Cortex XDR by Palo Alto Networks Reviews

We are not using it for our purposes because we are a Palo Alto partner. We propose it for our customers based on their requirements.

We are both a service provider and a reseller.

When the pandemic first began, the use cases were mostly for remote users. We deployed this for the majority of remote users.

When the pandemic started, Palo Alto came up with many solutions, which helped with the quick shift from on-premises to the cloud. We have a lot of advantages as a result.

It's a very simple implementation, and I have direct Palo Alto implementation available as well. So it's very simple. We haven't found any issues, so far the implementation is going well, I don't see any gaps.

In general, the price could be more competitive.

In Palo Alto, we also work with all product lines, including Prisma and other product lines as required. Is a mix, it's a subproduct, we work with the mix of products.

We have been working with Cortex XDR by Palo Alto Networks for two to three years.

We get updates from Palo Alto directly.

Cortex XDR by Palo Alto Networks is a stable product.

It's a scalable solution, we have not had any challenges with the scalability of Cortex XDR by Palo Alto Networks.

Our customers range from medium to large enterprise companies. The adoption rate in small businesses is much less, but the majority of our requirements come from mid-to enterprise-sized businesses.

Technical support is the best in class, in my opinion, because they have invested heavily in research and development. In terms of comparison and today's challenges, such as security and layers, Palo Alto complies with all of the challenges.

In terms of Security, we are working with a few products and a few brands.

We use Palo Alto and we also work with Barracuda. These solutions are used on the web firewall and for email protection.

We work with the entire Barracuda product line, but specifically for email protection and web filtering.

Barracuda Essentials is included with O365 protections, we work with those solutions. 

Palo Alto is part of a different vertical layer than Barracuda. It's distinct. They are very different.

The initial setup depends on the environment, but as a technology, I would say it's simple. It's not that difficult.

The length of time it takes for deployment is determined by the project and the surrounding environment. We can only determine the timeframe based on that, pinpointing a specific time period is difficult.

It does not require maintenance because regular updates and monitoring are required. So if there is anything, new patches and the like, it is done automatically, and there is no additional implementation unless there are any infrastructure changes.

In comparison to other competing products, it is based on the customer's needs and the environment. However, when compared to other products, the price is slightly higher, but when considering technology and new innovation, that is the plus I would say when it comes to being XDR.

The price could be more competitive because it is not on the price wall when you go and question Palo Alto XDR. It is present, but when compared to other competitive products, I would say it is not less expensive; however, when all of the other added values are considered, the price is reasonable.

So far, it has met all of our requirements, and it should be able to cater to a wide range of product lines.

We must first determine what their business requirements are, as well as what other technical layers we are considering, and then propose the appropriate sizing and solution.

We mostly promote Palo Alto, but it depends on the customer's needs, as well as their budget, infrastructure, and what their business requires, all of those factors come into play when recommending a solution.

When you compare it with other products, I would rate Cortex XDR by Palo Alto Networks a nine out of ten.

It's close to being rated a ten out of ten because of their level of support, and the other is the solution and the most recent technology.

As with any advanced malware protection tool, it's really about the results and getting the security you need. We are end users and I'm a cybersecurity incident response analyst.

I like that the product has behavior-based detection which offers many benefits over signature-based detection. When it comes to zero day attacks and targeted attacks, signature detection is not able to detect problems. Behavior-based detection is able to detect attacks tailored specifically for your environment, or malware that doesn't yet have a known malicious signature. It's the nature of how the data is processed that makes the tool really powerful. 

The downside to the solution is that there are a large number of false positives. There are a whole lot of different things for business automated actions, and it's hard to sort through all that. Without some assistance and suppression of false positives from Palo Alto or some event triaging that you might have enabled on your SIEM, you'll continue to get the high number of false positives. It's related more to the lack of capability to easily identify and suppress false positives before they're presented to you. There needs to be a function for suppressing false positives for types of machines and not necessarily for the actual groups.

I've used this solution for close to six months while we were evaluating it. 

Since Palo Alto was giving us the proof of concept, we had direct access to them.

It takes quite a few people to set it up. I would say the biggest difference between Palo Alto XDR and something like Cisco AMP outside of the actual detection is going to be the ease of implementation. Cisco AMP only requires one person to go through all the groups and configure policies. With XDR you define groups based on types of machines and commonalities in the machines. It's not like you just send a connector to machines and they're part of that group in that policy. It means there is a whole lot more to configure on XDR.

The same things apply to anyone looking to implement any form of anti-malware agent. You really want to take the time to make sure your environment is organized and configured the way that you want it to be, because once you start getting empty policies and machines in run groups, you run into a pretty big mess. Another thing would be documentation. If you're adding suppressions or custom detections or your AOCs, keep a document which logs all the changes, because people come and go, and handing down an anti-malware tool to somebody that doesn't know how or why it was configured a certain way, could make things difficult.

It would be a tremendous amount of work for us to implement Networks in a company our size. We have a whole bunch of projects going on right now that are pretty important and since we already have that advanced malware protection tool and AMP, which we think is good, we don't necessarily think Networks is as powerful at detection. On other projects, if we were going to go ahead and turn around and move forward with Palo Alto, it would mean taking a step backwards and reimplementing an anti-malware agent that we already have. That said, my impression is that it's a really good tool and you can get a lot out of it. 

I rate this solution a nine out of 10. 

I've found the security protection modules there, have been the most valuable.

I started using it from 4.1, but it didn't change that much. Some features and some fixes have been added to 4.2, but not that much. They need to improve reporting, the end-point reporting. They could also enhance their notification statuses. In the current version, you will see some threat alerts, or if anything is executable, but you will not see behavioral analysis. You will see what was being blocked, and that's it. If Traps logs something, you will get a notification. Otherwise, you have to generate the dump file and investigate on your own.

In the next release, I would like to see more UI improvements. Their UI is a bit basic. When we are speaking about Palo Alto Networks they are a big company, so they can surely improve the UI a little bit. The UI, the reports, the log system can all be improved. But overall, when we speak about security and protection, they are one of the top providers.

It's very stable. I've never experienced downtime for the ASM console or ASM core. But we experienced this for the database, and it was not clear in Trap's interface. So, Trap's server stopped working, stopped getting jobs, stopped the enforcing policies because the database was full. We did not get any alert for that, so you will not see any alert on the ESM console that says that your database is about to fill up. It was not reachable and there was no warning or indication for this. You have to go to some tools internally and check in the command line, to see. You will see some errors for the DB, and you will realize that it's a DB issue. I've never experienced any issue with the Traps itself, but with the database.

It's very easy to scale if you have file availability. If it's more clear, we can do high availability, but it's a bit tricky. We deployed this for 4,000 endpoints, and it was very easy. Two ASM core servers were enough to deploy it for 4,000 plus endpoints. These are enterprises, not SMBs. They're government institutions.

I would not say that technical support is bad, but it's not that good. It could be better.

Basically, they don't provide customer support tools just to investigate the logs. From a reseller or authorized center for Palo Alto, I can't get that much information from the logs because it's a bit complicated. If they have support tools, for example, to analyze the logs as they have for the Palo Alto firewall. They don't have for this for Traps. They need to have some tools to analyze the logs. We can generate something called tech support files from Traps, but it's useless. Nothing's there. You will not get that much from the tech support file.

But for the firewall, if we get the tech support file and upload it to somewhere they have some tools, we can get many useful logs and alerts. For Traps, this is not possible.

The initial setup was straightforward. They are using MySQL database, and I think it's a disadvantage because you need to buy a license for MySQL also to deploy it. They don't have this concept of file availability between DS and core servers.

We are a reseller. We are implementing it on customer premises for our clients.

The main advice I can share is to watch out for your database and make sure to give it enough resources. That's it.

I would rate this solution eight out of 10.

We use it for primary endpoint protection.

Its multi-layer approach helps my organization with anti-malware, exploit protection, and restrictions. A good analogy would be like peeling back an onion, getting through those layers. It gives you the confidence that it will stop exploits, ransomware, worms, or viruses from compromising endpoints, essentially providing peace of mind.

The multi-layered approach to the product is its best feature. Each layer has a different method of protecting its endpoint. 

With cloud integration, there were several improvements made:

• Previously, the endpoint would leave the environment, not being on our VPN, essentially unable to interact with the server to upload files. It was unable to retrieve new file verdicts. It was using a thing called "local analysis" to determine if something was a malicious file or not. There was no dynamic analysis. With the cloud implementation, we now have connectivity to the server at any moment, as long as we have an internet connection.
• A new user interface, which is a lot easier to use. Making it similar to managing a firewall.
• Additional OS support.

Stability has improved over the years, as there were noticeable bugs in earlier releases, such as 3.x. With the later releases, versions 4.1 through 5, they have polished the product. It has gotten much better.

When major releases come out with new features, it is a fairly simple process to upgrade these releases.

It is 100 percent utilized with every feature turned on. We leverage their product to the fullest extent.

Scalability is great with servers and workstations. At a moment's notice, you can add hundreds of endpoints. With Traps 5 being on the cloud, there is no scalability risk. You're not going to overload it, as it is a cloud portal. It is their problem, not yours. If you have any issues, call support. I'm confident I can push the client out to 1000 machines, and it will still check in.

We have over 2500 people in our organization using Traps (the entire organization).

The technical support has gotten better over the years. When they first started Traps, the support was overseas, and there was a language barrier being from the United States. Over the years, they have distributed that support throughout their company. Now, we will call and get someone in the United States, so there is no language barrier, which is an improvement. 

I feel like the support group has definitely improved over the years. If I call now, I'm positive I'm going to get someone who knows the product very well and is going to help me to resolve whatever issue I'm seeing. We have had weird issues, and they actually have done forensic analysis of what was going on. They have adjustments to future dynamic updates because of these issues. Thus, we have had an impact on the product by bringing them an issue, then having them correct it.

We previously used McAfee vs Palo Alto. McAfee is a traditional antivirus. It provided little to no value. We didn't see it stop anything. It wasn't blocking anything. The management was difficult to use because of the virus definitions, where you had to sync every endpoint each day with these updates.

I set up Traps 5 without even looking at the administrative guide. I set it up using logic. Looking at it, reading it, testing it and pushing it out. I set it up in an afternoon with a colleague of mine.

It is easy to implement. It also has dynamic updates, making it smarter. Therefore, there is not much work to be done once you get it configured and pushed out. You can manage it with a small crew of people. Because of its ease of use, businesses might require a full-time employee to manage it. 

It's just one of the tools in the toolbox, and it save us time.

They made it very easy to set up, because you just log into the portal and activate it. They have an automated process to spin up your environment in the cloud. It all happens behind the scenes. 

From a user perspective, it is a click of a button. You just put in the key that was paid for and click a button, then it runs through the setup. Then, they essentially give you a button on your portal, you click it, and it brings you to your management console. Everything is already set up. They manage the upgrades, which is another bonus when being in the cloud, because when it was on-premise, you have to care and feed the server, patch it, upgrade it, and manage the database.

It takes 10 minutes for everything to initialize, since it is a brand new environment. You get to pick your URL, and Palo Alto manages the certificates. When your endpoints connect to the URL, it's just a trusted signed public certificate authority. As long as your endpoints are patched and up-to-date, they trust that certificate. 

Palo Alto is making it easier to implement and manage. They're making it easier to upgrade. The dynamic updates came within the last year or two. Previously, you have to upgrade the actual endpoint software to get more features. 

With dynamic updates, it's an automatic process. It makes the software logic smarter. 

When I first set up Traps four years ago, it took a lot longer because I had to set up a server with the operating system. That takes time. I had to install the software and configure it. I had to have a database, which took time and involved other people. There was a client to deploy to endpoints. Then, there was a certificate to set up for the portal to have our endpoints to communicate with the portal over our SSL. There were a lot of steps.

We did our implementation in-house. We required three to four people for the initial deployment: database administrator, network engineer, server administrator, and security analyst. Afterwards, it takes two people to maintain the solution, but it could be done with one person. We use two people for quality control.

For implementation strategy, if it was a new push or a build, set up your cloud portal, then do a test group, such as a pilot. Set up your policies how you would want them. From there, with your test group, you want to see if any alerts come in and what your endpoints are doing. Then, depending on your company, do a site-by-site implementation. It is integrated with Active Directory, so you can also do group implementation.

We have peace of mind knowing that ransomware isn't spreading through our environment.

The product checks a lot of boxes for compliance efforts. The value is there, because these days no one can afford to experience a breach or have a compromised endpoint. Since these would have to be reported, depending on your industry, it would look bad for the company.

We didn't have to pay any additional fee for the cloud instance. It just came with the renewal, which was nice.

If ransomware were to spread throughout your company, you would not want your file shares to be encrypted nor your servers to be affected. My advice would be get Traps on your servers and on your workstations. Go with version 5 and the cloud instance, then turn on all the features that you can. Some of them come by default disabled out-of-the-box, but you want to turn on all of the features, such as local analysis, file quarantine, WildFire, malicious and grayware blocking and quarantine, restrictions (don't allow executables to run from USB drives, unless it's whitelisted). Turn on all the exploit protections with dynamic updates, and just let it just update. Since we all know the next version of Flash Player is going to have a vulnerability which no one knows about until it's discovered. Then, at that point, it could have already been out there for a while.

With Traps, it could potentially determine the exploit before it's even a known vulnerability. Turn on every single feature you can without taking an impact to performance. Once it's fine-tuned and doing its thing, I have never witnessed Traps not working properly.

They have put in improvements over the years. We have been using the product for over four years now (since I've been with the company). They have added support for additional operating systems, such as Android, macOS, and Linux. They used to be Windows only. They put improvements where they no longer require you to have an on-premise server, so you can host it on the cloud. Thus, when endpoints leave the environment, they can connect to a cloud host and have full connectivity to your policies.

When Traps does sandbox tests, it checks the verdict against their sandbox: WildFire. Having it in the cloud is great, because then the machine doesn't have to be on a VPN or within the company walls with connectivity to an on-premise server. Therefore, having the cloud implementation was definitely an improvement.

When Palo Alto acquires a technology, they implement it into Traps and make the product better. They have done this in the past, and there are cool things coming in the future from these acquisitions.

Advanced endpoint protection.

Traps has drastically reduced our endpoint attack surface via advanced detection capabilities, sandboxing of never before seen programs, and by drastically limiting where executables can launch in the first place. We have not had any malware successfully execute on an endpoint since deploying Traps.

Wildfire, advanced detection capabilities, and whitelist/blacklist features. These features have provided us an easy way to lock down our systems to prevent execution of unknown code and scripts and to prevent launching of code from end user writable directories.

The application whitelisting/blacklisting feature is based purely on path and filenames. Changing a filename can bypass it easily. The uninstall admin password for the client is passed in clear text during install. 

There is a severe gap in functionality between Windows, Linux, and Mac versions. For example all folder restriction settings are Windows only. Traps 5.0+ does not have SAML / LDAP integration. This is ridiculous for an enterprise product. 

Traps 5.0 does not integrate with Palo Alto's Panorama product, which was a big selling point of Traps 4.0. Traps 5.0 has no ability to send an email to alert of detections. Instead customers have to jump through hoops to use Palo Alto's log management service to forward logs into a 3rd party SIEM and then build your alerts from there. No EDR functionality, though this is supposedly coming.

Mostly positive. We've had some episodes early on where upgrades caused some issues with the backend database, but that seems to have cleared up. This issue would not impact the Traps 5.0 users as it is SaaS based.

This software exists on every workstation and server in our company with ~10,000 people using the solution. For on-prem, we run 3 nodes and it handles the load just fine. We could always add more nodes if necessary. For the SaaS solution, that is all on Palo Alto's side.

Setup was pretty straight forward. The product is very granular and customers can turn on features as they are ready/comfortable in order to keep the deployment simple. For organizations with a good understanding of their infrastructure, deployment should be pretty simple.

We deployed Traps ourselves. We went big bang and deployed all features at once. We had a strong understanding of our systems and were able to provide whitelisting settings up front that made sense. There was a bit of post-deployment work to resolve things that were missed, but all things considered the deployment strategy went smoothly and was the right call.

For an endpoint security service, that is hard to state. We have not seen a malware infection since deployment.

I feel it is fairly priced.

We evaluated 

• Palo Alto Networks Traps vs Carbon Black
• Palo Alto Networks Traps vs Cylance
• Palo Alto Networks Traps vs CrowdStrike
• and Palo Alto Networks Traps vs Sophos X.

I think Traps has the best mix of features by price in the industry. It is not flawless by any means, but Palo Alto seems committed to it and are improving it. Traps 5.0 is promising, though they have a ways to go before I'd be willing to implement it.

It has just been about a month.

It is mainly for monitoring and/or logging. We look at it to see if there are any log incidents. 

We are using its latest version. It is deployed as a hybrid.

Monitoring is most valuable.

In terms of areas of improvement, we have not completed our review of the product. We're also looking at other products. So, it's a little bit hard to tell what could be different because we have not completed the review of this product, but based on our experience so far, its implementation is quite complex.

In terms of new features, we don't have any functions or features that we would like to add at the moment. 

It is looking promising in terms of scalability, but we have not looked into it further because we are still in the process of learning and getting some experience.

Currently, there are just two users of this solution. They are IT specialists.

Its initial setup is quite complex. In terms of complexity, I would rate it a four and a half out of five.

I am using the Community edition.

My advice for people who are looking into implementing this system is that they should be aware of the complexity of the installation and the management of the system. I would preferably buy this from a partner.

We have not yet completed our review of the product. At this time, I would rate it a five out of 10.

We have a complete overview of all our PCs and it's very easy to handle and to use the interface. It has a lot of benefits for us.

The one area which should improve is not on the user side but on the product itself. Currently, if you use Palo Alto endpoint protection as the only solution it's very complicated to remove pre-existing threats. For example, if you had something that was not detected by the former solution, and you install Palo Alto, you will have some difficulty removing the virus with the Palo Alto tool. It would be helpful if they had a tool for removing a virus or threat in these cases.

The solution is very stable. We have about 350 licenses across all our PCs, and of course, only administrators are allowed to plug in.

Scalability is not an easy question. For us, Palo Alto traps is running on a good environment, so if we have a plan to expand we just adjust the environment and from the Palo Alto side, it is not a problem at all. The only thing I have to do is update the license file and it should work. But in the case of a bigger expansion, you have to separate the servers. For us, it is not a problem at all if we decide to scale Palo Alto traps.

Support response was very fast. I'm satisfied with the support.

If you have been educated in Palo Alto, the initial setup is very easy. Without an education it depends. It can be difficult, it depends on the knowledge of the installer.

We use the on-prem version, not the cloud version of Palo Alto.

We use it daily but we have logs. Normally, if we have an incident in detection from a wire system, there's more effort. But typically it would take about ten minutes in order to check the logs and it's not complex at all. But if you have some threats or viruses then, of course, maintenance takes longer.

In terms of advice, I'd say it depends on the usage of the PCs. For us to use in the main production, Palo Alto benefited us. It was easy to install and performance of the traps themselves are very good. In most cases, you don't have to worry about the performance of the PC at all. Palo Alto Traps takes up very few resources.

I would rate this solution 9 out of 10.

Cortex XDR by Palo Alto Networks is a network management solution.

Cortex XDR by Palo Alto Networks can improve mobile integration to allow access to the console.

I have sold Cortex XDR by Palo Alto Networks within the last 12 months.

Cortex XDR by Palo Alto Networks should be a stable solution.

The scalability of Cortex XDR by Palo Alto Networks is very good.

The cost of Cortex XDR by Palo Alto Networks is $55 to $90 USD per endpoint per month.

I would recommend this solution to others.

I rate Cortex XDR by Palo Alto Networks an eight out of ten.