Continuing our series of blogs on “what’s new in PAN-OS 8.0?”, in this blog we look further in to the new “Breakthrough Performance Hardware” announced at the colossal security event on the 7th February 2017.
With the release of the new ‘Breakthrough Performance Hardware’ models, Palo Alto have made SSL decryption a reality to safely enable applications and secure the enterprise without compromising performance or upsetting the users, a real win !
Why is this interesting? Well recently Gigamon released an SSL Infographic Dealing with Growth in SSL Traffic, showing SSL encrypted traffic is currently 25-35% of all Internet traffic and predicting a 20% year on year growth. With the release of free certificates from Let’s Encrypt, the Internet is seeing a massive explosion in HTTPS/SSL encrypted traffic. Some of our customers are already reporting 75% of traffic is SSL encrypted and asking about decryption.
Many customers want to implement SSL decryption on their existing firewalls to be able to content scan the encrypted traffic and remove threats & undesired content, however decryption, is resource intensive, and can slow down website browsing if the firewall hardware is not up to the task of decrypting thousands of encrypted sessions. It is a trade off with securing the traffic passing through the firewall and happy, efficient end users, a tough call.
When reviewing firewall specifications, one key factor, along with the other specifications, for me as security consultant and knowing the bad guys are using SSL encryption to hide malicious content, is the ‘Max concurrent decryption sessions’ number to help customers specify the correct firewall for their requirements.
Please note: – The new models will only operate with the new PAN-OS 8.0. If you are planning on purchasing new Palo Alto Networks hardware, please be sure to contact us for professional advice on how to integrate the new models into your infrastructure and plan the upgrade of the current models to the all-new PAN-OS 8.0.
Here’s the lowdown on the latest models:
New advanced architecture for high-performance and scalability
The new PA-5200 series introduces three new modes; PA-5220; PA-5250 & PA-5260, targeting the high-speed data centre & service provider deployments. As enterprises consolidate data centres, by reducing smaller localised data centres into larger regional data centres, add in the growth of Internet speeds, the explosion of encrypted (HTTPS/SSL) traffic, all requiring more processing power, there is a need to fill the gap between the PA-5060 and the PA-7050, and these three new models fill that gap nicely.
- Firewall throughput (App-ID) for the PA-5260 is 72.2Gbps & the PA-5250 is 35.9Gbps
- Threat prevention for the PA-5260 is 30Gbps & the PA-5250 is 20.3Gbps
- IPSec VPN tunnel throughput for the PA-5260 is 21Gbps & the PA-5250 is 14Gbps
- New sessions per sectioned for the PA-5260 is 458,000 & the PA-5250 is 358,000
- Max concurrent decryption sessions for the PA-5260 is 3.2Million & the PA-5250 is 800,000
- 5Gbps SSL decrypt throughput
- Higher 10G port density, 40G & 100G interface support
New scale and performance to secure enterprise branch offices & midsized businesses
With the growth in cloud adoption; data centre consolidation & the rise of encrypted traffic, the north/south traffic Internet & IPSec VPN traffic requires more processing power. Palo Alto Network have introduced two new models; PA-820 & PA-850, to meet these requirements.
- Firewall throughput (App-ID) for the PA-850 is 1.9Gbps & the PA-800 is 940Mbps
- Threat prevention for the PA-850 is 780Mbps & the PA-800 is 610Mbps
- IPSec VPN tunnel throughput for the PA-850 is 500Mbps & the PA-800 is 400Mbps
- New sessions per sectioned for the PA-850 is 9,500 & the PA-800 is 8,300
- Max concurrent decryption sessions for the PA-850 is 19,200 & the PA-800 is 12,800
- Redundant power supplies on the PA-850
Next-Generation Firewalls for distributed branch offices, retail & midsized businesses
The PA-220 refreshes the PA-200, delivering all the same security capabilities as the rest of the Palo Alto Networks platform in a small desktop footprint, however it packs a in a lot more to make the PA-220 the preferred choice for branch/remote office, retail and midsized businesses.
- Full PAN-OS capabilities, in a small desktop footprint
- Firewall throughput (App-ID) increase from 100Mbps to 500Mbps
- Threat prevention throughput tripled from 50Mbps to 150Mbps
- IPSec VPN tunnel throughput doubled from 50Mbps to 100Mbps
- New sessions per sectioned quadrupled from 1,000 to 4,200
- Max concurrent decryption sessions sees a six-fold increase from 1,024 to 6,400
- Complete high availability support (Active/Passive with session sync, and Active\Active), compared with the PA-200 only supporting active\passive configuration synchronisation.
- Fan-less design, creates passive and silent cooling to eliminate noise and increase reliability
- Built-in resiliency with dual power adapters; using an optional power brick
- Increased port density; 8×10/100/1000 Interfaces, compared with the PA-200 4xInterfaces
- Optional rack and wall mounting brackets available