Palo Alto Networks NG Firewalls Reviews

Our primary use case of the Palo Alto firewall is to control incoming and outgoing traffic as the firewall is deployed at the perimeter. Also we have used a VPN in that device so remote users can access the internal networks. We are partners with Palo Alto and I'm from the implementation team and work as a technology consultant. 

The GUI is very simple in Palo Alto and I like that. We rarely have any issues but when we do, the stability of the solution is very good. All the options they offer; creating objects, configuring VPN, it's all pretty simple and straightforward. The solution is continuously in use in our company. 

The support could definitely be improved. Whenever I call the tech engineers, there's a long wait time. For an additional feature, I'd like to see the segmentation in policy. Check Point has a good feature for segmenting policies that I'd like to see implemented in Palo Alto. It would make things easier for the operation team to create & identify particular policies, or to place a policy in that segment. Finally, there are limitions to the hardware in the number of objects & policy we can create is limited which is not the case with Check Point or FortiGate.

The stability is good in the Palo Alto firewall.

The Palo Alto firewall cannot increase the RAM and we can't do that either. We're unable to increase any physical boundaries of the firewall. That is one of the cons of Palo Alto. Our organization is pretty large and I am currently working on Palo Alto for three clients. I have a total of about 10 clients who are using the Palo Alto firewall. 

The initial setup is pretty straightforward. We just had to do the initial configuration of hardware, deploy our Panorama VM and integrate with hardware firewall, and it is pretty simple. It's also quite self-explanatory. 

We have five-year contracts with Palo Alto. I know the solution is on the expensive side but I'm not involved in licensing and don't have the numbers. 

I have also worked on Check Point and FortiGate, the hardware firewall. The Check Point Firewall has three-tier architecture where one security gateway & management server is there & smart dashboard is deployed on Windows. The application is required to control the Gateways. On other hand In Palo Alto, we just take GUI access of the firewall or Panorama to deploy any security policies and the architecture is very simple. As mentioned, the downside of Palo Alto is that there is a limitation to the number of objects that can be created. 

I would 100% recommend this solution and they have provided pretty good documentation on their website, so it's easy for operations as well.

I rate this solution a nine out of 10. 

We use it as a firewall. We have VPN, IPSec, or site-to-site VPN. We also protect our few internal web services. 

Everything is easy in Palo Alto Networks NG Firewall. It is very stable, easy to configure, and easy to upgrade. It is also very easy to create custom policies and applications. Everything can be done with the click of a button. 

It is also good for the protection of web services. Nowadays, they have a rather new DNS security feature, which is pretty good and functional. We did a one-month trial, and it is the best product for the firewall network.

Its price can be improved. It is expensive.

Other vendors have pre-configured policies for the protection of web servers. Palo Alto has an official procedure for protecting the web servers. Many people prefer pre-configured policies, but for me, it is not an issue. 

I have been using this solution for almost six years.

Our version is not scalable. The new version is scalable on the network interface. It comes with slots where you can put your SFP if you want a fiber or copper. 

We have almost 600 users who use it for accessing the internet. We have about 50 to 70 VPN connections.

I didn't contact them because I don't get any technical issues with any feature of the firewall. I didn't have the need to open a case. If I have any issue, I am able to resolve it by using my cell phone and taking help from the internet. 

I was using Check Point before Palo Alto. I am very disappointed with Check Point because I had to reboot power three to five times a week. Palo Alto Networks NG Firewall is comparatively very easy to manage and use. It has better logic for configuration than other firewalls.

The initial setup was straightforward. When I migrated from Check Point to Palo Alto Networks NG Firewall, it took about an hour and a half to reconfigure all policies and services.

I deployed it myself. The logic is very easy when you configure it. I did 90% percent of deployment on my own. For the remaining 10% deployment, I found the information on the internet. 

I am the only user working on this firewall. I am a system administrator.

It is a little bit expensive than other firewalls, but it is worth every penny. There are different licenses for the kinds of services you want to use. When we buy a new product, we go for a three-year subscription.

We have not had any issue with this solution. I really hope that we continue to use this solution. Its price is higher than other solutions, and the company might go for another firewall.

I would recommend this solution to other users. I would rate Palo Alto Networks NG Firewalls a nine out of ten.

We primarily use the solution for the firewalls. We're also using the next-gen features to shape what's going on. For example, to figure out what is allowed out and what isn't allowed out on a layer-7 application-aware firewall. We can block based on the application, as opposed to port access.

The solution helped us stop being policemen to our users. We don't have to run around telling people they can't do certain things. We can just not allow it and walk away from it. We're not out there seeing who is doing what, we just don't allow the what.

The solution allows us to set parameters on where our users can go. We can block certain sites or ads if we want to.

The firewall capabilities are very good.

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. 

The appliances I'm working on are relatively old now. We're talking five-year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes.

Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly.

The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam. 

I've been using the solution for five years.

The stability is awesome. I haven't had any issues with the solution stability-wise. I've got the same firewalls that have been out there for five years and they work great.

I don't work with enterprise-class products. I'm not in that environment. However, so as far as I know, Palo Alto has products that will go that large. Panorama may be able to scale quite well. You can manage all your appliances out of it. They are a very popular license.

Their GlobalProtect license is very much like Cisco's AnyConnect. It does the endpoint security checks. It makes sure they've got the latest patches on and the antivirus running and they've got the latest antivirus definitions and whatnot installed before they allow the VPN connection to happen. It's quite nice.

Their support is very good. I've never had any issues with their support. I would say that we've been satisfied with their level of service. 

Occasionally there may be a bit of a language issue based on where their support is located.

The initial setup is pretty typical. It's like any firewall. As long as you've worked with next-gen firewalls, it's just a matter of getting your head around the interface. It's the same sort of thing from one firewall to the other. It's just a matter of learning how Palo Alto does stuff. Palo Alto as a system, for me, makes a whole lot of sense in the way that they treat things. It makes sense and is easy to figure out. That's unlike, for example, the Cisco firewalls that seem to do everything backwards and in a complicated way to me. 

I haven't worked with enough Cisco due to the fact I don't really like the way they work. That isn't to say that Cisco firewalls are bad or anything. It's just that they don't operate the way I think. That might have changed since they acquired FireEye which they bought a couple of years back.

I know the solution is not inexpensive. It depends on what you ultimately sign up for or whether you just want the warranty on the hardware. 

I'm not really a customer. I'm like a consultant. I'm an introduction expert. If I think a client needs a certain technology I point them in the direction of whoever sells it. I do go in and configure it, so I do have experience actually using the product.

When I'm looking for something, I just find someone that sells Palo Alto and I redirect the client towards them. I'm not interested in being in a hardware vendor. There's no money in it. There's so much competition out there with people selling hardware. It doesn't matter where the client gets it from.

We tend to use the 200-series models of the solution.

I'd rate the solution eight out of ten. They do a very good job. The product works well.

An NG firewall provides an additional level of network security and vigilance. It also helps us manage activities using privileges and a zero-trust approach. 

I like the firewall's vulnerability management features, which give you reminders to update your system and update your OS. Palo Alto Networks NG Firewalls provide a unified platform that integrates all security capabilities. It provides pretty good consistency across locations. 

The built-in machine learning features provide some automation, but I think there should be an option for manual review because nothing replaces the human eye. 

We have used NG Firewalls for a little more than a year and a half. 

Palo Alto Networks NG Firewalls are pretty stable. 

Palo Alto Networks NG Firewalls scale up enough for my workplace. Beyond that, I could not say. 

We are a solution provider and this is one of the firewalls that we implement for our clients.

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

The scalability is very good.

We have a small number of clients with this solution in place.

The support is good.

I have experience with multiple firewall vendors and I have seen that products from other vendors have bugs. My feeling is that Palo Alto does not have this problem.

Some of the vendors that I have worked with are Fortinet and Sophos. The setup and management of these products are easy compared to Palo Alto.

Implementing this product can be a little bit difficult. The configuration is difficult compared to other products, so it would be nice if there were videos are other instructions available. It can be very time consuming for the network administrator.

The pricing is very high.

My advice for anybody who is implementing this firewall is to follow the guide or instructions that are available. There are multiple resources and examples of use cases available on the Palo Alto website, and you can directly follow them.

I would rate this solution a nine out of ten.

I used Palo Alto firewalls for plenty of projects and have many use cases.

When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App‑ID Facebook‑base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs Facebook-base and Facebook-mail.

I like to install Palo Alto mainly on the data center side to have visibility and protection into the network because we can configure the SVI (layer 3) on Palo Alto instead of the core switch.

It gives us full visibility and protection for the core of the network.

Visibility and Protection

It gives us good visibility into the network, and this is very important because it's the core of the network. All the packets go through the firewall.

MFA is a new feature in Palo Alto and it's good to use it.

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic.
Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic. 

Palo Alto is very stable. I worked on Cisco products like FTD and Firepower, and they are not as stable as Palo Alto. Also, some Fortigates are not stable. Palo Alto, as far as I know, is the most stable firewall compared to these others.

The solution is scalable because they are now using the next generation security network. They are integrating with endpoint protection. Palo Alto now has traps, so they integrate their traps and the next generation with the cloud. So it is scalable.

Technical support in Cisco is better than Palo Alto. In Cisco, you can directly talk to the top engineers.

We were using Cisco ASA. When Cisco moved to the next generation firewall or tried to move to the next generation firewall when they acquired Sourcefire, and they announced Firepower on ASA, it was not a good option.
They had tool management so you could configure ASA from the CLI and you could configure it on the Firepower. You need to redirect the traffic from ASA to Firepower. It was not a good idea. The packets were processed but there was latency in the packets. 
Nowdays, FTD has many problems and bugs.

When selecting a vendor, the important criteria is how much the appliance is powerful and if it gives me the feature that I want, not an appliance that does everything and it will affect the throughput. Also, the value of the product, the price. 

There has to be a match between the price and the features.

Palo Alto, Cisco.

Buy Palo Alto and try its features. In Palo Alto, you have select prevention, scan over AV, anti-spyware, vulnerability protection. and file blocking. you have good feature like WildFire to protect against unknown malware.

I rate Palo Alto at eight out of 10 because it gives me visibility and protection. This visibility and protection are very important nowadays to protect you from hackers.

We use it to see and detect malware. It is also used for antivirus, anti-spyware, anti-malware, vulnerability, and Wildfire analysis. We support different kinds of authentication as well: Kerberos, LDAP, TACACS, and SAML. All in all, it is a security device that you can have anywhere on your network, as per the design considerations.

It is deployed in two different ways, either on-premises or on the cloud, which may require a different hypervisor. 

Nowadays, because of the pandemic, everyone is working from home or users are not sitting in the office to work. So, security has become a challenge. For that, we provide GlobalProtect, which is a VPN solution. This will connect to your organization's network, and then you can access anything that is required. This is the most widely used tool that we provide, and it is used worldwide. During the pandemic, it was a massive success for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities which is really important from the end customer point of view. If I have to set up an organization, I will go ahead and buy different devices or platforms. However, if I go ahead and buy Next-Generation Firewalls and put them on the edge of the network where I connect with ISPs, my Next-Generation Firewalls will take care of the security parameters. I don't need to worry about it that much anymore.

Its security profiles are a valuable feature. 

All the logs can be stored in a single place.

Panorama lets all the devices be managed centrally in a single place. This provides the best view for admins into any particular firewall, which decreases those admins' tasks because they can view everything in a single place. 

The machine learning tracks how many packets per second are coming into the firewall.

Any request coming in will go into the DNS sinkhole first, not to the user. We protect our users that way.

Within this one platform, you are getting everything that you want. This single device can provide you with antivirus, anti-spyware, volumetric protection, URL filtering where decryption is required, and file blocking with Wildfire analysis.

Palo Alto Networks NG Firewalls have a Single Pass Parallel Processing (SP3) Architecture, which has a different kind of code doing the work. It increases the packet processing rate. Whereas, without the SP3 Architecture, you are waiting for each job to complete, even if you have 100 jobs assigned.

There is always scope for improvement on any particular device in any particular organization. For example, when there was change from IPv4 to IPv6, some of the firewalls still didn't support IPv6. In North America, we have seen most customers are using IPv6, as they are getting the IPv6 IPs from their ISPs. Sometimes, when they go through the firewall, it denies the traffic.

It has been almost three years.

From a stability point of view, the firewall is very stable because the PAN-OS version doesn't change very often. If a new PAN-OS version is out in the market, our engineering team checks it multiple times.

The network performance is never compromised.

It is scalable. We have small and big clients.

For small clients, there is the PA-220 device, which is very small but still very productive and secure. 

I have worked with one of the TACs, where there are almost 500 TAC engineers present. They have different rules for case priority when a customer opens something. If a customer is paying more to get support, then we have a dedicated engineer assigned to that particular customer. This is much easier for the customer, as they are getting one of the best engineers out there to troubleshoot their network. They never compromise on that.

Sometimes, due to some issues, tickets don't get assigned. Or, they assign the tickets manually if something goes wrong, which is a very odd case. Customers don't understand that. So, we always apologize to customers, and say, "How can we help you out?"

Support is 10 out of 10. 

Positive

We ask the end customer, whosoever has the legacy network in their organization, if they don't need all their extra devices in order to cut down on costs. We then do an IPSec tunnel on the cloud as a gateway. From there, they can route the traffic to the Internet or wherever they would like.

Palo Alto is a unified device with a very streamlined voice. I have worked on Cisco routers and ASA as well, where you have to do a lot of stuff through the CLI and Linux shell scripting. With Palo Alto, those things are streamlined and engineering takes care of everything.

The initial setup is pretty straightforward. It is very user-friendly. Everyone in an organization can learn the platform quickly. When we give training to our new candidates, they learn it very quickly. So, it is a streamlined device.

There is an interface type called V-Wire. You just connect it to your network. It will not disturb anything. You don't need to provide IPs. It doesn't need a separate Mac address. It just connects to a particular interface as a bump in the wire. It inspects your traffic, giving you an overall idea of what applications your organization is using and what user is doing what. If needed, you can deploy it in your network later on. This makes it very easy for our customer to deploy the product in their network before they buy it.

When it comes to installing a new PAN-OS version, it doesn't require you to go to Linux and write tons of commands in order to download and activate the latest PAN-OS version. You just have to download it, click the download tab, click the install tab, and then you are done. Therefore, it is hassle-free and super easy like Windows.

We have a very large team for deployment.

If you buy Palo Alto Next-Generation Firewalls, everything is in a single platform. You don't need to go and buy the Wildfire analysis to track zero-day attacks and lots of other things. Therefore, cost is cut down by 50% to 60% if you go for Palo Alto Next-Generation Firewalls.

If someone doesn't have a security platform in their network, then the following licenses will be required: antivirus, anti-spyware, vulnerability, and Wildfire analysis. There are also licenses for GlobalProtect and support.

Overall, Palo Alto Networks NG Firewalls is a market leader.

With other devices, you need a controller and console to manage them. That is not the case with Palo Alto Networks NG Firewalls, where most of the work is done through the GUI. If you want to deep dive, then you go to the CLI. 

Cisco ASAs give some information on the Nexus Firewall, but they are not streamlined. Whereas, Palo Alto Networks NG Firewalls is a streamlined device and easy to use.

If someone is in a routing and switching domain and wants to come up to a security domain, they should choose Palo Alto Network NG Firewalls.

We are happy to assist customers whenever support is missing. Over a period of time, we see customers raise tickets because they are looking for a particular feature that is not available on the platform. We don't say to our customers, "We don't support this." Instead, we take it as an opportunity, giving that information to our engineering team.

I would rate the solution as nine out of 10. I am leaving room for improvement.

We shifted an existing network from Cisco to Palo Alto. It was like a branch to head office network.

We have done public and private cloud deployments as well as on-prem deployments. We are using versions 8, 9, and 10.

IoT security is most valuable in the current version. Content IDs, DDoS protection, zone protection, and DLP are the most prominent features in Palo Alto Networks NG Firewall. It is easier to configure than other solutions.

People sometimes find it more expensive as compared to other solutions. There are also fewer training opportunities for Palo Alto than Cisco and other vendors.

I have been using this solution for the last four or five years.

It is working fine.

Its scalability has been fine for our use cases. It is good for large-scale environments, and there are no problems.

Their technical support is excellent. 

It is very straightforward. They also have a very good script, so it runs very smoothly.

It is expensive as compared to other brands.

If we are comparing firewalls, this is the best firewall. I would rate Palo Alto Networks NG Firewall a nine out of ten.