack. Vendors tend not to talk about this emerging trend in their reports, because they don’t have protections against it, but now we do.”
Finally, all these capabilities are included within two new machine learning based next-generation firewall platforms, which are also being announced. One of them, the modular PA-5450 platform, is for data centres and very large campuses and hyperscale data centers. For branch offices, the PA-400 Series offers four models of increasing size.
“There is a particularly strong channel angle on these lower end branch office firewalls,” Singh said. “These are really our first products in the sub-$1000 range. Fortinet has dominated this low-end market, and with these products, we are taking them head on.” He noted that these are distribution products, and that resellers like CDW and WWT are excited about them.
Most of the hardware and all of the new features will be available in June. The smallest desktop firewall, the PA-410, will be available in late summer.