Palo Alto Networks NG Firewalls Reviews

I design networks for our customers; I always use a high-speed packet filter upfront because I work for a Juniper partner company. This is usually a Juniper SRX series firewall and it does most of the easy work. Behind that, I add a more intelligent firewall, Palo Alto NGFW. We are partnered with Palo Alto, but that's not the main reason we use their solution. I worked with Check Point products for four years, and the Palo Alto alternative seriously impressed me. Here in Hungary, Palo Alto is considered the de facto intelligent firewall, for good reason.

I work for an integrator and support company, and I support our customer's security platforms; we have many customers with Palo Alto Networks NG Firewalls.

The firewalls improved our organization. Creating firewall rules is much simpler. The solution is so straightforward that customers can configure it themselves, and they rarely call us for that, which is great for us as a support company. It makes our job much easier as Palo Alto NGFWs don't require a security specialist to configure; it can be done by systems engineers or IT support staff. 

All the features are valuable, but my main one is the straightforward and well-designed GUI. I'm over 50 and have been in this business since the internet started. I'm not a GUI guy; I prefer using the command line. The product's GUI is excellent, and so is the threat intelligence. It's also straightforward to configure and flexible. The solution even has good networking, such as VLAN and subinterfaces, which is great because, in my experience, if the firewall is good, then the router usually isn't and vice-versa, but Palo Alto has both.

We use the on-premises solution, and it's very impressive; both flexible and intelligent. The machine learning functionality is excellent, and I love the product as a support guy because it makes my job much easier. I have very little troubleshooting, and our customers haven't had a single security incident since implementing Palo Alto. I'm deeply impressed with this solution.

The machine learning against evolving threats works well. The best thing I can say is that none of our customers have had any security issues; I can't find any problems with the solution.

The support is outstanding; we are always alerted about potential issues such as bugs in advance, so we have time to adapt and prepare. Palo Alto has grown more effective; most importantly, there haven't been any security issues. I would give the product a 10 out of 10 for flexibility and at least a seven for security. I can't say precisely what security threats our customers face, but nothing has gotten through.

The solution provides a unified platform, which is essential because there is a significant shortage of experienced IT specialists in Hungary and elsewhere. Their effectiveness is amplified by the quality and straightforward nature of the solution, and the result is more robust security.

I don't have a direct view of our customer's security threats as it is privileged information, but I can say that there have been no security breaches. I would say the solution does eliminate security holes. 

Our Palo Alto firewalls have the zero-delay signature feature implemented, and it works fine. There haven't been any issues with us or any of our customers. This feature makes the whole security system more efficient. 

The network performance is top-notch; I would give it a 10 out of 10. Intelligent firewalls tend to be slower, but this solution is fast. Previously, I used a simple packet filter or zone-based packet filter in conjunction with an intelligent firewall, but Palo Alto is fast and secure enough for standalone use. I've been familiar with the solution's architecture from the beginning, and it's a very nice platform.

I recommend this solution to any engineer; technically speaking, it's the best product on the market. I know it isn't the cheapest, and decisions are often made on a financial level, but Palo Alto in Hungary always gives us a good deal. 

The solution's VPN, called GlobalProtect, could be improved as I've had a few issues with that. 

It can be challenging to migrate configurations between Palo Alto firewalls or restart with a backup configuration using the CLI. That could be improved. I think I'm one of the only people still using the CLI over the GUI, so that's just a personal issue.

I have been working with the solution for four years.

The solution is incredibly stable.

We work with hardware platforms, and they are usually slightly over designed to be on the safe side. The virtual firewall is highly customizable, but I have experience with the hardware platforms, and there is an upper limit on those, but I haven't had any scaling issues thus far.

In Hungary, where I live, the population is 10 million, similar to London. When I say we have 1000 end-users, it may seem like a small number, but that's relatively high for Hungary. Other vendors also supply the solution here, so 1000 is just our customers.

I mostly do deployments and maintenance alone. There are three systems engineers at our company.

The customer service and support are good. I have full support when I have a problem, and they can even do remote assistance. We had a big power failure, and the firewall didn't restart; they provided a hardware expert over the phone to solve the problem. They are very impressive. I would say Juniper offers the best support, but Palo Alto is almost as good, if not just as good for me.

Positive

I have been in this business from the beginning, so I used most firewall solutions. I focused on Cisco for 15 years, but that changed due to license-based selling in a very price-sensitive market. Cisco is not as viable an option as it used to be as customers consider it too expensive. I also used a Check Point solution, which was regarded as the go-to intelligent firewall five years ago, but now Palo Alto has taken that top spot. 

We are partners with several providers, including Juniper, Palo Alto, and a few others, but I always go with Palo Alto because it's a straightforward solution with easy installation.

The setup is easy; it's straightforward for anyone with basic networking and security knowledge. It's comparable to setting up a firewall at home, which is very impressive. It's still easy with very complex network setups, only the VPN concentrator, GlobalProtect, is more challenging, as it requires two-factor authentication, but it's still straightforward.

Initial setup time depends on the specific implementation, but we can do a new deployment in one or two days. It is more complicated when migrating from other platforms because the customer expects the same logic and features in the new platform. Palo Alto has an excellent marketing strategy, so their customers know their product uses a unique logic. This helps keep the implementation straightforward and shorter compared to other solutions. 

My implementation strategy begins with a plan for the customer's network based on their needs. Then I set up all the networking parameters and configure the solution in my lab device, so I can export it and import it on-site. Every setup begins in our lab, as it's more impressive to go to the customer and import the configuration right away. 

I don't know about the price of the platform or the license fees, as the finance department deals with that. I only bill for the materials involved in the design.

I don't know about the price. When there's a new project, I go to the meeting, but after a point, all the engineers leave when it comes to money because it's not our business. I know Palo Alto offers good discounts for the partners, and the solutions are good. They offer free trials and win many customers because it allows them to test products and see how well they perform.

The only thing I can say is it's a top technology. 

I would rate this solution a nine out of ten.

Cloud-based solutions are very unpopular in Eastern Europe, only private clouds are used, but on-premises is the favored deployment method. We use cloud solutions at home and for small companies or companies with particular use cases. I implemented the solution for a customer, and my first task was to disable all cloud-related features. It's exceedingly difficult to find a financial or government institution using a cloud-based platform; this market segment tends to have a more conservative mentality.

I don't use the solution personally, but I'm the first-level troubleshooter. If I can't solve a problem, I open a ticket to Palo Alto's customer support.

I have clients who used separate firewalls and VPN concentrators, but after switching to this solution, they now use the Palo Alto firewall and its VPN, GlobalProtect. I don't think it's the best VPN concentrator, it's an excellent firewall, but the weak point is the VPN.

I advise reading the documentation before configuring, which goes for any platform.

Generally, it is used for the main function of the firewall. It protects the applications and the servers of clients from attacks. We use it as a perimeter firewall for the traffic from the internet, and it is also being used because one of the customers needed a solution for PCI compliance. We have put the firewall between servers inside the network to do segmentation. So, with the firewalls, specific communication is open between the clients and the servers, between the servers, and between the servers, applications, and the database.

We have PA-5000 and PA-850 series firewalls. In terms of the version, we are using version 9.1, which is not the most recent version. It is the previous one. We manage all firewalls from Panorama.

The most important benefit is that we can manage VPNs inside this firewall. We have integrated it with Active Directory. We provide a certificate to a user, and the user of the certificate can connect with the GlobalProtect VPN, which is a Palo Alto solution. With this solution, we can easily manage about 1,000 VPNs daily. It supports integration with Active Directory, and it is very easy for us to manage the VPNs. Before using Palo Alto Next-Generation firewalls, there was another solution, and we had a lot of issues with that.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities. Our main customer is going for PCI certification, and a part of the certification requires the use of these kinds of firewalls to protect all the information that they have.

Palo Alto NGFW’s unified platform helped to eliminate security holes and protect from various threats. 

We have firewalls that automatically update the signatures every 15 minutes. It is very important for us because if something happens, we know that the threat will be eliminated because the firewall is updated to the latest signatures.

The trackability is most valuable. When a port is open for a protocol, such as port 443 for HTTPS, it can look inside the traffic and identify or verify the applications that are using the port, which was previously not possible with traditional firewalls.

It is very important that Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. If something is different, the firewall identifies that based on the behavior of the traffic and alerts us. It can also block that so that nothing more happens.

We use Panorama to manage all firewalls. There is a dashboard, and there is a tab that shows you the real-time traffic that is passing through the firewall. We are able to get all the insights about the traffic.

We use ACC which is a tool for verifying the activity or traffic within your network. Currently, in ACC, the time of the samples that they offer is about five minutes. When you try to go down to a shorter duration, you can't. You only have five minutes. They can provide samples for shorter durations, such as one minute.

I have been using this solution for eight years.

In terms of usage, all the traffic is passing from these firewalls. In general, there are about 3,000 users and 1,000 servers. All the traffic travels through these firewalls. At this moment, there are no plans to increase its usage.

When we were migrating from one model to another, Palo Alto gave us a chance to replace the hardware because the previous model was old, and there was no support. We were able to acquire a new box at the same price that we would have had to pay to repair and maintain it. 

There is another person that is in charge of that. Their support is only in English, which has been challenging, but now, we have engineers who can talk in English.

It wasn't easy because we were migrating from Check Point to Palo Alto. It was difficult at the beginning, but after that it was easy. Overall, the implementation took us three months because we could only do it in certain time windows. It was implemented in phases.

There were some applications that didn't work fine in the beginning. We had to see what was happening and identified the issue.

In the beginning, we used Palo Alto, but after that, we did everything in-house. The support from Palo Alto was fine. Their support person helped us. We are in Mexico, and he helped in translating the support information from English to Spanish in the beginning. We had a few big issues, but in the end, we solved all of them. Now, I can operate these firewalls.

Its price is comparable to other companies. The license is on a one-year or three-year basis. It depends on the customers what they want to go for. There are some features that require an additional license, and there is also the cost of the support.

I would recommend this solution. It is a good solution. I would rate it a nine out of ten.

We use it to see and detect malware. It is also used for antivirus, anti-spyware, anti-malware, vulnerability, and Wildfire analysis. We support different kinds of authentication as well: Kerberos, LDAP, TACACS, and SAML. All in all, it is a security device that you can have anywhere on your network, as per the design considerations.

It is deployed in two different ways, either on-premises or on the cloud, which may require a different hypervisor. 

Nowadays, because of the pandemic, everyone is working from home or users are not sitting in the office to work. So, security has become a challenge. For that, we provide GlobalProtect, which is a VPN solution. This will connect to your organization's network, and then you can access anything that is required. This is the most widely used tool that we provide, and it is used worldwide. During the pandemic, it was a massive success for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities which is really important from the end customer point of view. If I have to set up an organization, I will go ahead and buy different devices or platforms. However, if I go ahead and buy Next-Generation Firewalls and put them on the edge of the network where I connect with ISPs, my Next-Generation Firewalls will take care of the security parameters. I don't need to worry about it that much anymore.

Its security profiles are a valuable feature. 

All the logs can be stored in a single place.

Panorama lets all the devices be managed centrally in a single place. This provides the best view for admins into any particular firewall, which decreases those admins' tasks because they can view everything in a single place. 

The machine learning tracks how many packets per second are coming into the firewall.

Any request coming in will go into the DNS sinkhole first, not to the user. We protect our users that way.

Within this one platform, you are getting everything that you want. This single device can provide you with antivirus, anti-spyware, volumetric protection, URL filtering where decryption is required, and file blocking with Wildfire analysis.

Palo Alto Networks NG Firewalls have a Single Pass Parallel Processing (SP3) Architecture, which has a different kind of code doing the work. It increases the packet processing rate. Whereas, without the SP3 Architecture, you are waiting for each job to complete, even if you have 100 jobs assigned.

There is always scope for improvement on any particular device in any particular organization. For example, when there was change from IPv4 to IPv6, some of the firewalls still didn't support IPv6. In North America, we have seen most customers are using IPv6, as they are getting the IPv6 IPs from their ISPs. Sometimes, when they go through the firewall, it denies the traffic.

It has been almost three years.

From a stability point of view, the firewall is very stable because the PAN-OS version doesn't change very often. If a new PAN-OS version is out in the market, our engineering team checks it multiple times.

The network performance is never compromised.

It is scalable. We have small and big clients.

For small clients, there is the PA-220 device, which is very small but still very productive and secure. 

I have worked with one of the TACs, where there are almost 500 TAC engineers present. They have different rules for case priority when a customer opens something. If a customer is paying more to get support, then we have a dedicated engineer assigned to that particular customer. This is much easier for the customer, as they are getting one of the best engineers out there to troubleshoot their network. They never compromise on that.

Sometimes, due to some issues, tickets don't get assigned. Or, they assign the tickets manually if something goes wrong, which is a very odd case. Customers don't understand that. So, we always apologize to customers, and say, "How can we help you out?"

Support is 10 out of 10. 

Positive

We ask the end customer, whosoever has the legacy network in their organization, if they don't need all their extra devices in order to cut down on costs. We then do an IPSec tunnel on the cloud as a gateway. From there, they can route the traffic to the Internet or wherever they would like.

Palo Alto is a unified device with a very streamlined voice. I have worked on Cisco routers and ASA as well, where you have to do a lot of stuff through the CLI and Linux shell scripting. With Palo Alto, those things are streamlined and engineering takes care of everything.

The initial setup is pretty straightforward. It is very user-friendly. Everyone in an organization can learn the platform quickly. When we give training to our new candidates, they learn it very quickly. So, it is a streamlined device.

There is an interface type called V-Wire. You just connect it to your network. It will not disturb anything. You don't need to provide IPs. It doesn't need a separate Mac address. It just connects to a particular interface as a bump in the wire. It inspects your traffic, giving you an overall idea of what applications your organization is using and what user is doing what. If needed, you can deploy it in your network later on. This makes it very easy for our customer to deploy the product in their network before they buy it.

When it comes to installing a new PAN-OS version, it doesn't require you to go to Linux and write tons of commands in order to download and activate the latest PAN-OS version. You just have to download it, click the download tab, click the install tab, and then you are done. Therefore, it is hassle-free and super easy like Windows.

We have a very large team for deployment.

If you buy Palo Alto Next-Generation Firewalls, everything is in a single platform. You don't need to go and buy the Wildfire analysis to track zero-day attacks and lots of other things. Therefore, cost is cut down by 50% to 60% if you go for Palo Alto Next-Generation Firewalls.

If someone doesn't have a security platform in their network, then the following licenses will be required: antivirus, anti-spyware, vulnerability, and Wildfire analysis. There are also licenses for GlobalProtect and support.

Overall, Palo Alto Networks NG Firewalls is a market leader.

With other devices, you need a controller and console to manage them. That is not the case with Palo Alto Networks NG Firewalls, where most of the work is done through the GUI. If you want to deep dive, then you go to the CLI. 

Cisco ASAs give some information on the Nexus Firewall, but they are not streamlined. Whereas, Palo Alto Networks NG Firewalls is a streamlined device and easy to use.

If someone is in a routing and switching domain and wants to come up to a security domain, they should choose Palo Alto Network NG Firewalls.

We are happy to assist customers whenever support is missing. Over a period of time, we see customers raise tickets because they are looking for a particular feature that is not available on the platform. We don't say to our customers, "We don't support this." Instead, we take it as an opportunity, giving that information to our engineering team.

I would rate the solution as nine out of 10. I am leaving room for improvement.

We are using it for network layer protection. And we have added all the Layer 7 protection there is, such as sinkhole protection and spyware and adware detection.

When you have the advanced URL protection enabled on a Palo Alto NG Firewall, the load on the application layer is reduced. The web application firewall features are already enabled in Palo Alto and those features give you an extra layer of protection, even if you have another technology above the Palo Alto firewall. That extra layer of protection is an opportunity that we have with Palo Alto.

The most important thing is that it's really user-friendly. I have almost stopped using the CLI because I like the graphical interface. You can do whatever you want on a single screen, including all the configuration and implementation, using Panorama. You don't have to switch from one place to another. And the best part is that you can manage multiple Palo Alto devices. We do have other companies' devices and for them we need to go to the CLI. But with Panorama, you almost get everything you need. It is very important for managing all the technology and features on the device, and for adding multiple devices, on one page.

Palo Alto also gives you a lot more options to troubleshoot and fix problems. That really helps our operations team.

Another valuable feature is the sinkhole option. If a malicious packet travels across the firewall, the firewall detects it as malicious traffic but it doesn't stop the traffic then and there. That way the attacker assumes that they have been successful but they have not. It's a type of honeytrap. It allows us to keep on responding to those packets.

Also, when the firewall does network discovery it can detect a malfunction or bugs or a configuration issue. That is very important. If your endpoint system is not functioning properly, it gives you an extra layer of protection in the network discovery field. It shows you all the options and all the data if your system is not compliant.

The Single Pass architecture is a nine out 10. A single pass is always good.

Palo Alto keeps coming out with antivirus and malware updates. When we have to integrate those updates we face some problems with the cloud platform, not the on-prem setup. The device works fine, but sometimes the sync doesn't happen on time.

It's not an issue that happens all the time, just sometimes. It's not a major issue. The device doesn't go down. It is not a priority-ticket situation.

Also, while Palo Alto is doing really well, they should bring out some small devices. As of now, we have the PA-800 Series firewall and the 440 Series firewall. A small Palo Alto firewall would be helpful for low-budget companies.

For the last six to seven months I've been using Palo Alto Networks NG Firewalls for architectural purposes. My job is to build infrastructure for our clients to support their functions. I also used Palo Alto for other clients in my previous organization for almost two years.

Scalability is something that I assume is feasible when you have Palo Alto in the cloud. In that case it's feasible to scale it very well, and you don't have to manage it. You just need to order it and it can be scaled per your request.

But with an on-prem setup it can be difficult if you want to scale anything. Then you need to order the physical device and do all kinds of configuration. I haven't really worked on scaling physical devices.

Support is really nice, but they keep on adding features, so regular training is really required for Palo Alto technical support. Every other day, every week, every month, they come up with something new. Sometimes, even technical support doesn't know about an update when it is still in the transition phase. They should have short-term training to be aware of when they are launching a particular new feature.

With more and better training, they will end up saving a lot of time, because they won't have to search for information or ask their colleagues or their engineering team about new features that have been added. That way, customers will be happy.

Positive

The initial deployment is absolutely straightforward. It's a very easy configuration. You just need to follow the instructions.

And the best part is that you get a lot of training material over the internet. I used to think that Cisco gave the best training materials over the internet but I was wrong. If you have any problem, you can Google it. There will be a lot of answers for Palo Alto NG Firewalls on the internet itself.

If everything goes well and if you don't have a major configuration to implement, you just want to set it up, the maximum it would take is one to two hours, because the image deployment is very easy. Once the device is racked up properly and all the cables are connected, you just need to boot up with the latest image and start the to-the-box and through-the-box configurations. Both configurations can be done within two to three hours.

The pricing is fair enough. 

This year, the pricing has increased. They played it really smart by increasing the support license costs and decreasing the platform costs. If you don't want to go for that particular license, you can opt out. The pricing model is very helpful, especially for small companies. If they don't want URL Filtering because they don't have any URL options, they can opt out of the URL Filtering.

I haven't seen Panorama go down in my entire tenure. I've worked with different companies. For example, I worked in Cisco TAC. Cisco users used to say that Firepower, the unified platform, was down and that they could not manage anything. Even though all the other components were running, they could not do any configuration because the unified configuration page itself was down. And, unfortunately, you don't have the ability to configure anything using the Cisco CLI anymore.

But I would give a slight edge to Cicso's technical support over Palo Alto's. I would rate Cisco's support at nine out of 10, and Palo Alto's at eight. Cisco gives priority to its customers.

Before you go ahead and invest in Palo Alto, look at as many reviews as you can. Do proper research before you deploy any firewall.

If someone says they are just looking for the cheapest and the fastest firewall, I would tell them to go for the PA-800 Series and their problem will be solved. Also, for small office requirements, you could go with the PA-440. The PA-450 and 460 will be a little expensive. If your requirements are to set something up for less than 100 users, the 440 will do it.

Our company, in particular, always wants an extra layer of protection. They don't remove any extra layers of security. But an advantage of Palo Alto NG Firewalls is they are sufficient to tackle complications

Palo Alto's firewall is stable, helpful, and user-friendly.

We have implemented our own private cloud where we host different services for a number of internal companies that are part of a group. We have financial companies, hospitality, and construction companies; a large variety. We use Palo Alto to provide security protection for all these companies.

Previously, with our old firewalls, we did not have any visibility. The application layer was zero. We didn't have any visibility there. And we also didn't have any reports. Now, we have good visibility and we are able to get reports and we can monitor the network much better. That's a big change for us and a big help.

There are a lot of helpful features

• monitoring
• reporting
• WiFi.

You can easily integrate it with Active Directory, and you can use the GlobalProtect VPN for internal and external purposes. The URL Filtering is also clear and the application filtering is a plus. The application filtering is much better when you compare it to FortiGate or other firewall vendors.

Also, the fact that Next-Gen Firewalls from Palo Alto embed machine learning in the core of the firewall to provide inline and real-time attack prevention is very important. Nowadays, all the modern attacks, hackers, and bad people are becoming more intelligent and automating attacks. Embedding AI is a good idea.

We have complete visibility through the logs and the alerting. It depends on how you configure the firewall. You can configure it to get alerts whenever there's an attack or whenever something is happening. That's how we can assess if the firewall is doing the job correctly or not. We are happy with the way the firewall does its job.

There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI.

We have been using Palo Alto Networks NG Firewalls since 2012.

The big firewalls, like the PA-300 and the PA-3020, are very good, stable, and performant. They are very reliable. The smaller models are reliable, but the performance on their management plane is a bit slow. Even the management plane of the PA-850 is a bit slow when you compare it to some of the bigger models.

Scaling is easy. We currently have about 1,000 endpoints.

We haven't worked with their technical support.

We replaced a Cisco ASA Firewall with Palo Alto, and then we started replacing all our other firewalls with Palo Alto. Cisco ASA was not a next-generation firewall at that time. And no firewall could beat the traffic monitoring and the visibility that we had on Palo Alto.

We did a PoC before going to Palo Alto. We placed the Palo Alto in virtual wire mode, meaning a transparent mode. Without changing our existing network infrastructure, we were able to plug the Palo Alto into our network where we could see all the incoming and all the outgoing traffic. Without creating any policies or any blocking, we were able to see all the traffic and we were impressed with that part and we decided to switch to Palo Alto.

The first deployment was very complex. I was not the one who implemented it, it was an integrator, but it was a headache due to some difficulties. After that, things became easy. We have implemented six or seven Palo Altos, and things are easy because of our familiarity with the whole deployment process. The first time we were using this firewall we were not at ease with the product. After that, we got used to it and it became easier.

Because of the issues with the first one, it took one week for the deployment, for the complete transition from Cisco ASA to Palo Alto. Since then, all the deployments have been done in one day.

We have seen ROI as a result of the visibility and reporting. These are two things we didn't have, and now that we have the visibility, we can ensure  that our network is secure.

If you compare Palo Alto with other firewalls, it's a bit expensive.

At that time, Palo Alto was the leader and I think it was the only next-gen firewall.

We have looked into other firewalls since then. In 2017 or 2018, we decided to replace one Palo Alto with a Forcepoint Next-Gen Firewall. We placed that in the network but, after six months, we replaced it with Palo Alto.

If someone is looking for the cheapest and fastest firewall, I would say the fastest is good, but not cheapest. Palo Alto Firewalls are not cheap.

We use it as an Internet-facing parameter firewall. In my environment, it has security and routing. It is on a critical path in terms of routing, where it does a deep inspection, etc.

There have been a lot of improvements from security to service.

It is critical that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. In my environments, we have an integration with a third-party vendor. As soon as there is new information about new threats and the destination that they are trying to reach on any of our network devices, that traffic will be stopped.

Setting up a VPN is quite easy. 

It gives you a lot of information when you are monitoring traffic. 

In terms of user experience, Palo Alto has very good user administration.

Machine learning is important. Although we have not exhausted the full capabilities of the firewall using machine learning, the few things that we are able to do are already very good because we have an integration with a third-party. We are leveraging that third-party to get threat intelligence for some destinations that are dangerous, as an example. Any traffic that tries to go to those destinations is blocked automatically. There is a script that was written, then embedded, that we worked on with the third-party. So, machine learning is actually critical for our business.

There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better.

I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

I started using Palo Alto in 2015.

It is very stable. We had two outages this year that were not good. They were related to OSPF bugs. Those bugs affected our service availability. 

It is quite scalable. I have been able to create a lot of zones to subinterfaces for a number of environments. I don't really have any issues regarding scalability. It meets my expectations.

Palo Alto Networks NG Firewalls technical support is very poor. Three or four months ago, I had a bug where the database of the firewall was locked. You cannot do anything with it. We looked for documentation, giving us a procedure to follow, but the procedure didn't work. We logged a complaint with Palo Alto Networks, and they gave us an engineer. The engineer relied on documentation that doesn't work, and we had already tested. In the end, the engineer gave us an excuse, "No, we need this account to be able to unlock it." This happened twice. The way out of it was just to restart the firewall. You can restart the firewall and everything goes back to normal. Therefore, I think the support that we got was very poor.

Neutral

I have used Check Point and Cisco ASA.

Initially, when I started with Palo Alto, we had Cisco ASA, but Palo Alto Networks beat ASA hands down.

We have a multi-vendor environment with different providers. Our standard is that we can't have the same firewall for each parameter, so there is some kind of diversity. 

We had ASA looking at one side of the network and Palo Alto Networks looking at the other side of the network. We also had Juniper looking at another side of the network. At the end of the day, ASA was very good, I don't dispute that. However, in terms of functionality and user experience, Palo Alto Networks was better. 

Palo Alto Networks beat ASA because it was a next-generation firewall (NGFW), while ASA was not.

When we bought Palo Alto, we had Juniper devices in our environment. We were told that it was a bit like Juniper, so we were happy. However, some people were a bit skeptical and scared of Juniper firewalls. Because of that, it took us a very long time to put them on the network. However, as soon as we did the implementation, we realized that we were just thinking too much. It was not that difficult. 

We deployed Palo Alto Networks as part of a project for data center implementation. The implementation of the firewall didn't take long.

We buy through a third-party. Our account is managed by IBM.

We have seen ROI. There is more visibility in the environment in terms of security. There was a time when we suspected a security breach, and this firewall was able to give us all the logs that we expected. 

Palo Alto is like Mercedes-Benz. It is quite expensive, but the price is definitely justified.

One thing is system administration. In our opinion, Palo Alto administration is easier compared to other vendors. I know other vendors who have Check Point. You have to manage Check Point, and it is a bit cumbersome. It is a very nice, powerful firewall, but you need more knowledge to be able to manage Check Point compared to Palo Alto. Palo Alto is very straightforward and nice to use.

In our environment, troubleshooting has been easy. Anybody can leverage the Palo Alto traffic monitoring. In Cisco ASA and Check Point, you also have these capabilities, but capturing the traffic to see is one thing, while doing the interpretation is another thing. Palo Alto is more user-friendly and gives us a clearer interpretation of what is happening.

One thing that I don't like with Palo Alto is the command line. There isn't a lot of documentation for things like the command line. Most documents have a graphic user interface. Cisco has a lot of documents regarding command lines and how to maneuver their command line, as there are some things that we like to do with the command line instead of doing them with the graphic interface. Some things are easy to do on a graphic interface, but not in the command line. I should have the option to choose what I want to do and where, whether it is in the command line or a graphic interface. I think Palo Alto should try to make an effort in that aspect, as their documentation is quite poor.

We would rather use Cisco Umbrella for DNS security.

I compared the price of Palo Alto Networks with Juniper Networks firewall. The Juniper firewall is quite cheap. Also, Palo Alto Networks is a bit expensive compared to Cisco Firepower. Palo Alto Networks is in the same class of Check Point NGFW. Those two firewalls are a bit expensive.

It gives us visibility. In my opinion, the first firewall that I would put on our network is Palo Alto Network and the second would be Check Point.

Palo Alto Networks NG Firewalls is a very good firewall. It is one of the best firewalls that I have used.

I would rate Palo Alto Networks as nine out of 10.

We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

Wildfire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

We have deployments in other campuses, as well.

As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

Overall, our experience with ProSys was good. We like working with them.

Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do but, I just want to make sure that from my university's perspective, we don't get stuck. If all of a sudden, somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

I would rate this solution a ten out of ten.

It is a data center firewall solution and a centralized management for remote office firewall solutions. We have 30-odd remote offices where we are putting firewalls in to replace the standard routers that we used to have. This solution will give us a little bit of routing and firewall capabilities.

We are deploying the PA-440 Series in our remote offices.

Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration. 

The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.

The firewall feature is great because we didn't have specific firewall capabilities beforehand. The anti-malware features and the ability to plug into our mail scanning are valuable as well, so we can share data between our email antivirus scanning solutions. That integration has been quite useful.

Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is another string to the bow of our layered security approach. So, it is important. It is not the big reason we bought it, but it is a useful component to our layered security approach. Security best practices push for a layered approach because there are so many different factors that you need to cover: 

• Email threats
• Malware
• Viruses
• Accidental human mistakes made internally to your network.
• Malicious humans in your network and outside your network. 

Therefore, a multi-layered approach really is a security best practice way of attacking security. You can't just worry about the parameter; you need to worry about what's inside your network and how things come in.

The key thing is that we don't have to try and play Whac-A-Mole. The machine learning-powered firewalls do that for us. As a recruitment company, we can never have the necessary technologies available to us to try and do this ourselves, so leveraging the machine learning power from Palo Alto reduces the risk for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is very useful. This prevents us from having to go to a lot of different systems, and in some cases, many different systems in many different regions, because we are a global company with 60 remote offices around the world in 30 different countries. Its centralized platform is really what we look for in all services, whether it be security or otherwise.

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

We started with a couple of firewalls about 18 months ago. We started them in our data centers and are just about to deploy them in our remote offices.

It has been very stable.

On the maintenance side, we haven't increased our team at all. One of the great things that we have been able to improve is the capability of our team without increasing the number of heads who are using Palo Alto.

It is scalable with what we need. I am not looking at thousands and thousands of devices, so it is well within what we need for our few hundred devices.

We often didn't deploy tools because it was too hard to try and manage them with our small team. This solution has enabled our small team to be way more effective than they were before. It gives us the visibility and control that we need.

We have a senior network administrator and about five operational guys. There are also some service desk-level guys and about 12 of them have visibility into activities, but they don't actually change things. Change control is quite closely guarded.

We have deployed the solution in a couple of data centers. We are deploying it across 30 offices this year and plan to do the next 30 to 30-ish offices in the next 12 to 18 months, as some of their hardware retires or has expired. We are not pushing it out too fast. We are going with the cadence of the business.

The technical support is very good. We had some nasty questions, but they were sorted out quite quickly. The problem that we had, because it was live, was it took us a little bit of time to deploy stuff. We also have a good relationship with their pre-sales engineers who offered advice and guidance, specifically as part of the deployment.

We previously had Cisco ASA Firewalls in some locations and Cisco Security PAK Routers in other locations that gave us a base level of firewall. So, we didn't previously have any next-generation firewalls. These are our first real next-gen firewalls.

We switched solutions because we didn't have enough of the network security covered. Also, we wanted centralized visibility and control, which was key for us.

When we did some red team testing, we found that there was a way to get some data out through our existing DNS environment. We knew we had to fix the centralized DNS management, visibility, knowledge of the DNS queries, and the visibility of the DNS queries as a result of some testing that we did. Whereas, before they were all geographically disparate, having a centralized place to look at to be able to do some analysis and visibility really are the key things for us.

The initial setup was not simple, but it is simplified. What was really good was the free training beforehand. As an architect, I don't get my hands that dirty, but I was able to go through a number of the free courses beforehand, or workshops, that were done online. Their training platform was very useful in helping me get an understanding of the product and how we would deploy it in our own environment. The actual deployment, as with anything network-related, is fairly complex because we have a very connected network with a lot of different entry points. While it takes time, it was very useful to get the training beforehand.

The deployment took about three months, but it was in the midst of a data center migration. It probably only took us a month to deploy it properly, but then we had to migrate services over, which took another six months. Again, this was part of our data center migration project. To actually get the solution installed was very quick, it took only a couple of days to get it up and running. However, to move services onto it, you need to be a bit careful when you start to move the live services onto it.

Our implementation strategy was really focused around our data center migrations and moving stuff out of one data center into another. As we moved services from one data center to the other, we brought them onto Palo Alto's in the new data center rather than onto the existing old routers and firewalls. So, it was really governed by the business, applications, and what we could move when.

We used Palo Alto directly for the deployment. Our experience with them was great.

To deploy it, we didn't employ any more staff. We did send a few people out remotely. With COVID, travel is a little bit tricky. So, we have some remote agreements with some suppliers who will go out for a day, plug a device in, and help us with the initial out-of-the-box config. That is normally two to three hours per site that we have to do, which is what I would expect from this kind of device.

Look at Palo Alto because it is a bit modular, so you can take the components that you need when you need them. You need something that will do the job. It doesn't matter if it's cheap and fast, if it quickly lets through vulnerabilities. You need something that will be reliable.

We were very happy when they released the PA-440s. Previously, we had been looking at the PA-820s, which were a bit of overkill for us. Price-wise and capability-wise, the PA-820s hit the nail on the head for us.

Go for a three-year deal, then Palo Alto will bring in some discounts. We also deployed them as HA Pairs to make sure we had resiliency.

We looked at Cisco and Fortinet. The reason that we went with Palo Alto was they were fairly cost-effective. They were also a bit easier to manage. The central management and control of Palo Alto was a little bit nicer than the Cisco side of things. I think everyone achieves the same things in slightly different ways. The way Palo Alto achieves their centralized management and control resonated a bit better with us and our requirements.

We haven't actually deployed Palo Alto NGFW’s DNS Security yet, but we will be doing that.

It is great that 100% of the tested attacks were blocked in the NSS Labs Test Report from July 2019 about Palo Alto NGFW. It is a great story, but I never trust 100% because that's why we have layered security. However, it definitely provides a great level of comfort in our security structure.

I never give anyone a 10, so I will give the solution a nine (out of 10).