A typical firewall's primary function is to allow or deny traffic based on the ports and protocols in use. This has led to some pernicious problems.
Problem 1: Typical firewalls never deny a known set of ports and protocols, leaving gaping holes through which numerous applications pass. Some of these applications carry malicious code.
Problem 2: Some of the applications coming through holes in the firewall are very useful. Many are less useful, and a few can be downright dangerous. A typical firewall can't help you distinguish among or control these applications.
PAN addresses these problems by reframing the primary function of a firewall. In PAN's view, job one is to precisely identify every application that comes in and goes out of the network. This makes all kinds of interesting things possible.