Donald Keeber - PeerSpot reviewer
President at Margate Net
Real User
Ensures a company has a better security posture
Pros and Cons
  • "It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine. If you have DNS Security in place, you will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance."
  • "The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better."

What is our primary use case?

In most cases, our use cases were for migration and conversions. People were coming off of dated Cisco platforms and other types of firewall technologies that might not have met next-generation standards, like App-ID. Then, Palo Alto Unit 42 had to go out there and investigate with threat hunters, etc., which was not that well-known or used. Then, Palo Alto sort of showed everybody that world back in 2007 or 2008.

Mostly, I was dealing with people migrating off of their platforms onto Palo Alto. Unfortunately, in most cases, they wound up just converting them into service-based firewalls, like what they were already using, because they weren't ready to accept the requirements behind actually creating an effective App-ID policy yet for their company.

It wasn't well adopted at first. Even though everybody wanted it, people were putting it in and not really fully deploying it. Once I started working for Palo Alto, we had a whole lot more control over getting people to actually utilize the technology, like it was meant to be used. Mostly, it was going in as a service-based firewall with some App-ID. However, people weren't really taking advantage of the SSL decryption and other things necessary to truly utilize the firewall effectively.

I have an active customer who has 600 users using Palo Alto. I have another active customer with 300 users using Palo Alto.

How has it helped my organization?

It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine. If you have DNS Security in place, you will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance.

What is most valuable?

Machine learning is definitely here to stay. Machine learning has to be a part of everybody's solution now, especially going out into the cloud where we don't have as much hardware control. We don't control our perimeters as much anymore. We need to have machine learning. So, machine learning has been a critical point in the evolution of this product.

DNS Security incorporates Unit 42, WildFire, and all the rest of their antivirus and threat features. It can be very effective because it will know about these bad actor zones and DNS hacks before it gets to your network, which is important. Everybody should be using it, but I haven't found as many people adopting it as they should.

For anything manipulating TCP 453 or any type of DNS-type application, you will want to be all over that. It is definitely a big problem.

What needs improvement?

It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management,

Buyer's Guide
Palo Alto Networks NG Firewalls
January 2025
Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.

For how long have I used the solution?

I worked for Palo Alto for about three and a half to four years. I retired from them last year. Before that, I was with Juniper firewalls. So, I have about 10 years' experience, on and off, with Palo Alto in various, different scenarios.

What do I think about the stability of the solution?

They push stuff out that is not quite ready. If you use the product one version back, then you are pretty good. However, if you try to stay cutting edge, you are going to run into stuff that doesn't work. They are forever releasing stuff that doesn't work right or as designed. Every company does that though, so it is just a question of who is worse. You need to be careful with some of the newer stuff that they release. You need to bake it very well before you put it into production.

What do I think about the scalability of the solution?

I am not absolutely certain they have done a good job in scaling out. They may start to suffer now and going forward because there are other, more cloud-ready platforms out there starting to shine over Palo Alto. They are not the prodigal son anymore.

It has limited scalability since it is still very hardware-centric. They have a cloud VM model, but I haven't had too much experience with it.

How are customer service and support?

The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better.

Several years ago, I would put technical support at eight or nine out of 10. Now, they are down around two or three, which is really low. I have had very bad luck with their support lately.

How would you rate customer service and support?

Negative

How was the initial setup?

It depends on whether you are coming in from a migration, which means that you expect everything that you will be doing to be out-of-the-box. It has to be if you are putting it in place. You can then evolve it from there to make it more capable. 

I find the technology pretty easy to work with. Some people don't find it as straightforward. That probably leaves some areas for improvement, where people almost have to do a boot camp to fully take advantage of the product. That shouldn't be the case for a new customer. It should be a little bit more seamless than it is, but it's not bad. I can't really knock it. It is fairly simple to employ, if you know what you are doing.

Most migrations take anywhere from two to six weeks.

What about the implementation team?

I did the deployment. I was using it while I was at Palo Alto. I am still managing them, even outside of Palo Alto. It has been a consistent experience.

What was our ROI?

The return on investment doesn't necessarily show right away. However, if a company gets hacked and taken down, they are out of business. So, was your return on investment strong if you put these firewalls in and it prevented that? Absolutely. However, if you put them in and you never get attacked, then you might ask, "Would you have gotten attacked before?"

What's my experience with pricing, setup cost, and licensing?

There is a license for DNS Security, which I have never actually licensed, but it is a very powerful tool. DNS security is important, and I think that Palo Alto's capabilities are effective and strong there. However, I don't find a lot of companies taking advantage of it.

This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify. However, my customers will do that if I tell them, "You still need to do that," then they will do it since it is still an entry point into the network. 

You really need Premium Support, Applications and Threats, DNS Security, and antivirus. The extra bolt-ons, such as Advanced URL Filtering, you need to determine by use case where you are going to use those licenses, then see if you really need them. You might be adding a bunch of licenses that you will never actually get to effectively use. Their licensing model has gotten a bit exorbitant and a la carte. You will wind up spending quite a bit of money on licenses and renewals.

Which other solutions did I evaluate?

There is another company out there that I like quite a bit in the firewall space who does a really good job and has a very fast, inexpensive firewall. That is Fortinet. My two favorite firewall companies are Fortinet and Palo Alto. I recommend Fortinet in cases where people don't have the money, as you can get a very nice solution from Fortinet for a lot less money. Fortinet is a good player. I like Fortinet. 

Palo Alto's interface is a little nicer to work with, e.g., a little easier and more intuitive than Fortinet. This makes Palo Alto a little nicer for the end user, but Fortinet is a kick-ass solution. I would never downplay it. It is definitely really strong. For $600, you can get a fully functional next-generation firewall on Fortinet, and you can't do that with Palo Alto. That is a world of difference in pricing.

What other advice do I have?

Machine learning is taking logs and feeding them back through. Everybody is doing machine learning now. You need to have some type of machine learning in order to understand what is going through your environment since you can't be predictive anymore, like you used to be able to be. There is no way of knowing what things are going to do. Therefore, machine learning helps the firewall become smarter. However, machine learning is only as good as how it is utilized and how effectively it is deployed, and it is not always obvious. With Palo Alto, it was difficult to get the API keys and whatnot to work correctly, getting real, effective, actual, usable machine language stuff to use in the policies. It was a lot more hype than reality.

Their zero-pass architecture is not really zero-pass, but it is better than others. It still has to run the traffic through again, once it is recognized at the port, service, and route level, to be acceptable. Then, it has to bring it back through to try to recognize the application. So, it is not necessarily a 100% zero-pass, but the way it works. 

It is like in the Indianapolis 500 when a car pulls into a pit stop. Instead of having one place in the pit stop where the tires are changed, another place in the pit stop that does the windows, and another place that does the gas, they have all the guys come around the car and do their work on the car at the same exact time. That is what is happening with Palo Alto. The packet gets there and the services attack the packet versus having to run the packet through the mill. That is what makes it faster, but it still has to do it more than once before it really knows. It is definitely better than what anybody else has done up to this point. 

With a single-pass cloud, we are not concerned with hardware as much anymore. Now, we are concerned with technology, implementation, and how controls are deployed. That is more important now than where the hardware is, e.g., if the hardware is integrated or deintegrated. I don't know if that is even that important anymore, but it was at one time.

As long as you are comfortable with the price point, you are not going to make a mistake going this way. It is definitely best-in-class and a first-class firewall. I would never be ashamed of putting Palo Alto Networks NGFWs into my network. It's a very good product. As much as I might complain about this and that, there isn't any product that you would put in the network where you are going to have 100% confidence in it. There will always be something. Palo Alto NGFWs are the best way to go.

I would rate this solution as nine out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NimeshaBalasuriya - PeerSpot reviewer
Security Engineer at Sri Lanka Telecom Ltd
Real User
A unified platform that natively integrates all security capabilities
Pros and Cons
  • "Most of the features in Palo Alto are very valuable."
  • "Most other VPN clients include mobile VPNs but Palo Alto does not."

What is our primary use case?

Palo Alto is used as our organization's perimeter firewall. In fact, it is our data center. We use it to protect our perimeter level. The model that we use is the PA-5020, which is a bare metal device.

I currently work in ISP operations, where we host DNS servers for customers and also have a few AAA servers for broadband authentication. In Sri Lanka, there are ADSL customers and broadband customers, who authenticate against our AAA service. Additionally, we also protect our internal members using Palo Alto firewalls.

How has it helped my organization?

In the event that Palo Alto Networks NG Firewalls detect evolving and rapidly moving threats, we get help from the Palo Alto teams to resolve the issues. We do the level one troubleshooting and then open a tactic attempt to pass that to tech managers for resolution.

Previously, there were a couple of limited features available from GlobalProtect. However, after introducing these new features, the solution has been very helpful for us. This is very important.

We are a telecommunication service provider and we offer many IT services to our customers. The recent attack has made it very important for us to take precautions. Having a unified platform for our organization is an integral part of being able to identify and address attacks quickly.

What is most valuable?

Most of the features in Palo Alto are very valuable. Recently, in the COVID pandemic situation, we used SSL VPN through GlobalProtect from Palo Alto, which was very helpful for us to do work at home. We use general category-based filtering. Palo Alto is a very sophisticated firewall.

Palo Alto Networks NG Firewalls' machine learning in the core of the firewall to prevent attacks is very important. Previously, our country was not targeted by attackers, but recently, we have identified that there are a couple of situations happening in our country. Recently, there has been an unstable political situation in our country, and during that time period, many attackers have been trying to infiltrate our networks. We definitely have to go to the next-generation features such as the Next-Generation Firewalls.

Having a unified platform that natively integrates all security capabilities is a great feature. We previously used a single management platform, Panorama from Palo Alto, across all of our Palo Alto products. However, Panorama is no longer being supported, due to its end-of-life status.

Having a unified platform helped to eliminate security holes. Between the UTM platforms, and Palo Alto, all features are available in one firewall, so we don't need to buy different products or separate IPS devices and separate antivirus devices. In Palo Alto UTM firewalls, most of the features are available such as antivirus with filtering, which is very important.

The solution is user-friendly.

What needs improvement?

The pricing of the solution is high and can be improved.

Most other VPN clients include mobile VPNs but Palo Alto does not. We are required to purchase the mobile VPN clients separately. During our RFPs we have noticed that most features by vendors are similar but the price for those features is higher with Palo Alto.

For how long have I used the solution?

I have been using the solution for seven years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

I'm not seeing scalability problems in my scenario, but overall Palo Alto is doing well in terms of scalability. I'm using ten licenses for V systems and the port density is good.

There are five firewall administrators, two engineers, and three technical staff. In my department, there are thirty users and during the work-from-home scenario, all of them are connecting through the SSL VPN. Thirty plus users in our organization and the request for the service that is in our country, in our broadband customer segment are 1,500 thousand.

The solution is at the end of the life cycle and we are in the process of upgrading.

How are customer service and support?

The support from the tech team is good, and their response is fine.

Which solution did I use previously and why did I switch?

There is a tendering process in my organization, so products that are technically qualified go through a two-stage process: the first stage is the technical qualification stage and the second stage is the financial qualification stage. However, in the end, everything comes down to finances, and that's why Palo Alto was awarded the tender and we switched from Check Point.

The first thing we did was install a client to manage the Check Point firewall. However, I think the new versions which operate at this time don't need the client. Previously, it definitely required a client, so that was a headache. Palo Alto is not like that, it's a dual-based configuration. Also, when we apply the rules, it's also very easy in Palo Alto. Another important aspect is that Palo Alto uses its own based firewall, and Check Point does not. We have to put the configuration to interfaces and likewise. This is very helpful because in my network, in some cases, we have to have a couple of interfaces that are met with the source, and we have to easily apply rules by selecting the source.

How was the initial setup?

The initial setup is straightforward. I was in the deployment stage when this firewall came to my organization. Palo Alto includes a quick reference guide in the box. For an initial setup, everything is available in that quick reference guide. 

We had the Check Point firewall previously and after the tender process, Palo Alto was selected as the new replacement. We took three to four weeks to migrate all the Check Point rules. We migrated around 100 to 150 rules from Check Point to Palo Alto which was very easy.

There is a team in my organization made up of engineers and technical officers. Working under the engineers, the technical officers are responsible for the physical implementation of everything. I am an engineer in my organization, and engineers are responsible for installing programs and configurations. We have a timeline to meet for every new implementation, which is a project for us.

In the deployment stage, we had six or seven members on the deployment team. After deployment, we now have two engineers and three technical staff, for a total of five people who perform maintenance.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

My firewall is used to protect my internet servers. This means that the servers provide services to our broadband customers. After taking the revenue from broadband customers, Palo Alto is almost covered. However, there is no direct ROI for Palo Alto in my setup.

What's my experience with pricing, setup cost, and licensing?

We are purchasing an annual subscription for signatures, and categories. Our box has ten perpetual licenses for V Systems.

We don't have licenses for SSL VPNs because it is included in the box. For VPNs, we don't need a license. However, if we use the Power VPN client on our mobile devices, we need to purchase the client software.

Which other solutions did I evaluate?

Before choosing Palo Alto, we evaluated Check Point and FortiGate.

What other advice do I have?

I give the solution a nine out of ten.

We are currently in the process of procuring a new parallel processing solution. Our current parallel processing solution is reaching the end of its life in 2023, so we need to find a new solution by March 2023. Ideally, we would like to find a new solution from Palo Alto, but the selection process is still in progress so I can't say for sure which model will be chosen.

In the past seven years I have been using the solution, I have only had to open ten tickets for support.

The zero delay signature feature is not implemented because our license is not enabled in our firewall. We use layer seven filtering for our data center.

Palo Alto Networks NG Firewalls are protecting our data center. Almost all our country's broadband users request access through this firewall.

I can recommend the Palo Alto firewall for other companies as a perimeter firewall, as a data center, and as a work-from-home scenario for SSL VPN, but I don't have experience with it as a managed service.

To any potential new users, definitely go for Palo Alto, don't worry about its sophistication. With all my experience using Palo Alto, I have had very minor issues. I recommend Palo Alto as a company network solution.

The configuration of the solution is nice. During the time period that I have used Palo Alto, I have had only a few tickets raised and the tech support is helpful. Palo Alto firewalls cover most security threats.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at Zuci Systems
Real User
Top 20
Leverage machine learning for real-time attack prevention but the configuration framework could be improved
Pros and Cons
  • "The most valuable features include the usual firewall functionalities, such as IPS and antivirus, which are effective."
  • "The effectiveness of this technology improves with each release, bolstering confidence in the product's ability to provide robust security."
  • "The configuration framework for Palo Alto Networks Next-Generation firewalls should be simplified, particularly for applications like ASG authentication."
  • "The configuration framework for Palo Alto Networks Next-Generation firewalls should be simplified, particularly for applications like ASG authentication. Technical support needs improvement, as issue resolution takes a significant amount of time."

What is our primary use case?

The primary use case is enterprise-level security. Our organization utilizes Palo Alto Networks Next-Generation Firewalls for internal security measures, including SD-WAN and SSL authentication configurations to establish secure network connections through the firewall.

How has it helped my organization?

Palo Alto Networks NG Firewalls provides a unified platform that natively integrates all security capabilities. The integration of machine learning in the core of the firewall that provides inline real-time attack prevention is crucial.

Palo Alto Networks NG firewalls embed machine learning in their core, which aids in preventing real-time attacks. The effectiveness of this technology improves with each release, bolstering confidence in the product's ability to provide robust security.

When we identify a vulnerability, we use Palo Alto Networks Next-Generation Firewalls to mitigate the threat.

We experienced no downtime in the past two and a half years while using Palo Alto Networks Next-Generation firewalls.

What is most valuable?

The most valuable features include the usual firewall functionalities, such as IPS and antivirus, which are effective. 

What needs improvement?

The configuration framework for Palo Alto Networks Next-Generation firewalls should be simplified, particularly for applications like ASG authentication. Technical support needs improvement, as issue resolution takes a significant amount of time. Furthermore, vulnerabilities in Palo Alto releases require prompt attention.

For how long have I used the solution?

I have worked with Palo Alto Networks NG Firewalls for more than ten years, and our company has used them for three years.

What do I think about the stability of the solution?

The overall stability of Palo Alto Networks NG firewall is good. I would rate it nine out of ten.

What do I think about the scalability of the solution?

The scalability of Palo Alto Networks NG Firewalls is good. I can comfortably rate it as an eight out of ten.

How are customer service and support?

Palo Alto Networks' technical support is generally good. However, some non-popular issues take longer to address.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Our organization initially utilized FortiGate firewalls. However, as we grew, we transitioned to Palo Alto Networks NG Firewalls due to their better performance in enterprise-level evaluations.

How was the initial setup?

Standard security configurations were straightforward to set up initially. However, adding portal security and application customizations posed challenges.

The deployment was small and required two to three people.

What about the implementation team?

Our experience with the integrator was mixed. While they provided some assistance, our team faced challenges configuring certain features, requiring additional support from Palo Alto and their partners.

What's my experience with pricing, setup cost, and licensing?

The pricing, setup cost, and licensing depend on the model. Overall, it is commercially competitive compared to Cisco and Fortinet. We paid less than $18,000.

Colleagues looking for the cheapest and fastest firewall can still use Palo Alto Networks NG Firewalls because they are affordable.

Which other solutions did I evaluate?

We evaluated several top products, including Fortinet, SonicWall, Sophos, and Cisco, before choosing Palo Alto Networks NG Firewalls.

What other advice do I have?

I rate Palo Alto Networks NG Firewalls a seven out of ten. While the features are satisfactory, improving the configuration framework and enhancing technical support would improve the product.

Palo Alto Networks NG Firewalls do not require maintenance.

We have 500 users in our organization.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2533908 - PeerSpot reviewer
Senior Network and Security Engineer at a computer software company with 501-1,000 employees
Real User
Top 20
It's a complete solution that's reliable, consistent, easy to manage, and full of rich security features
Pros and Cons
  • "Palo Alto solutions are scalable and highly capable. NG firewalls offer a complete solution that's reliable, consistent, easy to manage, and full of rich security features. They're easier than other firewalls and certainly more effective."
  • "Palo Alto could improve its machine-learning capabilities. That's all new. They integrate the telemetry data and analytics up to the cloud, where they can analyze for security policies and best practices like DNS Security. It uses AI tools to sort through all the massive logs and highlight where you can take action or be aware of what's happening. If you don't have many tools in your organization, it's nice to have one tool that does an excellent job across the board."

What is our primary use case?

We use Palo Alto firewalls to secure the enterprise network and connect our branch offices with our data centers.

How has it helped my organization?

A lot of Palo Alto's attack mitigation is automatic. It's nice that you can define security policies and profiles, and the firewall can automatically take action to mitigate attacks as they occur.

We can avoid downtime because Palo Alto supports high-availability firewalls, which usually enable us to do maintenance without interruption to the enterprise. We also have redundancy in our wide area, so we are not dependent on one internet provider. If it fails, we can route across an alternate provider through our VPN tunnels. 

What is most valuable?

Palo Alto solutions are scalable and highly capable. NG firewalls offer a complete solution that's reliable, consistent, easy to manage, and full of rich security features. They're easier than other firewalls and certainly more effective.

NG Firewalls provide a unified platform that natively integrates all security capabilities. It's critical to have a cohesive system that works across the entire organization. Palo Alto embeds machine learning into the firewall's core, which is necessary to keep up with the threat landscape. 

What needs improvement?

Palo Alto could improve its machine-learning capabilities. That's all new. They integrate the telemetry data and analytics up to the cloud, where they can analyze security policies and best practices like DNS Security. It uses AI tools to sort through all the massive logs and highlight where you can take action or be aware of what's happening. If you don't have many tools in your organization, it's nice to have one tool that does an excellent job across the board. 

For how long have I used the solution?

I have used Palo Alto NG Firewalls for five and a half years. 

What do I think about the scalability of the solution?

Palo Alto firewalls have excellent scalability. The same techniques and configuration scale from a small branch office to larger data centers. They're consistent in terms of configuration. You have centralized administration through Panorama to manage all of them easily and have global visibility with both configuration and logging.

How are customer service and support?

I rate Palo Alto support seven out of 10. Palo Alto has some excellent engineers, but recently, I've had difficulty finding a technician who can solve the problem quickly. They're easy to reach, but it's sometimes harder to communicate with the support engineers. Some are more effective, but other engineers take a couple of days to analyze the issue. The support is not as good as it used to be.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used other brands of firewalls in another company, and this company has used some older firewalls. I have used Juniper SRX and NetScreen firewalls. I've also worked with Cisco ASA and SonicWall firewalls.

Palo Alto firewalls provide better visibility into the data and excellent logging that enables you to track all threats and activity. They seem to be more resilient to attacks. Other brands get overwhelmed by DDoS attacks, whereas Palo Alto has multiple levels of security that can head off some of those floods. They act almost like an intrusion detection system and some form of DDoS protection. They do a good job if you can't afford a separate product.

How was the initial setup?

I rate Palo Alto NG firewalls nine out of 10 for ease of setup. They're easier to set up than Juniper SRX or NetScreen. When I arrived, they had already installed a few firewalls, but they weren't working well. The failover and high availability were not set up properly. 

They were new to Palo Alto. They started deploying a few in their branch offices and configuring them with Panorama, so they're all registered and centrally administered. There are consistent policies and shared objects across your organization for filtering geographic regions and things like that. 

The IT VP administered some of the network after their other engineer left. They had previously used Fortinet and only recently purchased Palo Altos, but they were trying to get them deployed. As a senior network engineer, I deployed it with the IT VP, and the IT manager made some operational changes. I and a member of my team maintain the firewalls. 

What was our ROI?

Palo Alto enables you to support an extensive, busy network with fewer people. You can centrally administer the solution and apply automated content updates for virus and threat prevention. Once you get these things set up, they do a lot of it independently. You only need to keep a close watch on them. 

What's my experience with pricing, setup cost, and licensing?

Palo Alto can be priced higher than some less capable firewalls. However, they are exceptional when you consider the completeness of the solution and its ability to handle threats. Palo Alto is better than other solutions, which justifies a slightly higher price point. You have other tools that are easier to deploy, reducing your total cost of ownership. The newer models are faster, making the pricing more attractive.

A cheaper solution might be better if you have a small or home business that doesn't have many security requirements. Palo Alto scales down to small offices and larger data centers and enterprises. Their product scales to a wide range of use cases. 

What other advice do I have?

I rate Palo Alto NG Firewalls 10 out of 10. I recommend spending time with Palo Alto and other support partners planning and understanding your network before you deploy. You can simplify many capabilities into common rules that you can apply consistently across the organization to save time. Planning can help you build consistency in naming address objects, VLANs, and network resources.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MartinFerguson - PeerSpot reviewer
Managing Director/Co-Founder at Azured
Real User
The solution simplifies operations, ties into existing services, and uses machine learning
Pros and Cons
  • "I can enable the features I want and configure the policies based on the user and not all users and network traffic, making firewall management much easier."
  • "We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value."

What is our primary use case?

We use the solution for all the capabilities that the firewall offers, including proxy filtering, VPN connection, and Next-Gen firewall capability. We integrate the solution with clients that use ExpressRoute, which is a very common and popular service in Australia. We route all our client's local traffic, 10.x, and the client's Class B public address traffic all into Palo Alto Networks NG Firewalls. We use the solution to provide hub and spoke integration, web filtering, and for VPN. 

The solution is a fully managed centralized firewall service for both public and private traffic, including on-prem traffic and Azure traffic.

How has it helped my organization?

The solution ties into existing services. We offer network-based services and SD-WAN overlay. We use VeloCloud appliances and put the solution at the heart of that to provide Next-Gen security capability. The solution benefits our clients by reducing the number of firewalls required in their organization, which is hosted in Azure. The solution's aggregation gives us the ability to service our clients by reducing their firewall footprint. The solution also enables us to route all traffic, including internet outbound traffic from a client's side onto Palo Alto NG Firewalls across an ExpressRoute connection.

Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities.

In combination with additional tools and services we offer, the solution makes a significant contribution to eliminating security holes.

The solution helps eliminate multiple network security tools and the effort required to have them work together. The solution simplified our operations. We only support and deliver Palo Alto NG firewalls as a service. We don't offer a firewall as a service on any other appliance. We chose Palo Alto because of its Next-Gen capabilities and being the market leader in terms of security appliances. 

What is most valuable?

I like the native integration into Azure AD and the solution is fantastic from the perspective of managing user access and using the VPN client. The TLS inspection is a fantastic service that's offered in Palo Alto NG Firewalls. In my opinion, the solution is best of breed, which is one of the reasons why we adopted it in the first place.

We have had a couple of DNS attacks and predictive analytics and machine learning for instantly blocking DNS attacks worked well. 

Depending on the license SKU, we implement the zero delay signatures feature for some of our customers.

I can enable the features I want and configure the policies based on the user and network traffic, making firewall management much easier.

What needs improvement?

There are some features of Fortinet such as the virtual domain capability, that I would love to see in this solution, but they don't outweigh the technical capabilities of Palo Alto as the firewall.

We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value. We have developed our own reporting. Sometimes there are limitations around the APIs and it would be great if the APIs could be enhanced.

For how long have I used the solution?

I have been using Palo Alto Networks for about 10 years, but not the Next-Generation version. Five years ago, we set up a Palo Alto firewall as a service with Palo Alto in the back end. We did this for Telstra in Australia, and we're the only company in the world that can support the default route over ExpressRoute, using the Palo Alto Networks NG Firewalls as a service that we offer.

What do I think about the stability of the solution?

The stability of this solution is unbelievable and the best on the market. We've never had an outage as a result of a technical problem on hundreds of firewalls that we run or thousands when we include the HA pairs and clusters that we've built.

What do I think about the scalability of the solution?

The solution is scalable and we have never reached the limits. We stuck with Palo Alto because of their Next-Gen capabilities, and we have about 500 clients using this solution as a service.

How are customer service and support?

The technical support is exceptionally good. They have more capabilities in Australia now and we've had no problems. The technical support has been so good, we haven't had to look for another vendor.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. We have a multi-tenanted version and a single version. We have different flavors of the implementation and it's all scripted. We can build a fully operational firewall HA pair with follow-the-sun, 24-hour, seven-days-a-week support in about 30 minutes. We use DevOps to set everything up and it is effective because it is all scripted.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Our service is incredibly profitable. We don't feel we can offer an alternative that will give us the same return on investment.

What's my experience with pricing, setup cost, and licensing?

The pricing is straightforward with no hidden costs. There is a cost for the licensing, the Virtual Network if the solution is run in Azure, and there is also a cost for the operational support.

I suggest sizing correctly when in the cloud because the SKU can always be changed at a later time.

Which other solutions did I evaluate?

We've evaluated a couple of other products in the past to make sure that we still have the right solution in the market.

What other advice do I have?

I give the solution a nine out of ten.

The embedded machine learning included in the solution's firewall core used to provide inline real-time attack prevention is an important capability because it gives us the heuristics. The solution uses existing knowledge of the service and how we use the firewall, to determine if something nefarious is being undertaken. I don't believe that we are using the feature to its fullest capability.

We integrate Palo Alto NG Firewalls into Sentinel and we use additional data points to determine attacks.

We use the solution's DNS security for some of our clients.

We use a lot of data points from various systems and not only this solution to determine if a threat is live and active. We don't recommend publishing using the solution. We do local DNS resolution using the Palo Alto NG Firewalls. We're purely an Azure consultancy. We use Azure publishing services to publish. We integrate the solution into virtual networks from a DNS point of view, but we are always on the safe side, and we never use the solution for DNS publishing to the public internet. We are an ISB. We provide managed services, but we are primarily an integrator.

In terms of a trade-off between security and network performance, there will always be a performance lag when doing TLS inspections because the traffic has to be decrypted in real time; however, the benefit outweighs the disadvantages from a network performance perspective. When the TLS inspections are sized properly, the performance lag is hardly noticeable.

We sometimes work with Palo Alto, for example, to support the default route over ExpressRoute.

The maintenance is all scripted and fully automated. We are always at the current stable release and we update as regularly as we get the updates from Palo Alto. There is no impact, no downtime, and no loss of service unless we've got a customer with a single firewall that requires a reboot, in which case we schedule the outage.

I have worked with many different appliances in Azure over the years, and I still do with some clients who already have incumbent NBAs, but for our firewall as a service, I have always used Palo Alto.

What we find is that clients want to utilize the features but don't know how to implement them or have the capability. We offer that support. Palo Alto is extremely good value for the money if we maximize its capabilities. If we want a cheap firewall, then Palo Alto isn't the answer. If we want a capable value-for-money firewall, when we are utilizing all of the services available, Palo Alto is the best on the market. If we want a cheap solution, we can go to Fortinet, which is not as technically sound, but for someone who is price sensitive and doesn't want to use all the features and functions of Palo Alto NG Firewalls, that is an option. We work with Palo Alto for our firewall as a service, and we work with Velo for our network as a service. The operational run cost for us is low with these vendors because those firewalls are extremely reliable, and because we don't have problems with the firewalls, we don't need a big operational support team.

We did some work with the NHS Test and Trace program and they had a multi-client solution that we deployed hundreds of firewalls across Azure and AWS, using Palo Alto. The client did explore other vendors that were cheaper and after looking at the operational support capability, features, and how reliable the firewall was, the option was clear and not driven by price. 

I would automate the solution. I would use infrastructure as code deployment and manage my devices using IHC. If I was going for a larger state, I would use the solution's management tool.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Hrushikesh Pandit - PeerSpot reviewer
Senior Network Engineer L4 at a tech services company with 10,001+ employees
Real User
Efficient threat management and automation drive reliability
Pros and Cons
  • "The most valuable features of Palo Alto Networks NG Firewalls are Threat Vault and AutoFocus."
  • "For colleagues seeking a cost-effective firewall, I recommend Palo Alto Networks NG Firewalls."
  • "Palo Alto Firewalls could improve by introducing more features, particularly in load balancing."

What is our primary use case?

The primary use case for Palo Alto is to address traffic-related issues and manage configurations pushed from Panorama to Palo Alto Firewalls. Additionally, it handles GPU-related challenges, GlobalProtect, and IP internal problems.

Both FortiGate and Cisco firewalls process network traffic sequentially, meaning each packet passes through security engines, e.g., security profiles and URL filtering, one by one, which can be time-consuming. In contrast, Palo Alto Networks NG Firewalls utilize single-pass parallel processing. When a packet arrives on an interface, the firewall creates multiple copies and sends them to all relevant security engines simultaneously. This parallel approach significantly reduces processing time and increases overall efficiency.

How has it helped my organization?

Palo Alto Networks Next-Generation Firewalls offer a comprehensive platform that seamlessly integrates all essential security functions, eliminating the need for multiple platforms. With integrated routing, switching, threat prevention, SASE, and Prisma capabilities, Palo Alto provides a centralized solution. A notable feature is the active-passive router configuration, enabling one firewall to be active while another remains on standby. Additionally, these firewalls incorporate SD-WAN, IPsec, and VPNs for enhanced network security and connectivity.

Palo Alto Networks NG Firewalls effectively utilize embedded machine learning to provide real-time attack prevention. Upon receiving a packet, the firewall performs an initial ingress phase analysis before passing it to the fast path for routing, switching, and connection establishment. Simultaneously, the security policy is checked. If a threat is detected, the initial packet is allowed through for analysis, while subsequent traffic is automatically blocked without the need for manual security policy configuration.

Our organization benefited from the comprehensive feature set of Palo Alto Networks NG Firewalls, eliminating the need for separate purchases of web-based firewalls, load balancers, routers, switches, Prisma devices, and SD-WAN devices. This saves our organizational costs.

Palo Alto provides strong security in our data centers and across all our workplaces.

Palo Alto Networks NG Firewalls reduce downtime and enhance network reliability and security through active-passive setups, where a secondary firewall automatically takes over if the primary one fails, ensuring continuous operation. These firewalls provide a seamless and efficient environment by automatically capturing logs and managing known threats. Advanced features like App-ID and Content-ID inspection enable deep packet inspection, identifying and mitigating threats even within encrypted files or those disguised as legitimate data, such as a virus bound to an MPG file. This comprehensive approach ensures robust security and minimizes the impact of malicious activities, regardless of the attacker's techniques.

What is most valuable?

The most valuable features of Palo Alto Networks NG Firewalls are Threat Vault and AutoFocus. Threat Vault allows us access to a comprehensive threat database, enabling us to get detailed information on threats and how to mitigate them. AutoFocus provides sandboxing capabilities, automatically addressing global threats.

What needs improvement?

Palo Alto Firewalls could improve by introducing more features, particularly in load balancing. Enhancing this capability would be beneficial.

For how long have I used the solution?

I have been working with Palo Alto NG Firewalls for six and a half years.

What do I think about the stability of the solution?

I would rate the stability of Palo Alto Networks NG Firewalls at eight and a half out of ten.

What do I think about the scalability of the solution?

Palo Alto Networks NG Firewalls are scalable and reliable. I have not faced any limitations with its scalability, and it is suitable for environments ranging from small offices to large data centers.

How are customer service and support?

Palo Alto provides good support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously worked with Cisco and FortiGate devices. I switched to Palo Alto Firewalls because of the comprehensive features offered by Palo Alto, including better hardware, software, and support.

How was the initial setup?

The initial setup was straightforward, taking about 20 to 30 minutes for one Palo Alto Network NG Firewall.

What about the implementation team?

The level two team was responsible for the configuration and setup process for Palo Alto Network NG Firewalls.

What's my experience with pricing, setup cost, and licensing?

I am not sure about the specific licensing costs of Palo Alto Networks NG Firewalls, but FortiGate and Palo Alto are generally cheaper than some high-end Cisco devices.

What other advice do I have?

I would rate Palo Alto Networks NG Firewalls eight out of ten.

For colleagues seeking a cost-effective firewall, I recommend Palo Alto Networks NG Firewalls. Despite not being the absolute cheapest, their robust hardware and software, combined with excellent support and comprehensive features, make them a more efficient and reliable long-term investment.

Palo Alto Networks NG Firewalls require maintenance.

I recommend considering Palo Alto for small or medium-sized environments due to its cost-efficiency, reliability, ease of use, and extensive features.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Sachin Vinay - PeerSpot reviewer
Assistant Manager-Networks at Amrita
Real User
Top 5
Supports single-pass architecture, provides comprehensive security, and is cost-effective
Pros and Cons
  • "It has a unique approach to packet processing. It has single-pass architecture. We can easily perform policy lookups, application decoding, and integration or merging. This can be all done with a single pass. It effectively reduces the amount of processing required to perform multiple actions. This is the main advantage of using Palo Alto."
  • "It is a complete product, but the SSL inspection feature requires some improvements. We need to deploy certificates at each endpoint to completely work out the UTM solutions. If you enable SSL encryption, it is a tedious process. It takes a lot of time to deploy the certificates to all endpoints. Without SSL inspection, UTM features will not work properly. So, we are forced to enable this SSL inspection feature."

What is our primary use case?

We are using PA-820. This Palo Alto series is being used in our separate branch office. We are managing surveillance and internet activities with this Next-Generation security firewall. We are using the UTM features and running best security practices through this firewall. Moreover, VPNs and other remote access security features are being implemented in our environment with this firewall.

How has it helped my organization?

It has a very good security database for attack prevention. There are many security breaches, and most of the 2022 security breaches use automation. It has a really good automation engine that clearly prevents new types of attacks. We recently avoided an attack with Palo Alto.

DNS security is super good in this. Its DNS attack coverage is 40% more, and it can disrupt 80% of attacks that use DNS. Without requiring any change in your infrastructure, you can avoid the attacks. With this Palo Alto firewall, we are able to manage DNS security in a single device because it has single-pass architecture.

It provides a unified platform that natively integrates all security capabilities. It has a VPN. We don't need to go for additional security features or devices in our environment. It is an all-in-one solution. With other firewalls, such as FortiGate, you require separate licenses. For example, for high availability, you would require an additional license, which is not the case with Palo Alto. In this way, Palo Alto is completely in line with our budget requirements. We are also planning to go with the higher version of Palo Alto firewalls in our environments.

It has helped to eliminate security holes. It creates a usage pattern with its machine learning and artificial intelligence features. It uses a good amount of artificial intelligence to create a pattern. If there are any changes in the usage pattern, it notifies us, and we are able to take action.

In our environment, we are running a lot of production servers. So, we cannot compromise on security. We give more priority to security than performance in our architecture. We put 70% focus on security and 30% on performance. Palo Alto completely suits our requirements. They have three-tier security. We can see the application layer traffic, network layer traffic, and session layer traffic.

It integrates perfectly. It integrates with SIEM solutions such as Darktrace. For log analysis, we are able to completely retrieve the logs.

What is most valuable?

The most important feature is advanced threat prevention. It stops most malware. It provides 96% or 97% prevention against malware. It has a leading intrusion prevention system in the industry. It is really good at malware prevention. It ensures that files are saved in a good and secure environment. It automatically detects and prevents unknown malware with its powerful malware prevention engine. 

It has a unique approach to packet processing. It has single-pass architecture. We can easily perform policy lookups, application decoding, and integration or merging. This can be all done with a single pass. It effectively reduces the amount of processing required to perform multiple actions. This is the main advantage of using Palo Alto.

What needs improvement?

It is a complete product, but the SSL inspection feature requires some improvements. We need to deploy certificates at each endpoint to completely work out the UTM solutions. If you enable SSL encryption, it is a tedious process. It takes a lot of time to deploy the certificates to all endpoints. Without SSL inspection, UTM features will not work properly. So, we are forced to enable this SSL inspection feature.

For how long have I used the solution?

It has been three years.

What do I think about the stability of the solution?

It is extremely stable.

What do I think about the scalability of the solution?

It is scalable. There is a VM solution also, so it is completely scalable. 

We have about 3,000 users in our branch office. In terms of our plans to increase its usage, we are also planning to go for Palo Alto as our main firewall. We are planning to go with the higher-end version.

How are customer service and support?

I would rate them an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In our branch office, before the Palo Alto firewall implementation, we had been using FortiGate. We switched because of the budgetary requirements. With FortiGate, for the high availability feature, we required two devices. We had to buy two licenses, whereas Palo Alto required only one license. It was completely in tune with our budget. So, we had to go with Palo Alto.

FortiGate did not have single-pass architecture. It took a huge amount of resources for each action. For policy lookups, it took a considerable amount of system resources, such as CPU, RAM, etc. The waiting time was too high for policy lookup, application decoding, and signature matching. All this is carried out in a single pass in Palo Alto. So, it is considerably fast and also secure. There is no compromise in terms of security. It is completely secure, and we are able to do more functions in a single pass with the Palo Alto firewall. So, we save a lot of resources. With FortiGate, security was around 50%. After the implementation of PA-820, it has increased to 80%. We have achieved about a 30% increase in security. Even though PA-820 is not a higher-end series, performance-wise, it matches the higher-end series of FortiGate. So, there is a considerable amount of cost savings. We are able to save 20% to 30% extra.

In our organization, we have multiple vendors. We have FortiGate, Cisco ASA, and other security implementations. We have already purchased many other products. So, we cannot simply suggest Palo Alto across the organization. We have to consider the older purchases.

Palo Alto is a good competitor to FortiGate. Cisco, FortiGate, and Palo Alto are the three main competitors. When we compare these products, they have similarities, but I would suggest going with Palo Alto for higher security. If you are giving more priority to security and less priority to performance, definitely consider this. Cisco ASA and FortiGate are more performance-oriented. So, if you are planning to give more priority to security, I would definitely suggest Palo Alto.

How was the initial setup?

Its initial setup was complex. It was not straightforward. It required a considerable amount of time and effort. Migration was a little bit complex because we had a different vendor product. Migrating to this product required a considerable amount of time and planning because we didn't want to disrupt the networking in our existing environment. It took a good amount of planning and decision-making to migrate to Palo Alto.

Its deployment took about a week. In terms of the implementation strategy, we were deploying it at the branch office. We already had a solution there. So, we had to completely migrate the policies and everything else. We also had to identify the interfaces with the utmost urgency. We first migrated important interfaces and made sure that they all are working fine and all the security features are working fine. After that, we enabled all the policies and other features. In this way, we were able to completely migrate in seven days.

What about the implementation team?

It required three network administrators. They are responsible for actively managing the firewall configurations, taking backups, etc.

What was our ROI?

With this highly secure environment, we are able to maintain our production-level servers on-premises. We were planning to move them to the cloud for security, but with the implementation of Palo Alto, we were able to maintain them on-premises. We could create a considerable amount of production service, and thereby, we had a great return on investment through this.

What's my experience with pricing, setup cost, and licensing?

It is not that expensive. I would rate it an eight out of ten in terms of pricing. Other than the licensing, there are no additional costs.

Which other solutions did I evaluate?

We didn't evaluate anything other than FortiGate and Palo Alto.

What other advice do I have?

I would recommend this solution if security is more important to you. If the performance of the users is more important, I would not suggest Palo Alto. It gives more priority and weight to security. It has a complete security mechanism with AI, log-based analysis, etc. I would recommend it for higher cybersecurity and IT-related environments.

I would rate it a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ali Mohiuddin - PeerSpot reviewer
Security Architect at an educational organization with 201-500 employees
Real User
Provides zero trust implementation, more visibility, and eliminated security holes
Pros and Cons
  • "One of the key features for us is product stability. We are a bank, so we require 24/7 service."
  • "There are some advanced features that we aren't able to use, which include active IP authentication and App-ID. We are facing challenges with implementing those two features."

What is our primary use case?

On-premises, we used Cisco but replaced our core firewall world with Palo Alto because we wanted more visibility. Plus, we were looking for features such as IPS for PCI compliance. We wanted next-generation capability, but we had the ASA traditional firewall with Cisco, which doesn't do much, so we replaced it with Palo Alto. 

In the cloud, we use Palo Alto for the zero trust implementation. Initially, we tried to work with the Azure firewall, but we found a lot of limitations in terms of visibility. It couldn't provide us with the same visibility we wanted for Layer 4 and above.

The solution is deployed both on cloud and on-premises. The cloud provider is Azure.

We have about 6,500 endpoints in my organization and five administrators.

How has it helped my organization?

One of our key challenges was for the PCI, the new standard 3.1. There's a requirement that financial applications need to have some sort of zero trust architecture. They need to be completely segregated. We implemented zero trust using Palo Alto so that if we are within the same subnet within the network, we have protection.

The unified platform helps us eliminate security holes. We use another product from Palo Alto, called WildFire, which is basically sandboxing. We have layers of products. Because of WildFire, we're able to identify any weaknesses in the upper layers.

We give a copy of the same packet to WildFire, and this helps us identify things that were bypassed, such as malware or malicious files. It's especially helpful when we're transferring files, like on SMB, because it's integrated.

The unified platform helps eliminate multiple network securities, and the effort needed to get them to work with each other. It's a very good product for us because it fits well in our ecosystem. 

Our other vendor is Fortinet. Previously, we struggled with having multiple products. One of them was command-line based and the other one was web-based. The engineers would have some difficulty because not everyone is good with a command line platform. Palo Alto and Fortinet are both managed by the UI and they're very similar products. They work well with each other, so we use certain capabilities here and there.

For example, for some internet browsing, we generally have a separate solution for our proxy, but there are situations where we need to provide direct internet access to a particular server in a certain situation. The problem is when a particular product does not work with the proxy for some reason. This is where we use Palo Alto's web filtering. If we didn't have a solution that could do this, it would be difficult on our side because how can we provide direct access to the server without securities?

When browsing, the logs provide us with the required information. For example, we allow certain URLs to a particular server, and we have that data also. This goes back into our same solution. With Palo Alto, the connectors are built in.

Our Palo Alto Firewall has the zero-delay signatures feature implemented. For the IPS capability, we rely completely on Palo Alto. If we don't have this implemented and there's a new, ongoing attack, we will be exposed. We make sure there are controls on the policies we have on each layer.

Even if a patch is released for that particular issue, it would take us time to implement it. We actually rely on the network layer, which is our Palo Alto box, to prevent that in case someone tries to exploit it. In the meantime, we would patch it in the background.

What is most valuable?

One of the key features for us is product stability. We are a bank, so we require 24/7 service.

Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.

The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.

It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.

When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.

Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.

There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.

We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.

We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNS security.

Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIM solution. Having a single pane is also very good when we try to search or if we have issues or any traffic being dropped.

Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.

When we have to push configurations, we can push to multiple appliances at one time. 

Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.

What needs improvement?

We have had some challenges. There are some advanced features that we aren't able to use, which include active IP authentication and App-ID. We are facing challenges with implementing those two features.

Other products provide you with APIs that allow you to access certain features of the product externally with another solution. In the cloud, we have a lot of products that provide us with these capabilities, such as Microsoft. It has its own ecosystem, which is exposed through Graph API. I would like to have the capability to use the feature set of Palo Alto and provide it to another solution.

For example, if we have a very good system to identify malicious IPs within Palo Alto, we would like the ability to feed the same information into another product using the APIs. These are obviously very advanced capabilities, but it would be great if Palo Alto would allow this in the future.

For how long have I used the solution?

I have used this solution for more than five years. I'm using version 10.1.

What do I think about the stability of the solution?

It's extremely stable. We've used it on the perimeter and as a core firewall in our data center. In both cases, it's what we rely on today.

What do I think about the scalability of the solution?

The scalability is amazing. When you look at the data sheet, sometimes you'll find that the equipment won't perform well under the same load. However, if something is mentioned on the data sheet and you implement it, you'll find places where you have high CPU and high memory utilization. When you buy something, maybe it should be 50% load, but when you put it into actual implementation, you find out that the CPU and memory remain very high.

With Palo Alto, the CPU and memory are both intact. It's performing well under load. We have different timings where we have a large load and it goes down and then goes up again. In both scenarios, the product is very good. The CPU performs well. Especially during upgrades, it was very stable and straightforward.

We have plans to increase usage. We're doing a migration in the cloud right now, and we plan to move a lot of our services to the cloud. This is where we'll either add more virtual firewalls in the cloud or increase the size and capacity of firewalls that we have there.

How are customer service and support?

The technical support is great. We've faced very, very serious problems where our systems were impacted due to some reason, and they were able to provide adequate support at the same time. When we raised a P1, an engineer started to work with us right away. Some vendors don't touch the customer's product.

Palo Alto's support is great; they're willing to get their hands dirty and help us.

I would rate technical support nine out of ten.

Which solution did I use previously and why did I switch?

We previously used Cisco ASA. We switched because of the IPS for compliance, but there were other factors as well, such as usability. We didn't have enough engineers who were well trained on Cisco because it's a very traditional kind of product that's completely CLI driven. We only had one or two people who could actually work on it. Even though people understand Cisco, when we asked them to implement something or make a change, they weren't that comfortable. 

With Palo Alto, it was very simple. The people who knew Fortinet also learned Palo Alto and picked it up very quickly. When we had new people, they were able to adjust to the platform very quickly.

How was the initial setup?

It was straightforward for us. For the initial deployment, we had two experiences. In one experience, we replaced one product with Palo Alto. In that particular situation, we used a tool from Palo Alto to convert the rules from Cisco to Palo Alto. It took us around four or five days to do the conversion and verification to make sure that everything was as it was supposed to be. The cloud deployment was straightforward. We were able to get the appliance up and running in a day.

For our deployment strategy, when we replaced our core, one of the key things was if we wanted to go with the same zones and to identify where the product would be placed and the conversion. We tested the rule conversion because we didn't want to make a mistake. We took a certain set of policies for one particular zone, and then we did the conversion and applied it. We did manual verification to ensure that if we went with an automated solution, which would do the conversion for us, it would work correctly and to see the error changes. Once we applied it to a smaller segment, we did all of it together.

For the cloud deployment, we had some challenges with Microsoft with visibility issues. From the marketplace, we took the product and deployed it. We did a small amount of testing to check how it works because it was new to us, but we were able to understand it very quickly. The engineers in UA helped us because the virtual networking for the cloud is a little bit different than when it's physical.

We were able to get it up and running very quickly. Palo Alto provides a manual for the quick start, which we used to do the deployment. It was pretty straightforward after that.

For maintenance and deployment, we have two engineers working in two shifts. We have around 15 or more Palo Alto firewalls, so we can survive with six members. That's more than enough to handle operations.

What was our ROI?

We offer security services, so it's difficult to calculate ROI. But since we're an organization where we cannot compromise on security, I would say the ROI is very good. We don't have any plans to change the product since we moved from Cisco.

What's my experience with pricing, setup cost, and licensing?

The cost is much better. We've worked with multiple vendors, and Palo Alto is very straightforward. We've done many implementations with Cisco, and they kill you on the licensing. When you enable each capability, it costs a lot. They charge you for the software and for the capabilities. They charge you for the licensing. It's very complicated. 

With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it.

I work for an enterprise, so we have the topmost license for compliance reasons. There is an essential bundle and a comprehensive bundle for enterprises.

Palo Alto also has a security essential bundle, which covers everything that's required for a small organization.

The PA-400 series of Palo Alto is the smaller box for small businesses. The good thing is that it has the same functionality as the big boxes because it runs the PAN-OS operating system in the background. It's a very good product because it provides you with the same capabilities that an enterprise uses. It provides the same operating system and signatures.

It's also good for an enterprise because you get the same level of capabilities of the firewall. There are firewalls that are 20 times more expensive than this. However, on a small box, you have the same capabilities, the same feature set, and the same stability, so I feel it's a very good product.

Which other solutions did I evaluate?

We chose Palo Alto right away because we couldn't go with the same vendor, which was Fortinet. We needed a different vendor, and the only option left was Palo Alto.

What other advice do I have?

I would rate this solution nine out of ten. 

As a recommendation, I would say go for it. It's a very good product. With implementation, we looked at a lot of different processes that said they offered a lot of capabilities. We've used almost all of them, such as GlobalProtect, which is for the VPN capability, and site-to-site VPN. We have done all kinds of implementations and in most of the cases, it's pretty much worked for us.

At some point, you will have requirements where you have third-party vendors, or you have to integrate with a third party. With Palo Alto, you're safe no matter what. With other open-source solutions, they work but you'll face issues, and you'll have to step up your security. 

With Palo Alto, it's straightforward. You'll have adequate security, it works well, and you'll be able to work with other solutions too, create tunnels, and GlobalProtect.

There are people who utilize open source products also, and it works well for them. But if you're an enterprise that provides 24/7 services, it's better to go with a company that has the support and features that work. We don't have any challenges with it. 

This is very important because maybe you can get a cheaper solution, but stability and functionality matter, especially when we talk about zero-day issues every single day. This is where Palo Alto would be best.

Secondly, with new types of technologies, like with Kubernetes or microservices, it's better that you go with a company that's actually able to cope with all the technology changes that are happening in the background. If you have a multi-operating system, you'll notice that the signatures for the attack are different for different types of operating systems. 

For instance, if you have Linux, Windows, and Unix, you need a product that understands all the different types of attacks on different systems. I think it's better to go with something that's well supported, works well, and is stable.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Palo Alto Networks NG Firewalls Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025