
PALO ALTO NETWORKS: GlobalProtect Datasheet

Delivering full next-generation firewall controls and integrated threat prevention to any user in any location.

Enterprise security is at a crossroads: users, applications and data are all migrating beyond the traditional walls of the enterprise, while the security solutions that protect them remain anchored to the physical perimeter. This has split enterprise security into two very different and uneven approaches.

Inside the network, security is based on industry best practices and on full visibility and control of all traffic, users, applications and threats. Outside the network, the collective intelligence and experience gained internally is lost, replaced with the "best-effort" approach afforded by host-based endpoint security solutions. This situation creates multiple parallel security policies, duplicate expense and effort for security teams, and very inconsistent standards of security.

GlobalProtect introduces a new approach to network security that bridges the divide between remote users and the enterprise security policy. First and foremost, GlobalProtect makes the enterprise security policy universal, extending the same visibility, control and threat prevention of the next-generation firewall beyond the traditional perimeter to any and all users connecting to the network, regardless of their location. Secondly, GlobalProtect enables new policy controls based on the configuration of the endpoint, such as preventing access to sensitive or risky applications if the user's operating system is not properly patched. When added to the next-generation controls based on application, user and content, this gives security teams even more flexibility to design the ideal security policy for the enterprise.

GlobalProtect delivers consistent security policy enforcement regardless of an end-user's location, in effect breaking the reliance on the notion of a physical perimeter and establishing a logical perimeter that is user-location agnostic. This approach re-establishes the corporate security policy as the rule of law for all network connections and brings a unified and consistent approach to policy enforcement, threat prevention and security reporting.

GlobalProtect

• Consistent visibility and enforcement of enterprise security policy both inside and outside of the physical enterprise.

• Deep policy controls based on applications, user, content and host profile.

• Leverages any and all Palo Alto Networks firewalls to deliver protection and performance to any end-user location.

[Figure: GlobalProtect: Consistent Security Everywhere. A Satellite Office User, Headquarters User, Home Office User and Road Warrior all connect through GlobalProtect.]


Applications and Users On the Move

Modern enterprises and their networks are no longer centralized fortresses of data, with users and applications tucked safely behind a well-managed perimeter. Instead, user behavior has evolved to the point where users expect to be able to work and reach their applications from anywhere, and a myriad of wired and wireless connectivity options deliver on this expectation. Similarly, enterprise applications and data are increasingly being abstracted from their traditional in-house infrastructure and are migrating off-site, either to the cloud or to remote hosting centers.

As these assets have moved beyond the traditional perimeter, they have also moved beyond the protection of the corporate firewalls, application control, IPS and filtering solutions that make up the bedrock of corporate security policy. This leads to two very serious problems.

• Inconsistent security: First, it creates a substantial imbalance in the quality of protection for users who are in the field. For these users the risks posed by evasive applications, social networking and modern threats remain high, but the protections drop off precipitously when the user is outside the corporate network.

• Duplication of effort: Secondly, this approach consistently undermines the corporate security policy. Security teams must maintain duplicate policies for the corporate network and for mobile users, each with very different capabilities, rules and reporting. Correlating information between these products only adds to the already large operational burden. The end result is that the security policy, the quality of protection and the overall risk are essentially left to chance, depending on how and where the user chooses to connect.


The GlobalProtect Solution

GlobalProtect introduces a modern approach to enterprise security. Instead of trying to reinvent the entirety of enterprise security on the end-user's laptop, GlobalProtect takes what already works today, the next-generation firewall, and delivers it transparently to all remote connections. Almost as importantly, GlobalProtect takes advantage of the next-generation firewalls that are already deployed and can typically be rolled out with no additional hardware required. The solution is comprised of three components:

• GlobalProtect Agent: The GlobalProtect agent is a small piece of software that resides on the end-user's PC. It can be delivered to the user automatically via Active Directory, SMS or Microsoft System Center Configuration Manager, or downloaded directly from the GlobalProtect Portal. The agent does three key things: it communicates with the GlobalProtect Portal to obtain the appropriate policy for the user; it establishes and maintains a secured connection to the nearest (fastest) Palo Alto Networks GlobalProtect Gateway; and it compiles a Host Information Profile (HIP) of the client device, covering factors such as patch level, disk encryption, anti-virus version and many more.

• GlobalProtect Portal: The GlobalProtect Portal provides the centralized management for the solution. Any Palo Alto Networks firewall can act as the portal while also performing its everyday duties as a next-generation firewall; however, each GlobalProtect deployment has only one portal at a time. The portal provides three key functions: it delivers the GlobalProtect Agent to users; it provides the agents with the list of available GlobalProtect Gateways; and it manages the authentication certificates for the solution. Because the agent relies on the portal for both its gateway list and its certificates, the portal is the trust anchor of the deployment, and its availability matters accordingly: like any Palo Alto Networks firewall, the portal can be run as a high-availability pair to ensure always-on reliability of the solution.

[Figure: The GlobalProtect Solution. GlobalProtect extends security policy to all users, no matter where they are located: Headquarters, Branch Office, Hotel, Airport and Home Office.]

• GlobalProtect Gateway: The GlobalProtect Gateways are responsible for the majority of the actual security enforcement in the solution. As with the portal, any Palo Alto Networks firewall can be a gateway for the GlobalProtect solution. Unlike the portal, however, you can use as many gateways simultaneously as you need, ensuring multiple potential routes between an agent and a gateway. The gateway has three core functions: first and foremost, it performs the full breadth of next-generation firewalling functionality, including application control, threat prevention, URL filtering and user visibility, on all traffic from associated GlobalProtect Agents; it terminates the secure connection established by the agent; and it receives the Host Information Profile (HIP) and enforces policy accordingly.

Dynamic and Distributed Architecture

The GlobalProtect architecture leverages the distributed nature of modern enterprises to break the bottlenecks that have traditionally plagued centralized solutions such as SSL VPNs. Instead of sending all traffic back to a single centralized location, the GlobalProtect solution adapts to the end-user's location to find the best path to a gateway. The GlobalProtect Agent automatically tests all available gateways to determine the one with the fastest response time, so a user always gets the fastest option based both on location and on the relative load of the various gateways. This model avoids the congestion and latency common to backhaul solutions and lets the enterprise get added value from all of its Palo Alto Networks firewalls as they work together as a virtual hosted security service.

Enforce Network Controls Based on User Profile

GlobalProtect also enables new enterprise policies and controls that are tied to the configuration of the end user's device. If the user's endpoint is not properly secured, security teams can automatically enforce network controls to compensate. For example, a user may have rights to access certain information on the enterprise network, but the GlobalProtect Gateway can prevent that user from downloading files if the laptop is not using disk encryption. Alternatively, if the host anti-virus is out of date, staff can automatically restrict access to social networking sites, where malware tends to propagate. When added to the application, user and content controls available from the Palo Alto Networks next-generation firewall, this gives security teams a level of control and flexibility that they have never had from traditional solutions. Just as the next-generation firewall allows more granular control of firewall policy, GlobalProtect offers granular control of user rights based on host configuration. Policies can be based on the following host characteristics:

• Operating system and application patch level

• Host anti-malware version

• Host firewall version

• Disk encryption

• Data backup products

• Customized host conditions

One point to keep in mind when designing such policy: the HIP is compiled and reported by the agent running on the endpoint, so it is the host's own account of its state. Host-profile checks therefore complement the gateway's inspection of the traffic itself rather than replace it.

Transparent VPN and Single Sign-On

GlobalProtect also acts as a transparent SSL VPN that establishes a secure tunnel for end-user traffic regardless of the method of connectivity. This helps prevent users from being lured into "honeypot" connections or falling victim to man-in-the-middle (MITM) attacks, by ensuring that all traffic remains encrypted between the end-user laptop and the Palo Alto Networks gateway. This provides an additional layer of protection for users who need to use unfamiliar networks when they are outside the corporate network. That protection depends on the agent being able to tell a legitimate gateway from an impostor on an untrusted network, which is why the authentication certificates managed by the portal are part of the solution rather than an optional extra.

Additionally, GlobalProtect provides single sign-on for end users. The solution integrates with the Windows logon process to securely store logon information for subsequent logons, such as VPN authentication.

Supported operating systems

• Microsoft Windows XP

• Microsoft Windows Vista

• Microsoft Windows 7

Palo Alto Networks, 232 E. Java Drive, Sunnyvale, CA 94089. Sales 866.207.0077. www.paloaltonetworks.com

Copyright © 2011, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN-OS 4.0, March 2011.
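The host-profile policy described under "Enforce Network Controls Based on User Profile" above, as an added worked example. This is illustrative code written for this page, not PAN-OS or GlobalProtect code: the HostProfile field names, the application categories, the baseline values (MIN_ANTIMALWARE_VERSION, MAX_SIGNATURE_AGE_DAYS), the "corporate_cert_present" custom condition and the sample profiles are all constructed assumptions. It models the datasheet's two examples (no downloads without disk encryption, no social networking with stale anti-malware) together with the patch-level, host-firewall and custom-condition checks from the list, as an ordered rule set with first-match-wins and an implicit deny, the way firewall policy is evaluated.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class HostProfile:
    """Constructed stand-in for what an agent reports in its Host Information Profile.

    Field names are assumptions for this example, not the product's schema.
    """
    os_patched: bool               # OS and application patch level current
    antimalware_version: str       # host anti-malware engine version, e.g. "10.2.1"
    signature_age_days: int        # days since anti-malware signatures were updated
    host_firewall_on: bool         # host firewall present and enabled
    disk_encrypted: bool           # full-disk encryption active
    custom: dict = field(default_factory=dict)   # "customized host conditions"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset              # directory group membership (assumed source)
    app: str                       # application category, e.g. "social-networking"
    action: str                    # "browse" or "download"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[HostProfile, Request], bool]
    allow: bool


def version_tuple(version: str) -> tuple:
    """'10.2.1' -> (10, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Baselines chosen for the example; a real deployment sets its own.
MIN_ANTIMALWARE_VERSION = "10.0.0"
MAX_SIGNATURE_AGE_DAYS = 7
SENSITIVE_APPS = {"finance-portal", "hr-system"}


def antimalware_stale(h: HostProfile) -> bool:
    """Out of date if the engine is below baseline or the signatures are too old."""
    return (version_tuple(h.antimalware_version) < version_tuple(MIN_ANTIMALWARE_VERSION)
            or h.signature_age_days > MAX_SIGNATURE_AGE_DAYS)


# Evaluated top to bottom, first match wins, implicit deny at the end.
# The posture-based denies sit above the access-granting rules on purpose:
# a user's group membership never overrides a failed host check.
RULES = [
    Rule("deny-download-without-disk-encryption",
         lambda h, r: r.action == "download" and not h.disk_encrypted, allow=False),
    Rule("deny-social-networking-when-antimalware-stale",
         lambda h, r: r.app == "social-networking" and antimalware_stale(h), allow=False),
    Rule("deny-sensitive-apps-on-unpatched-os",
         lambda h, r: r.app in SENSITIVE_APPS and not h.os_patched, allow=False),
    Rule("deny-when-host-firewall-off",
         lambda h, r: not h.host_firewall_on, allow=False),
    # Hypothetical custom host condition: agent reports whether the corporate
    # certificate is installed; an explicit False fails the check, absent means unknown.
    Rule("deny-custom-condition-failed",
         lambda h, r: h.custom.get("corporate_cert_present") is False, allow=False),
    Rule("allow-finance-group-to-finance-portal",
         lambda h, r: r.app == "finance-portal" and "finance" in r.groups, allow=True),
    Rule("allow-general-browsing",
         lambda h, r: r.app in {"web-browsing", "social-networking", "file-sharing"}, allow=True),
]


def evaluate(profile: HostProfile, request: Request) -> tuple:
    """Return (allowed, rule_name) for the first matching rule, or an implicit deny."""
    for rule in RULES:
        if rule.matches(profile, request):
            return rule.allow, rule.name
    return False, "implicit-deny"


# Constructed sample profiles: positional order is
# (os_patched, antimalware_version, signature_age_days, host_firewall_on, disk_encrypted).
HEALTHY = HostProfile(True, "10.2.1", 1, True, True)
UNENCRYPTED = HostProfile(True, "10.2.1", 1, True, False)
STALE_AV = HostProfile(True, "9.8.0", 30, True, True)
UNPATCHED = HostProfile(False, "10.2.1", 1, True, True)

if __name__ == "__main__":
    for label, prof, req in [
        ("unencrypted laptop downloading", UNENCRYPTED, Request("alice", frozenset(), "file-sharing", "download")),
        ("stale anti-malware on social networking", STALE_AV, Request("bob", frozenset(), "social-networking", "browse")),
        ("finance user, unpatched OS", UNPATCHED, Request("carol", frozenset({"finance"}), "finance-portal", "browse")),
        ("finance user, healthy host", HEALTHY, Request("carol", frozenset({"finance"}), "finance-portal", "browse")),
    ]:
        print(f"{label}: {evaluate(prof, req)}")
```

Rule order is the design point worth noticing: if the "allow-finance-group-to-finance-portal" rule were placed above the posture denies, a finance user on an unpatched laptop would get in, which is exactly the gap the datasheet's host-profile controls are meant to close. The version comparison is done on numeric tuples because a string comparison would rank "9.8.0" above "10.2.1".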