https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/3293#M2456 <HTML><HEAD></HEAD><BODY><P>Given a flow and properly written policy to allow Facebook and its myriad apps/widgets on port 80/443, other than the admin management overhead (i.e., having to open ports 80 and 443), how is what Palo Alto does different from what Checkpoint does?</P><P></P><P>This question addresses the quote below (found on the link shown).</P><P></P><P><A href="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/" title="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/">http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/</A></P><P></P><UL><LI><STRONG style="background-position: no-repeat no-repeat;">Port 80 allow – open the floodgates.</STRONG> The always-on nature of port-based traffic classification, means old-guard firewalls will <EM style="background-position: no-repeat no-repeat;">first</EM> need to open the application default port controlling the application. To control Facebook, you need to allow tcp/80 and tcp/443. Based on the <EM style="background-position: no-repeat no-repeat;">June</EM><EM style="background-position: no-repeat no-repeat;">2012 Application Usage and Risk Report,</EM> <STRONG>you may be allowing more than 500 (42%) <EM style="background-position: no-repeat no-repeat;">other</EM> applications that you may or may not want on the network</STRONG>. <STRONG>This means the strength of a default deny all policy is significantly weakened</STRONG>. If you are using Check Point, or any other port-based firewall, ask them if the above statement is true and how they recommend managing it.</LI></UL><P></P><P>In other words, if I allow ports 80/443 in my port policy and an application policy to allow Facebook apps only, I expect Checkpoint to be able to identify Facebook and non-Facebook traffic--then allow only the Facebook traffic and discard/block the rest.&nbsp; I expect Palo Alto to do the same--with the exception that the admin would not incur the management overhead of dealing with explicitly opening ports.&nbsp; Can someone elaborate on how Checkpoint (or any firewall that claims NG capabilities) opens "the floodgates."?&nbsp; </P><P></P><P>Just looking for an objective/technical answer.</P><P></P><P>thanks</P></BODY></HTML> Thu, 17 Apr 2014 22:15:55 GMT derasa 2014-04-17T22:15:55Z https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/3293#M2456 <HTML><HEAD></HEAD><BODY><P>Given a flow and properly written policy to allow Facebook and its myriad apps/widgets on port 80/443, other than the admin management overhead (i.e., having to open ports 80 and 443), how is what Palo Alto does different from what Checkpoint does?</P><P></P><P>This question addresses the quote below (found on the link shown).</P><P></P><P><A href="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/" title="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/">http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/</A></P><P></P><UL><LI><STRONG style="background-position: no-repeat no-repeat;">Port 80 allow – open the floodgates.</STRONG> The always-on nature of port-based traffic classification, means old-guard firewalls will <EM style="background-position: no-repeat no-repeat;">first</EM> need to open the application default port controlling the application. To control Facebook, you need to allow tcp/80 and tcp/443. Based on the <EM style="background-position: no-repeat no-repeat;">June</EM><EM style="background-position: no-repeat no-repeat;">2012 Application Usage and Risk Report,</EM> <STRONG>you may be allowing more than 500 (42%) <EM style="background-position: no-repeat no-repeat;">other</EM> applications that you may or may not want on the network</STRONG>. <STRONG>This means the strength of a default deny all policy is significantly weakened</STRONG>. If you are using Check Point, or any other port-based firewall, ask them if the above statement is true and how they recommend managing it.</LI></UL><P></P><P>In other words, if I allow ports 80/443 in my port policy and an application policy to allow Facebook apps only, I expect Checkpoint to be able to identify Facebook and non-Facebook traffic--then allow only the Facebook traffic and discard/block the rest.&nbsp; I expect Palo Alto to do the same--with the exception that the admin would not incur the management overhead of dealing with explicitly opening ports.&nbsp; Can someone elaborate on how Checkpoint (or any firewall that claims NG capabilities) opens "the floodgates."?&nbsp; </P><P></P><P>Just looking for an objective/technical answer.</P><P></P><P>thanks</P></BODY></HTML> Thu, 17 Apr 2014 22:15:55 GMT https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/3293#M2456 derasa 2014-04-17T22:15:55Z https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/3294#M2457 <HTML><HEAD></HEAD><BODY><P>I'm an eval custom as well, so I don't have an extremely detailed answer. The way that Palo Alto works is that they inspect the packets and determine that they belong to Facebook, which then gets allowed in. Other firewalls will require you to open up port 80/443, which means you either need to limit that rule to all of Facebook's IPs, or allow those ports in general.</P></BODY></HTML> Mon, 21 Apr 2014 15:19:30 GMT https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/3294#M2457 hheck 2014-04-21T15:19:30Z