Palo Alto Networks NG Firewalls Reviews

Some of my customers have Palo Alto firewalls, and the use cases include security policies, VPN connections, remote access, side-to-side VPN, and some user ID functionality. To solve these problems, I usually use the web UI monitor, system logs, end capture, CLI, etc. 

We don't have large-scale implementations in Poland as you'd find in Western Europe, but last year I did a big Palo Alto project with 20 Next-Generation firewalls and it was a success. We deployed eighteen PA 800 CVS firewalls for branch offices and a PA 52 series and NPA 5200 series at the data center. It was a high-availability model. The project was a migration from previously used Palo Alto firewalls, including the PA 500, 3000 series, PA 800 series, and PA 32 series. About 95 percent of our firewalls are on-premises, but some customers in Poland want to move to cloud solutions like Prisma Cloud. 

The most significant benefit is threat protection. Anti-malware uses signatures, so dynamic analyzers like WildFire are the best way to protect the company. It is a firewall based on application control, user ID, and security policy. We can use it based on user and application ID without a stateless firewall or TCPIP ports.

Palo Alto Next-Generation Firewalls have security functionality like a traditional IPS system. You can configure it to download new signatures from the threat intel cloud every five minutes. We also have data filtering, disk protection, SD-1, and machine learning functions. We only have one full working path on a Palo Alto Networks solution, but it is not a classic UTM. In a traditional UTM, checks occur in a series, but everything in Palo Alto Networks is inspected in parallel. 

The security features are the most valuable aspect of Palo Alto's Next-Generation Firewalls. It has all the typical static threat protection based on signatures and WildFire dynamic analyzers. I love this feature. Palo Alto Networks updates the signatures of global threats on the cloud every 60 seconds, so we are protected against the latest threats. 

It also has SD-1, but unfortunately, very few customers in Poland want to enable SSL decryption. From time to time, we have customers who want to test this. Machine learning is crucial to security features like anti-spyware and URL security profiles. Palo Alto was one of the first firewalls to have this capability. It helps us analyze real-time traffic using machine learning instead of signatures. Palo Alto has a better web interface than other firewalls I've used.

The DNS Security checks if your DNS queries are valid because infected computers try to connect to the DNS domain. We have this configuration to block access to the domain. We can use the application to block the DNS tunnel link. 

When we enable security functions like threat prevention, performance generally degrades, but this is normal. Of course, Palo Alto could always improve its security. 

I have been working with Palo Alto's Next Generation Firewalls for four or five years because some of my customers use them. 

Palo Alto firewalls are stable compared to Fortinet, Check Point, or Cisco. From time to time, the firewall is unstable, but that's related to the connection 99 percent of the time. I recommend doing a test with a resource monitor to see if the model is right for you. 

Palo Alto firewalls are scalable because we can find models suitable for any infrastructure in the company's portfolio. 

I rate Palo Alto Networks' support eight out of ten. I periodically have problems, but I typically try to resolve the issue myself. Sometimes I need to send a troubleshooting file to support, but that's rare. Palo Alto Networks provides us with lots of troubleshooting information we can use.

I worked with Fortinet and Cisco firewalls, like PEAK, FirePOWER, and ISA. I also used Check Point firewalls from time to time. I believe Palo Alto has the best technology in the world, and there is a significant demand for these solutions in Poland, so I want to be a person who can implement and configure this technology.  

Many customers think about security in terms of their entire ecosystem, so we have on-premises firewalls and Prisma Cloud, plus endpoint protection solutions like Cortex XDR. I have two customers in Poland who have WildFire in an on-premise sandbox. 

Before implementation, I have to prepare a technical project document containing information about what I will do on this infrastructure, like migration or something like that. I start implementation once the customer approves this document. 

Prior to the physical installation in the server rooms, I need to connect the management interface to the network to update the software and signatures. I have to perform tasks to prepare a device to work. Once I've configured the device, I can switch the firewalls from the current security setup to Palo Alto's firewall. 

It depends on the customer, but sometimes my customers want to enable dynamic protocols first, but they don't enable them. About 95 percent are in working route mode, but we have L3 interfaces from time to time. Generally, migration is simple because I don't use an expedition tool. I made some changes, switching the firewall from the older models to the new ones. After that, I used the optimizer to convert rules, including the TCP UTP power services. 

Then I enabled this project's network and security functions, like the aggregation interface and the trunk. I use aggregation interfaces with virtual interfaces, like the 802.1 queues, sub interfaces with VLAN, and DHCP server relay. I haven't used dynamic working protocols. I only used static working protocols, but maybe my customer will be ready for dynamic working protocols in the future.

The time it takes to deploy depends on the project. Usually, it's about two weeks for the basic installation. However, my current project took between one and two months. Some customers require a lot of other tasks, so the installation might take six to eight weeks.

I'm able to do everything by myself, but I have some problems with functionality every now and then. For example, I recently had a problem with the side-to-side VPN, but the configuration was okay. In the end, I found it was a problem with the internet connection, not the VPN. Initially, our internet provider told us that everything was okay on our networks. 

Unfortunately, Palo Alto Networks products aren't cheap, but you have to pay the price for good security technology. I don't know the exact price, but it's about $10,000 to $15,000 without a subscription. Cisco is priced similarly. FortiGate is inexpensive in Poland, so a lot of customers prefer that.

Though it's pricey, customers ultimately realize Palo Alto is the best security solution because it's stable and the network security functions are practical. Cisco has some problems from time to time, but I feel comfortable with Palo Alto Networks. 

I rate Palo Alto Networking Next-Gen Firewalls seven out of ten. I have to qualify that by saying that I probably don't know enough about Palo Alto Networks technology because we don't have advanced projects in Poland. I want more opportunities to develop my skills with this technology. I want to know more about Prisma Cloud and Strata products. 

Depending on the client's infrastructure, I would recommend a different Palo Alto firewall. I would use PA 220 or maybe a PA 420 maybe for a small office. These devices are for small and medium-sized businesses. We would use a 52 and a 54 series or a 7000 series for a large enterprise.

A VM deployment might be suitable for some security projects. We've even deployed Palo Alto in Polish government institutions. For example, I implemented a VM 500 security solution two years ago. This device works in high availability mode. I think VM is a good starting point for a customer. It allows them to try the security product, open the Web UI, etc. After that, we should develop a proof of concept test and show the customer how this device works on their infrastructure. 

I would recommend a Palo Alto firewall with next-generation security functions like IPS, and the ability to use user or application IDs. I will tell my customers about dynamic functionality and threat intelligence in the Palo Alto Networks cloud.

We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

Wildfire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

We have deployments in other campuses, as well.

As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

Overall, our experience with ProSys was good. We like working with them.

Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do but, I just want to make sure that from my university's perspective, we don't get stuck. If all of a sudden, somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

I would rate this solution a ten out of ten.

In our country, there are multiple use cases. Usually, it is for virtual cases or virtual environments and source areas.

The most valuable feature is threat prevention. SSL VPN is also very valuable. These are essential for our clients, especially for access to local infrastructure while preventing Internet threats.

Our clients can have a unified cybersecurity system if they subscribe to it. This firewall is an important part of access to any data center or branch office. They have site-to-site connectivity.

It is a good product, but they can add some functions for port scanning and network scanning. More network functionality would be beneficial.

I have been working with the new generation firewall from Palo Alto Networks for two years.

The solution is very stable and reliable. I have not experienced any outages or issues. I would rate it a ten out of ten for stability.

The solution is scalable if the right model is purchased. It is important to assess the infrastructure size before choosing a model.

The technical support is very good. They offer fast and competent assistance. I would rate them a ten out of ten.

Positive

Its deployment is easy. It takes two to three days.

The initial setup process involves basic and network configuration, security and policy configuration, and then getting the device to the client.

It does not require much maintenance. One person is enough for it.

Its price is quite high but is justified for the features and capabilities provided, although I would prefer a lower price.

If you have the budget, I would recommend using Palo Alto Networks NG Firewalls instead of other brands because they offer the greatest functionality.

I would rate Palo Alto Networks NG Firewalls a ten out of ten.

I use Palo Alto Networks NG Firewalls to handle my perimeter security, which is the most critical point of my network.

Layer 3 and Layer 4 are part of the core functionality of any firewall, but this firewall brings more information into the inspection via Layer 7. Thus, the entire threat landscape has changed for us as a company.

We can integrate all the Palo Alto firewalls to have a single insight experience across all firewalls.

On a major scale, Palo Alto NGFW can be helpful in eliminating some security tools. It doesn't eliminate all of our other security tools, but it does bring down the dependency on some tools.

Security and network performance are of equal importance to us. This solution doesn't compromise your network's performance for security, which is a good trade-off.

The most valuable features are application inspection and sandboxing. Application inspection decides where traffic is transmitted. If I have a perimeter report for a particular service, then other services or malicious services cannot use an open port. In this way, application inspection is doing a fantastic job. We also have a very good sandbox with almost no rate limit. It will inspect any file that comes in and goes out in a dedicated patch to identify malware. Therefore, these two things help me to protect our organization from any bad actors.

It is extremely important for me that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. The way that they handle the traffic is very useful for us. The firewall creates a benchmark of known traffic patterns that every endpoint would have using machine learning. Machine learning creates a baseline of how the traffic goes in and out. When there is a deviation in the normal behavior, it gives me a threat indication via a reporting feature that shows us how the current traffic has deviated from the usual traffic. This is a very good feature, which is important for my organization to have on a daily basis.

It gives me a better experience when handling security holes. 

Our upgrades brought some rule reviewing features by default, without having to depend on third-party tools to perform the rule reviewing. That has been a good feature.

I would like them to bring in some features that would encourage traffic shaping or bandwidth routing, like other UTM firewalls, because the solution should be capable of limiting the bandwidth for rules.

If Palo Alto Networks could bring in session tracking, like FortiGate, then we can remove another cybersecurity tool. If they could say "This is user-based, not IP-based," using user attribute-based rules, then that would be helpful for a small- or medium-scale company because they could use a single device instead of two or three devices.

I have been using it for four years.

The stability is very good. After the upgrade, every other process was smoother. We haven't often seen bugs or operational hazards in terms of the device. 

Scalability is always available. If you are ready to invest the money, then you can add another box. Every device has its limitations though. NGFW has its own limitations, where it cannot scale beyond a certain point. Those limitations have already been published and users need to be aware of them when they are planning to buy a firewall.

The size of my environment is 3,000 to 4,000 users. We are a larger organization with 60 to 80 VLANs. There are approximately 3,600 endpoints accessing them. Day in, day out, we have a lot of network access change requests coming in that need to be performed. 

In terms of maintaining the firewalls for our space and cost, there are about 15 team members. It is a huge environment with 10 different clusters of Palo Altos. From our operational perspective, we need 15 team members.

On a practical scale, it depends on the size of your organization. If it is a small organization, I think two to three members should be sufficient enough to handle the solution. When you have a smaller organization with a maximum of 20 different VLANs, where there is a size limit of 50 to 100 users/employees, then two or three members would be sufficient enough to handle it. However, it all depends upon the number of endpoints that are the nodes and how many nodes the firewall is protecting.

The technical support is good. I would rate them as 10 out of 10. 

They are able to support me and the issues that have arisen, which have been very minimal. For cases where we break something in the configuration or any bug that is out of control, they are good in understanding and analyzing our issues as well as providing a solution for them. That is why I rated them as 10.

Positive

The initial setup was straightforward, not complex. We migrated from a different vendor to this platform. We had our goals and objectives in front of us. So, we had a good project plan before migrating everything.

I have multiple clusters. For the largest cluster, the migration took three to four weeks.

We used an integrator for the deployment.

We are monitoring the metrics. We have certain metrics to find ROI, e.g., it could be zero-days, the number of inclusions that this solution has blocked successfully, or the amount of malware that it has stopped. We identify this information via the sandboxing feature, which determines what other normal firewalls would have let in. We consider the amount of data that we process and the regulatory fines that would have arisen, if not for this solution. That is how our return of investment is calculated.

If the cost is your main priority, Palo Alto would be a bit high. However, if you are ready to hear about return of investment, then I would convince you to go for Palo Alto.

I am using three or four firewalls from different vendors. I know their capabilities as well as the strengths and weaknesses of each vendor. 

We have evaluated different firewalls and found Palo Alto best suited for boundary networks. Fortinet handles our user-facing firewalls. Between FortiGate and Palo Alto, there is Cisco.

We did a SWOT analysis on all the firewalls. We determined the best firewalls based on their throughput and protection suites. For example, a user-facing firewall doesn't need to be jam-packed with security features. However, a perimeter firewall is between the trusted and untrusted networks, so more security features are needed.

We are using a different DNS Security solution, so we haven't used Palo Alto NGFW’s DNS Security.

Explore the features that the solution offers. There are a lot. If you can use the features to their fullest potential, that would be best. 

If you are just doing an L3 and L4 inspection, then Palo Alto Networks might not be best suited for that environment. If you are going to use the features of an NGFW, then I would tell you about the solution's features and return of investment based on what you are protecting. 

It is a data center firewall solution and a centralized management for remote office firewall solutions. We have 30-odd remote offices where we are putting firewalls in to replace the standard routers that we used to have. This solution will give us a little bit of routing and firewall capabilities.

We are deploying the PA-440 Series in our remote offices.

Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration. 

The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.

The firewall feature is great because we didn't have specific firewall capabilities beforehand. The anti-malware features and the ability to plug into our mail scanning are valuable as well, so we can share data between our email antivirus scanning solutions. That integration has been quite useful.

Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is another string to the bow of our layered security approach. So, it is important. It is not the big reason we bought it, but it is a useful component to our layered security approach. Security best practices push for a layered approach because there are so many different factors that you need to cover: 

• Email threats
• Malware
• Viruses
• Accidental human mistakes made internally to your network.
• Malicious humans in your network and outside your network. 

Therefore, a multi-layered approach really is a security best practice way of attacking security. You can't just worry about the parameter; you need to worry about what's inside your network and how things come in.

The key thing is that we don't have to try and play Whac-A-Mole. The machine learning-powered firewalls do that for us. As a recruitment company, we can never have the necessary technologies available to us to try and do this ourselves, so leveraging the machine learning power from Palo Alto reduces the risk for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is very useful. This prevents us from having to go to a lot of different systems, and in some cases, many different systems in many different regions, because we are a global company with 60 remote offices around the world in 30 different countries. Its centralized platform is really what we look for in all services, whether it be security or otherwise.

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

We started with a couple of firewalls about 18 months ago. We started them in our data centers and are just about to deploy them in our remote offices.

It has been very stable.

On the maintenance side, we haven't increased our team at all. One of the great things that we have been able to improve is the capability of our team without increasing the number of heads who are using Palo Alto.

It is scalable with what we need. I am not looking at thousands and thousands of devices, so it is well within what we need for our few hundred devices.

We often didn't deploy tools because it was too hard to try and manage them with our small team. This solution has enabled our small team to be way more effective than they were before. It gives us the visibility and control that we need.

We have a senior network administrator and about five operational guys. There are also some service desk-level guys and about 12 of them have visibility into activities, but they don't actually change things. Change control is quite closely guarded.

We have deployed the solution in a couple of data centers. We are deploying it across 30 offices this year and plan to do the next 30 to 30-ish offices in the next 12 to 18 months, as some of their hardware retires or has expired. We are not pushing it out too fast. We are going with the cadence of the business.

The technical support is very good. We had some nasty questions, but they were sorted out quite quickly. The problem that we had, because it was live, was it took us a little bit of time to deploy stuff. We also have a good relationship with their pre-sales engineers who offered advice and guidance, specifically as part of the deployment.

We previously had Cisco ASA Firewalls in some locations and Cisco Security PAK Routers in other locations that gave us a base level of firewall. So, we didn't previously have any next-generation firewalls. These are our first real next-gen firewalls.

We switched solutions because we didn't have enough of the network security covered. Also, we wanted centralized visibility and control, which was key for us.

When we did some red team testing, we found that there was a way to get some data out through our existing DNS environment. We knew we had to fix the centralized DNS management, visibility, knowledge of the DNS queries, and the visibility of the DNS queries as a result of some testing that we did. Whereas, before they were all geographically disparate, having a centralized place to look at to be able to do some analysis and visibility really are the key things for us.

The initial setup was not simple, but it is simplified. What was really good was the free training beforehand. As an architect, I don't get my hands that dirty, but I was able to go through a number of the free courses beforehand, or workshops, that were done online. Their training platform was very useful in helping me get an understanding of the product and how we would deploy it in our own environment. The actual deployment, as with anything network-related, is fairly complex because we have a very connected network with a lot of different entry points. While it takes time, it was very useful to get the training beforehand.

The deployment took about three months, but it was in the midst of a data center migration. It probably only took us a month to deploy it properly, but then we had to migrate services over, which took another six months. Again, this was part of our data center migration project. To actually get the solution installed was very quick, it took only a couple of days to get it up and running. However, to move services onto it, you need to be a bit careful when you start to move the live services onto it.

Our implementation strategy was really focused around our data center migrations and moving stuff out of one data center into another. As we moved services from one data center to the other, we brought them onto Palo Alto's in the new data center rather than onto the existing old routers and firewalls. So, it was really governed by the business, applications, and what we could move when.

We used Palo Alto directly for the deployment. Our experience with them was great.

To deploy it, we didn't employ any more staff. We did send a few people out remotely. With COVID, travel is a little bit tricky. So, we have some remote agreements with some suppliers who will go out for a day, plug a device in, and help us with the initial out-of-the-box config. That is normally two to three hours per site that we have to do, which is what I would expect from this kind of device.

Look at Palo Alto because it is a bit modular, so you can take the components that you need when you need them. You need something that will do the job. It doesn't matter if it's cheap and fast, if it quickly lets through vulnerabilities. You need something that will be reliable.

We were very happy when they released the PA-440s. Previously, we had been looking at the PA-820s, which were a bit of overkill for us. Price-wise and capability-wise, the PA-820s hit the nail on the head for us.

Go for a three-year deal, then Palo Alto will bring in some discounts. We also deployed them as HA Pairs to make sure we had resiliency.

We looked at Cisco and Fortinet. The reason that we went with Palo Alto was they were fairly cost-effective. They were also a bit easier to manage. The central management and control of Palo Alto was a little bit nicer than the Cisco side of things. I think everyone achieves the same things in slightly different ways. The way Palo Alto achieves their centralized management and control resonated a bit better with us and our requirements.

We haven't actually deployed Palo Alto NGFW’s DNS Security yet, but we will be doing that.

It is great that 100% of the tested attacks were blocked in the NSS Labs Test Report from July 2019 about Palo Alto NGFW. It is a great story, but I never trust 100% because that's why we have layered security. However, it definitely provides a great level of comfort in our security structure.

I never give anyone a 10, so I will give the solution a nine (out of 10).

Palo Alto Networks NG Firewalls are our perimeter firewalls that protect the network from external attackers. They provide visibility into network activity, from layer four to layer seven, including application visibility, user awareness, and content awareness. These features are crucial for any network and organization, regardless of size, whether it's 20 users or two million users – they all need a firewall.

It's crucial that the entire cybersecurity landscape shifts from traditional methods to artificial intelligence and machine learning. When vendors stay current with emerging and future technologies, they're better positioned for success. This proactive approach ensures they remain relevant and effective in the ever-evolving cybersecurity space.

Palo Alto Networks NG Firewalls helped reduce our downtime.

The most valuable features of Palo Alto Networks NG Firewalls are DNS sync calls, enabled security features, and Wildfire.

The machine learning component on the firewall level requires more computing power to perform at the full production level. Therefore, the ML is currently providing partial real-time attack prevention.

In large data centers, enabling multiple features, such as SSL decryption, can lead to performance degradation. This is especially noticeable in Palo Alto firewalls when SSL inspection is enabled. Ideally, this shouldn't happen. To address this, enterprises are often forced to upgrade to higher-end models, which is unnecessary. Palo Alto needs to address this issue. When performance degrades due to full packet inspection, the solution should be to increase the computing power within the same firewall, not to recommend upgrading to a larger, more expensive model. Performance issues during full inspection need to be resolved without requiring hardware upgrades.

The technical support has room for improvement.

I have been using Palo Alto Networks NG Firewalls for five years.

I would rate the stability of Palo Alto Networks NG Firewalls six out of ten. After the upgrade, we are experiencing performance issues. Occasionally, we need to reboot the firewalls to refresh and recreate sessions. Gradually, performance returns to normal. Immediately following the upgrades, performance and utilization spike significantly.

I would rate the scalability of Palo Alto Networks NG Firewalls eight out of ten.

We previously used Checkpoint firewalls, but the performance was subpar and lacked an available interface. In contrast, Palo Alto Networks NG Firewalls offered more interfaces.

The initial deployment was not complex but we did face some issues with respect to dynamic routing configurations.

We used a third-party for the deployment.

We have observed an average return on investment from Palo Alto Networks NG Firewalls.

Palo Alto Networks NG Firewalls are expensive. The total cost of ownership is high.

I would rate Palo Alto Networks NG Firewalls six out of ten.

For those looking for the cheapest NG firewall, I would recommend Fortinet.

We deployed a total of four Palo Alto Networks NG Firewalls, two in the data center and two in the data recovery center. We have a total of 1,800 endpoints in our organization.

Frequent updates necessitate regular maintenance, which requires a team of four people.

Before purchasing, conduct a proof of concept to verify functionality, alignment with use cases and organizational requirements. Validate hardware compatibility and ensure correct sizing. Opt for direct Palo Alto OEM support instead of partner-enabled support.

We use the solution to filter out the traffic from our internal networks, not a public-facing network.

The predictive analytics and machine learning for blocking DNS-related attacks keep track of IP addresses and DNS names from other countries requesting access to our resources. The solution helps us identify any malicious activity and maintain our network safety. We first check the DNS issue and put it into the blacklist. If we get a similar DNS issue from another country in the future, we block the IP range altogether.

Apart from traditional technologies, we have been relying on signature-based identities. For example, we have been following up on what is in the data system and the firewall. These systems can only detect what has already been returned by the data system. If any security vendor does not update its databases or firewalls, or if its upgrades or firmware are not up to date, then malicious attacks can occur. The advantage of Palo Alto is its real-time analysis, as opposed to traditional methods that use signatures. Palo Alto Network NG Firewall has come up with some great behavioral analytics and the Wildfire feature, which helps organizations stay safe from false positive notifications or alerts.

The unified platform helps eliminate security gaps. We had certain servers that we hosted with open ports and we needed to ensure that these ports were closed. When we first set up the solution in the production environment for testing purposes, we detected traffic coming from ports on the server that had not been identified by our previous firewall. Palo Alto Network NG Firewalls uses all of its resources to detect security threats. The solution helps our organization close security vulnerabilities, Palo Alto Network NG Firewalls provide us with the instruments we need to complete our job. 

The unified platform helped eliminate multiple network security tools and the effort needed to get them to work together. We need to be able to detect the type of traffic being generated from which applications are on which systems and by which users. This will help us identify which IPs are making the requests. Previously we had to rely on multiple tools to collect this information. Palo Alto Network NG Firewalls also provide one graphical interface to display all the information. The solution simplified the process by dropping two to three tools and giving us a clear view of some first-hand data, especially data that has been preliminarily investigated in the case of cybercrime, which is essential.

Security is our primary concern which we build our networking concept around and networking is secondary. We have a single sign-on agent and a dedicated service to run the firewalls. Our architecture is set up in a way that, if a DDoS attack occurs, all the traffic would go down and we have to be prepared. When we consider both the network and security features, we are more inclined toward the security side. Our clients are usually understanding if the downtime is only two to ten minutes and we can recover quickly. 

There are no actual delays happening on the side of setting the solution up because we have all the resources documented on YouTube and on the website itself. We haven't experienced any delays in identifying and collecting the documents or installing the server. However, once we began the onboarding process, some technical issues arose. We forgot to include a customer's request for support from Palo Alto and as a result, the customer executed support themselves either through our website or a call, but a customer service agent acknowledged and resolved the request quickly. Because of that issue, we have been able to allocate adequate resources for implementation. We feel as if we are receiving premium service.

The most valuable features of Palo Alto Network NG Firewalls are policy editing and rule assigning for firewalls, as well as Wildfire. The solution does a great job of identifying malicious items and vulnerabilities with URL filtering. When combined with Fortinet, we have instant results.

Palo Alto Network NG Firewalls is doing impressive work with its AI technology, which is important to our organization. I have forwarded the papers to the director board in a recommendation to make the solution public-facing. We are considering using Palo Alto as an internet-facing firewall for our next project because the solution is an excellent firewall appliance with impressive features and a great UI.

The user interface can be significantly simplified. The dashboard and other features can be more thoughtfully designed. We get all the data in a single dashboard, which gives us additional insights. However, it takes time to sort it all out so it's easily accessible. If the data can be presented in a more graphical and structured way, it would be more helpful.

I have been using the solution for eight months.

We have had a very minimal number of false positives with the solution and it has been very stable. There have been no issues with the firewall itself. In the previous case, we had a lot of tension between the firmware update and the customer service department. This was due to the system working itself up. We had absolutely zero capability issues.

The solution is scalable with the Azure environment. I believe it is scalable because we have many data connectors. We were able to speed up the process within the hybrid environment.

We had some technical support from Palo Alto at the time of installation.

Positive

We have been using the FortiGate firewall for almost 20 years in our environment, but we recognized the Wildfire feature and some of the AIM firewall systems. FortiGate is not a next-gen firewall. Other applications such as Gartner insight offer better connections and recommend a firewall, similar to Palo Alto Networking NG Firewalls, for better application performance. We procured the solution and we have been testing it. We don't like to put all our eggs in one basket. We need multiple firewall solutions to connect with our environment. If one fails for any reason, we can have the second one take over the job. We have servers hosted in the cloud environment and each server has a different firewall installed. If we lose our connection due to a firewall issue, a firmware issue, or if Fortinet couldn't detect malware or a zero-day attack, we would be out of luck without Palo Alto Networks NG Firewalls. We are considering utilizing both solutions to best suit our needs. 

The initial setup is straightforward. Depending on the resources and skill set of the network engineers the deployment should take between 15 and 20 minutes.

The solution provides good protection and is worth the price.

The only additional cost to our organization comes from having to train our engineers on the proper use of the solution.

I give the solution an eight out of ten.

We have two network administrators, which have been working on the design end, three analysts working on the system itself who are continuously monitoring the firewall status, three cybersecurity engineers, and two network engineers to deal with the networking concepts and any delays with the networking protocols. We also have three cybersecurity engineers to follow up with the monitoring, checking the security incidents, and responding. In total there are five users administrating this firewall on eight servers. The firewall acts as a router, filtering the packages between five servers on the other side. This provides an eight versus five network filtering job. The firewall is not public-facing. We are utilizing it to filter up the data, and packets of files, which are moving between the load balances.

We have an environment for production and for development. The development environment is for scaling our application. The production environment goes to the public, and we have a staging environment for testing our application. We have a joint venture with our clients, which we call UIT. This joint venture helps to reduce costs and create an environment that is beneficial for both our clients and us. We only use our staging environment occasionally, whenever we need to push something new to our service for testing purposes. It will be used around two to three days a week, or twelve to fifteen days a month. We are underutilizing the solution currently because we have only completed five percent of the development. We have analyzed the cost and are trying to procure the solution in our live environment.

The cost of security can be expensive when we analyze new technology and the need for new technologies to cover emerging vulnerabilities and malicious acts. I recommend Palo Alto Networks NG Firewalls because most of the colleagues in our environment, such as Cognizant, Deloitte, and many other IT companies use Palo Alto Networks NG Firewalls. 10 to 12 years ago, Fortinet was the leading security solution that most people were using followed by Cisco Firewall. Presently Palo Alto Networks NG Firewalls provide the most value from a security solution, such as the detection of vulnerabilities and malware, in a cost-effective way. 

Apart from the standard features of any firewall system, Palo Alto Networks offers some additional benefits that make it worth the price. These features include URL filtering and deep packet inspection, with the best feature being Wildfire. I recommend the solution.

I mainly use Palo Alto Networks NG Firewalls as the firewall device, and I deploy it at the perimeter of the networks to secure our infrastructure.

By implementing Palo Alto Networks NG Firewalls, we mainly wanted web security and protection from DDoS and other attacks. We also wanted to provide a VPN solution so that mobile users could work from anywhere.

Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. This is very important because with a single box, we can enable multiple security features and have web security, application security, and network security. It works on OSI model layers one to seven. It provides end-user security and enables us to allow any URL, website, or application for a user.

Palo Alto Networks NG Firewalls provide VPN solutions. With site-to-site or remote VPN, anyone from the organization can work from anywhere in the world. They only need Internet connectivity on their devices to connect to our enterprise network and access the required resources. It supports secure remote work through VPN connectivity.

Palo Alto Networks NG Firewalls are effective in preventing attacks by blocking abnormal behaviors. It detects any anomalies using signature-based detection and automatically alerts administrators. Palo Alto Networks NG Firewalls have machine learning embedded in the core to provide inline, real-time attack prevention.

We can use Palo Alto Networks NG Firewalls for securing data centers consistently across all workplaces, from the smallest office to the largest data centers. We can deploy the firewall anywhere based on business requirements. We can use Palo Alto Networks NG Firewalls at a broad level to secure our data center. Within the data center, we can also segment the network and deploy the perimeter firewalls between different departments. For example, if a salesperson is communicating with the database team or marketing team, the traffic has to pass through the firewall. The firewall inspects the behavior. If an internal employee is trying to delete a database file, the action will be prevented at the application level.

The solution provides web security, application security, and network security. We have app security, app gateway, and app ID. There are multiple models.

Palo Alto Networks NG Firewalls should be more flexible and user-friendly. 

There should be more comprehensive documentation, case histories, and technical training on new technologies available on their portal. It will help us with troubleshooting.

I have been using Palo Alto Networks NG Firewalls for ten years.

Palo Alto Networks NG Firewalls are very stable. I would rate Palo Alto Networks NG Firewalls a nine out of ten for stability.

Palo Alto Networks NG Firewalls are highly scalable, allowing deployment in various modes, including virtualized, cloud, and bare metal. We are using it at multiple locations.

I would rate Palo Alto Networks NG Firewalls a nine out of ten for scalability.

Palo Alto's tech support is fine. They are proactive, responsive, and effective in logging cases and troubleshooting.

Positive

We previously used Cisco ASA and switched to Palo Alto Networks NG Firewalls. It is very fast. We are not getting any latency. Palo Alto Networks NG Firewalls have a unique vertical packet inspection feature. It checks all parameters in a single shot, which makes it fast. Other firewalls, such as Check Point and Cisco, do the inspection horizontally, so there is a delay.

We have on-prem, hybrid, and cloud deployments. We have deployed Palo Alto Networks NG Firewalls on the AWS platform.

The initial setup was a bit complex initially, but with experience, it has become straightforward.

It does require maintenance. There could be a hardware fault. This is why we recommend deploying them in an HA environment.

I did the implementation myself. We have a team of five people.

For maintenance, one person is usually enough, but if you have multiple firewalls, you might require more people.

Everyone has different requirements. Palo Alto Networks NG Firewalls are a good and stable choice. They also have solutions for medium-sized enterprises. I would recommend trying Palo Alto Networks NG Firewalls.

Overall, I would rate Palo Alto Networks NG Firewalls an eight out of ten.