Palo Alto Networks Customer Presentation Click to edit Master text styles Second level Third level Fourth level Fifth level November 2009 Ozan Ozkara 1 1

About Palo Alto Networks Founded in 2005 by a world-class team with strong security and networking experience Innovations: App-ID, User-ID, Content-ID Builds next-generation firewalls that identify and control more than 850 applications; makes firewall strategic again Global footprint: presence in 50+ countries, 24/7 support © 2009 Palo Alto Networks. Proprietary and Confidential. 2 2

Applications Have Changed – Firewalls Have Not The gateway at the trust border is the right place to enforce policy control Sees all traffic Defines trust boundary Need to Restore Visibility and Control in the Firewall © 2009 Palo Alto Networks. Proprietary and Confidential. 3 3 3

Applications Carry Risk Applications can be “threats” P2P file sharing, tunneling applications, anonymizers, media/video Applications carry threats SANS Top 20 Threats – majority are application-level threats Applications & application-level threats result in major breaches – Pfizer, VA, US Army © 2009 Palo Alto Networks. Proprietary and Confidential.

Application Control Efforts are Failing Palo Alto Networks’ Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations Bottom line: despite all having firewalls, and most having IPS, proxies, & URL filtering – none of these organizations could control what applications ran on their networks Applications evade, transfer files, tunnel other applications, carry threats, consume bandwidth, and can be misused. Applications carry risks: business continuity, data loss, compliance, productivity, and operations costs Applications are built for accessibility. 57% of the applications found – both business and consumer – use port 80, port 443 or port hop to simplify access Applications that enable users to circumvent security are common. Proxies (81), remote desktop access (95%) and encrypted tunnel applications were detected across the participants File sharing usage is rampant. P2P file sharing was found in 92% of the time, browser-based file sharing continues to gain in popularity (76%) Controls are failing. 100% of the customers had firewalls, while 87% had added security (IPS, Proxy, URLF) Page 5 | © 2009 Palo Alto Networks. Proprietary and Confidential. © 2009 Palo Alto Networks. Proprietary and Confidential. 5 5 5

Sprawl Is Not The Answer Internet “More stuff” doesn’t solve the problem Firewall “helpers” have limited view of traffic Complex and costly to buy and maintain Putting all of this in the same box is just slow Page 6 | © 2009 Palo Alto Networks. Proprietary and Confidential.

The Right Answer: Make the Firewall Do Its Job New Requirements for the Firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Protect in real-time against threats embedded across applications 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, in-line deployment with no performance degradation © 2009 Palo Alto Networks. Proprietary and Confidential. 7 7 7

Identification Technologies Transform the Firewall App-ID Identify the application User-ID Identify the user Content-ID Scan the content © 2009 Palo Alto Networks. Proprietary and Confidential. 8 8

Purpose-Built Architecture: PA-4000 Series 03/05/07 Purpose-Built Architecture: PA-4000 Series Content Scanning Engine RAM Content Scanning HW Engine Palo Alto Networks’ uniform signatures Multiple memory banks – memory bandwidth scales performance Dedicated Control Plane Highly available mgmt High speed logging and route updates 10Gbps CPU 1 CPU 2 CPU 3 CPU 16 RAM Dual-core CPU RAM . . Multi-Core Security Processor High density processing for flexible security functionality Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression) RAM RAM SSL IPSec De-Compression HDD 10Gbps QoS Route, ARP, MAC lookup NAT 10 Gig Network Processor Front-end network processing offloads security processors Hardware accelerated QoS, route lookup, MAC lookup and NAT Control Plane Data Plane © 2009 Palo Alto Networks. Proprietary and Confidential. 9 9 9

Enables Visibility Into Applications, Users, and Content Page 10 | Page 10 | © 2008 Palo Alto Networks. Proprietary and Confidential. © 2009 Palo Alto Networks. Proprietary and Confidential. © 2008 Palo Alto Networks. Proprietary and Confidential. 10 10

PAN-OS Core Firewall Features Visibility and control of applications, users and content complement core firewall features Strong networking foundation Dynamic routing (OSPF, RIPv2) Tap mode – connect to SPAN port Virtual wire (“Layer 1”) for true transparent in-line deployment L2/L3 switching foundation VPN Site-to-site IPSec VPN SSL VPN QoS traffic shaping Max/guaranteed and priority By user, app, interface, zone, IP and scheduled Zone-based architecture All interfaces assigned to security zones for policy enforcement High Availability Active / passive Configuration and session synchronization Path, link, and HA monitoring Virtual Systems Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series only) Simple, flexible management CLI, Web, Panorama, SNMP, Syslog, XML API PA-4060 PA-4050 PA-4020 PA-2050 PA-2020 PA-500 © 2009 Palo Alto Networks. Proprietary and Confidential. 11 11

Flexible Deployment Options Visibility Transparent In-Line Firewall Replacement Application, user and content visibility without inline deployment IPS with app visibility & control Consolidation of IPS & URL filtering Firewall replacement with app visibility & control Firewall + IPS Firewall + IPS + URL filtering © 2009 Palo Alto Networks. Proprietary and Confidential.

Enterprise Device and Policy Management Intuitive and flexible management CLI, Web, Panorama, SNMP, Syslog Role-based administration enables delegation of tasks to appropriate person Panorama central management application Shared policies enable consistent application control policies Consolidated management, logging, and monitoring of Palo Alto Networks devices Consistent web interface between Panorama and device UI Network-wide ACC/monitoring views, log collection, and reporting All interfaces work on current configuration, avoiding sync issues Intuitive and flexible management options CLI, Web and Panorama central management application SNMP, Syslog Panorama central management application Panorama is a central management application enabling consolidated management, logging, and monitoring of Palo Alto Networks devices Consistent web interface with device, simplifying learning curve and obviating need for client software installation Provides network-wide ACC/monitoring views, log collection, and reporting All management interfaces work with latest config, avoiding out of sync issues common with multi-level management Automated Updates Automatic install or staging of updates App-ID signatures Threat signatures Software maintenance releases Zero-downtime upgrading of signatures and maintenance releases © 2009 Palo Alto Networks. Proprietary and Confidential. 13 13

Addresses Three Key Business Problems Identify and Control Applications Visibility of over 850 applications, regardless of port, protocol, encryption, or evasive tactic Fine-grained control over applications (allow, deny, limit, scan, shape) Fixes the firewall Prevent Threats Stop a variety of threats – exploits (by vulnerability), viruses, spyware Stop leaks of confidential data (e.g., credit card #, social security #) Stream-based engine ensures high performance Simplify Security Infrastructure Fix the firewall, rationalize security infrastructure Reduce complexity in architecture and operations © 2009 Palo Alto Networks. Proprietary and Confidential.

Thank You Click to edit Master text styles Second level Third level Fourth level Fifth level 15 15

Additional Information Speeds and Feeds, Deployment, Customers, TCO, Support, and Management

Palo Alto Networks Next-Gen Firewalls 10 Gbps FW 5 Gbps threat prevention 2,000,000 sessions 4 XFP (10 Gig) I/O 4 SFP (1 Gig) I/O PA-4050 10 Gbps FW 5 Gbps threat prevention 2,000,000 sessions 16 copper gigabit 8 SFP interfaces PA-4020 2 Gbps FW 2 Gbps threat prevention 500,000 sessions 16 copper gigabit 8 SFP interfaces PA-2050 1 Gbps FW 500 Mbps threat prevention 250,000 sessions 16 copper gigabit 4 SFP interfaces PA-2020 500 Mbps FW 200 Mbps threat prevention 125,000 sessions 12 copper gigabit 2 SFP interfaces PA-500 250 Mbps FW 100 Mbps threat prevention 50,000 sessions 8 copper gigabit © 2009 Palo Alto Networks. Proprietary and Confidential 17

Leading Organizations Trust Palo Alto Networks Health Care Financial Services Government Media / Entertainment / Retail Service Providers / Services Education Mfg / High Tech / Energy © 2009 Palo Alto Networks. Proprietary and Confidential

Fix The Firewall – and Save Money! Capital cost – replace multiple devices Legacy firewall, IPS, URL filtering device (e.g., proxy, secure web gateway) Cut by as much as 80% “Hard” operational expenses Support contracts Subscriptions Power and HVAC Save on “soft” costs too Rack space, deployment/integration, headcount, training, help desk calls Cut by as much as 65% Capital cost reduction. This is pretty straightforward – less boxes means less boxes to buy. For most organizations, where these functions already exist, this comes into play at refresh time – let’s say the customer is looking at IPS, but a firewall refresh is 10 months down the road… On the URL filtering subscription front – this comparison is with renewal list price for Websense Web Filter vs. list price for our URL filtering subscription.  Comparing 4 different scenarios (500/1000/2500/5000 users), the lowest savings was 80% (highest was 88%).  This is cost for annual subscription only (not looking at our hardware or the HW required to run Websense).  We can often save organizations enough money that they can buy our HW too with the Websense renewal budget.  There are other URL filtering vendors that charge less, obviously – so the 80% number will vary. Maintenance and support is a major factor as well. Support for firewall vs firewall is a wash, but if we consolidate the functions that the proxy is performing (or web security gateway that runs the URL filtering database), and we start to look much more cost effective with regard to these fees. IPS annual maintenance/support is a wash, since our threat subscription offsets the maintenance on the standalone IPS box. Other ops costs – For large organizations, rack space and power/HVAC is a big deal. For these customers, we have a more complex spreadsheet in the works (contact product marketing for an early copy). The other pieces (headcount, training, etc.) are largely soft costs that we won’t assign a number to, but sometimes can get folks thinking. © 2009 Palo Alto Networks. Proprietary and Confidential. 19 19

Legendary Customer Support Experience Strong TSE team with deep network security and infrastructure knowledge Experience with every major firewall TSEs average over 15 years of experience TSEs co-located with engineering – in Sunnyvale, CA Premium and Standard offerings Rave reviews from customers Customer support has always been amazing. Whenever I call, I always get someone knowledgeable right away, and never have to wait. They give me the answer I need quickly and completely. Every support rep I have spoken with knows his stuff. -Mark Kimball, Hewlett-Packard Customer support has been extraordinarily helpful – which is not the norm when dealing with technology companies. Their level of knowledge, their willingness to participate – it’s night and day compared to other companies. It’s an incredible strength of Palo Alto Networks. -James Jones, UPMC Page 20 | © 2007 Palo Alto Networks. Proprietary and Confidential © 2009 Palo Alto Networks. Proprietary and Confidential.

Single-Pass Parallel Processing (SP3) Architecture Operations once per packet Traffic classification (app identification) User/group mapping Content scanning – threats, URLs, confidential data One policy Parallel Processing Function-specific parallel processing hardware engines Separate data/control planes Up to 10Gbps, Low Latency © 2009 Palo Alto Networks. Proprietary and Confidential. 21 21

Comprehensive View of Applications, Users & Content Application Command Center (ACC) View applications, URLs, threats, data filtering activity Mine ACC data, adding/removing filters as needed to achieve desired result Filter on Skype Remove Skype to expand view of oharris Filter on Skype and user oharris © 2009 Palo Alto Networks. Proprietary and Confidential.