About prnair

Palo Alto Networks is pleased to announce the General Availability of integration of VM-Series virtual firewalls with Microsoft Azure Gateway Load Balancer . This integration has been designed to efficiently augment native Microsoft Azure network security capabilities with next-generation threat protection — so customers can more easily attain greater performance and scalability.   Realize Both Speed and Security   Load balancing is critical for evenly distributing loads of incoming network traffic across a group of backend resources or servers. With Azure Load Balancer, you can scale your applications and create highly available services. But as organizations move more and more workloads into the cloud, setting up security becomes a top-of-mind concern. With this integration, VM-Series virtual Next-Generation firewalls augment native Microsoft Azure network security capabilities with next-generation threat protection. This includes preventing exploits, malware, previously unknown threats, and data exfiltration to keep apps and data in Azure safe.   That’s why Palo Alto Networks is proud to offer the VM-Series software firewall integration with Azure Gateway Load Balancer, which provides simplified connectivity while ensuring secure support for critical zone-based policies for Internet ingress traffic.   Figure 1: VM-Series virtual firewalls working in tandem with Azure Gateway Load Balancer       Preserve Full Visibility on Packet Sources   Truly securing traffic ingress requires complete visibility of the traffic source’s identity as it travels to its destination in the cloud. This was previously difficult to achieve with inbound traffic. When VM-Series firewalls are deployed behind a public standard load balancer, the source IP addresses of inbound traffic are replaced with the IP address of the load balancer. As a result, application source identity is obfuscated.   But with the new VM-Series and Azure Gateway Load Balancer integration, traffic packet headers and payload are kept intact, which provides complete visibility of the source’s identity as it travels to its destination.   Discover Zone-Based Policy Support for Internet Ingress Traffic   The integration is designed to be fast and non-disruptive. You can continue to use your Hub VNET for centralizing your security by leveraging the Azure Gateway Load Balancer to scale and load-balance traffic across a stack of VM-Series firewalls. Plus, Gateway Load Balancer helps segment Internet-bound traffic from the VNET-bound traffic.   What this means is that you can now assign a trust zone to the VNET-bound traffic and the untrust-zone for the Internet bound traffic – and enhance security posture by continuing to author next-generation zone-based policies.   In addition, the VM-Series integration with Azure Gateway Load Balancer is also designed to provide the following customer benefits: Scale with ease while managing costs Improve VM-Series availability Flow symmetry       Find More Resources   We encourage you to try out the integration of the VM-Series/Azure GWLB integration using PAN-OS version 10.1.4 or later  in Azure Marketplace or on GitHub . You can download the VM-Series and Azure GWLB Deployment Guide PDF below.    You can also find more information on how VM-Series adds a critical layer of protection to Azure environments on the LIVEcommunity Azure resource page . And to get a personalized demo tailored to your specific needs, sign up here to discover how to secure your Azure investments.     Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. ... View more

  We’ve attained a significant milestone in boosting firewall performance to maximize hyperscale data center and service provider security efficiency: VM-Series virtual firewalls now integrate with data processing units (DPUs) and smart network interface cards (SmartNICs), thanks to the just-released Intelligent Offload (ITO) service.   This means that organizations running these environments can improve VM-Series performance by up to five times—because ITO offloads the processing of encrypted traffic not benefitting from security inspection to the DPU or SmartNIC, instead of the firewall.    This is critical, because in service provider networks and hyperscale data centers, roughly 80% of traffic consists of flows that either cannot—or will not—benefit from security inspection. For example, a firewall cannot decrypt and inspect encrypted telco network application traffic between an end-user's device and Facebook. In order to inspect the 20% of traffic that can benefit from security inspection, the operator must deploy a firewall capable of handling the throughput of the total traffic or risk increasing network latency. Deploying enough large firewalls to support these enormous networks without sacrificing performance can make security cost prohibitive—until now.   In this blog, we will dive deep into how the Intelligent Traffic Offload service reduces the overall load on VM-Series firewalls and increases its performance—without sacrificing security efficacy.    How Intelligent Traffic Inspection Works Today   Before we get into the details of how the new Intelligent Traffic Offload service works, let’s take a look at how software firewalls analyze traffic without the service. VM-Series inspects the first few packets of every flow to identify the application. Once the application is identified, two factors determine whether the VM-Series performs further content inspection:    Can the application be inspected? Examples here include encrypted traffic without a corresponding decryption policy, or unidentified applications, which cannot be inspected. Is there a benefit to inspecting further packets of the session? This part of the virtual firewall’s decision-making process looks at streaming media applications that do not have any known vulnerability or any known associated threat—and will not benefit from content inspection.    If the session is identified as not requiring inspection, subsequent packets of that particular session will skip the content inspection step and be directed to the egress interface as shown below.     Figure 1: Security inspection with VM-Series virtual firewalls without Intelligent Traffic Offload enabled   Current trade-off of Hyperscalers: Security vs. Cost   In a typical enterprise environment all encrypted traffic is decrypted and inspected, so the percentage of traffic in these settings that will skip the content inspection step is negligible. But in hyperscale environments, such as service provider transit networks, a major portion of traffic cannot be—or need not be—inspected. There are two primary reasons for this:   The service providers operating the transit networks do not have the keys to decrypt the traffic.  A major portion of the traffic passing through these transit networks is streaming media, such as  gaming, video streaming, video conferencing, etc.   So what happens in hyperscale data centers where large volumes of traffic need to be inspected—but only a minor portion of that traffic benefits from next-generation security inspection? Network security professionals end up making less-than-ideal tradeoffs. They can optimize for cost by not deploying next-generation firewalls. Alternatively, they can optimize for security by deploying large numbers of firewalls needed for inspecting every packet of every session, which can be prohibitively expensive. In either scenario, they’re not doing themselves or their organizations any favors.    Intelligent Traffic Offload Service Eliminates Tradeoffs With the new ITO service, VM-Series virtual NGFWs now eliminate the tradeoff between security and cost. ITO integrates with the industry’s leading DPUs and SmartNICs to improve virtual firewall performance by up to 5X with an elegant and cost-effective approach: traffic that does not benefit from security inspection is offloaded from the firewall to either adapter.   Here’s how it works: For each new flow on the network, ITO determines whether or not the flow can benefit from security inspection. The first few packets of the flow are routed to the firewall for inspection by ITO, which determines whether the session can benefit from content inspection. This part of the process is essentially the same as it always has been.   But, if ITO determines the session does not benefit from content inspection, it instructs the DPU or SmartNIC – using OpenAPI  – to forward subsequent packets of that session directly to its destination without sending them up to the VM-Series, as illustrated below.        Figure 2: ITO offload use case   In other instances where firewall traffic inspection is needed, ITO ensures VM-Series inspects all packets of such traffic flows, as seen below.        Figure 3: ITO firewall inspection use case.    By only inspecting flows that can benefit from security inspection and offloading the rest of the flows to the DPU or SmartNIC, the overall load on the firewall is greatly reduced and performance increases without sacrificing the security posture.    Offload Traffic, Onboard Benefits With ITO in place, organizations in need of securing their hyperscale data center and service provider networks can discover significant benefits:    Reduce CAPEX by up to 150% using VM-Series virtual NGFWs in high throughput environments. Instead of deploying massive hardware firewalls to accommodate throughput needs of service provider and hyperscale networks, organizations can now deploy VM-Series virtual NGFWs with ITO for a fraction of the cost. Open new revenue opportunities for service providers by enabling advanced security as a value-add service on top of transit networks. With the ability to selectively enforce threat inspection on traffic, service providers can now offer their customers advanced security as an optional service. Reduce risk by inspecting vulnerable traffic for threats without compromising network and application performance. ITO ensures all traffic that can be inspected will be inspected.     For more information and to learn how to get started, contact us .    ... View more