Cloud NGFW Versus VM-Series: Comparison Chart

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
NGFW Deployment & Management Description Cloud NGFW for AWS
VM-Series
    Native Management Panorama Management Strata Cloud Manager
Cloud-Native Cloud NGFW for AWS is a cloud-native regional service similar to other AWS services. This resource is delivered on the AWS platform to protect your AWS Virtual network (VPC) traffic in an AWS region. N/A
Zero Mantenance N/A Infrastructure to Manage. Palo Alto Networks does the heavy lifting of deploying firewall instances, and managing scaling and failover N/A
Build-in Resiliency (HA) Cloud NGFW resource offers built-in resiliency within an availability zone and across availability zones in an AWS region N/A
Build-in Scalability Cloud NGFW resource scales with your VPC traffic. The Autoscaling group provisioned for each AWS availability zone (within the Cloud NGFW resource) scales out independently and includes more instances to inspect higher traffic volume. As the traffic volume decreases within an AWS availability zone, the corresponding Auto scaling group scales in independently. N/A
Built-in Lifecycle management (SW and Content Updates) Cloud NGFW resources have built-in software and content updates N/A
Firewall-as-a-code You can automate the Cloud NGFW resource deployment using published and supported extensions in Cloud Formation and Terraform registry N/A
Policy-as-a-code You can automate the Cloud NGFW policy deployment using published and supported extensions in Cloud Formation and Terraform registry N/A
Multi-Cloud Support Centralized policy management across Cloud NGFW deployed in AWS & Azure NA
             
             
Policy Objects Description Cloud NGFW for AWS
VM-Series
    Native Policy Management (Rulestacks) Panorama Policy Management (Cloud Device Groups) Strata Cloud Manager
Address You can specify an address object to include either IPv4 or IPv6 addresses (a single IP address, a range of addresses, or a subnet), an FQDN, or a wildcard address (IPv4 address followed by a slash and wildcard mask).
Address Groups You can group specific source or destination addresses that require the same policy enforcement. N/A
Regions You can allow or block traffic from (or to) an IP addresses based on their geographic location such as a country. The region is available as an option when specifying source and destination for your policies. You can choose from a standard list of countries or specify a custom region/geolocation along with its associated IP addresses
Service (Port & Protocol) You can granularly control VPC traffic session usage to specific ports on your network (in other words, you can define the default port for the application). Cloud NGFW includes two pre-defined services—service-http and service-https— that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can however, create any custom service on any TCP/UDP port of your choice.
Service Group You can combine services that have the same security settings into service groups to reduce the number of rules in security policy N/A
External Dynamic List You can granularly control your VPC traffic using a dynamic list of IP addresses, Domains or URLs. stored in a file hosted on an external web server. Palo Alto Networks also offers built-in (Bulletproof, High-Risk, KN/Awn Malicious, and Tor Exit IP address) EDLs. Additonally, Palo Alto Networks offers a free EDL hosting service that maintains the ever-dynamic list of IP addresses for Microsoft 365, Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). You can use these EDLs to control your VPC Ingress and Egress traffic.
Applications You can granularly control your VPC traffic by using Palo Alto Network's App-ID™ traffic classification system that relies on application signatures to accurately identify applications in your network.
Application Group You can group together a set of APP-IDs that require the same policy enforcement. N/A
Application Filter You can granulary control your VPC trafic by defining an Application Filter that groups current APP-IDs and any future APP-IDs that match a certain attributes. For example, You can create an Application Filter by one or more attributes—category, sub-category, techN/Alogy, risk, characteristics. From N/Aw on, whenever a new APP-ID is introduced to Cloud NGFW based on a content update, all new applications matching the filter criteria are automatically added to your set. N/A
Tags Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), applications, zones, services, service groups, and to policy rules. NA
Dynamic user group Allow you to create a list of users from the local database, an external database, or match criteria and group them N/A N/A N/A
Certificates Management
Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer.
Self-signed Root CA certificates NA
Import a Certificate and Private Key NA
Cloud Certificates
(AWS Secrets Manager)
N/A
Log Forwarding
Log Forwarding to Palo Alto Networks CDL & Cloud destinations
Customer Managed Log Collectors N/A N/A N/A
Strata Logging Service N/A
Cloud Provider Destinations N/A
Syslog Profile N/A N/A N/A
HTTP Profile N/A N/A N/A
             
             
Security Services Description Cloud NGFW for AWS
VM-Series
      Native Policy Management (Rulestacks) Panorama Policy Management (Cloud Device Groups) Strata Cloud Manager
Security Policy Security policy protects your VPC traffic from threats and disruptions. Individual Security policy rules determine whether to block or allow a VPC/VNET traffic session based on traffic attributes, such as the source and destination security zone, the source and destination IP address, the application, the user, and the service.
IPS Vulnerability Protection
Vulnerability Protection protects against on inbound threats, where an attacker is attempting to exploit a system vulenrability to breach your network, The system vulnerabilies may be in the form buffer overflows, illegal code execution etc.
Best-Practices Profile
Custom Profiles N/A
Anti-Spyware
Anti-Spyware detects and blocks outbound threats, especially command-and-control (C2) activity, initiated by a (cyber-attack leveraged) malware infected workloads in your AWS VPC. You can also define custom regular expression patterns to identify spyware phone home communication.
Best-Practices Profile
Custom Profiles N/A
File Blocking
File Blocking allows you to granularly control file types in your VPC traffic in a specified direction (inbound/outbound/both). You can proactively block files that are kN/Awn to carry threats or that have N/A real use case for upload/download.
Best-Practices Profile
Custom Profiles N/A
Antivirus
Antivirus detects and protects against malware concealed in compressed files, executables, PDF files, and HTML and JavaScript viruses in your VPC traffic
Best-Practices Profile
Custom Profiles N/A
WildFire Analysis Cloud NGFW detects and forwards files, and executables in your VPC traffic to WildFire™ cloud service for analysis, and also performs inline ML analysis for certain files. If a threat is detetced on the files, Wildfire creates protections to block malware and globally distributes protection for that threat in under five minutes. N/A
URL Filtering
URL Filtering analyzes the VPC traffic and controls the URLs accessed by your VPC workloads (in both clear-text and encrypted traffic) by perfoming inline analysis and comparing against Palo Alto Networks managed URL categories or the custom categories you provide.
Best-Practices Profile
Custom Profiles
DNS Security
DNS Security protects outbound DNS requests from your VPCs against threats such as DNS tunneling, Domain Generation Algorithm (DGA) detection, Malware domains etc.
Best-Practices Profile N/A
Custom Profiles N/A
Data Filtering & Enterprise DLP Data filtering detects sensitive information in your VPC traffic—such as credit card or social security numbers or internal corporate documents—and prevent this data from leaving your AWS environment.

With Enterprise DLP you would gain a benefit of Advanced Data Filtering on your VPC traffic with pre-defined a huge list of data patterns with the cloud based analytics.
N/A Planned
Security profile groups A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. N/A
Decryption
Cloud NGFW can decrypt, inspect, and re-encrypt your VPC Ingress and Egress traffic as a policy-based decision. You can granularly control what VPC traffic can be decrypted and what traffic canN/At be decrypted and the type of SSL decryption, you want to perform on the indicated traffic. To enable decryption, you set up the certificates required to act as a trusted third-party to a session
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy N/A
DoS & Zone Protection Zone protection defends network security zones against flood attacks, reconnaissance attempts, packet-based attacks N/A  
APP-ID Cloud Engine (SaaS Inline) Palo Alto Network firewalls can download specific AWS PaaS APP-IDs from App-ID Cloud Engine (ACE) service. You can use ACE App-IDs in Security policy rules to gain visibility into cloud services and applications and control them. N/A Planned Planned
             
             
Networking Services Description Cloud NGFW for AWS
VM-Series
      Native Policy Management (Rulestacks) Panorama Policy Management (Cloud Device Groups) Strata Cloud Manager
Application Override You can configure Cloud NGFW to override the N/Armal Application Identification (App-ID) of specific traffic passing through the firewall. As soon as the Application Override policy takes effect, all further App-ID inspection of the traffic is stopped and the session is identified with the custom application signatures your provide N/A
NAT
Palo Alto Networks Fiirewalls can enforce Destination NAT on your Ingress VPC traffic and Source NAT your Egress VPC traffic
Ingress NAT N/A N/A N/A NA
Egress NAT Planned
Private NAT N/A N/A N/A
Policy Based Forwarding Palo Alto Networks firewalls Policy Based Forwading rules allow traffic to take an alternative path for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. For enhanced security, you can use PBF to send applications that aren’t encrypted traffic, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link. NA NA N/A
             
             
Device Settings Description Cloud NGFW for AWS
VM-Series
      Native Management Panorama Management Strata Cloud Manager
Security Zones
Security zones are a logical way to group interfaces on the firewall, and Cloud NGFW endpoints to control and log the VPC traffic
Private & Public zones N/A Planned
Zone Mapping N/A Planned
VPC endpoint zones N/A Planned  
XFF Traffic to your VPC workloads might have passed more than one proxy server (such as CDN or ALB) before it reaches the Cloud NGFW. If there's an existing XFF header, these proxies appends its IP address to it or adds the XFF header with its IP address. Therefore XFF request header may contain multiple IP addresses that are separated by commas. Cloud NGFW uses the The X-Forwarded-For (XFF) HTTP header field to identify the the original clieng IP address . Cloud NGFW always uses the most recently added address in the XFF header to enforce policy. N/A
DNS Proxy When you configure Cloud NGFW as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy. N/A Planned Planned
Interface Management Palo Alto Neworks Firewalls allow you to configure VLANs, Virtual Wires Link Layer Discovery Protocol (LLDP) , Bidirectional Forwarding Detection (BFD) on its interfaces N/A N/A N/A
Routing Management Palo Alto Networks Firewalls allow you to configure Static Routing and Routing Protocols (BGP, BFD, OSPF, OSPFv3, multicast, RIPv2, and filters) N/A N/A N/A
IPSec Tunnel Management Palo Alto Neworks firewalls terminate IPSec tunnels and inpect tunneled traffic N/A N/A N/A
Global Protect Management Palo Alto Networks firewalls secure mobile workforce by specifyinfg algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway module and client.

N/A N/A N/A
QoS Palo Alto Networks' firewalls allow you to specify traffic that requires preferential treatment or bandwidth limiting. QoS rules allow you to dependably run high-priority applications and traffic under limited network capacity. N/A N/A N/A NA
GRE Tunnel Management Palo Alto Networks firewalls terminate Generic Routing Encapsulation (GRE) tunnels and inspect tunneled traffic N/A N/A N/A NA
SD-WAN link Management Palo Alto Networks firewalls bind multiple WAN connections (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFI) to a virtual interface and support dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use. N/A N/A N/A
             
             
Identity Services Description   Cloud NGFW for AWS
VM-Series
      Native Policy Management (Rulestacks) Panorama Policy Management (Cloud Device Groups) Strata Cloud Manager
User-ID based policies User-ID™, a standard feature on the Palo Alto Networks firewall, enables you to author user- and group-based policies. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. leverage user information stored in a wide range of repositories. N/A Planned Planned
Panorama/Firewall based Identity Distribition You can congfigure some firewalls to collect user-ID mapping information from various sources and then redistribute them to other firewalls such as Cloud NGFWs. N/A Planned Planned
Cloud Identity Engine (CIE) Directory Sync Cloud Identity Engine (Directory Sync) allows Palo Alto Networks Firewalls to access your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. N/A Planned Planned
Cloud Identity Engine (CIE) based Identity Distrubition Cloud Identity Engine (User Context) collects and distributes IP address-to-user name mappings, IP port to username mappings, user tags IP address tags, Host IDs, and quarantine list information to Palo Alto Networks firewalls N/A Planned Planned
             
Security Posture, Health Posture & Operations Description   Cloud NGFW for AWS
VM-Series
      Native Management Panorama Management Strata Cloud Manager
Log Visualization You can review the logs to verify a wealth of information on a given session or transaction. Some examples of this information are the user who initiated the session, the action (allow or deny) that the firewall performed on the session, and the source and destination ports, zones, and addresses.
Log Analytics Allows you to monitor the traffic by applications, users, and content activity—URL categories, threats, security policies that effectively block data or files N/A
Rule Usage Metrics Rule usage monitoring helps you evaluate whether your policy implementation continues to match your enforcement needs N/A
Policy Analysis & Optimization Policy Analyzer analyzes your Cloud NGFW rules and recommends possible consolidation or removal of specific rules to meet your intended Security posture. it also checks for aN/Amalies, such as shadows, redundancies, generalizations, correlations, and consolidations in your rulebase.

Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules or add applications from a port-based rule to an existing application-based rule without compromising application availability.
NA
Operational Metrics
Palo Alto Networks firewallls natively publishes custom metrics to monitoring systems in palo Alto Networks (AIOPs) and the public cloud such as AWS® CloudWatch. These metrics allow you to assess firewall performance and usage patterns
AIOPS Planned Planned Planned
AWS Cloud Watch
Packet Capture Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture Planned Planned Planned
3 Comments
L0 Member

does this comparison still holds true even today? or are there any further changes to this? 

L0 Member

Hi @vkannan . I hope this document must be update to consider actual scenario (improved coverage) also include direct comparison between features in AWS and Azure.

L2 Linker

Team - Thanks for the comments. This document is now updated

  • 17761 Views
  • 3 comments
  • 4 Likes
Register or Sign-in
Labels
Top Liked Authors