In this era of constantly pushing for more productivity and greater efficiency, it is essential that every resource devoted to web access within a business is utilised for business benefit. Unless the company concerned is in the business of gaming or social media, etc. it is unwise to use resources like internet/web access, and the infrastructure supporting it, for a purpose other than business. Like they say, “Nothing personal, just business”

With this in mind, IT administrators have their hands full ensuring management of web applications and their communication with the Internet. The cost of not ensuring this is loss of productivity, misuse of bandwidth and potential security breaches. As a business it is prudent to block any unproductive web application e.g. gaming, social media etc. and restrict or strictly monitor file sharing to mitigate information leakages.

Track, monitor and block any user application from the internet with award winning GFI WebMonitor - Limited Free Download!

It is widely accepted that in this area firewalls are of little use. Port blocking is not the preferred solution as it has a similar effect to a sledge hammer. What is required is the fineness of a scalpel to parse out the business usage from the personal and manage those business requirements accordingly. To be able to manage web application at such a level, it is essential to be able to identify and associate the request with its respective web application. Anything in line with business applications goes through, the rest are blocked.

This is where GFI WebMonitor excels in terms of delivering this level of precision and efficiency. It identifies access requests from supported applications using inspection technology and helps IT administrators to allow or block them. Hence, the administrators can allow certain applications for certain departments while blocking certain other applications as part of a blanket ban, thus enhancing the browsing experience of all users.

So, to achieve this, the process is to use the unified policy system of GFI WebMonitor. The policies can be configured specifically for application control or, within the same policy, several application controls can be combined using other filtering technologies.

Let’s take a look at the policy panel of GFI WebMonitor:

Figure 1. GFI WebMonitor Policy Panel interface. Add, delete, create internet access policies with ease (click to enlarge)

The Microsoft KnowledgeBase provides high-quality articles covering Microsoft's technologies such as Windows Server (2019, 2016, 2012, 2008, 2003, 2000), Hyper-V Virtualization, Group Policies, Active Directory, Security and other Windows Services. The section also contains technical articles covering Windows workstation operating systems such as Windows XP, Windows 7, Windows 8, Windows 10, Windows 11 and more.

This section is continuously populated with in-depth technical articles, providing detailed information and step-by-step instructions, ensuring our readers ,regardless of their level of experience, will be able to understand these technologies.

Our previous article examined the benefits of Palo Alto Networks Firewall Single Pass Parallel Processing (SP3) architecture and how its combine with the separate Data and Control planes to boost firewall performance and handle large amounts of traffic without and performance impact. This article focuses on the traffic flow logic inside the Palo Alto Firewall and two unique features that separate it from the competition: Application-based policy enforcement (App-ID) & User Identification (User-ID).

For more Technical articles on Palo Alto Networks Firewalls, visit our Palo Alto Networks Firewall Section

Flow Logic of the Next-Generation Firewall

The diagram below is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks Next-Generation Firewall and this can be always used a reference to study the packet processing sequence:

Figure 1. Flow Logic of a packet inside the Palo Alto Networks Next Generation Firewall

Palo Alto Networks Next-Generation Firewalls works with the concepts of zones not interfaces, once a packet enters the firewall, the Palo Alto Networks Next-Generation Firewalls identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS Routers Zone-based Firewalls and Cisco ASA Firewalls.

Users interested can also download for free the Palo Alto Networks document “Day in the Life of a Packet” found in our Palo Alto Networks Download section which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.

App-ID & User-ID – Features That Set Palo Alto Apart from the Competition

App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.

App-ID: Application-based Policy Enforcement

App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter, however this approach today is inadequate as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or using well-known open ports such as tcp-http (80) or tcp/udp-dns (53) normally found open.

A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups, will allow any application using that port to pass through without asking second questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:

Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic

With App-ID, Palo Alto Networks Next-Generation Firewalls uses multiple identification mechanisms to determine the exact identity of applications traversing the network. Following is the order in which traffic is examined and classified:

This category contains articles covering the installation and configuration of Windows 2003 Server services. All articles contain step-by-step screenshots to make them easier to follow. No matter how novice or advanced your knowledge on Windows 2000 Technologies is, following the provided instructions is very easy and straight-forward.

We hope you enjoy the provided articles and welcome your feedback and suggestions.

This category contains articles covering the installation and configuration of Windows 2003 Server services. All articles contain step-by-step screenshots to make them easier to follow. No matter how novice or advanced your knowledge on Windows 2003 Technologies is, following the provided instructions is very easy and straight-forward.

We hope you enjoy the provided articles and welcome your feedback and suggestions.

This section contains technical articles, content and resources for IT Professionals working with Microsoft's Windows 2012 & Windows 2012 R2 server. Our content covers basic and advanced configuration of Windows 2012 components, services, technologies and much more, and has been written in an easy-to-follow manner.

We hope you enjoy the provided articles and welcome your feedback and suggestions.