NEW YORK -- Palo Alto Networks today announced a major enhancement to the PAN-OS software running on the PA-4000 Series next-generation firewall. The new capabilities make the PA-4000 Series the first enterprise firewall to transparently integrate with Microsoft Active Directory, enabling visibility into application usage by individual user names or groups. As a result, enterprises can centrally define and deploy granular, user-specific policies that greatly tighten information security and compliance, without impeding the business.
In contrast to legacy firewalls that can only define policies based on IP addresses, Active Directory integration further extends the PA-4000 Series to now provide integrated visibility and control of users, applications, and threat activity.
Transparent and Consistent User Identification
Legacy firewalls were designed to define policies based on source and destination IP addresses for controlling access to servers with a small number of fixed IP addresses. However, because IP addresses are assigned dynamically under the Dynamic Host Configuration Protocol (DHCP), IP-address-based policy is not an effective means of controlling users.
By transparently integrating with Microsoft Active Directory, the PA-4000 Series is the first enterprise firewall to enable mapping of user names and groups to security policies without requiring the use of client software or additional authentication steps by the end user. The Palo Alto Networks solution requires no changes to the Active Directory server or to the end user PCs.
This integration manifests itself through the PA-4000 Series Application Command Center (ACC), which provides a real-time display of application traffic flowing across the network, now by user or group name. From this, enterprises can use the ACC's rules-based editor to create, review and deploy more targeted application usage policies.
"In every company in the world users install and use applications that are not approved by IT, which makes it challenging to establish uniform security and compliance policies," said Jeff Wilson, Principal Analyst, Network Security, Infonetics Research. "Establishing application visibility and control based on actual user identity, not just IP address, is an important feature in next-generation firewalls."