Palo Alto Networks NG Firewalls Reviews

We use it to control what users may access internally and externally, which covers everything. We are using its latest version. The model that we are using is 3220.

Its flexibility is the most valuable.

Its price can be better. They should also provide some more examples of configurations online.

I have been using this solution for one and a half years.

It is very stable.

We haven't scaled it because if you want to scale it upwards, you have to change the firewall.

I have sometimes used the local support here in Norway. That has been okay. There are no problems.

I have tried Sophos, Cisco, and FortiGate. This is the best firewall.

The initial setup is easy. There is good documentation for this.

Its price can be better. Licensing is on a yearly basis.

I would rate Palo Alto Networks NG Firewalls a ten out of ten. It is the best solution I have tried. I am happy with this solution.

Our solution is now based on clustering and load balancing. We can add more nodes to our environment to accommodate the new load within our company.

We have about 2,000 to 2,300 users on Palo Alto NG firewall support.

Palo Alto has a line of products for different customers. If you do the sizing it from the beginning, considering that you are a growing company, it is fine.

You need to plan for the future, which means that you have to pay in advance through investment. With Palo Alto NG Firewalls, the cost will be higher.

We would like to have the processing power to be enhanced with every new CPU so that we are getting more cores. Palo Alto is incorporating this. 

We are requesting now a new firewall that will come in with higher power, i.e. the 5220.

I found Palo Alto NG firewalls more intuitive compared to other products. I value the capability to identify a cloud solution.

Palo Alto has a good product and end-user experience. It's great. They can maybe add more processing power to their hardware. That's it. 

Sometimes it's stuck and you need to restart it. They have been adding a lot of things, so we need to upgrade for the new features.

Palo Alto NG is a stable product as long as it's working. It does what it expected to do. But sometimes for some reason the hardware resources spike, so it stops responding. 

The only fix is to restart the firewall,i.e. a  hardware restart. This is one of the issues. It's not related to the software because of the troubleshooting that we did. 

It's about resource consumption. Some hardware and software issues Palo Alto needs to work on. They released their Palo Alto Operating System which enhanced their product suite.

The scalability compared to other products is not good. You need to change the box whenever you want your number of connection sessions to increase. 

You can't just upgrade the parts with a software key or with adding additional hardware. You need to replace the entire box. It's not scalable. 

The solution's technical support is responsive. They are good.

We previously used a different solution that was Fortinet. I'm still using it. There's another area in the network where we use Fortinet.

We shifted from Fortinet to Palo Alto. It's just mapping the network from the available firewall to another firewall. It wasn't complex. 

Between deployment and stabilization, the product was completed in two weeks, i.e. 10 working days.

One of my team did the installation under my supervision.

You have to do proper network design from the beginning. You have to look into future expansion. Otherwise, after a year, you have to replace the entire box.

On a scale from 1 to 10, I would rate this product a seven because the point of scalability within their product is a big issue. 

If you have to put a huge investment in front to accommodate future expansion, it is fine. 

It requires forecasting. If your forecast is not correct and you are not growing to that point, then all your investments will be a waste. 

If you're adding a block so that it can accommodate your user traffic demand, then that would be perfect. 

I buy one block at a time now. I can't buy two blocks at the same time. That's a waste of money with Palo Alto NG firewalls.

I use the PA-220 to protect the LAN at my small-ish (about twenty people) office. We have several remote users who use the GlobalProtect VPN. As we move into a data center for hosting, I'll buy a second PA-220 to set up a site-to-site VPN. We also have a VM-50 for internal testing and lab use. 

I'm writing this review because it's a great product and I think it's ranked much too low on the review ratings. One of the things I really like about it is that we have the same features and functions available on the entry-level device (PA-220), as do large corporations with much more costly appliances.

With all the bells and whistles turned on, I can block access to websites based on their location (country), content, or other criteria. The reporting is really useful and shows me the most frequently used applications, and provides me with great visibility as to what my network users are doing on the internet. With this firewall in place, I can finally enforce the variety of acceptable use policies which have existed only on paper. 

The most valuable features are blocking traffic by country, and URL filtering to improve policy compliance and our overall cybersecurity posture. The ad blocker is also pretty handy. Moreover, the VPN client has turned out to be more useful than I initially thought, and the users love the 'one-click' connect. 

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

Technical support for this solution is great.

Previously we used a pfSense firewall. I was very unhappy with it, as it had a limited feature set and was not intuitive to configure. 

The initial setup is complex, due to all the features offered. You really have to know what you're doing.

Implemented through a vendor who was knowledgeable with the product. It took at least a few months of tweaking before we got the firewall to the point it's currently at. 

It will be worth your time to hire a contractor to set it up and configure it for you, especially if you are not very knowledgeable with PA firewalls. 

We looked at Cisco Meraki, but I wasn't really all that happy with it. 

I've used it and I'm very happy. Frankly, I think this site under-rates the technology, as it should be in at least the top three.

We have two 3000 Series Firewalls placed in our primary location. We have two sites and the secondary site uses the primary site for internet access. All traffic to the secondary location goes through a VPN tunnel. I'm a network administrator. 

The value of this solution for me is the protection from a single packet and ease of making security rules. It also doesn't require a special dedicated network team, I'm able to do it myself. It's a time saver for me and now in this pandemic period, users have access from home.  

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem. 

I've been using this solution for 10 years. 

It's been 10 years and I don't remember any outages because of a hardware failure or a logical error in configuration. We had problems with servers or switches initially but it works like a charm now. 

Scalability is the main disadvantage of Palo Alto. They call themselves a firewall with router capabilities but it's not a router and it requires a good bandwidth in VPN which could become a problem because you have to scale to really big hardware. We can solve the issue with other solutions, but for me the idea is to have less devices in your environment.
It's all about the hardware.  

The support is quite good. A couple of months ago, I sent an email with an issue and we got an answer in 15-20 minutes. In my experience, Palo Alto support is one of the best, maybe the best support available.

We previously used Juniper which is currently called Net Screen. I also looked at Sonic Wall. We carried out a proof of concept five years ago and they had to decide whether to go with Palo Alto or another vendor. 

For me, the initial setup is very easy. To get the device running with some capabilities but maybe not all security rules takes about an hour and it's the same for any upgrades. We have around 900 users and one admin person from our organization who deals with any issues. 

Palo Alto is an expensive solution, we currently have a three year contract. I'm not sure what our terms are. People always want cheaper, nobody wants to pay more. In our region, I think if Palo Alto was cheaper, more companies would buy the solution. 

I would absolutely recommend this product, it's expensive but I trust it. There is always room for improvement such as with scalability capabilities in Palo Alto. I know I'm not the only one who thinks this is an issue. It's possible that next time we will try virtualized firewalls, it may be a little cheaper for us. We would consider switching to something else but it would be a big move and quite complicated. Moving to a different vendor is a whole other story.

I rate this solution a nine out of 10. 

We are using this solution for IDS, IPS, and VPN services.

Also, we are using it for gateway purposes. The development team accesses the data center, and the file intrusion prevention policy.

The most valuable features are the content ID, IPs, and the URL filtering service to enable protection. 

The structure is much faster and more sophisticated than Cisco.

Their cloud support is smart.

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device.

The hardware is weak.

In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security.

I would like a collaboration system and reporting ASA policy needs to be smarter.

It's definitely a stable solution.

For LAN purposes, we have 700 plus users.

The technical support is good enough.

We are using Cisco support and they are very good. 

The Palo Alto support is faster and their support is also good.

The initial setup is straightforward.

It takes a maximum of two days to deploy.

Two or three guys are enough to deploy and maintain it.

We used vendor support for the deployment.

We plan to continue the usage of this solution in the future and I would recommend it to others. 

The product is very good, I would rate Palo Alto Networks NG Firewalls a nine out of ten.

We have multiple IPS applications, and other multiple use cases.

We are using pretty much all of the features. This is deployed in our parameter and pretty much provides for different functionalities, for all incoming traffic and outgoing traffic.

The support could be improved.

The next release could use more configuration monitoring on this one, and additional features on auditing.

The solution is generally stable. There are no issues. We have forty-thousand users.

The solution is scalable, yes. We don't plan on increasing usage.

We are being provided with decent support but some of the RCS, some of the issues can be resolved much faster.

We were using Check Point. We switched because of certain features: entire equity, ideas, application visibility, single interfacing, etc.

The initial setup was complex. We're in the process of replacing it in seventy or so locations, and setup is still ongoing, but going well. It was complex because of the multiple zones that we had to create. We had multiple interfaces so there are multiple complexities that we had to address. We don't require extra staff to maintain the solution.

We implemented through a system integrator.

We have seen a return on investment. 

I don't have data points, but some of the use cases that we have already delivered to the organization have shown that a lot of threats have been identified and has been blocked. I don't know how you can quantify that. At the same time, the effort was significantly reduced on the deployment of new routes based on this.

I think, if you compare, they're a little costly next to Cisco of Check Point, but they offer a lot of other additional features to look at. The licensing is annual, and there aren't any additional fees on top of that.

We actually did not but we were using two or three other products already, so we had a good idea of what to expect.

I'd say the blueprint of the implementation needs to be ready before you start the implementation of the product. The product is generally stable and the team provides a good presence on it, but at the end, if you're putting it in the mission-critical data center, the planning needs to be extensive.

I would rate this solution an eight and a half out of ten.

We primarily use the solution as a datacenter firewall for 0 trust security model

From my experience, comparing it to other products, the granularity you can have in the application is very good. The application detection is excellent. It's certainly one of the best. 

The engine detector application is usually one of the best compared to any other firewall on the market, in my opinion.  With it, I can do a lot of rules based on the application. If you have multiple internet links, you can have an application export from one link, and an application wire from another link. You can have security on the application. The security, for example, can have different functionalities. Basically, the granularity of rules is amazing in Palo Alto.

They have a good reputation for their antivirus capabilities.

The solution offers a strong URL based system or detection for malicious URL or malicious files. 

They even have a machine learning algorithm. They do a lot of very advanced detection for files and URLs. 

Once you deploy the product, you can basically forget about it. It has high customer satisfaction because it's always just working.

The solution would benefit from having a dashboard.

From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

We've been working with Palo Alto for about six years now.

From my experience, it's the best hardware compared to other NG firewalls from the perspective of performance stability. While the other firewalls lose 50 or 60% of performance when enabling all policies, Palo Alto loses 10 to 20% maximum, even with enabled IPS and fire detection and all. From our experience performance-wise, it's one of the best hardware solutions for firewalls. 

We haven't lost performance really, so I would describe it as very stable. There are not any issues.

Since the solution is hardware, there are some limitations in terms of scalability.

Usually, in hardware, you can't say it's scalable or not due to the fact that you have the limitations built-in related to the size of the box. The box has a maximum number that it can reach. You can add more hardware, however, the hardware itself is finite.

We usually do a POC first so we can get the figures for performance and we can put in a box that can support 20 or 30 people extra for future expansion.

In general technical support is very good. That said, usually, when we face an issue, we try to solve it ourselves internally before going to level one support. 

In general, we never have had a big issue with support. I don't have much experience with the support team to tell you if they're really good or not. Usually 80% of the cases we open, we talk with the distributor and finish the operation case directly with Palo Alto. It's more like a backend request and therefore I don't have much input that would be objective.

As resellers, we also work with Cisco and some Forcepoint solutions.

I like that in Cisco there's more security parts, like IPS, and a Demandware engine.

I like Cisco, in general, more than Palo Alto if I'm comparing the two. However, from an application perspective, our application's usability and detection and firewall control using an application, it's Palo Alto that's the best on the market. That's, of course, purely from a  firewall point of view. Even in terms of detection of the applications, it has the best system.

The deployment depends on the client's environment as well as how they are using it. For example, an internet NG firewall on the internet, it takes, on average, a week between installation, integration, and tuning. Usually we don't do all the policies because we are system integrator. We do the main policies and we teach the customer and then do a handover to the user for tuning and all the installation extras.

If it's a data center project, it takes more time and effort. It takes a month sometimes due to the fact that we'll be dealing with a lot of traffic. The application and server are usually harder to control than internet applications like Facebook and other standard applications, and easier on the internet. Then there's also internal applications, custom applications, migrating applications, finance education applications, etc., which are not always direct from the customer or directly known.

In short, the implementation isn't always straightforward. There can be quite a bit of complexity, depending on the company.

In general, I prefer hardware, and Palo Alto's is quite good. However, we have a couple of virtual deployments for cases as well.

I would definitely recommend the solution. It's one of the best firewalls on the market. I've worked with four different vendors in the past, and some of the most mature NG firewalls are Palo Alto's. It's their main business, so they are able to really focus on the tech. They spend a lot of time on R&D. They're always leading the way with new technologies. 

While Cisco has more main products, Palo Alto really does focus in on NG firewalls. That's why I always see them as a leader in the space.

I'd rate the solution nine out of ten.

We have had a couple of big projects with government companies here in Ukraine. One of those projects involved three data centers with a lot of security and network requirements, and we implemented Palo Alto as part of this project.

The use case was to build the new data centers with a firewall that would not only work on the perimeter but also for internal traffic. We deployed eight PA-5200 Series firewalls and integrated them with VMware NSX, and they're working together.

One of the points that helped us win the tender is that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention. The customer's security team was asking for this feature from the firewalls because machine learning makes things much easier than manually sitting there with some kind of SIEM and searching for all kinds of attacks and critical issues. The machine learning is really helpful because it's doing the work automatically.

We had a small project with the PA-800 Series appliance where we implemented DNS Security. DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network.

In general, Palo Alto NG Firewalls are 

• easy to manage
• good, reliable appliances
• easy to configure.
  

They also have a good balance between security and traffic. They have good hardware and, for management, they have their own data plane. If traffic is really overloading the data plane, you still have the ability to get into the management tools to see what's going on. You can reset or block some traffic. Not all firewalls have that feature.

They have really good clients, such as a VPN client. You can also enforce security standards on workers in the field. It's a really good product. And now, for endpoint security, they have Cortex XDR. You use the same client, but with additional licenses that enable more features.

The only area I can see for improvement is that Palo Alto should do more marketing.

We work with customers, but we are not using the solution ourselves.

The scalability is really good because they have a chassis version of appliances. They plan to build new chassis. But for the really big projects here in Ukraine, we can easily cover what we need with the PA-8000 Series with Palo Alto chassis appliances.

In our project with the three data centers, each data center was able to process 40 gigs.

First-level support is provided by our distributor Bakotech. They are technical guys and they really know the product. Unlike some support providers who just send you manuals to ready, they're really helpful. You can call them at any time and they get back to you shortly and help.

The initial setup is really easy. If you're working with Palo Alto Panorama, which is their management server, it's very easy to deploy a lot of appliances in a couple of days, because you're just sending out the configuration and templates on a blind device. In a couple of hours that device is working like the rest.

Another valuable aspect of Palo Alto NG Firewalls is that the appliances and software are really reliable in terms of stability and performance. Some firewall vendors don't write real information on their datasheets and, after implementing them, you see that the reality is not the way it was described. For example, when it comes to threat prevention and how much traffic appliances can handle, there was a project where we beat another vendor's firewall because Palo Alto has the real information on its datasheets.

I have some experience with Cisco, on a small project but there was a somewhat older software version, and there was a lot of lag. When changing something in the configuration, once you pushed "commit" you could go have a coffee or do other stuff for 20 minutes or more, because it took a really long time to push that configuration to the device.

If a colleague at another company said to me, "We're just looking for the cheapest and fastest firewall," I would tell them that the cheapest is not the best. If you need really reliable hardware and software, and don't want headaches after the implementation, just buy Palo Alto.

The PA-400 is really strong and not only for SOHO or SMB companies. They have a really big throughput with Threat Prevention and DNS Security enabled. It's a really good appliance in a small size. But it's not only for small companies. The PA-460 can easily handle the traffic of a midsize company, one with 100 or 200 employees, and maybe even a little more. The PA-460 can handle about 5 gigs of traffic. With Threat Prevention, they can handle 2.5 gigabytes of traffic. For a regular office, that's good. It might be a little small for big companies.

Regarding DS tunneling, it is mostly peer-type attacks. With tunneling, it depends on what type of tunneling is used. You need to look at the specific case, at things like whether it was an internal DNS tunnel or one from the outside to the inside between branches. Most of the time, you can see that kind of traffic with a firewall if you have enabled full logging and you drop the logs into a good SIEM, like ArcSight or others. You will see the anomaly traffic via tunnels. You can also switch on decryption so you can decrypt a tunnel and see what is going on inside.

We have had no issues from our customers who are working with Palo Alto NG Firewalls. They fully cover all our customers' needs.