Ramsdata

The term “Next-Generation Firewall” (NGFW) appears in the marketing of many vendors, but not all of them mean the same thing by it. The classic definition (Gartner, 2009) called for stateful inspection, application and user identification, and integrated intrusion prevention. From the beginning, Palo Alto Networks had its own, more ambitious view of what a next-generation firewall should be, and that view still shapes what sets its products apart from classic networking solutions today.

Table of contents

  1. What was the classic firewall and what limitations did it have?
  2. How is Palo Alto Networks redefining NGFW?
  3. App-ID – identification of applications instead of ports
  4. User-ID – user-based policies
  5. Content-ID inspection and threats
  6. Zero Trust Network Access by Palo Alto
  7. Integration with the Palo Alto ecosystem (Prisma, Cortex)
  8. Key findings
  9. FAQ
  10. Summary

What was the classic firewall and what limitations did it have?

The classic firewall (stateful inspection) controlled network access based on IP addresses, ports and transport protocols. A rule such as “allow TCP port 80 from the LAN to the Internet” made sense in an era when port 80 meant HTTP, and HTTP meant browsing. That era ended long ago.

Today almost everything passes through port 443 (HTTPS): Netflix, Dropbox, Salesforce, webmail, malicious applications, malware C2 tunnels, stolen data. A classic firewall sees: “HTTPS traffic to the Internet – allowed.” Palo Alto’s NGFW sees: “application X, user Y, carrying file Z, with risk profile W – allow/block/restrict”.

This difference in visibility translates directly into the ability to enforce meaningful security policies. Combined with a NAC solution, it extends enforcement from the network layer down to the endpoint.

How is Palo Alto Networks redefining NGFW?

Palo Alto Networks has built its NGFW around three identification engines: App-ID (application identification), User-ID (user identification) and Content-ID (content inspection). All three run simultaneously on every packet in what Palo Alto calls a “single pass” architecture (Single-Pass Parallel Processing, SP3): each packet is analyzed by all engines once, rather than passing through a chain of separate devices or modules, each of which would reassemble and parse the stream again.

In practice, this means that a single security rule can read: “allow Salesforce for the Salesforce group, only during business hours, scan content for DLP, block PDF uploads.” A classic firewall, or a chain of firewall + proxy + IPS, cannot express such a rule in one place or enforce it in one pass; the application, user, schedule and content conditions would live in three different products with three different logs.
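To make the rule above concrete, here is an added example (not code from the original page or from Palo Alto Networks) of how a first-match rulebase is evaluated once per flow on application, user group and schedule. The directory groups, the rules and the profile names are constructed for illustration; a real PAN-OS rule also matches on zones, addresses and service, which are left out here.

```python
"""Toy first-match security rulebase: one lookup per flow on application,
user group and schedule. The destination port is carried along only to
show that it is not a match criterion."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed directory data, standing in for what User-ID learns from AD.
GROUPS = {
    "salesforce-users": {"acme\\jsmith", "acme\\alee"},
    "marketing": {"acme\\alee"},
}


@dataclass
class Flow:
    app: str          # App-ID result, e.g. "salesforce" or "bittorrent"
    user: str         # User-ID result, e.g. "acme\\jsmith"
    dst_port: int     # not consulted by the rulebase
    when: datetime


@dataclass
class Rule:
    name: str
    apps: set                  # {"any"} or application names
    groups: set                # {"any"} or group names
    action: str                # "allow" or "deny"
    schedule: tuple = None     # (start_hour, end_hour), local time; None = always
    profiles: dict = field(default_factory=dict)   # security profiles applied on allow


def in_group(user: str, group: str) -> bool:
    return group == "any" or user in GROUPS.get(group, set())


def in_schedule(rule: Rule, when: datetime) -> bool:
    if rule.schedule is None:
        return True
    start, end = rule.schedule
    return start <= when.hour < end


def matches(rule: Rule, flow: Flow) -> bool:
    app_ok = "any" in rule.apps or flow.app in rule.apps
    user_ok = any(in_group(flow.user, g) for g in rule.groups)
    return app_ok and user_ok and in_schedule(rule, flow.when)


def evaluate(rulebase: list, flow: Flow):
    """Top-down, first match wins; an unmatched flow hits the implicit deny."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action, rule.profiles
    return "interzone-default", "deny", {}


# Constructed rulebase mirroring the rule described in the text.
RULEBASE = [
    Rule("salesforce-business-hours", {"salesforce"}, {"salesforce-users"}, "allow",
         schedule=(8, 18),
         profiles={"file-blocking": "block-pdf-upload", "data-filtering": "basic-dlp"}),
    Rule("youtube-marketing-only", {"youtube"}, {"marketing"}, "allow"),
    Rule("block-evasive-apps", {"bittorrent", "tor"}, {"any"}, "deny"),
    Rule("general-web", {"web-browsing", "ssl"}, {"any"}, "allow"),
]


def decide(app: str, user: str, dst_port: int, hour: int):
    """Evaluate RULEBASE for a flow observed at the given hour on 2024-05-06."""
    flow = Flow(app, user, dst_port, datetime(2024, 5, 6, hour, 0))
    return evaluate(RULEBASE, flow)


if __name__ == "__main__":
    for args in (("salesforce", "acme\\jsmith", 443, 10),
                 ("salesforce", "acme\\jsmith", 443, 20),
                 ("bittorrent", "acme\\jsmith", 443, 10),
                 ("bittorrent", "acme\\jsmith", 8443, 10),
                 ("youtube", "acme\\jsmith", 443, 10)):
        print(args, "->", decide(*args))
```

Note that the BitTorrent flow is denied on port 443 and on 8443 alike, and that Salesforce outside business hours does not fall through to the general web rule: its application is “salesforce”, not “ssl”, so it lands on the implicit deny. That is the behaviour the text is describing.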

App-ID – identification of applications instead of ports

App-ID is the Palo Alto technology that identifies the application in a flow from the traffic itself rather than from the port number or transport protocol. Its database contains more than 3,000 application signatures – from business applications (Salesforce, SAP, Teams) to social media (Facebook, TikTok) to potentially malicious ones (tunneling tools, anonymizers, P2P applications).

Identification is multi-stage: the port and transport protocol serve only as a hint, followed by application protocol decoding, signature matching and, where that is insufficient, behavioral heuristics. For encrypted HTTPS traffic App-ID can still classify at the level of the TLS handshake, using the SNI, the server certificate and behavioral patterns; identifying what happens inside the session (a particular function of a web application, a file upload) requires SSL decryption to be enabled on the firewall.

The result is the ability to write application-oriented policies: “block BitTorrent regardless of port” instead of “block ports 6881-6889” (which BitTorrent can bypass anyway by moving to another port). Application-oriented policies are more semantic and more durable: they don’t need updating when an application changes ports.

User-ID – user-based policies

User-ID maps IP addresses to user identities from Active Directory, LDAP, SSO systems and other identity sources. The result is the ability to write policies based on user and group instead of IP address.

“Allow YouTube for the Marketing group, block it for everyone else” is a rule that a classic firewall cannot execute reliably when users’ IP addresses are dynamic (DHCP) or when multiple users share a single device. User-ID solves this by continuously maintaining the identity-to-IP mapping from domain controller security logs, agents on workstations, Captive Portal authentication and GlobalProtect VPN logins. Shared hosts such as terminal servers, where one IP address belongs to many users at once, need the dedicated Terminal Services agent, which maps users to source port ranges instead.

The consequence is also better auditing: firewall logs show “John Smith connected to Dropbox and uploaded 500 MB” instead of “IP address 192.168.1.45 connected to IP 1.2.3.4 via port 443.”
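As an added example (not code from the page or from Palo Alto Networks), here is a toy IP-to-user mapping table built the way a User-ID agent consumes domain controller logon events: only successful logons count, machine accounts and unusable source addresses are ignored, a later logon from another user overrides the mapping when DHCP reuses the address, and a mapping expires after a timeout. The event lines are constructed samples in a simplified key=value layout, and the 45-minute expiry is an assumed value.

```python
"""Toy User-ID style IP-to-user table fed from logon events."""
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified fields of Windows Security event 4624/4625).
SAMPLE_EVENTS = [
    "2024-05-06T08:01:10 EventID=4624 Account=jsmith Domain=ACME LogonType=3 IpAddress=192.168.1.45",
    "2024-05-06T08:02:30 EventID=4624 Account=alee Domain=ACME LogonType=3 IpAddress=192.168.1.60",
    "2024-05-06T08:03:00 EventID=4624 Account=WS-045$ Domain=ACME LogonType=3 IpAddress=192.168.1.45",
    "2024-05-06T08:04:00 EventID=4625 Account=mallory Domain=ACME LogonType=3 IpAddress=192.168.1.45",
    "2024-05-06T08:05:00 EventID=4624 Account=svc-backup Domain=ACME LogonType=3 IpAddress=-",
    "2024-05-06T12:30:00 EventID=4624 Account=bchen Domain=ACME LogonType=3 IpAddress=192.168.1.45",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


class UserIdTable:
    def __init__(self, timeout=timedelta(minutes=45)):   # assumed timeout value
        self.timeout = timeout
        self.mappings = {}       # ip -> (DOMAIN\user, time of the logon event)

    def ingest(self, line):
        """Update the table from one event line; returns True if a mapping changed."""
        m = EVENT_RE.match(line)
        if not m:
            return False
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        if fields.get("EventID") != "4624":               # successful logons only
            return False
        account = fields.get("Account", "")
        ip = fields.get("IpAddress", "-")
        if account.endswith("$") or ip in ("-", "", "127.0.0.1", "::1"):
            return False                                  # machine accounts, no usable source
        seen = datetime.fromisoformat(m.group("ts"))
        self.mappings[ip] = (f"{fields.get('Domain', '')}\\{account}", seen)
        return True

    def lookup(self, ip, now):
        """Return the user for ip as of `now`, or None if unknown or expired."""
        entry = self.mappings.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.timeout:
            del self.mappings[ip]                         # stale mapping: unknown user
            return None
        return user


def who_is(ip, at, lines=SAMPLE_EVENTS):
    """Resolve `ip` as of ISO timestamp `at`, replaying only the events seen by then."""
    now = datetime.fromisoformat(at)
    table = UserIdTable()
    for line in lines:
        if datetime.fromisoformat(line.split(" ", 1)[0]) <= now:
            table.ingest(line)
    return table.lookup(ip, now)


if __name__ == "__main__":
    for at in ("2024-05-06T08:30:00", "2024-05-06T09:00:00",
               "2024-05-06T12:31:00", "2024-05-06T14:00:00"):
        print(at, "192.168.1.45 ->", who_is("192.168.1.45", at))
```

The two failure modes worth noticing are the ones auditing depends on: the failed logon by “mallory” never touches the table, and once the timeout has passed the address resolves to no one rather than to the last user seen, which is the safer answer for a user-based rule.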

Content-ID inspection and threats

Content-ID is the deep packet inspection (DPI) engine. It combines: IPS (Intrusion Prevention System, configured in PAN-OS as the Vulnerability Protection profile) with a database of exploit and attack signatures, anti-virus/anti-malware scanning of files in network traffic, URL filtering with categorization of billions of URLs, blocking of files by type (determined from the actual content, not just the extension) and detection of sensitive data in transit (basic DLP, the Data Filtering profile).

All of these functions work inline, in real time on flowing traffic. Unlike a multi-box architecture (separate IPS, separate proxy, separate antivirus), the unified architecture removes the gaps between products through which threats can slip unnoticed. The same caveat as for App-ID applies: content inside encrypted sessions is only inspected where SSL decryption is enabled.
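Two of the Content-ID checks above lend themselves to a small worked example, added here and not taken from the page or from Palo Alto Networks: deciding a file’s type from its leading bytes rather than its name, so a renamed executable or PDF is caught, and a basic data-filtering pattern for payment card numbers that validates candidates with the Luhn checksum so that arbitrary digit runs do not trigger. The sample files and text are constructed, and the magic-byte table is a short illustrative one.

```python
"""Content-based file typing and a Luhn-validated card-number pattern."""
import re

MAGIC = [                              # (leading bytes, type), checked in order
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                     # Windows executables and DLLs
    (b"PK\x03\x04", "zip"),            # also docx/xlsx/jar, which are zip containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Type we expect from the file name; names not listed should carry no known magic.
EXT_TYPE = {"pdf": "pdf", "exe": "pe", "dll": "pe", "zip": "zip", "docx": "zip",
            "xlsx": "zip", "pptx": "zip", "jar": "zip", "png": "png",
            "jpg": "jpeg", "jpeg": "jpeg"}

# Constructed sample uploads: a PDF under two names, a PE header as .txt,
# a zip container as .docx, and plain text.
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
SAMPLE_FILES = {
    "invoice.pdf": PDF_BYTES,
    "invoice.jpg": PDF_BYTES,
    "update.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
    "report.docx": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 16,
    "notes.txt": b"meeting notes\n",
}


def detect_type(data):
    for prefix, ftype in MAGIC:
        if data.startswith(prefix):
            return ftype
    return "unknown"


def file_blocking_verdict(filename, data, blocked_types):
    """Block on the real content type; report when the name disagrees with it."""
    actual = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TYPE.get(ext, "unknown")
    note = "ok" if expected == actual else f"content is {actual}, name says {ext or 'none'}"
    action = "block" if actual in blocked_types else "allow"
    return action, note


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text):
    """Return Luhn-valid card-number candidates with separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, "->", file_blocking_verdict(name, data, {"pdf", "pe"}))
    print(find_card_numbers("Card 4111 1111 1111 1111 exp 12/26, order 1234567890123"))
```

The point of the Luhn step is false-positive control: “1234567890123” in the last line has a plausible length but fails the checksum and is not reported, while the test card number passes. Real data-filtering profiles combine such patterns with occurrence thresholds for the same reason.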

Integration with next-generation web security completes the protection with advanced web content filtering.

Zero Trust Network Access by Palo Alto

Zero Trust is a “never trust, always verify” security model: every access must be authenticated and authorized, regardless of the user’s location. Palo Alto Networks implements Zero Trust through several products: Prisma Access (ZTNA for remote users), the NGFW as a micro-perimeter that segments the internal network, and Prisma Cloud for cloud environments.

In a Zero Trust environment Palo Alto’s NGFW enforces access policies between network segments, replacing the traditional flat network, in which east-west traffic flows freely, with segments between which traffic is restricted by App-ID and User-ID policies.

Integration with the Palo Alto ecosystem (Prisma, Cortex)

Palo Alto’s NGFW is not a standalone product but part of a larger ecosystem. Cortex XDR collects telemetry from the NGFW for correlation and advanced threat detection (including APT activity). Cortex XSOAR uses NGFW data to automate incident response. Panorama provides central management of many NGFW devices from a single console.

Threat intelligence sharing: Palo Alto devices worldwide contribute to the WildFire threat database. Unknown files are detonated in a sandbox and signatures for newly identified threats are distributed to the entire fleet within minutes.

Key findings

  • Palo Alto’s NGFW goes beyond the classic definition – it combines App-ID, User-ID and Content-ID in a single-pass architecture.
  • App-ID identifies applications from the traffic itself, not from the port, which defeats evasion by running an application on a non-standard port.
  • User-ID maps IP to AD identity – policies are based on user and group, not IP address.
  • Content-ID is IPS, antivirus, URL filtering and DLP in one engine, running inline.
  • Integration with Cortex and Prisma creates an ecosystem in which NGFW is the collection point for telemetry and policy execution.

FAQ

Is Palo Alto’s NGFW replacing dedicated IPS and proxies? In many cases, yes: App-ID, Content-ID and SSL decryption remove the need for separate devices. For specialized requirements (e.g. a full web proxy with Kerberos authentication), dedicated solutions can complement it.

How does Palo Alto NGFW handle TLS 1.3 encrypted traffic? Palo Alto supports SSL/TLS decryption for inspection of encrypted traffic, including TLS 1.3. Perfect Forward Secrecy rules out passive, out-of-band decryption, but not inline decryption by a device that terminates the session. Outbound decryption works as a controlled man-in-the-middle: the firewall re-signs server certificates with a forward-trust CA that every managed endpoint must trust, so certificate management is required, as are decryption exceptions for categories (e.g. banking, health) that should not be decrypted and for applications that use certificate pinning and stop working when decrypted.

How do you manage multiple Palo Alto devices in a large organization? Panorama is the central management console for multiple NGFWs: it pushes policies to the entire fleet, collects logs and produces reports.

Is Palo Alto NGFW available as a VM in the cloud? Yes – VM-Series is a virtualized version of NGFW available for AWS, Azure, GCP and virtualization environments (VMware, KVM).

Summary

Palo Alto’s NGFW redefines what a modern firewall should be – not by adding features to an old architecture, but by designing from the ground up with application, identity and content visibility in mind. For organizations that still base network security on port and IP rules, migrating to an NGFW is one of the most important steps toward mature security. Contact Ramsdata to learn how Palo Alto Networks can strengthen your organization’s network security.
