Overview
Native security is convenient, but is it sufficient? Cloud Firewall Benchmarking replaces the "good enough" assumption with irrefutable, empirical data — measuring how effectively your current firewalls block sophisticated L7 threats compared to a Palo Alto Networks Cloud NGFW.
The assessment deploys a temporary, isolated Cyperf (Keysight) sandbox in your account, replays high-severity CVEs, malware, and C2 beaconing against both firewalls simultaneously, and produces a side-by-side Security Validation Report (SVR).
Key Capabilities
- Side-by-Side Efficacy Testing: Real-world strikes injected in both directions against a PANW firewall and your native cloud firewall at the same time.
- Comprehensive Strike Packs: High-severity CVEs, malware, and command-and-control beaconing measured for detection depth and blocking efficacy.
- Non-Intrusive Sandbox: Uses Cyperf (Keysight) in an isolated environment — zero risk to production traffic.
- Highest-Level Security Configuration: Both firewalls tested at maximum security posture — Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering.
- Multi-Cloud: Supported on AWS and Azure.
- Board-Ready SVR: A Security Validation Report showing exactly where gaps exist and how to close them.
Assessment Areas
Threat Detection
- High-severity CVE exploits
- Malware samples
- Command-and-control beaconing
- Evasive L7 attacks
Directional Coverage
- Inbound threat blocking
- Outbound exfiltration blocking
- Per-DUT breakdown
- Overall efficacy score
Advanced Security Features
- Advanced Threat Prevention
- Advanced WildFire (sandboxing)
- Advanced URL Filtering
- DNS security
Framework Alignment
- CIS Benchmarks
- NIST Cybersecurity Framework
- Miercom test methodology
- Cyperf strike pack standards
Deliverable
- Security Validation Report (SVR) — side-by-side comparison
- Test objective and threat categorization
- Policy configuration used on both DUTs
- Overall threat efficacy score for both firewalls
- Test topology diagram
- Inbound and outbound efficacy breakdowns
- Appendix — full list of injected threats with priority and blocking status
Availability
Cloud Firewall Benchmarking has no geographical restrictions — it's delivered worldwide. Coverage is limited to AWS and Azure only; GCP is not supported today.
Training Walkthrough
End-to-end steps for deploying and running the Cloud Firewall Benchmarking demo. Follow these in order; the entire flow completes in under 24 hours.
Install Docker Desktop
Download Docker Desktop for macOS to a local Linux machine, install it, and confirm the Docker daemon is running before proceeding.
Download the Benchmarking Package
Download the Cloud Firewall Benchmarking package to your local machine and verify the contents:
The package includes the setup script, deployment tarball, and Terraform variable files for both AWS and Azure.
Configure the Terraform Variables
Edit terraform-aws.tfvars with the credentials of the cloud account where you want to deploy:
The stack name is prepended to deployed instances. The allowed CIDR controls network access — use ["0.0.0.0/0"] to allow all. The license server IP comes from the TME team.
Deploy the Stack
Make the deployment script executable, subscribe to the CyPerf Controller and Agent on AWS Marketplace (one-time), then trigger the deploy:
When the deploy finishes, capture the CyPerf controller UI IP from the output — it looks like:
Create Azure App Registration
In the Azure portal, create a new App Registration. Add an App Role with write permissions, then generate a Client Secret from the Overview menu — capture it immediately, it won't be shown again.
Configure Azure Terraform Variables
Edit terraform-azure.tfvars with your Azure credentials and the App Registration values from Step 1:
Then follow the same deploy steps as the AWS flow — the setup script takes an --deploy-azure flag.
Install Latest Content on the PANW Firewall
Before running the efficacy test, install the latest security content so the PANW firewall is at its maximum posture. Either update manually via the firewall UI (Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering) or run the helper script:
Execute the Efficacy Test
Log in to the CyPerf controller UI using the IP captured earlier:
The controller UI shows a topology diagram of the inbound and outbound threats CyPerf agents will inject across both the PANW firewall and the CSP firewall (the two DUTs). Available actions:
- Start test — begins injecting inbound and outbound threats through both DUTs
- Live Statistics — auto-shown after start; live threats-injected vs threats-blocked
- Test Result — final scores when the run completes
- Download report — export the SVR
- Test details — see the exact test configuration
Download & Analyze the Report
When the test completes, click Download report in the top-right of the controller UI. The Security Validation Report contains:
- Objective — threat efficacy comparison of PANW and the CSP firewall
- Threats categorization — strikes used and their categories
- Policy configuration — both DUTs configured at highest security posture
- Overall threat efficacy — the headline blocking-rate comparison
- Test topology — diagram of the deployed test environment
- Inbound / outbound efficacy — directional breakdowns per DUT
- Appendix — full list of injected threats with per-DUT block status and priority
Tear Down the Environment
Once you've downloaded the report, destroy all deployed resources with a single command from the same folder: