Palo Alto Networks VM-Series Next-Generation Firewall

Service scope

Service constraints: N/A
System requirements: For Hardware: Racking, Power, Cabling etc.

For Virtual: A supported hypervisor/public cloud environment

Cloud-Delivered: A Panorama/Strata Cloud Manager Instance, Cortex Data Lake instance

User support

Email or online ticketing support: Email or online ticketing
Support response times: Our support is available round-the-clock, every day of the year (24/7/365), ensuring assistance whenever you need it most. We pride ourselves on our swift response times, tailored to the urgency of your issues:

Critical Priority: Guaranteed response time of less than one hour.
High Priority: Issues addressed within two hours to ensure prompt resolution.
Medium Priority: Attention within four hours, balancing urgency and efficiency.
Low Priority: Response within eight business hours, demonstrating our commitment to comprehensive support.
Our service level agreements (SLAs) remain consistent throughout the week, including weekends and public holidays, ensuring reliable assistance whenever you require it.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Onsite support
Support levels: All deployments include standard support, which can be enhanced with additional capabilities:

Standard Support: Included with all products, offering 24/7/365 email, telephone, and web support.
Platinum Support: Enhanced option with expedited response times, a designated technical account manager, and proactive support services.
Dedicated 'Resident Engineer': Optional service providing personalised expertise aligned with your needs, available for an additional purchase at $385,000 USD (List Price) per engineer.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Palo Alto Networks offers comprehensive support to help users start using our service efficiently. We provide both on-site and online training sessions tailored to the specific needs of our users, ensuring they have the knowledge and skills necessary to leverage our offerings effectively.

In addition to training sessions, we offer publicly accessible user documentation covering everything from initial setup to ongoing maintenance and usage, including detailed guides on how to utilize the API for advanced configuration and automation.

For organisations seeking rapid onboarding, we offer Professional Services in the form of "Quickstart" packages. These packages are designed to expedite the onboarding process, providing expert guidance and support to ensure a smooth transition to our service.

Furthermore, our Strata Cloud Manager offering provides operational health and configuration health analysis, ensuring that operators are deploying correctly against best practices and extracting maximum value from our service. This feature enhances operational efficiency and helps users maintain a healthy and optimised environment.

Overall, our goal is to empower users with the resources and support they need to start using our service confidently and efficiently, whether through training, comprehensive documentation, or personalised professional services
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Users have the ability to extract their data when the contract ends to ensure compliance and continuity. Palo Alto Networks facilitates the export of all customer data, allowing users to retain ownership and control over their information.

For cloud data held by Palo Alto Networks on an organisation/tenant, users can initiate the export and deletion process by contacting Palo Alto Networks support. Our support team will assist users in securely exporting their data, ensuring a smooth transition and compliance with data protection regulations.

In the event that users do not initiate the export process, Palo Alto Networks automatically purges the data after 90 days following the cessation of the contract(s). This automated process helps to ensure data security and privacy, mitigating the risk of unauthorized access or retention of sensitive information.
End-of-contract process: At the conclusion of the contract, the organisation retains ownership of the VM-Series firewall licences along with the data stored on them. They have the autonomy to manage the disposal of these licences in alignment with their internal policies and procedures.

For hardware appliances, the organisation holds the authority to determine the disposal method. Palo Alto Networks does not intervene in this decision-making process, allowing organisations to choose the most suitable disposal approach based on their specific needs and requirements.

Using the service

Web browser interface: Yes
Using the web interface: The web interface serves as the primary tool for accessing and managing our service. Users can set up the service through the web interface by accessing either the dedicated management interface or enabling web management capabilities on a traffic-processing (dataplane) interface. This interface facilitates various tasks, including initial setup, system and network configuration, supporting objects configuration, security policy creation, and monitoring/reporting.

Users can make changes seamlessly through the web interface, enabling them to adapt configurations as needed. Additionally, a role-based access control mechanism is available for administrators to tailor access permissions, restricting certain users or roles to specific configuration functions or views. Overall, our web interface provides a user-friendly platform for efficient setup, configuration, and management of our service, with the flexibility to adapt to diverse user requirements.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: Our web interface can be accessed in two ways: either through the dedicated management interface or by enabling web management capabilities on a traffic-processing (dataplane) interface. For added security, access to the management interface can be restricted by IP address if desired.

Integration with external authentication services such as LDAP, RADIUS, TACACS, SAML, and MFA is supported, providing enhanced security and user management capabilities. This allows organisations to leverage their existing authentication infrastructure, ensuring seamless access control and user authentication processes. Administrators can configure the system to authenticate users against these external services, enhancing security posture and streamlining user management processes.

Most modern browsers are supported for accessing the UI, ensuring compatibility and ease of use across various devices and platforms. Users can expect a seamless experience, enabling efficient management and configuration of our service while leveraging advanced authentication capabilities for enhanced security
Web interface accessibility testing: N/A
API: Yes
What users can and can't do using the API: The XML API offers extensive functionality for configuring, operating, and monitoring the platform programmatically. The management CLI and Web UI are clients of the XML API itself, this design approach ensures that any action or function available in those modes are also available in the XML API.

Users can fully configure every aspect of the platform, including network and security policies, using the XML API. Role-Based Access Control (RBAC) ensures that only authorised keys can be used for specific functions, enhancing security and access control.

Additionally, the XML API seamlessly integrates with external libraries, such as Terraform and Ansible. This integration allows users to automate platform management tasks within existing workflows, streamlining operations and enhancing efficiency.

In summary, the XML API provides a powerful mechanism for users to programmatically configure, operate, and monitor the platform, offering extensive capabilities for automation and integration into existing workflows.
API automation tools: Ansible

Chef

OpenStack

SaltStack

Terraform

Puppet

Other
Other API automation tools: Integrates XDR (endpoint, NTA) and SOAR functionalities.

Standardised libraries for custom project automation

Published libraries supporting custom project automation.

Automates configuration management and deployment tasks seamlessly.

Enables infrastructure as code automation for efficient deployment

Automates IT infrastructure provisioning and configuration management.

Streamlines infrastructure automation and continuous delivery processes.

Automates container orchestration and management for scalable deployments.

Integrates with ServiceNow for streamlined IT service management processes.

Any CI/CD tool with a sufficient API for automation.
API documentation: Yes
API documentation formats: HTML

PDF

Other
Command line interface: Yes
Command line interface compatibility: Linux or Unix

Windows

MacOS

Other
Using the command line interface: The CLI provides extensive functionality for configuring, managing, and monitoring the platform. Users can perform various tasks, including but not limited to:

Configuration: Configure network and security policies, system settings, and supporting objects.
Management: Manage user authentication settings, system status, and device administration.
Monitoring: Monitor system performance, network traffic, and security events.
Troubleshooting: Diagnose issues, troubleshoot connectivity problems, and debug configurations.
Testing Command Hierarchy: Utilise the testing command hierarchy to perform diagnostic tests, verify configurations, and assist with troubleshooting.
The CLI offers a robust set of commands to accomplish these tasks efficiently. However, it's essential to note that certain administrative actions may require elevated privileges or authentication. Additionally, complex configurations or specialized tasks may be more efficiently handled through other interfaces, such as the web interface or API.

Overall, the CLI provides a powerful and flexible tool for administrators to configure and manage the platform, offering extensive capabilities for efficient administration and troubleshooting.

Scaling

Scaling available: Yes
Scaling type: Automatic

Manual
Independence of resources: In either deployment model the VM-Series platform offers suitable horizontal scaling with a clustering capability (external load balancing/distribution required) for hot-running instances. Additionally, organisations can leverage the health metrics to automate the provision and insertion of new VM-Series instances in order to scale the service as required.

In our public cloud environments, where the VM-Series is delivered as a service (e.g. Google Cloud Firewall Plus) each user receives dedicated resources, eliminating shared tenancy. This ensures users are unaffected by others' demands on the service. Dynamic scaling mechanisms further optimise performance and reliability, guaranteeing uninterrupted service availability and performance.
Usage notifications: Yes
Usage reporting: API

Email

Other
Other usage reporting: Syslog and/or HTTP Event Forwarding

Analytics

Infrastructure or application metrics: Yes
Metrics types: CPU

Disk

HTTP request and response status

Memory

Network

Number of active instances

Other
Other metrics: Standard Linux SNMP MIB
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Reseller providing extra support
Organisation whose services are being resold: Palo Alto

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding

Other
Other data at rest protection approach: Service are supplied from Google and Amazon Data centers (further information to follow)
Google Security statement
https://cloud.google.com/security/overview/
https://cloud.google.com/security/

AWS Security Statement
https://aws.amazon.com/compliance/data-center/controls/
https://d1.awsstatic.com/whitepapers/aws-security-whitepaper
https://aws.amazon.com/compliance/data-center/data-centers/

All logs can be stored in the customer's instance of a Palo Alto Networks' Cortex Data Lake, user activity is monitored and stored in the Cortex data lake for the agreed retention period.
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed

Hardware containing data is completely destroyed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up: Firewall policies,

Network configurations

Security profiles
Backup controls: Users can initiate backups of the service configuration via API on demand or through the CLI or web interface. Additionally, the central managed platform (Panorama) allows scheduling of backups, enabling automatic export of configuration data from managed devices to an external storage repository using SCP or FTP. This flexibility empowers users to tailor backup schedules according to their specific requirements and ensures the timely preservation of critical configuration data.
Datacentre setup: Multiple datacentres with disaster recovery

Multiple datacentres

Single datacentre with multiple copies

Single datacentre
Scheduling backups: Users schedule backups through a web interface
Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Other
Other protection between networks: Custom TLS certificates unique per customer.
We ensure data security during transit by utilising standard encryption protocols and deployment-specific certificates. These measures establish secure communication channels between the buyer's network and our network, safeguarding data integrity and confidentiality. Our security practices align with industry-leading frameworks such as SOC2, NIST, and Cyber Essentials, demonstrating our commitment to compliance and adherence to rigorous security standards. By integrating these frameworks, we mitigate risks and provide customers with assurance that their data is protected against unauthorised access or interception during transit.
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Other
Other protection within supplier network: Internally, we employ a multi-layered security approach to safeguard data. This includes robust access controls, encryption mechanisms, and regular security audits. Our security protocols adhere to industry standards and frameworks, ensuring comprehensive protection against internal and external threats. By continuously monitoring and updating our security measures, we mitigate risks and maintain the confidentiality, integrity, and availability of data within our network.

Availability and resilience

Guaranteed availability: N/A - Responsibility of the cloud provider and/or customer if deployed within a private cloud environment.
Approach to resilience: N/A - Responsibility of the cloud provider and/or customer if deployed within a private cloud environment as this is configuration dependant. For additional inforamtion, contact Palo Alto Networks as more specific information is available on request.
Outage reporting: In a typical scenario this is not-applicable, however customers can leverage the API & Email functionality of the VM-Series NGFW in order to attain a similar experience within their own tooling infrastructure.

Identity and authentication

User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google apps)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: Restrictions can be implemented by restricting IP addresses able to access the management interface(s). In addition a role-based access control (RBAC) system is in place to further restrict users to user definable configuration views and modes.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Dedicated device on a government network (for example PSN)

Dedicated device over multiple services or networks

Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: No audit information available
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Accredited by MSECB
ISO/IEC 27001 accreditation date: 2020-07-06, valid until 2025-10-31
What the ISO/IEC 27001 doesn’t cover: N/A
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: N/A
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: N/A
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: SOC2

Fedramp

Common Criteria

Cyber Essentials

NCSC Foundation Grade Certification

FIPS 140-2,

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: Cyber Essentials, NIST, SOC2, etc.
Information security policies and processes: Palo Alto Networks has a formal Enterprise Risk Management program, which includes the performance of an annual risk assessment, with periodic updates, as applicable, to identify and assess key risks and their mitigation approaches. The scope of the program encompasses information security risks and product risks. Our security program consists of a risk-based approach that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of customer data. Palo Alto Network's information security program is aligned to ISO 27001/2, and includes key controls from HIPAA, PCI, SOC2, Cyber Essentials and more. Additional information is available at: https://www.paloaltonetworks.com/legal-notices/trust-center/

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Both Palo Alto Networks and the end-user organisation are in full control of their relevant and respective change control processes.
Additional details are available upon request.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Applications and software that collect, transmit or display, or process End User Data, Palo Alto Networks conducts an application security assessment review to identify common security vulnerabilities as identified by industry recognized organizations annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.

Palo Alto Networks utilizes a qualified third party to conduct the application security assessments. Palo Alto Networks may conduct the security assessment review directly, following industry standard best practices.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Applications and software that collect, transmit or display, or process End User Data, Palo Alto Networks conducts an application security assessment review to identify common security vulnerabilities as identified by industry recognized organizations annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.

Palo Alto Networks utilizes a qualified third party to conduct the application security assessments. Palo Alto Networks may conduct the security assessment review directly, following industry standard best practices.
Incident management type: Supplier-defined controls
Incident management approach: This information is available upon request

Secure development

Approach to secure software development best practice: Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: N/A

Social Value

Fighting climate change

We take our environmental management and the impact we have on the environment very seriously. We have environmental policies in place and hold the ISO14001 accreditation. Our environmental assessments are conducted annually by an external Lead ESOS Assessor; they are signed-off by the board and compliance reported to the regulator (the Environment Agency). Our environmental policy is published on our website at https://www.bytes.co.uk/company/sustainability/environmental.
Bytes achieved carbon net zero in March 2022 through approved carbon offsetting schemes. We are always seeking to reduce our impact on the environment. We aim to minimise waste, reduce pollutants and use renewable materials. Our offices have recycling facilities for cans, plastic and paper. We aim to reduce our office printing to zero within the next few years.
An Environmental Steering Committee has been established to coordinate environmental activities and drive change.
To drastically reduce our emissions, we have switched to renewable energy. Our Head Office has reached our first milestone of using a specialist 100% renewable electricity provider. We are also exploring options to install solar panels on our Headquarters building.
Other environmental initiatives include installing electric vehicle charging points and encouraging staff to commute to work without the car (setting up a car share network and installing secure cycle parking).
We produce a SECR (Streamlined Energy and Carbon Reporting) report that details the companies energy consumption and carbon emissions. This report is produced annually by an independent assessor.
This report provides details of our emissions in Scope 1, 2 and 3 categories. It details the activities previously taken to reduce emissions and also recommendations for further improvements.
For scope 1,2 and 3 emissions we aim to reduce these by 50% by 2025-2026 from our 2021 baseline.
We aim to be Net Zero by 2040, covering our own operational emissions.

Pricing

Price: £140 a unit
Discount for educational organisations: No
Free trial available: No

Palo Alto Networks VM-Series Next-Generation Firewall

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

Palo Alto Networks VM-Series Next-Generation Firewall

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents