GlobalProtect and WildFire Frequently Asked Questions (FAQ)

GlobalProtect and NetConnect Consolidation


Why were GlobalProtect and NetConnect merged? GlobalProtect™ Agent represents the future of the Palo Alto Networks VPN client and already provides a more feature-rich solution. Standardizing on GlobalProtect as the VPN solution provides simplicity and ensures support for all the latest product features.

How do I upgrade from NetConnect to GlobalProtect? Users will need to install the GlobalProtect agent in order to upgrade. The connection will fail if a user attempts to connect to a GlobalProtect Portal with the NetConnect VPN. Installation of the GlobalProtect agent will automatically uninstall NetConnect, and NetConnect SSL-VPN settings on the firewall are automatically migrated into the corresponding GlobalProtect portal and gateway settings.

How is the user experience going to change? GlobalProtect provides a simplified user experience compared to NetConnect. All user-initiated connections will be performed through the system tray. The browser-based sign-in and java launch options have been removed. By default, GlobalProtect will use the same connection mode found in NetConnect in which the user must choose to establish a secure connection. This mode is known as on-demand mode. In addition, GlobalProtect can be configured in automatic (non-on-demand) mode, in which it will always stay connected to the corporate GlobalProtect gateway without any user interaction. This mode allows for the option to configure GlobalProtect as a transparent VPN.

I just downloaded PAN-OS 4.1 and cannot find NetConnect. NetConnect has been replaced by our new next generation secure access client product called GlobalProtect.

Does that mean that you are charging for SSL VPN/NetConnect? No. GlobalProtect provides more functionality for free than was found in NetConnect. The basic functionality of GlobalProtect (on-demand and transparent remote access, Single Sign On and single gateway support) is part of the firewall you purchased at no extra charge. Advanced features, such as multi-gateway support and host information profile checking, are premium features requiring separate portal and gateway licenses.

If SSL VPN is now part of GlobalProtect, do I need to deploy portals and gateways (GlobalProtect)? Yes. GlobalProtect requires a firewall to act as a gateway and a firewall to act as a portal. A single firewall can be configured as both the portal and the gateway and use the same IP address. A firewall can be a gateway and/or a portal while continuing to perform its normal duties as a firewall. In an upgrade scenario, the existing SSL-VPN settings are automatically migrated into the appropriate GlobalProtect portal and gateway settings.

GlobalProtect FAQ: General Questions


What devices are supported?
o Windows 7 (32 and 64 bit)
o Windows Vista (32 and 64 bit)
o Windows XP
o Mac OS X 10.6 or greater and 10.7
o Apple iOS 4.3 and 5.0 (using the built-in IPSec client). iOS devices are supported for secure connectivity only and do not support licensable features such as HIP profile checking or multiple gateway support.

2011 Palo Alto Networks (PAN-OS 4.1)

Page 1

What is the value of the licensed features of GlobalProtect? Host information profile checking as well as support for multiple gateways and dynamic gateway selection are premium features requiring a license. These features allow an organization to extend its network policies and protections to users in any location, effectively establishing a logical perimeter that moves with users and assets. The full functionality of GlobalProtect allows users to tightly integrate controls based on application, user (including the configuration of the host) and content, while also providing the performance and reliability needed to protect all remote traffic. Host profiles enable organizations to integrate source host information into their security policies to complement the application, user and content information they enjoy today. Support for multiple gateways provides the flexibility and performance needed to ensure employees use the VPN as default protection when they are outside the office. A brief description of each feature is listed below:

o Host Information Profile Checking: When licensed, the GlobalProtect agent can check the configuration of the host machine, which can then be used as part of security policy. This includes the ability to check operating system and application patch level, host anti-malware version and state, host firewall version and state, disk encryption configuration, data backup product configuration, and customized host conditions (e.g. registry entries, running software). These factors can be incorporated into all standard Palo Alto Networks policies. For example, a user can be denied access to secure zones of the network if disk encryption is not enabled on their machine, or denied access to high-risk applications if the antivirus profile is not up to date.

o Multiple Gateway Deployments: Traditional VPN deployments are susceptible to performance problems because they often funnel all traffic back to a single centralized server. This can introduce geographical latency and traffic congestion. GlobalProtect allows any Palo Alto Networks firewall to act as a Gateway. When more than one firewall is licensed as a Gateway, the agent on an end-user's machine will automatically test all available gateways to find the option that provides the best performance. This enables organizations to support geographically distributed users and to intelligently balance load across multiple firewalls.
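To make the host information profile idea above concrete, here is an added, illustrative model of HIP-based access policy. It is not Palo Alto Networks code and does not reflect the agent's real report format or the firewall's policy syntax; the attribute names, HIP object names, zone names and the three sample host reports are all constructed for the example. It shows the two cases the FAQ gives (no disk encryption means no secure-zone access; stale antivirus means no high-risk applications) plus a custom registry-key condition, with an unknown destination falling through to default deny.

```python
"""Model of host information profile (HIP) checks feeding access policy.

Added illustration, not Palo Alto Networks code: an agent reports host
state, and policy denies a zone or application when any required
condition fails. Attribute names, HIP objects, zones and sample hosts
are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HostProfile = Dict[str, object]


@dataclass
class HipObject:
    """One named host condition (constructed), e.g. 'disk is encrypted'."""
    name: str
    check: Callable[[HostProfile], bool]


# HIP objects an administrator might define (constructed sample set).
HIP_OBJECTS: Dict[str, HipObject] = {
    "disk-encrypted": HipObject(
        "disk-encrypted", lambda h: h.get("disk_encryption") is True),
    "host-firewall-on": HipObject(
        "host-firewall-on", lambda h: h.get("host_firewall") is True),
    "av-current": HipObject(
        "av-current",
        lambda h: h.get("antimalware") is True
        and int(h.get("antimalware_sig_age_days", 999)) <= 7),
    "os-patched": HipObject(
        "os-patched", lambda h: int(h.get("missing_critical_patches", 99)) == 0),
    # Custom condition: a registry key the organization requires (constructed).
    "agent-registry-key": HipObject(
        "agent-registry-key",
        lambda h: "HKLM\\SOFTWARE\\Example\\Managed" in h.get("registry_keys", [])),
}

# Security policy: destination -> HIP objects that must all pass (constructed).
POLICY: Dict[str, List[str]] = {
    "secure-zone": ["disk-encrypted", "host-firewall-on", "av-current",
                    "os-patched", "agent-registry-key"],
    "high-risk-apps": ["av-current"],
    "general-internet": [],
}


def evaluate_access(profile: HostProfile, destination: str) -> Tuple[bool, List[str]]:
    """Return (allowed, failed_hip_objects) for one host and one destination.

    A destination with no policy entry is denied (default deny).
    """
    if destination not in POLICY:
        return False, ["no-matching-rule"]
    failed = [name for name in POLICY[destination]
              if not HIP_OBJECTS[name].check(profile)]
    return (not failed), failed


# Constructed host reports for three laptops.
COMPLIANT = {"disk_encryption": True, "host_firewall": True, "antimalware": True,
             "antimalware_sig_age_days": 1, "missing_critical_patches": 0,
             "registry_keys": ["HKLM\\SOFTWARE\\Example\\Managed"]}
UNENCRYPTED = dict(COMPLIANT, disk_encryption=False)   # disk encryption off
STALE_AV = dict(COMPLIANT, antimalware_sig_age_days=30)  # AV signatures 30 days old

if __name__ == "__main__":
    for label, host in (("compliant", COMPLIANT), ("unencrypted", UNENCRYPTED),
                        ("stale-av", STALE_AV)):
        for dest in POLICY:
            allowed, failed = evaluate_access(host, dest)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{label:12s} -> {dest:17s} {verdict:5s} {failed}")
```

The design point is that the host conditions are evaluated per destination rather than once at connect time: the unencrypted laptop still reaches general Internet and even high-risk applications, but not the secure zone, which is the "logical perimeter" behaviour the answer describes.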

How is GlobalProtect priced? Unlike most client security solutions, GlobalProtect is not priced on a per user basis, but rather is licensed as a subscription per Palo Alto Networks appliance. An organization will need to purchase a license for at least one GlobalProtect Portal, although more than one Portal is allowed. Then the organization will purchase GlobalProtect Gateway subscriptions for each firewall that will need to act as a Gateway for remote users.

WildFire: FAQ
What makes modern malware different from traditional malware? Modern malware has evolved in several ways to avoid traditional antivirus and network security solutions, but we see two overarching trends that define modern malware. First, a great deal of malware has become highly networked, meaning that it has the ability to remotely connect to (and be controlled by) a remote attacker. Botnets are a perfect example of highly networked malware. This interconnectivity makes the malware highly resilient and far more dangerous because it can change and adapt based on the desires of the attacker. Secondly, modern malware strategies have evolved to avoid detection by traditional antivirus solutions. This is done largely through the use of targeted or polymorphic malware that can gain access into a network without triggering AV signatures. While these techniques aren't completely new, they are being seen far more frequently in targeted, high-profile attacks.

What is WildFire? WildFire allows users to submit .exe and .dll files to Palo Alto Networks' secure, cloud-based, virtualized environment where they are automatically analyzed for malicious activity. Palo Alto Networks allows the file to run in a vulnerable environment and watches for more than 70 specific malicious behaviors and techniques, such as modifying system files, disabling security features or using a variety of methods to evade IPS detection. Users can be automatically notified when results are available for review. Detailed analysis of the submitted files is available via the WildFire Portal, allowing managers to see which users were targeted, the applications that were used, the malicious behaviors that were observed and whether the file is covered by industry antivirus solutions.

Is WildFire an appliance, feature or a service? WildFire is a new feature available in PAN-OS 4.1 that automatically detects malware based on the actual behavior of the executable as opposed to a signature.

Why did Palo Alto Networks develop WildFire? Modern malware has become one of the most important assets in targeted, professional attacks and so-called APTs (advanced persistent threats). In these cases the malware is often custom-built for the target network and, since it has not been released in the wild, will not trigger traditional AV signatures. As a result, modern network security needs the capacity to determine whether a file is benign or malicious even if the file has never been seen before. WildFire performs this analysis and provides IT with actionable intelligence and protections once a malicious file is found.

Does WildFire require any additional hardware? No. Users can submit samples of executables via their existing Palo Alto Networks firewall, or they can be uploaded to the Palo Alto Networks WildFire Portal. The WildFire analysis is performed in the cloud and has no impact on the performance of the customers' firewalls.

Does WildFire provide prevention capability or is it detection only? WildFire contains two critical components: the virtualized sandbox environment, which detects the presence of malicious behaviors, and an automated signature generator, which generates and fully tests signatures that are then delivered through the standard Palo Alto Networks malware updates. In the future, these updates will be delivered in near real time, allowing signatures to be distributed worldwide within an hour of the first instance of a piece of malware.

How can I ensure the privacy of my information submitted to WildFire? All file transfers to the cloud are encrypted using Palo Alto Networks certificates. Once the file is received in the cloud it is passed into a heavily secured sandbox environment where all traffic is tightly regulated by multiple layers of security. After the analysis is complete, the file is immediately deleted (in most cases this will be 5 minutes or less). WildFire maintains a hash of the analyzed file so that it does not need to be analyzed again. If the file is seen again by another firewall, the firewall will check with the cloud to see if the file has already been analyzed before sending the file. WildFire will also initially be limited to the analysis of EXE and DLL file types. Policies can be set to only forward files coming from untrusted sources such as the Internet, while not sending executable files from internal segments which may contain proprietary information. Additionally, users can set exactly what information should or should not be included with samples submitted to WildFire such as target user, application or IP address.

What operating systems are used in the virtualized environment? The virtualized sandbox will use Windows XP as its exclusive operating system. The list of supported operating systems will continue to grow over time.

Will other OSs be supported? Yes, Windows XP is simply the first operating system supported, due to its popularity in the market and with malware authors.

Will the solution support other file formats such as PDFs? Yes, WildFire will steadily expand to include other file types that are commonly used in the malware lifecycle.

Are there any applications which cannot be used to submit samples to WildFire? Any files transferred over traffic with proprietary encryption cannot be analyzed by WildFire. These applications should be heavily regulated by the next-generation firewall for a variety of reasons, including their ability to provide an avenue for malware infection. Palo Alto Networks does offer the ability to decrypt SSL, which will be required in order to submit samples carried over SSL to WildFire for analysis.

Can WildFire open a zipped file? Yes. Zipped and compressed HTTP (GZIP) content will be inspected, and any internal EXE and DLL files can be submitted for analysis.
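The forwarding behaviour described in the privacy answer above (hash check before upload, forwarding limited to untrusted sources, withholding user/application/IP details) and in the zipped-file answer (GZIP-encoded HTTP bodies are inspected for inner EXE/DLL files), as one added illustrative model. This is not PAN-OS code and does not reproduce the firewall's real configuration or log schema; the zone names, policy keys, sample bytes and log line format are constructed for the example, and the EXE/DLL check is the structural MZ/PE test rather than a full parser.

```python
"""Model of a firewall's decision to forward a file to WildFire.

Added illustration, not PAN-OS code. Only EXE/DLL files are candidates;
the file's hash is checked against verdicts the cloud already holds
before the file is sent; forwarding is limited to untrusted zones; and
metadata fields are withheld from the submission per privacy settings.
A gzip-encoded HTTP body is decompressed before the executable check.
Zone names, policy keys, sample bytes and log format are constructed.
"""
import gzip
import hashlib
from typing import Dict, Optional

# Forwarding and privacy settings (constructed).
FORWARD_POLICY = {
    "forward_from_zones": {"untrust"},   # do not send internal-segment binaries
    "include_fields": {"application"},   # "user" and "src_ip" are withheld
}


def decode_body(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo HTTP gzip content encoding so the inner file can be inspected."""
    if content_encoding and content_encoding.lower() == "gzip":
        return gzip.decompress(body)
    return body


def is_pe_file(data: bytes) -> bool:
    """True if data has the MZ/PE layout shared by EXE and DLL files.

    Checks the DOS 'MZ' magic and that e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature; a structural test, not a full PE parse.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def forwarding_decision(body: bytes, content_encoding: Optional[str],
                        src_zone: str, metadata: Dict[str, str],
                        known_verdicts: Dict[str, str]) -> Dict[str, object]:
    """Decide what the firewall does with one transferred file.

    known_verdicts maps SHA-256 hex digests to verdicts the cloud already
    returned, so an already-analyzed file is never uploaded twice.
    """
    data = decode_body(body, content_encoding)
    if not is_pe_file(data):
        return {"action": "ignore", "reason": "not-exe-or-dll"}
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_verdicts:
        return {"action": "verdict-cached", "sha256": digest,
                "verdict": known_verdicts[digest]}
    if src_zone not in FORWARD_POLICY["forward_from_zones"]:
        return {"action": "skip", "sha256": digest,
                "reason": "source-zone-not-forwarded"}
    # Strip any metadata the privacy settings do not allow in the submission.
    submitted = {k: v for k, v in metadata.items()
                 if k in FORWARD_POLICY["include_fields"]}
    return {"action": "forward", "sha256": digest, "metadata": submitted}


def file_blocking_log(decision: Dict[str, object], src_zone: str) -> str:
    """Render the decision as a one-line log record (constructed format)."""
    return "file-blocking zone=%s action=%s sha256=%s" % (
        src_zone, decision["action"], decision.get("sha256", "-"))


# Constructed sample: a minimal MZ header whose e_lfanew points at 'PE\0\0'.
SAMPLE_PE = (b"MZ" + b"\x00" * (0x3C - 2)
             + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16)
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PE).hexdigest()
SAMPLE_GZIP = gzip.compress(SAMPLE_PE)        # same file as a gzip-encoded body
SAMPLE_PDF = b"%PDF-1.4\n" + b"\x00" * 80     # not an EXE/DLL, so ignored

if __name__ == "__main__":
    meta = {"user": "alice", "application": "web-browsing", "src_ip": "203.0.113.7"}
    for label, body, enc, zone, cache in (
            ("fresh exe from untrust", SAMPLE_PE, None, "untrust", {}),
            ("gzip-encoded exe", SAMPLE_GZIP, "gzip", "untrust", {}),
            ("already analyzed", SAMPLE_PE, None, "untrust", {SAMPLE_SHA256: "malicious"}),
            ("exe from internal zone", SAMPLE_PE, None, "trust", {}),
            ("pdf", SAMPLE_PDF, None, "untrust", {})):
        d = forwarding_decision(body, enc, zone, meta, cache)
        print(f"{label:24s} {d}")
        print("   ", file_blocking_log(d, zone))
```

Two details matter for the privacy properties the answer claims: the hash is computed over the decoded file, so the same binary carried plain or gzip-encoded maps to one cache entry, and the zone check happens after the hash lookup, so a known-bad file from an internal segment still gets a verdict without the file ever leaving the network.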

How does WildFire work with the continue page for drive-by downloads? The continue page is presented to the user; if the user chooses to continue, the download proceeds and the file is forwarded.

How does a user know a file has been forwarded? File uploads to WildFire are logged (File Blocking).

Where can reports and logs be viewed? Logs and reports are viewed in the WildFire web portal.

Why is it called WildFire? The name speaks to the main challenge that WildFire was created to address. Namely that anti-malware solutions are based on the need to capture samples of malware in the wild before protections can be delivered. In the case of targeted or custom malware this is a serious problem because the malware will likely never show up in a traditional honeypot or honeynet. The target network is the only place where we know that the malware will have to reveal itself. As a result we needed to bring the concept of capturing malware in the wild down to the local level of the firewall.

WildFire FAQ: Sales Positioning


How and when should WildFire be sold? WildFire should be incorporated into the overall value of Palo Alto Networks approach to threat prevention. In short, customers need multiple security disciplines working together and in context in order to protect themselves against real-world attacks. This means controlling applications, stopping known exploits and malware, controlling dangerous URLs and files, and now also the ability to detect and respond to targeted unknown malware. Use WildFire to differentiate Palo Alto Networks from traditional IPS and UTM solutions.

How does WildFire compare to Check Point's Anti-Bot Blade? Given that Check Point is not yet shipping the Anti-Bot Blade, our technical analysis is limited to their public comments. However, with that caveat, the Anti-Bot Blade is obviously considerably different from WildFire. The Bot blade is simply looking at network traffic to identify command and control traffic and to identify IP addresses that are part of botnets. This type of analysis has existed in the Palo Alto Networks solution for years. WildFire is completely different in that it is designed to identify threats that have never been seen before. Where the bot blade applies signatures, WildFire actually executes and analyzes unknown files to determine their risk. This allows enterprises to go beyond controlling the large, well-known botnets and actually catch and root out the targeted attacks that have plagued the industry over the past year.

How does WildFire compare to FireEye? FireEye provides a very costly and incomplete approach to modern malware. FireEye requires a separate box at every ingress point, adding to the device sprawl when most organizations are looking to consolidate. The FireEye appliance is a Windows solution and as such is not suited as an in-line security device. Furthermore, FireEye lacks the next-generation firewall's ability to inspect all traffic on all ports and to decode more than 100 applications and protocols, meaning that it will miss file transfers that are intentionally hidden. Lastly, there is no coordination between the various FireEye boxes, meaning that when malware is found in one box, none of the other boxes receive any benefit from that intelligence. In short, the solution requires a lot of hardware with each piece acting as its own silo of information. When considering FireEye, there are several factors that prospects will want to consider.

o FireEye Can't Enforce Traffic It Can't See. The most fundamental issue for FireEye is that they lack the visibility of App-ID to identify evasive traffic, both in terms of infecting traffic and ongoing command and control. This means that they will miss traffic that knows how to hide or circumvent inspection today, such as hiding within SSL or proxying into the environment.

o FireEye Is Not Built for Inline Security Enforcement. FireEye is a Windows-based appliance, which will preclude it from many true security environments. Additionally, FireEye has little to no background as a high-performance and resilient environment. The next-generation firewall is purpose-built for the challenges of being deployed in-line, including high throughput, low latency, routing, NAT and fail-over considerations.

o Overall Cost and Time to Protection. FireEye requires an additional appliance to be deployed at each ingress point, which makes the solution extremely expensive for only adding an analysis capability with very little enforcement. Also, information is not shared between the devices deployed at separate ingress points, meaning that an ingress point will NOT be protected even once a malicious file has been detected at another ingress point. Palo Alto Networks uses the hardware that is already deployed and offloads the sandboxing functionality to virtualized systems that are hosted in the cloud. As soon as a file is found to be malicious, a signature is generated and delivered to all other firewalls in order to provide protection.

What are some good examples of modern malware? There are quite a few examples that we cover in the Application and Threat Research Center (http://www.paloaltonetworks.com/researchcenter/), so be sure to use this ongoing resource. A few key examples are listed below.

o RSA and Aurora Attacks: These are two very well-known targeted attacks. They provide a clear example of highly sophisticated attacks using previously unknown malware to break into enterprises. More info on high profile breaches is available here: http://www.paloaltonetworks.com/researchcenter/2011/05/a-few-thoughts-on-the-latest-databreaches/

o TDL-4: This is a good example of highly networked malware that uses a variety of tricks to avoid traditional security measures. A deeper analysis of TDL-4 can be found here: http://www.paloaltonetworks.com/researchcenter/2011/07/analyzing-the-indestructible-botnet/
