Palo Alto Networks NG Firewalls Reviews

Palo Alto Networks NG Firewalls are being used for cloud security in our organization. Along with that, we have implemented SD-WAN, secure access, and XDR. These are the primary firewalls that we have in place.

Essentially, we have almost all of their products across their three suites.

The previous brand we used had a steeper learning curve for our engineers and analysts compared to Palo Alto, which is easier to use. 

We also have an excellent partner in Costa Rica who works with Palo Alto's team there, providing valuable support. Overall, our experience with Palo Alto has been very positive.

Some of Palo Alto Networks NG Firewalls' valuable features are their powerful capabilities and user-friendliness. 

Our security team has found it easy to learn and obtain the necessary certifications and training from Palo Alto.

Overall, we have had a very positive experience with this suite of solutions, including the training they have provided us.

We like the Palo Alto ecosystem and how its different suites of products integrate seamlessly. 

The sharing of information has enhanced our security posture as a company. Overall, our experience with Palo Alto has been very positive.

I believe that It is important that the firewall integrates machine learning to take advantage of all the information that is available, all the data that is available.

You have to integrate machine learning AI and things like that to be able to be a step ahead of the hackers.

Using Palo Alto Networks NG Firewalls, we have experienced zero downtime.

The solution is user-friendly, which is important as it allows us to concentrate on other essential aspects of the company rather than spending time and effort maintaining the solution.

The level of control and granularity in terms of rule customization could be enhanced. However, compared to our previous solution, Palo Alto provides much better drill-down capabilities.

It is a solid solution.

We have been using Palo Alto Networks NG Firewalls for six years.

It is a very solid, stable solution. We haven't had any issues with it, you know when we have to do updates there are no problems whatsoever. it's a very good solution.

Scalability is an important issue. It is very scalable.

We are currently protecting around 11,000 endpoints.

In my experience, I would rate the technical support a ten out of ten.

They are excellent.

Positive

Initially, I was involved in the setup, but then other team members took over and completed the work. In the end, we reviewed and went over the setup together.

We had a lot of support from their local partner So it was very straightforward at the time.

I didn't come across any significant issues, but as engineers, we are always prepared to face challenges. 

Nowadays, nothing works as simple as plug-and-play like it used to be. However, we try to reduce the likelihood of issues as much as possible by working closely with project managers and performing thorough preparations beforehand.

Before doing the implementation. It was okay.

I believe we have seen a return on investment.

The time we used to spend on various tasks previously has significantly reduced with the implementation of Palo Alto Networks. 

The system is very reliable with no downtime, providing us with a sense of security that is important in cybersecurity.

The price of Palo Alto Networks NG Firewalls is high, but it is worth it if you have the budget for it. 

Budget is always an important factor in decision-making, but it was within our budget, and we were impressed by what we heard, tested, and experienced with Palo Alto.

It is difficult to know and assume the thought process of others. If they have budget constraints, there may be other manufacturers with a lower price point that would be a good fit. We try to evaluate from different angles, not just the budget, but also the technology and how it will fit with our needs. We look for strong capabilities where necessary, such as with Sophos and WatchGuard for smaller companies.

It can be difficult to know the thought process behind a company's decision when it comes to choosing a firewall solution. Budget constraints may play a role, and there are other manufacturers that offer lower price points, which can be a good option. However, it's important to consider technology and how it fits with the company's needs, as well as the strength of the solution. 

Smaller companies like Sophos and WatchGuard also offer solid platforms, and they may be a good fit for those looking for a lower price point. Ultimately, it's important to assess what's important for the company and find a solution that fits those needs, both in terms of functionality and price.

Our process for evaluating firewall solutions usually involves consulting Gartner for their feedback, having sessions with our analysts, and focusing on the leading firewall manufacturers.

We evaluated several firewall manufacturers, including Check Point and Fortinet, but ultimately, we as a group decided that Palo Alto was the best fit for us. 

The decision was not solely mine but rather made by our managers based on the evaluations and presentations given by each vendor. 

We were particularly impressed with Palo Alto's presentation and even visited their headquarters located south of San Francisco. And we just felt comfortable, and it was a good decision.

The RSA sessions have been very informative and enjoyable. Today is actually my last day at the expo, and I've been visiting some of the manufacturers that we already work with as well as some that I want to learn more about. Overall, I think it's been a great experience.

From an engineering standpoint, the expo is a great opportunity to connect with knowledgeable people beyond the marketing façade. It's worth investing time to engage with them, learn about their products and solutions, and find out what they're working on and what's upcoming.

Attending RSA has had a significant impact on our company's cybersecurity purchases for the next year. In fact, I am here with two other colleagues who are actively researching and taking notes on various companies and their offerings. They are gathering valuable information to inform our future purchasing decisions.

We've been coming here for many years now, and we'll not come back. It's a good place to get up to date on what's happening.

I would rate Palo Alto Networks NG Firewalls a ten out of ten.

As a Security Engineer, I use this solution for protection. I put in additional rules and also use the solution for forensic investigations and to look at traffic logs.

I like that Palo Alto Networks does a good job of keeping the firewall updated with the latest threat signatures.

We use Panorama, so we're able to manage an entire array of firewalls in one console. It's really useful because we can make one change and deploy it to all of our firewalls.

Palo Alto Networks NG Firewalls do a great job at providing a unified platform that natively integrates all security capabilities. For example, we can easily export our firewall logs into our SIEM. We have so many tools to manage that having a unified platform makes our job easier.

This firewall is great at securing data centers consistently across all workplaces.

We have high availability, and Palo Alto Networks NG Firewalls helped reduce downtime.

The performance of the Panorama interface needs to be improved. It tends to be very sluggish at times.

I've been using Palo Alto Networks NG Firewalls for five years.

I have not heard of any complaints or issues regarding the stability of the firewalls.

We can easily add nodes into Panorama with no problem. As such, scalability is not an issue. We have an enterprise environment with approximately 15,000 users in multiple countries.

I haven't had to call technical support, but my colleagues have. They've always spoken positively about the experience and would probably rate the technical support an eight out of ten.

Positive

My organization used Cisco Secure Firewall ASA and switched to Palo Alto Networks NG Firewalls because Cisco was lagging behind in many features. For example, the management interface on the ASAs was awful compared to that in the NG Firewalls.

We have absolutely seen an ROI in the fact that we haven't ended up in the news. We can look at any time and see all the threats that have been stopped by Palo Alto Networks NG Firewalls.

If you are looking for the cheapest and fastest firewall, I would say that it's a risky angle to take. Security costs money, and you'll get what you pay for.

The benefits I receive from attending an RSA conference are networking, meeting people and having conversations face-to-face, making contacts in the industry, getting suggestions about products, and attending briefings about specific products.

Also, attending RSAC can have an impact on your organization’s cybersecurity purchases because you may find out about products that you hadn't heard of before.

Overall, I would rate Palo Alto Networks NG Firewalls an eight on a scale from one to ten.

Our primary use for the solution is as a perimeter device and firewall. 

Suppose a packet enters our organization with a new, unknown signature. In that case, the firewall can upload it to the primary database and generate user alerts to inform users of the malicious signature, blocking it if necessary.

The solution's most valuable feature is the robust firewall, which we can also use as a UTM device. 

The Wi-Fi analysis and zero-day threat prevention are very good features. 

The product defends our production, blocks files, and prevents data leakage. It's a complete package for advanced security, which is excellent for a firewall.

It's beneficial and vital to us that Palo Alto NGFW embeds machine learning in the firewall's core to provide inline, real-time attack prevention. Suppose it observes any abnormalities in our traffic. In that case, the product can detect that through machine learning and generate a lock so we can mitigate an attack or a vulnerability in the system.   

Palo Alto NGFW's machine learning works well to secure our network against threats that can evolve and morph rapidly. A particular strategy we encounter on our system is when a packet comes in and behaves abnormally. Palo Alto detects the abnormality, generates an alert, and responds based on our policies by blocking or discarding the package.   

We use the firewall's DNS security, and it's excellent for blocking DNS attacks thanks to the continuously updating Palo Alto threat database. For example, the product blocks users from accessing sites with a known malicious DNS.

The price could be more friendly, which would be good for Palo Alto and us. If the price were a little lower, then it would be a viable option for mid-level businesses, who may not be able to deploy at the current price point.

We've been using the solution for one and a half years. 

The solution is very stable and robust. 

The product is scalable and very easy to configure; we enjoy the configuration and operation of the firewall. 

We contacted Palo Alto technical support on several occasions, and they're excellent; they always try to resolve our issues as soon as possible. 

Positive

We previously used Cisco ASA and Check Point NGFW and switched to the Palo Alto solution because it offers more robust and complete protection and features.

The initial setup is straightforward, and it depends on the network configuration. If we want to make few network changes, we can deploy the firewall in Virtual Wire mode, and we don't have to mess with IP addresses and so on. If we want to deploy with a new configuration, we can do that in Layer 3 mode.

If we upload a pre-planned configuration to our network firewall, the deployment can take as little as 10-15 minutes. We have a team of nine engineers responsible for daily policies, troubleshooting, etc.

We deployed via an in-house team; we have a big team, so we deploy ourselves whenever possible.

The solution is worth the money for organizations operating in critical environments with lots of sensitive data and information. Data leaks can lead to broken trust with clients and a suffering reputation in the business community, including brand damage.

Palo Alto NGFW is relatively expensive compared to the competition.

I rate the solution 10 out of 10.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is an important feature. It provides a robust kind of security counter at the perimeter level.  

The solution's unified platform helps eliminate security holes. For example, the firewall can easily block attempted SQL injections with the help of App-ID. 

Palo Alto NGFW's unified helped to eliminate multiple network security tools and the effort needed to get them to work with each other. The solution provides vulnerability assessment and protection, antivirus prevention, data leak prevention, file blocking, site blocking, and application blocking, all in one product. It's an excellent firewall device and very useful for our network. 

We have the zero-delay signatures feature implemented with our firewall, and it's essential because attack signatures are updated immediately. Attackers are trying to find new ways to harm our network daily, and the zero-delay feature makes it so that the network is updated in seconds, and the first user to see a new threat is the only one to experience first exposure. This functionality improved our security.   

To a colleague at another company who says they are looking for the cheapest and fastest firewall, it depends on their environment. I recommend Palo Alto or Check Point if they are a financial institution. If they are a mid-level non-financial institution, I recommend Cisco Secure Firewall because it's also a good firewall.

To someone looking to use Palo Alto NGFW for the first time, analyze the packet flow of your organization and understand which types of packets you're getting and which type of services you are providing in your data center or enterprise. Multiple data centers require a high security level, so I recommend activating the Layer 7 feature.

The biggest lesson I learned from using the solution is the importance of following all the steps in the operation manual when upgrading or updating. 

It is on-prem. We wanted to implement a multiple architecture for our network security. That is why we looked at the Palo Alto product. It is famous for its multi-layer security architecture and firewall.

There are five users: two senior expert administrators and one junior administrator from our data center team and two security engineers from our security team.

It has a solid network security with some robust tools. We can block unexpected attacks, especially zero-day attacks. Since they use the Pan-OS engine, they can collect attacks from all over the world and analyze them. They can then protect against zero-day attacks and unexpected attacks.

There are regular signature updates. You are filtering your objects from external sources. It has also helped to prevent external attacks more quickly. We have the solution enabled to prevent SQL injection attacks.

Palo Alto blocks loopholes where we cannot fix all our vulnerabilities, providing protection.

With secure application enablement, we can protect against application ID. 

Another feature is its malware detection and prevention. DNS Security filters URLs, blocks malicious domains, and provides signature-based protection. They also have Panorama security. We prefer Palo Alto Networks for our parameter security because of these features.

It is not like a traditional firewall. It has sophisticated technology that uses machine learning against cyber attacks, preventing them.

The DNS Security feature is capable of proactively detecting and blocking malicious domains, which are a headache because you can never filter enough. Malicious domains increase in number everyday. That is why using machine learning is a perfect solution for preventing these types of malicious domain attacks.

We don't have to use other advanced technologies due to the solution's UTM capabilities, such as antivirus, anti-spam, and anti-spyware.

With its single-pass technology, the firewalls are capable of analyzing SSL traffic using less CPU and memory.

I would like them to improve their GUI interface, making it more user-friendly.

I would like the dashboard to have real-time analytics.

We have been using it for almost three years.

Compared to other solutions, it is very stable.

The technical support is perfect. I would rate them as nine out of 10.

Positive

Before 2008, we used only core firewall architecture for our network. Then, we needed to enhance our security as we moved toward the cloud. We needed to protect our network from external threats so we decided to go with multi-layer architecture. 

We use several products: Palo Alto, Checkpoint, and three products. Among those products, Palo Alto's performance and product security features are very good. 

We only used Juniper firewalls for our core Firewall. We switched because we wanted to move to a multi-layer architecture.

The initial setup was straightforward. The initial configuration took one to two hours. You need to configure the policies and features. Since we had to do performance tuning, it took us two to three weeks.

It is very easy to deploy. It needs two network engineers.

It is a good investment with the five-year extended support. You don't have to pay any additional costs for five years. You also save on costs because you don't need to purchase other products or technology to manage attacks. That can all be done from Palo Alto. We have seen a 20% to 30% return on investment.

Compared to other products, the pricing is flexible and reasonable. 

We did a PoC with several products, then we selected Palo Alto for its enhanced security features and multi-layer aspects. We also selected it for its speed and performance. Performance doesn't slow down when analyzing SSL traffic.

We are currently using a single firewall architecture. Next year, we will probably move to a dual firewall architecture.

I would recommend Palo Alto Networks NGFW, especially for parameter-level security.

I would rate the product as 10 out of 10.

We use the solution for IPS. Palo Alto's firewall is really good compared to firewalls like FortiGate, Cisco, or any other competitor.

We're able to monitor traffic based on the source destination and geolocation. The firewall allows us to restrict user access. For example, we have restricted user access to the chat feature on Facebook.

There are about 170 total users on the client side. On the administrative side, we have two or three people.

We're using version PA-200. The solution is deployed on-premises.

We reduced access to unwanted websites by 80%. It allows us to optimize user efficiency. For example, I have restricted the calling feature on LinkedIn, so people can still use LinkedIn, but they aren't able to dial out or receive calls.

We restricted social media sites so that only basic features can be used. The monitoring functionality allows us to see which users are using which websites,  the frequency, and the level of usage. It improves the network monitoring in our organization and gives us the required control level to restrict user access.

Palo Alto Next-Gen Firewall has Panorama, which is a unified platform that natively integrates all security capabilities, but I haven't worked with it yet.

The unified platform gives us more visibility and restricts unwanted guests and unwanted traffic. It gives us more insight into network traffic so that we can analyze it.

It helps eliminate multiple network security tools and the effort needed to get them to work together. Previously, I used other network monitoring tools for bandwidth monitoring. Now, the security features and wireless detection are in a single platform, so it definitely reduces the need for multiple platforms.

It has affected our network operations and network-related costs, but it's not the main benefit. The main benefit is the visibility and not having to maintain or manage multiple platforms. It's a bit costly because it has a lot of features, and each feature has a cost. It's important to do a cost-benefit analysis and know the requirements of your organization. We don't have to manage five to seven platforms and we're getting all the information in a single platform, so we can compromise a little bit on the cost side.

The packet level inspection is the most valuable feature. The traffic restriction features allow us to restrict the sub-features of any platform.

I really like the security aspects. That's why it's highly rated on Gartner. The antivirus definitions, updates, and malware detection are pretty good.

It embeds machine learning in the core of the firewall to provide inline real-time attack prevention, which is a very nice feature. It's part of the add-on services subscription. The autonomous behavior toward malware and potential risk is pretty good. 

Machine learning is really good to have. We received some false positives with machine learning, which was the main problem we had with it.

It's very important to me that the solution integrates natively with security solutions. Inside attacks are very rare. Most attacks are generated from the outside or from a public site, so having Palo Alto is really important on a public site.

Palo Alto is like Microsoft. It has varied features, but it's too technical. A lot of the features could be simplified. The procedure, process, features, and usability could be more simple.

It's too complex and sometimes the process to implement a single thing is hectic.

I have been using this solution for about eight months.

The solution is stable.

It's scalable. If you use the virtual solution, you may need to change the subscription.

I haven't directly worked with Palo Alto's technical support, but their community logs have been really helpful and we can find the answer to almost anything. The documentation is good.

We previously used Fortinet and Cisco.

We switched to Palo Alto because it's an all-in-one solution. We were attracted by its level of detection, level of monitoring, and level of packageable inspection.

The setup is straightforward. Deployment took a week. 

I haven't used it inline directly. First, I did a port mirror. Once I was fully satisfied with the level of detection, I put all of my traffic through it.

We use two or three administrative staff for maintenance. 

The price is high.

We evaluated other features, but we chose Palo Alto early on in the process because of the features and usability.

I would rate this solution an eight out of ten. 

In terms of a trade-off between security and network performance, I would rate it more toward network security. We have a lot of other alternatives for monitoring but not for the security side or antivirus detection.

I would highly recommend Palo Alto. If you want a cheap solution, I would recommend Sophos. But if someone is looking for real-time protection, I would suggest that they go with the virtual instance of Palo Alto, which is PA-200 VM, because it simply fulfills our requirements.

For personal use or SMEs, the price of PA-400 is high, but the security and performance are worth it.

I'm working in a company that focuses on giving support to different enterprise companies. We help customers with a virtual environment as well as on-prem firewalls.

Before the COVID situation, most of the firewalls were on-prem firewalls, and during the pandemic, there were a lot of problems trying to deliver the firewalls and put them in place. It was taking a lot of time. So, most of the customers have taken a virtual approach for that. A lot of customers with on-prem firewalls are going for a virtual approach.

We are using the most recent version of it.

Palo Alto NG Firewalls help you a lot to have a context of everything. With traditional firewalls or Layer 3 firewalls, we're more focused to determine the source and destination IPs on a specific port. It could be USB or something else, but with next-generation firewalls, you can have more information, such as the user who used it, as well as the application consumed by this user. That's a genuine value that these next-generation firewalls bring in understanding that a user on the network is consuming Port 443 but using Facebook. It is determined by the payload. It can examine the packet, check the payload, and identify the applications. The next-generation firewalls are also more focused on protection.

There are new features that are based on machine learning to protect your network and identify any vulnerabilities. They are pretty good too. With the normal firewalls that we have, the policies are based on ports and IP source and destination. For example, as a part of my policy, I have allowed UDP ports 145 or 345, and for authentication, I have allowed LDAP and other protocols. However, there is a possibility of a breach. Even if I have determined that the traffic is from my active directory servers to the users, when I internally open ports 145 and 345 for all the protocols and all the applications, it creates a vulnerability in my network. If I create the specific rule where I establish that my application is going to be LDAP, and these ports will only be open for LDAP, I am closing the gap. I'm making my network safer, and I'm being more specific and more granular. That's the detail we need nowadays to prevent different types of attacks. The idea is to be more specific and only give the permissions that are needed. We should try to avoid giving more privileges because that creates a vulnerability gap. The customers appreciate being specific and having very descriptive rules for their use cases and blocking other types of communications, which is not that good with normal firewalls.

Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention, which is very important. Attackers are innovating every moment, and the attacks are becoming more sophisticated and unpredictable. They are not as predictable as they were in the past. Therefore, it is important to have something at the back in the form of machine learning to help you to interpret and analyze any kind of attack in real-time and protect you from a breach. Technology is very important because you can lose a lot of money or information if you don't have a good security posture and the right tools to prevent a breach or attack.

The machine learning in Palo Alto NG Firewalls is helpful for securing your networks against threats that are able to evolve and morph rapidly. They have advanced threat prevention and advanced URL filtering. WildFire is also useful. It gives you an analysis of malicious files. It detects the files in the sandbox and lets you know in minutes if a new file could be malware, which is helpful for advanced threat prevention. It can quickly give you a lot of context and protection.

DNS security is something that is the focus and a part of the threat prevention profile, and you get different types of options. They collect a lot of information from the experience of other users to determine different problems, such as a malicious page or domain, and use advanced predictive analysis and machine learning to instantly block DNS-related attacks. Their Unit 42 Threat Intelligence team helps the security teams a lot to determine and prevent threats. I haven't had any issue with DNS security. Generally, we recommend the step-by-step approach during the implementation. We recommend starting with a couple of users, analyzing the traffic, and ensuring that the signatures are accurate and policies are established. You have an option to put exceptions for DNS signatures, but in my experience, I didn't have to make many exceptions. You can definitely do it, but it is generally very accurate.

DNS Security provides protection against sneakier attack techniques like DNS tunneling. For DNS tunneling, my approach is to use an SSH proxy. There is a feature in Palo Alto to decrypt SSH traffic and block the application. For example, you see it as SSH, but after you decrypt that traffic, you can see it as SSH tunneling and you can actually block it. You can put things like a sinkhole in order to prevent this traffic.

Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities, which is very important. You get a lot of information. For example, in the monitor tab, you can review whether files are transmitted or not, received or not. You can also see the logs related to a threat or a URL that is malicious or is being blocked by your profiles. You have all that information in your hand, and you can review it in a very organized way, which has been very valuable for me. It helped me a lot to understand the problems that a customer can have in the field.

Palo Alto NG Firewalls allow you to enable all logical firewalling functions on a
single platform. You can segment your network into Zones. With Zones, you can separate and allow the traffic in a more specific way. For example, you can separate your visitors or guests into different zones. It is helpful in terms of the cost. This is something that could help you to reduce the cost because you don't have to put in a lot of tools for doing the same thing, but it is something that I'm not an expert in.

The first time I came across these firewalls, what surprised me the most was their web user interface. It is complete and gives you a lot of information. You can do 80% of the things related to your network and firewall through the web UI. In some of the other devices, the UI is not as complete. App-ID is also very valuable in customer networks. When you're seeing a lot of traffic in your network, you can see in your web UI which users have the applications that are consuming the most bandwidth. You have a broad context, which is very good.

Palo Alto can do a little bit better when it comes to the User-ID part. I've been facing problems related to double authentication. You have a computer user, but you also have a VPN user, and when you do a single sign-on to another page, these logs can sometimes generate a problem notification. It doesn't happen a lot, but in some networks, it could be a problem. It would be very helpful to have the ability to restrict the connections that you can have in your VPN. For example, if you have the credentials, you can connect with the same user account from different computers or devices. If you have the domain information, you can connect from different devices. That's a problem that they need to address and resolve. They should ensure that at any moment, only one person is connected through a specific user account.

I have been using this solution for almost five years.

There are no issues with stability. In most cases, they are very stable. 

We recommend our customers to have an HA configuration with active/passive, which is very good in Palo Alto. It takes seconds to change from one firewall to another, which provides reliability and prevents loss of service because of a hardware problem or a network problem on a device. Having an HA environment makes your network resilient.

It depends on the type. If you have a virtual firewall, it is easier to scale to meet your needs. It also depends on the work that you have done during the implementation. It depends on your design, which should be based on a customer's current needs and growth. There are Palo Alto firewalls with different throughput rates to support traffic and encryption. That's why you need to determine and talk about the expectation that a customer has for growth. We do a lot of that so that the customers can have a very robust tool that will help them to secure their network during the coming years without the need to change the device. We understand that it is a huge investment, and they want this product to be there for them for the maximum duration.

For the firewall part, there are complete and very good resources out there to help you. Most of the time, I go through them, and someone has had the same issue in the past. There is a lot of information about the issues that have been solved in the past and how to troubleshoot them. They're very accurate with that. They're very good.

Positive

It depends. If a customer has had another firewall, you need to go through an analysis of their network to understand the rules they have and then translate and introduce them to the Palo Alto methodology. Palo Alto helps us a lot with tools like Expedition, which is a migration tool. Expedition helps you to import the existing configuration from other brands. Overall, it is very straightforward if you have experience. Otherwise, there is a lot of documentation about how you can use the Expedition tool in order to have a successful migration. 

If it is a greenfield deployment where the customer is going to have it for the first time, the configuration is very straightforward. If you don't have any other firewalls, the implementation duration depends on the granularity that a consumer wants and the complexity of their network. The main job is going to be related to the authentication of the users and User-ID. In general, if you have just ten rules, you can do it in three to four days.

In terms of maintenance, they are continuously checking and reviewing if there are some breaches or there are any exploits or new applications. It is continuously updating itself on a weekly or daily basis. They are continuously developing new versions. They have a lot of documentation that we share with the customers for information about the best-recommended version or the version with fewer issues. Their documentation is complete in that aspect, and it gives you a lot of information. You have access to the known issues of released versions. Palo Alto is continuously working on new versions and fixing the glitches of previous versions. You might have to upgrade to a new version because a particular problem is resolved in it.

To someone who says that they are just looking for the cheapest and fastest firewall, I would say that I understand that businesses need to reduce the cost, but such a solution is an investment, and in the future, it's going to help you. If you go to the cheapest solution that could do most of the things, but not all, you could face problems. You could have a breach that would cost you a lot more money than having a good security posture. The number of attacks is going to increase more and more. We have to take them seriously and invest in new and powerful tools for protection. The investment that you do today can save your company tomorrow.

They are trying to come up with new things and innovate every year with new licenses. For example, a couple of years ago, they brought the IoT part, which is something that became popular. They try to innovate a lot and bring out new licenses, but you need to understand your needs to know which licenses are better for you. You should consult a good team and obtain a license that is good for you. That's because not all the licenses are important for your environment. For example, if you are not familiar, or you don't have any future plans for IoT, you don't require a license for that. You should focus on the licenses that you really need and are going to generate value for you. You should focus on your security needs and understand which firewall model can give you the protection and the ability to grow over time based on your projections. Your licensing should include good threat prevention, URL filtering, DNS security, and WildFire in order to have a very secure environment. 

It is a complete solution, and it provides a lot of protection to the users and the network, but it is not something for device protection. For that, you would need something like Cortex, which can help you determine abnormal behavior in an endpoint. 

Palo Alto is trying to combine different products to protect different areas. A next-gen firewall is very good for your network, but, for your endpoints, you can have Cortex. These two solutions can then work together. They speak the same language and have a full integration to protect all your environment. Nowadays, there are a lot of people working from their homes. They are exposed to different types of threats. They connect to your environment through a VPN, but when they disconnect, they do their daily tasks on the device, and while doing that, they may go through a bad page or execute a file that can corrupt the computer. You can determine this and stop attackers from connecting to and infiltrating your network. Palo Alto tries to separate the breaches or the attack areas, and they have a very good product in each area. You can make these products work together in order to have a very strong platform.

I would rate this solution a nine out of ten.

I have deployed it as my internal firewall in the cloud. I also have it on-premises as my perimeter firewall. I am also running Palo Alto in my DMZ. 

I'm using the PA-5532 Series. We have cloud and on-premises deployments. The cloud deployment is on the Azure public cloud.

We are using it on Azure Cloud as an internal firewall for filtering the east-west traffic. At the same time, we are using this firewall as a second-layer firewall in our perimeter for filtering the application URL and other things for the users. We are using another firewall as a perimeter for the DMZ. So, all internal applications that are connecting users are connecting through this firewall. We have other vendors as well, but the main applications are going through the Palo Alto firewall.

Its predictive analytics work very well for blocking DNS-related attacks. We are moving malicious URLs to the unknown IP in the network. They are reconfigured.

Its DNS security for protection against sneakier attack techniques, such as DNS tunneling, is good.

I'm using most of its features such as antivirus, anti-spam, and WAF. I'm also using its DNS Security and DNS sinkhole features, as well as the URL filtering and application security features.

In terms of application filtering and threat analysis, it's a little bit better as compared to the other UTM boxes, such as Sophos or other brands. It is secure and good in terms of application classification and signatures. It is a trustable solution.

In terms of the network performance, I am not very happy with Palo Alto. Other solutions, such as Fortinet, have better throughput and network performance.

I am in GCC in the Middle East. The support that we are getting from Palo Alto is disastrous. The problem is that the support ticket is opened through the distributor channel. Before opening a ticket, we already do a lot of troubleshooting, and when we open a ticket, it goes to a distributor channel. They end up wasting our time again doing what we have already done. They execute the same things and waste time. The distributor channel's engineer tries to troubleshoot, and after spending hours, they forward the ticket to Palo Alto. It is a very time-consuming process. The distributor channels also do not operate 24/7, and they are very lazy in responding to the calls.

It is expensive as compared to other brands. Its pricing can be improved.

I have been using this solution for more than four years.

Its stability is fine. I'm happy with it.

It is scalable. Its usage is extensive. We are using it daily. It is our core device.

Their support is very bad as compared to the other vendors. The support ticket is opened only through the distributor channel, and it takes a lot of time to get a solution for the issue. I'm not happy with their technical support. I would rate them a four out of ten.

Neutral

Palo Alto is the main core product in our case, but we also have Fortinet, Check Point, and Cisco ASA firewalls. Fortinet is one of the key products in our network.

The process of configuring Palo Alto devices is very easy. There is not much in it, but if we want to add or remove a device in Panorama, it is a very complicated setup. Adding, deleting, and updating a device from Panorama is very difficult. The interaction between Panorama and Palo Alto devices isn't good. They need to improve that. FortiManager works very well in terms of device interaction and other things.

The deployment duration depends on the customer infrastructure and where they want to deploy the box, such as in the data center or at the perimeter, but for me, generally, two days are enough for the setup. I provide customers the ways to design a secure network, and they can choose whatever is convenient for them based on their existing network.

In my environment, there are the four network security engineers who are the owners of these devices. We take care of the deployment and management of security devices.

Its price is higher than other vendors. They need to re-think its pricing. 

With Fortinet, the SD-WAN feature is totally free, whereas, with Palo Alto, I need to pay for this feature. With Fortinet, there is one licensing, and I can get many things, whereas, with Palo Alto, I need to go for individual licensing.

I'm working in a systems and data company, and I recommend Palo Alto and other firewalls to many people. The users can choose one based on their budgeting because Palo Alto is expensive as compared to other brands.

Palo Alto NGFW’s unified platform hasn't 100% helped to eliminate security holes. In some cases, we are using other products. I'm mainly using it for WAF and securing my DMZ infrastructure. It is working well in terms of the functionalities in layer 3 and layer 4.

I would rate this solution a seven out of ten.

Almost all of my deployments are regulated to each firewall perimeter or as a data center firewall. The perimeter firewalls are deployed to control the user traffic and establish IPv6 VPN connections between a company's headquarter and its branches. This solution comes with threat prevention and URL filtering licenses for perimeter deployment. For data center deployments, the solution is deployed as a second layer of protection for the network traffic, especially for VLANs. It also prevents lateral movement of network attacks.

Almost all of my deployments in the Middle East are deployed on-prem. There is no acceptance of cloud solutions, especially for government and banking rules.

Palo Alto Networks Next-Generation Firewall comes with full visibility into the network traffic. The administrator of this next-generation firewall can troubleshoot the traffic, network issues, or connectivity issues that busted through the Palo Alto Next-Generation Firewall, then detect whether the problem is from the client side or the server side. This solution helps the administrator to troubleshoot and have their network up and running all of the time.

A feature introduced by Palo Alto with the version 10-OS is embedded machine learning in the core of the firewall to provide inline, real-time attack prevention. Machine learning analyzes the network traffic and detects if there is any usual traffic coming from outside to inside. Because of Palo Alto, organizations detect around 91% of malicious attacks using machine learning. The machine learning helps customers by implementing firewalls in critical and air gap areas so there is no need to integrate with the cloud sandbox. 

I integrate Palo Alto with different Security Information and Event Management (SIEM) solutions as well as Active Directory to control the traffic based on users and integration with the email server to send notifications and look at domain recipients. I also integrate Palo Alto with Duo as a multi-factor authentication, which is easy to integrate. 

They have introduced more security components that can be integrated. We are talking about Cortex XDR and WildFire. These are natively integrated with Palo Alto Networks. These help to predict malicious attacks on the endpoint and network. WildFire is easy to deploy and integrate.

SP3 architecture helps distribute the bucket into different engines. Each engine has their own tasks: the networking engine, the management engine, and application and security. Each one of these tasks is done by a single task or dedicated CPUs and RAM for handling traffic.

I have been using this solution for about four or five years.

They have a stable solution, stable hardware, and stable software since they have released multiple OSs. If there are any issues, they release a new OS. Each month, you will see new batches with a new OS introduced to customers. You can update it easily. 

With Palo Alto Networks, you have a dedicated management plan. Therefore, if you face an issue regarding the management interface, e.g., the GUI and CLI of Palo Alto Networks, if you have any problem on that you can restart it without effects on the data streams.

The technical support team is great. We have no tickets open with Palo Alto. There are distributed tech centers worldwide that do not have Palo Alto employees, but have the capability to solve your problem in an easy way. They help you to close your gaps or pains.

Positive

I am expert with next-gen Firewalls, especially in Fortinet and Palo Alto. I am NSE 4, NSE 7, and PCSAE certified.

Palo Alto has introduced new features in their next-generation firewall, such as SD-WAN. However, the technique of SD-WAN implementation is not easy to understand. It is not easy to deploy at this moment. Maybe, in the future, they can improve the process and how the administrators, partners, or support team can easily deploy this SD-WAN solution on their next-generation firewall. The SD-WAN solution from Fortinet is easy to do. It does not take more than five or 10 minutes. When we talk about Palo Alto, it takes extra effort to implement SD-WAN.

If you are looking for a great firewall that helps you stop attacks as well as giving you visibility with the administration, this firewall is the best choice. You should not look at the price the first time. Instead, you should look into the solution's productivity and return on investment.

There are some differences in regards to the integrations between Palo Alto and other vendors. Palo Alto handles the traffic using Single Pass Parallel Processing (SP3) engines unlike other vendors, like Fortinet, who use ASIC processors to handle the traffic. The SP3 engine is a different, new architecture for next-generation firewalls. The SP3 engine curbs the traffic and makes the decision based on the buckets, then it evaluates the bucket and other features regarding routing. 

SP3 helps the customer when we talk about data sheets and the performance of the administration firewall. We introduce SP3 to show them real numbers. When we talk about Fortinet, they introduce a different performance number for networking and application throughputs. With Palo Alto Networks, the deduplication between the firewall throughput to the full inspection mode throughput is minimal. There is no big difference between the networking throughput and full inspection mode throughput.

I use DNS security from other vendors, not Palo Alto. I have tested Palo Alto with some scripts in regards to exfiltration and about 50% to 70% of exfiltration attacks could be stopped by Palo Alto. This year, Palo Alto has improved its DNS security against data exfiltration attacks. They enhanced the DNS security features with Palo Alto Networks Next-Generation Firewall by introducing a cloud solution. The solution now forwards these DNS requests to the cloud, which can analyze it using machine learning and artificial intelligence to decide if it is legitimate traffic or not.

The integration is based on the customer environment and what they need. Enterprise customers have some regulations and compliance so they need to send all their logs to the same solutions. We can integrate it using a syslog protocol over UDP. So, it is easy to integrate Palo Alto with some solutions. However, with other Palo Alto technologies or solutions, I integrate them just with WildFire. WildFire is a dedicated solution related to sandboxing and can be deployed on-prem or in the cloud.

The NSS Labs Test Report information has previously helped me to convince customers to buy Palo Alto Networks Next-Generation Firewalls. However, I am now not using the NSS Labs Test Report. Instead, I am using Gartner reports to offer customers Palo Alto Networks Next-Generation Firewalls.

Machine learning on the Palo Alto Networks Next-Generation Firewall was introduced on version 10.

I would rate this solution as nine out of 10.