Palo Alto Networks Jay Flanyak Channel Business Manager jflanyak@paloaltonetworks.com

Palo Alto Networks at a glance Corporate highlights Founded in 2005; first customer shipment in 2007 Safely enabling applications and preventing cyber threats Able to address all enterprise cybersecurity needs Exceptional ability to support global customers Experienced team of 1,300+ employees Q1FY14: $128.2M revenue; 14,500 customers Revenues $MM FYE July Enterprise customers Jul-11 Jul-12 Jul-13

Our Market Opportunity

Magic Quadrant for Enterprise Network Firewalls “Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.” Gartner, February 2013 In this MQ Gartner is validating that the next-generation firewall has gone mainstream, stating "Advances in threats have driven mainstream firewall demand for next- generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them."   With our placement in the upper right for the 2nd consecutive Gartner is validating that we are a leader in the enterprise FW market: "Palo Alto Networks continued through 2012 to generate the most firewall inquiries among Gartner customers by a significant margin. Palo Alto Networks was consistently on most NGFW competitive shortlists, and we observed high customer loyalty and satisfaction from early adopters." We came to market in 2007 with an innovative, disruptive firewall solution and a singular focus on customers, which Gartner validates in the MQ: "Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward.” As far as what not to say – stick to the script, do NOT: 1.  Put words in Gartner's mouth. 2.  Anticipate future MQ positions. 3.  Talk about other vendors.  We have plenty of strong stuff in the bullets below.

Many Third Parties Reach Same Conclusion Gartner Enterprise Network Firewall Magic Quadrant Palo Alto Networks leading the market Forrester IPS Market Overview Strong IPS solution; demonstrates effective consolidation NetworkWorld Test Most stringent NGFW test to date; validated sustained performance and key differences NSS Tests IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)

Applications Get Through the Firewall Use interesting examples that are not Facebook and Twitter to show that applications have changes firewalls have not. They use evasive techniques to simplify use and avoid detection. AV in the late 90s started using port 80 (it is a C/S app), AIM prompted you to find an open port, BitTorrent and Skype hop ports, use encryption, MS Lync uses 443, 3489 and a host of ports above 50,000, SharePoint and function control use a range of web ports, but it is not a web app (it uses Office! SAP, Oracle, DropBox, Box.net Network security policy is enforced at the firewall Sees all traffic Defines boundary Enables access Traditional firewalls don’t work any more

Applications Get Through the Firewall: Threats Threat ramifications: Applications are a threat vector and a target Threats target applications Used as a threat vector Application specific exploits

Applications Get Through the Firewall: Exfiltration Exfiltration ramifications: Today’s threats are applications – their command/control requires network communications. Apps can act as the conduit for data theft. Applications provide exfiltration Threat communication Confidential data

Applications Get Through the Firewall: Encryption SSL and SSH: more and more applications use encryption, rendering existing FWs useless. What happens traffic is encrypted? SSL Proprietary encryption

Technology Sprawl and Creep Aren’t the Answer “More stuff” doesn’t solve the problem Firewall “helpers” have limited view of traffic Complex and costly to buy and maintain Doesn’t address application control challenges UTM Internet IM DLP IPS Proxy URL AV the control that once existed in the firewall has eroded over time. UTMs exist for the sole purpose of consolidating devices to save money – just google the IDC definition from 2004 UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc UTMs are all stateful inspection based – the all make their first decision on port. We are not a utm. Enterprise Network

The Answer? Make the Firewall Do Its Job 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify and control users regardless of IP address, location, or device 3. Protect against known and unknown application-borne threats 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, low latency, in-line deployment 11 11 11

Zero-day discovery with WildFire™ Anti-malware signatures DNS intelligence Malware URL database Anti-C2 signatures Global intelligence and protection delivered to all users 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.) Malware run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads Malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally Stream-based malware engine performs true in- line enforcement On-premises WildFire appliance available for additional data privacy WildFire TM Soak sites, sinkholes, 3rd party sources Command-and-control Staged malware downloads Host ID and data exfil WildFire Appliance (optional) WildFire Users

Enabling Applications, Users and Content The goal is to use applications, users and content as a means of talking about all 5 technologies and services: app-id, user-id, contentid, globalprotect and wildfire – not just the 3 core ones. This slide includes several good application examples – none of which are Facebook or Twitter . Each example has a user, an app and some content – doc, file, threat – when traversing the FW, those elements are either allowed or blocked for specific groups of users ********************** Classifying all applications, across all ports, all the time with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture App-ID for development. Tying users and devices, not just IP addresses to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux or Android, iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network. The combined visibility and control over a users' application activity means organizations can safely enable the use of Oracle, BitTorrent, or Gmail, or any other application traversing the network, no matter where or how the user is accessing the network. Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community. Enterprise wide enablement: Safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. At the perimeter, organizations can reduce their threat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats - both known and unknown. In the datacenter, application enablement translates to confirming the applications users and content are allowed and protected from threats while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency - the same policy deployed at the corporate location and is extended, seamlessly to other locations.

Enabling Applications, Users and Content Applications: Safe enablement begins with application classification by App-ID. Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect. Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.