Overview:

The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances allowing you to safely enable applications flowing into and across your private public and hybrid cloud computing environments.

Automation features such as VM monitoring dynamic address groups and a REST-based API allow you to proactively monitor VM changes dynamically feeding that context into security policies thereby eliminating the policy lag that may occur when your VMs change.

The VM-Series supports the following hypervisors:

• VMWare ESXi and NSX
• Citrix SDX
• KVM (Centos/RHEL)
• Ubuntu
• Amazon Web Services 

Virtualized Firewalls

As your organization embraces virtualization and cloud initiatives your networking security and virtualization teams have two alternatives when it comes to protecting the resident mission-critical applications and data from modern cyber threats. The first alternative is to ignore security all together not because it is unnecessary but because security policy deployment cannot keep pace with the rate of virtualization changes oftentimes lagging weeks behind.

The second alternative is to implement traditional security technologies that are port-bound which means they lack the ability to identify and control applications and they are ineffective at blocking today's modern attacks. Neither of these alternatives address the critical requirements you need to protect your virtualized environments. Key requirements for virtualized security include:

• Support the same next-generation firewall features across both physical and virtual form factors
• Automate the deployment of next-generation firewalls and policies across a range of virtualization environments
• Isolate and segment mission critical applications and data following Zero Trust principles
• Stop cyber threats from moving laterally in an east-west manner
• Deliver centralized visibility and policy management for both physical and virtual form factors

The Palo Alto VM-Series combines next-generation firewall security and advanced threat prevention to protect your virtualized environments from advanced cyber threats. Native automation tools such as Virtual Machine monitoring (VM) and Dynamic Address Groups monitor VM additions removals and attribute changes to help eliminate any security policy lag as your VMs change.

Applying next-generation security to virtualized environments

The VM-Series virtualized firewall is based upon the same full-stack traffic classification engine that can be found in our physical form-factor firewalls. The VM-Series natively classifies all traffic inclusive of applications threats and content and then ties that traffic to the user. The application content and user &mdash the elements that run your business &mdash are then used as the basis of your virtualized security policies resulting in an improved security posture and a reduction in incident response time.

Isolate mission critical applications and data using Zero Trust principles

Security best-practices dictate that your mission-critical applications and data should be isolated in secure segments using Zero Trust (i.e. never trust always verify) principles at each segmentation point. The VM-Series can be deployed throughout your virtualized environment residing as a gateway within your virtual network and controlling VM-to-VM communications based on application and user identity. This allows you to control the applications traversing your virtualized environment while blocking potentially rogue or misconfigured applications and controlling access based on user identity.

Block lateral movement of cyber threats

Today&rsquos cyber threats will commonly compromise an individual workstation or user and then they will move across the network looking for a target. Within your virtual network cyber threats will move laterally from VM-to-VM in an east-west manner placing your mission critical applications and data at risk. Exerting application-level control using Zero Trust principles in between VMs will reduce the threat footprint while applying policies to block both known and unknown threats.

Automated transparent deployment and provisioning

A rich set of automation features and APIs allow customers to streamline their security policy deployment so that security keeps pace with the buildup and teardown of their virtualized mission-critical applications.

• Virtual Machine monitoring: Security policies must be able to monitor and keep up with changes in the virtualization environment including VM attributes and the addition or removal of VMs. Virtual Machine monitoring (i.e. VM monitoring) automatically polls your virtualization environments for virtual machine inventory and changes collecting this data in the form of tags that can then be used in dynamic address groups to keep policies up to date.
• Dynamic address groups: As your virtual machines change functions or move from server to server building security policies based on static data such as IP address delivers limited value. dynamic address groups allow you to create policies using tags [from VM monitoring] as an identifier for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes such as operating system can be resolved within a dynamic address group allowing you to easily apply policies to virtual machines as they are created or travel across the network.
• RESTful APIs: A flexible REST-based API allows you to integrate with 3rd party cloud orchestration solutions such as OpenStack and CloudStack. This enables the VM-Series to be deployed and configured in lockstep with virtualized workloads.
• Centralized management: Panorama&trade allows you to manage your VM-Series deployments along with your physical security appliances thereby ensuring policy consistency and cohesiveness. Rich centralized logging and reporting capabilities provide visibility into virtualized applications users and content.

Features and Benefits:

Security Features

• Application Visibility
  Port numbers protocols and IP addresses are useful for network devices but they tell you nothing about what is on your network. Detailed information about the applications users and content traversing your network empowers you to quickly determine any risks they pose and quickly respond. Leveraging the rich context provided by Palo Alto firewalls our visualization analysis and reporting tools let you quickly learn more about activity on your network and analyze incidents from a current or comparative perspective.
• User Visibility
  Traditionally security policies were applied based on IP addresses but the increasingly dynamic nature of users and applications mean that IP addresses alone have become ineffective as a policy control element for safe application enablement.
• AntiVirus
  The broadening use of social media messaging and other non-work related applications introduce a variety of vectors for viruses spyware worms and other types of malware. Palo Alto next-generation firewalls allow you to block unwanted applications with App-ID and then scan allowed applications for malware.
• IPS
  Today's attacks on your network use a combination of application vectors and exploits. Palo Alto next-generation firewalls arm you with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID and the applications you choose to allow through are scanned for vulnerability exploits by our NSS-approved IPS engine.
• Data Filtering & File Blocking
  The application function level control file blocking by type and data filtering features of our next-generation firewalls allow you to implement a range of policies that help balance permitting the use of personal or non-work related applications with the business and security risks of unauthorized file and data transfer.
• Modern Malware Protection
  Modern attackers are increasingly using targeted and new unknown variants of malware to sneak past traditional security solutions. To address this Palo Alto developed WildFire which identifies new malware in minutes. By executing suspect files in a virtual environment and observing their behavior Palo Alto identifies malware quickly and accurately even if the malware sample has never been seen before. Once a file is deemed malicious WildFire automatically generates protections that are delivered to all WildFire subscribers within an hour of detection. A WildFire license provides your IT team with a wealth of forensics to see exactly who was targeted the application used in the delivery and any URLs that were part of the attack.
• URL Filtering
  The perfect complement to the policy-based application control provided by App-ID is our on-box URL filtering database which gives you total control over related web activity. By addressing your lack of visibility and control from both an application and web perspective App-ID and URL Filtering together protect you from a full spectrum of legal regulatory productivity and resource utilization risks.
• Mobile Security
  Mobile devices are a part of nearly every modern network. As a result security teams need to deliver protection and policy enforcement to a myriad of new devices and applications. The Palo Alto next-generation firewall extends comprehensive application visibility and control and vulnerability protection to mobile devices.

Networking Features

• Decryption
  Take control of your SSL and SSH encrypted traffic and ensure it is not being used to conceal unwanted activity or dangerous content. Using policy-based decryption and inspection you can confirm that SSL and SSH are being used for business purposes only instead of to spread threats or unauthorized data transfer.
• IPv6
  Our next-generation firewalls allow you to deploy consistent safe application enablement policies across IPv6 IPv4 and mixed environments.
• Networking
  Our flexible networking architecture includes dynamic routing switching and VPN connectivity which enables you to easily deploy Palo Alto next-generation firewalls into nearly any networking environment.
• VPN
  Secure site-to-site and remote user connectivity is a critical infrastructure component. Every Palo Alto next-generation firewall platform allows you to easily and securely communicate between sites using standards-based IPSec VPN connections. Remote user communications are protected through a rich set of VPN features.
• Virtualization Security
  To optimize computing resources enterprises are moving towards supporting virtualized applications with different risk levels on a single server. In these environments virtualized firewalls are critical to deliver security for your communications within the virtualized server.

Management Features

• Device Management
  Our firewall management philosophy is to make administrative tasks such as report generation log queries policy creation and ACC browsing easy to execute and consistent no matter which mechanism - web interface Panorama CLI or API - you use.
• Policy Control
  The increased visibility into applications users and content delivered by Palo Alto simplifies figuring out which applications are traversing your network who is using them and the potential security risks. Armed with this data you can apply secure enablement policies with a range of responses that are more finely tuned than the traditional 'allow or deny' approach.
• Redundancy
  Palo Alto next-generation firewalls support a series of redundancy and resiliency features that ensure your firewall will continue to provide the secure application enablement you need to keep your business running.
• Virtual Systems
  Virtual systems are unique and distinct next-generation firewall instances within a single Palo Alto firewall. Instead of deploying many individual firewalls security service providers and enterprises can deploy a single pair of firewalls (high availability) and enable a series of virtual firewall instances (virtual systems). Each virtual system is an independent (virtual) firewall within your firewall that is managed separately and cannot be accessed or viewed by other users.

Technical Specifications:

Networking Specifications: