NextGig Systems, Inc. - Network Connectivity & Test Solutions

Palo Alto Networks' Next-Generation Firewalls - Policy Control

Secure Application Enablement

The increased visibility into applications, users and content can help simplify the task of determining which applications are traversing the network, who is using them, and the potential security risk. Armed with these data points, administrators can apply secure enablement policies with a range of responses that are more fine-grained than the traditional allow or deny.


Balancing protection and enablement with fine-grained policy enforcement.

App-ID graphically displays the applications that are traversing the network, who is using them, and their potential security risk, which in turn empowers administrators to quickly deploy application-, application function-, and port-based enablement policies in a systematic and controlled manner. Policies may range from open (allow), to moderate (enabling certain applications or functions, then scanning, shaping, scheduling, etc.), to closed (deny). Examples may include:

Allow or deny

Allow based on schedule, users, or groups

Apply traffic shaping through QoS

Allow certain application functions such as file transfer within instant messaging

Allow, but scan for viruses and other threats

Decrypt and inspect

Apply policy-based forwarding

Any combination of the above

Mixing next-generation policy criteria such as applications, application functions, users, groups and regions with traditional policy criteria such as source, destination and IP address allows organizations to deploy the appropriate policy for the requirement at hand.


Selectively filter applications to quickly create policy control lists.

The application browser allows administrators to add dynamic application filters to the security policy using a wide range of criteria including category, subcategory, underlying technology, and behavioral characteristic (file transfer capabilities, known vulnerabilities, ability to evade detection, propensity to consume bandwidth, and malware transmission/propagation). Additional application details include a description of the application, the commonly used ports and a summary of the individual application characteristics. Using the application browser, administrators can quickly research an application and immediately translate the results into a security policy.

Stop threats and unauthorized file/data transfer.

The same levels of fine-grained control that can be applied to a specific set of applications can be extended to threat prevention. Using a very targeted approach, administrators can apply:

Antivirus and antispyware policies to allowed webmail applications.

IPS policies to Oracle database traffic.

Data filtering profiles to file transfer within instant messaging.

Traffic shaping ensures business applications are not bandwidth starved.

Secure application enablement may entail allowing bandwidth-intensive applications such as streaming media. Administrators can strike an appropriate balance using QoS policies that ensure business-critical applications are not starved of bandwidth by non-work-related applications.

Guaranteed, maximum and priority bandwidth can be applied across 8 traffic queues.

Policies can be applied to physical interfaces, IPsec VPN tunnels, applications, users, source, destination, and more.

DiffServ marking is also supported, enabling application traffic to be controlled by a downstream or upstream networking device.

Real-time view of bandwidth-hogging applications, users or groups.

Based on the QoS policies enabled, the real-time bandwidth monitor provides administrators with an up-to-the-minute view of the bandwidth being consumed by applications, users and groups.
