I work as an IT Consultant and in Project Management. I have more than 14 years of experience designing and implementing IT, LAN, WAN, and MAN infrastructures for organizations with medium to large enterprises.
We are evaluating Palo Alto as an option for an on-premise or cloud hybrid IT network. Is this the best option and if not, which alternative would you recommend? What are the main differences between Palo Alto and other vendors?
Thanks for your help. I appreciate it!
You can choose Palo Alto as one of the best security product lines. For a hybrid network, use central management to get a consolidated view of the security status.
I have been working with Palo Alto for more than 5 years now and I think I have worked with almost every other firewall platform out there. Palo Alto is my go-to firewall for several reasons: Always a leader with Gartner, performance, support, centralized management with Panorama, ease of use, human readable logging, etc. They are not the cheapest solution but you definitely get what you pay for.
It depends on how you want to deploy.
The main difference between PA and other vendors is that you can mix virtual wire (transparent) interfaces, L3 interfaces or L2 interface types on the same firewall, instead of choosing only transparent mode firewalling. For the rest, it's quite a flexible firewall. In regards to application type rules, they are much easier to implement than on a Fortinet. I have worked with PA's inactive/active and active/standby setups without any problem (active/active does have its own caveats in regards to design and deployment). In regards to the hybrid cloud, we have an HA pair between our datacenters and direct connects going to AWS. For the cloud itself, you'd best read the reference guides that Palo Alto has, and probably Check Point and Fortinet as well. In regards to performance, I have found that Palo Alto lives up to its specs.
I work for Check Point based on conviction. CloudGuard is the best cloud security either on-prem or public.
Palo Alto gets very high marks from the research groups like Gartner and Forrester. I like them because of their Zero Trust framework and ability to define security policies based on App-ID, Content-ID, and User-ID versus just defining what IP addresses and TCP/UDP ports are allowed. The only downside of PA is that they are "proud" of their solution. One of my specialties is working with large enterprises that are looking to adopt a Zero Trust strategy. You can email me if you would like more info. I did a workshop yesterday on Zero Trust. sorell@unitieditsystems.com
If you are evaluating different options to test a few different solutions side by side, for example in virtual wire mode (lots of vendors support that mode of installation), you can get the best final view. Each case is different from another. The simplicity of everyday operation (Security, NAT rules, etc.), the stability of the HA cluster, even migration from smaller hardware to bigger with minimal impact for infrastructure.