About the Palo Alto Firewall Project

Project Summary

In 2016, OIT began evaluating next-generation firewall platforms as part of our
strategy to strengthen our security posture. After months of testing and evaluating products from multiple vendors, the Firewall Team and Cyber Security, working with other OIT units, chose Palo Alto as our new firewall platform.

We will continue to use fw.noc.gatech.edu to manage the individual policies for each firewall. We have spent the past few months updating the application to interface with the Palo Alto API so that the migration is seamless from the customer's point of view. While the back end will operate quite differently, the fw.noc.gatech.edu interface will remain the same.

The new platform provides significantly expanded functionality, including:

Application Awareness – These firewalls inspect traffic at layer 7 and attempt to classify it as a specific application from their extensive application database, such as ssh, web, DNS, etc. Palo Alto calls this functionality App-ID. During our initial phase this will give us a much more detailed view of our network and security posture. Among other things, it leads to two main benefits of this platform going forward:

Expanded Visibility and Reporting – The Palo Alto platform offers a live view into our network and can give us a good idea of current trends and incidents. App-ID gives us a better view of what traffic is being permitted and dropped, application usage, threat activity, and compromised hosts. Rather than a sea of IP addresses and ports, we can see hostnames, applications, and geographical locations.

Application Based Firewall Rules – Palo Alto's App-ID allows access policy rules that are based on the application rather than on the port or protocol. Because the rule matches on what the traffic actually is, a bad actor cannot simply push malformed traffic or a different application (for example, SSH tunnelled over port 443) through a port that happens to be open; traffic that does not match the permitted application is dropped. It also gives us finer control to permit or deny specific application functionality. As the IT community has countless custom applications that serve the campus, port/protocol based rules will remain available for applications that need them.
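To make the difference between the two rule styles concrete, the following is an added example, not code from this page or from Palo Alto Networks. It is a deliberately simplified model of what App-ID does: it classifies a packet by looking at its payload (SSH banner, HTTP request line, TLS record header, DNS query header) instead of trusting the destination port, then evaluates the same constructed packets against a port-based policy and an application-based policy. The rule names, zones-free rule structure, and sample packets are all assumptions made for illustration; a real PAN-OS policy has many more fields and a far larger signature database.

```python
"""Toy model of port-based vs application-based firewall policy.

Added illustration only; not Palo Alto's App-ID implementation. The
signatures below are crude stand-ins for the real application database.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def identify_app(p: Packet) -> str:
    """Classify by payload content, ignoring the port (App-ID stand-in)."""
    data = p.payload
    if data.startswith(b"SSH-2.0"):
        return "ssh"                      # SSH protocol version banner
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/" in data:
        return "web-browsing"             # cleartext HTTP request line
    if data[:1] == b"\x16" and data[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "ssl"                      # TLS handshake record header
    if len(data) >= 12 and (data[2] & 0x80) == 0 and data[4:6] == b"\x00\x01":
        return "dns"                      # DNS query with one question
    return "unknown"


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    dport: Optional[int] = None     # port-based match, if set
    app: Optional[str] = None       # application-based match, if set

    def matches(self, p: Packet, app: str) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.app is not None and app != self.app:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, str]:
    """First-match evaluation; returns (action, rule name, identified app)."""
    app = identify_app(p)
    for r in rules:
        if r.matches(p, app):
            return r.action, r.name, app
    return "deny", "default-deny", app


# Port-based policy: anything on 80, 443 or 22 is allowed, whatever it is.
PORT_POLICY = [
    Rule("allow-web", "allow", dport=80),
    Rule("allow-https", "allow", dport=443),
    Rule("allow-ssh", "allow", dport=22),
]

# Application-based policy: the application must match. The ssh rule is
# additionally pinned to its standard port, mirroring the idea of only
# permitting an application on its default port.
APP_POLICY = [
    Rule("allow-web", "allow", app="web-browsing"),
    Rule("allow-ssl", "allow", app="ssl"),
    Rule("allow-ssh", "allow", app="ssh", dport=22),
]

# Constructed sample packets (hypothetical addresses).
HTTP_ON_80 = Packet("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
TLS_ON_443 = Packet("10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")
SSH_ON_22 = Packet("10.0.0.5", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n")
# SSH tunnelled over port 443 to slip past a port-based rule.
SSH_OVER_443 = Packet("10.0.0.5", "192.0.2.10", 443, b"SSH-2.0-OpenSSH_9.6\r\n")
DNS_QUERY = Packet("10.0.0.5", "192.0.2.53", 53,
                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01")


if __name__ == "__main__":
    for pkt in (HTTP_ON_80, TLS_ON_443, SSH_ON_22, SSH_OVER_443, DNS_QUERY):
        print(f"dport={pkt.dport:<4} app={identify_app(pkt):<13} "
              f"port-policy={evaluate(PORT_POLICY, pkt)[0]:<5} "
              f"app-policy={evaluate(APP_POLICY, pkt)[0]}")
```

The SSH_OVER_443 packet is the case the text describes: the port-based policy allows it because 443 is open, while the application-based policy identifies it as ssh, finds no rule that permits ssh on that port, and drops it. The same evaluation also shows why port/protocol rules remain necessary for custom campus applications: anything the classifier returns as "unknown" can only be permitted by a rule that does not set `app`.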