Palo Alto Networks NG Firewalls Reviews

This solution helps us standardize. We have a presence in the Americas, the Pacific, and Europe and have to manage three firewalls. The previous solution made it difficult to standardize, but with Palo Alto Networks NG Firewalls, it's a little simpler. It just makes it a pleasant experience overall.

Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there.

Our firewall engineers like the automations that are involved with the firewall rules. For example, we integrate with Azure, and Azure constantly updates the IP addresses for their whitelists. There are hundreds. With the previous solution that we had, our firewall administrators had to hand-jam a lot of their IP addresses, so it became more of a deterrent to manage the firewall because of the overhead involved. Now that it's automated with Palo Alto Networks NG Firewalls, they've been more apt to use the tool than they did previously.

It allows our firewall administrators to speak more confidently when we have an incident response. When they detail their root cause analysis and possibly what the problem is, the leadership receives that information with a little more confidence, and it's a little more palatable. This makes our lives easier when dealing with an incident response.

From a leadership perspective, the reports are genuine, palatable, and easy to understand. They allow me to make logical leaps.

There are servers that go along with Palo Alto, at least for the identity management part. We chose to use a Windows platform, so the only maintenance involved is the patching of the servers and then the occasional agent upgrade for the servers. Palo Alto versions would need to be upgraded as well, along with security patches.

For the most part, we don't see it as a lot of overhead in terms of maintenance. We try to have a maintenance weekend each month for our network team, in addition to a patch maintenance weekend for our system administrators. Overall, we really haven't had to patch.

As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in.

We've been using it for roughly five years.

It's deployed on-premises, but we are presently moving into Azure, so we are looking at the Palo Alto appliances for that environment as well.

Stability-wise, we have three regions in which we use Palo Alto, and we are not pegging the resources for these boxes at all. They're meeting and exceeding our expectations in terms of stability, but we're definitely not pushing them to the limit.

In terms of the scalability of the appliance itself, there are some licenses that you can upgrade where you don't have to bolt on any hardware. You may have to upgrade a module. The supporting appliances are VMs that we stand up in the data center, and those handle more of the identity management pieces of the Palo Alto solution.

Palo Alto's technical support has been great. We recently had an issue with DNS where we were having difficulties tracking where an endpoint was making DNS requests. We got a little lost in some of the admin consoles for Palo Alto. We opened a service request, the call was returned within two hours, and an administrator from Palo Alto stayed on the phone with our engineers for about three hours and really helped us by generating some unique queries.

I would rate technical support an eight out of ten with respect to the engineers. They've been very responsive and quick. They have always followed up within the timeframe that Palo Alto said that they would.

We switched because of the end of life in a hardware's life cycle. With us moving into the cloud and having a much larger endpoint presence, we wanted something that was a little more robust. We also had fewer head counts for our firewall or network administrator staff. So, we wanted a tool that we could access easily and not have such a large training curve. We went with Palo Alto Networks NG Firewalls because it made a little more sense for us.

In terms of ROI, protecting our customers is obviously number one. The implementation of our previous solution required agents to be installed on all our endpoints. That was a little more difficult because we have a large number of endpoints globally. The administrative overhead to manage the updates for those agents was not favorable.

Palo Alto Networks NG Firewalls allowed us to rely more on the existing infrastructure, Active Directory, to help us with identity management and security groups. It has made it simpler to manage.

We evaluated two other options. 

The sales team that assisted us with refining our requirements and explaining some of the new feature sets that are coming out helped us see that some of our requirements were no longer needed. It really helped us to learn more about the service that we were looking for, and Palo Alto just made it an easier discussion for us.

I recommend fully engaging Palo Alto's sales team. They're very knowledgeable and very friendly. We have three regions, PAC, Europe, and the Americas, and time zones and the quality of support always come into question when you're spread out. We haven't seen any gaps no matter what time zone we had a problem with in terms of sales and post-support. It has been great all the way around.

Overall, I would give Palo Alto Networks NG Firewalls a rating of eight on a scale of one to ten.

Almost all of my deployments are regulated to each firewall perimeter or as a data center firewall. The perimeter firewalls are deployed to control the user traffic and establish IPv6 VPN connections between a company's headquarter and its branches. This solution comes with threat prevention and URL filtering licenses for perimeter deployment. For data center deployments, the solution is deployed as a second layer of protection for the network traffic, especially for VLANs. It also prevents lateral movement of network attacks.

Almost all of my deployments in the Middle East are deployed on-prem. There is no acceptance of cloud solutions, especially for government and banking rules.

Palo Alto Networks Next-Generation Firewall comes with full visibility into the network traffic. The administrator of this next-generation firewall can troubleshoot the traffic, network issues, or connectivity issues that busted through the Palo Alto Next-Generation Firewall, then detect whether the problem is from the client side or the server side. This solution helps the administrator to troubleshoot and have their network up and running all of the time.

A feature introduced by Palo Alto with the version 10-OS is embedded machine learning in the core of the firewall to provide inline, real-time attack prevention. Machine learning analyzes the network traffic and detects if there is any usual traffic coming from outside to inside. Because of Palo Alto, organizations detect around 91% of malicious attacks using machine learning. The machine learning helps customers by implementing firewalls in critical and air gap areas so there is no need to integrate with the cloud sandbox. 

I integrate Palo Alto with different Security Information and Event Management (SIEM) solutions as well as Active Directory to control the traffic based on users and integration with the email server to send notifications and look at domain recipients. I also integrate Palo Alto with Duo as a multi-factor authentication, which is easy to integrate. 

They have introduced more security components that can be integrated. We are talking about Cortex XDR and WildFire. These are natively integrated with Palo Alto Networks. These help to predict malicious attacks on the endpoint and network. WildFire is easy to deploy and integrate.

SP3 architecture helps distribute the bucket into different engines. Each engine has their own tasks: the networking engine, the management engine, and application and security. Each one of these tasks is done by a single task or dedicated CPUs and RAM for handling traffic.

I have been using this solution for about four or five years.

They have a stable solution, stable hardware, and stable software since they have released multiple OSs. If there are any issues, they release a new OS. Each month, you will see new batches with a new OS introduced to customers. You can update it easily. 

With Palo Alto Networks, you have a dedicated management plan. Therefore, if you face an issue regarding the management interface, e.g., the GUI and CLI of Palo Alto Networks, if you have any problem on that you can restart it without effects on the data streams.

The technical support team is great. We have no tickets open with Palo Alto. There are distributed tech centers worldwide that do not have Palo Alto employees, but have the capability to solve your problem in an easy way. They help you to close your gaps or pains.

Positive

I am expert with next-gen Firewalls, especially in Fortinet and Palo Alto. I am NSE 4, NSE 7, and PCSAE certified.

Palo Alto has introduced new features in their next-generation firewall, such as SD-WAN. However, the technique of SD-WAN implementation is not easy to understand. It is not easy to deploy at this moment. Maybe, in the future, they can improve the process and how the administrators, partners, or support team can easily deploy this SD-WAN solution on their next-generation firewall. The SD-WAN solution from Fortinet is easy to do. It does not take more than five or 10 minutes. When we talk about Palo Alto, it takes extra effort to implement SD-WAN.

If you are looking for a great firewall that helps you stop attacks as well as giving you visibility with the administration, this firewall is the best choice. You should not look at the price the first time. Instead, you should look into the solution's productivity and return on investment.

There are some differences in regards to the integrations between Palo Alto and other vendors. Palo Alto handles the traffic using Single Pass Parallel Processing (SP3) engines unlike other vendors, like Fortinet, who use ASIC processors to handle the traffic. The SP3 engine is a different, new architecture for next-generation firewalls. The SP3 engine curbs the traffic and makes the decision based on the buckets, then it evaluates the bucket and other features regarding routing. 

SP3 helps the customer when we talk about data sheets and the performance of the administration firewall. We introduce SP3 to show them real numbers. When we talk about Fortinet, they introduce a different performance number for networking and application throughputs. With Palo Alto Networks, the deduplication between the firewall throughput to the full inspection mode throughput is minimal. There is no big difference between the networking throughput and full inspection mode throughput.

I use DNS security from other vendors, not Palo Alto. I have tested Palo Alto with some scripts in regards to exfiltration and about 50% to 70% of exfiltration attacks could be stopped by Palo Alto. This year, Palo Alto has improved its DNS security against data exfiltration attacks. They enhanced the DNS security features with Palo Alto Networks Next-Generation Firewall by introducing a cloud solution. The solution now forwards these DNS requests to the cloud, which can analyze it using machine learning and artificial intelligence to decide if it is legitimate traffic or not.

The integration is based on the customer environment and what they need. Enterprise customers have some regulations and compliance so they need to send all their logs to the same solutions. We can integrate it using a syslog protocol over UDP. So, it is easy to integrate Palo Alto with some solutions. However, with other Palo Alto technologies or solutions, I integrate them just with WildFire. WildFire is a dedicated solution related to sandboxing and can be deployed on-prem or in the cloud.

The NSS Labs Test Report information has previously helped me to convince customers to buy Palo Alto Networks Next-Generation Firewalls. However, I am now not using the NSS Labs Test Report. Instead, I am using Gartner reports to offer customers Palo Alto Networks Next-Generation Firewalls.

Machine learning on the Palo Alto Networks Next-Generation Firewall was introduced on version 10.

I would rate this solution as nine out of 10.

We have deployed Palo Alto Networks NG Firewalls and every web filter security available. So, we came to know each website user who got blocked and the "not required" categories. These categories are permanently blocked, and if any changes are required in these categories, we will first get approval from management. 

I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time.

The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall.

The most valuable solutions in this field are application-based firewalls. That is the main criteria of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well.

We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on clientside machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities.

Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well.

This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us.

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall.

We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more.

URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

I have been using Palo Alto Networks NG Firewalls for the last three or four years.

Stability in the sense of security and alerts, this solution is very good, and we have not had had any issues. However, web filtering and application-based approach are very poor.

Palo Alto Networks NG Firewalls is a scalable solution.

Palo Alto Networks support could be better. We bought this solution for security purposes, and we asked the support team to convert each and every entity. They have not been able to convert this New Generation Firewall to date. 

Their name suggests that the product will use every application and work as a New-Generation Firewall. Yet, it's not configured, and we can only configure 30% to 40% of the applications. That is also giving us some problems sometimes.

On a scale from one to ten, I would give Palo Alto Networks support a three.

We have a policy in our organization to change the firewall every five years. So, I have experience working on FortiGate, SonicWall, and WatchGuard over the last 20 years.

WatchGuard is very good at web filtering. FortiGate is also very good, and they have their own application to manage the firewall, and SonicWall is also very good. 

Palo Alto is a web-based firewall, and there are no applications to deploy and support. I mean, I take all the logs and all things from the client-side. As it's web-based, it's extremely slow. 

When you click on a particular log, it will take a lot of time because it generates lots of logs. That is a good thing, but performance is a little slow. Both WatchGuard and FortiGate are very good for this kind of thing. Also, WatchGuard is application-based, and I didn't have to deploy it. I came to know about Palo Alto from my friends who said it was very good for application-based security. 

The initial setup and deployment are straightforward. We did not have any issues at all. It took us about 15 to 20 days to implement this solution. 

The policies we have with Atelier and WatchGuard were exported, and we tried to deploy these policies on the new firewall. The reseller helped us configure it but without our concession or permission and could not deploy the firewall. We later had more problems, and the reseller helped us with that as well.

Video Import Solutions is our local reseller in Pune, India. In our experience, not every engineer knew the firewall concept. I mean, not at all. If we wanted something new or had to deal with this application-related issue, they always told us they would log a case and resolve it. But they did not support us at all and did not give us any reason why they could not do it.

I am a technical guy, and I would say that you will not get a return on your investment. Even FortiGate and WatchGuard will offer next-generation solutions that perform better than Palo Alto Networks.

The price could be better. Pricing is very different compared to WatchGuard, which costs around 60 lakhs, and FortiGate, which costs approximately 40 lakhs. Palo Alto Networks costs about a crore which is very high pricing.

We bought this firewall, and our organization did not want to pay so much. We spent around one crore rupees which is not within our budget at all, and we are unhappy with them.

This firewall provides a unified platform that natively integrates all security
capabilities. It will queue all functionalities like firewall protection and alerts and track all DDoS attacks. It shares all the information with us, and we can monitor and take immediate action on the other alerts we receive.

I would advise potential users to only go for this solution if they have the budget and don't require any support. Only buy this firewall if you can install, configure, and solve potential problems on your own. If not, FortiGate and WatchGuard are much better options.

On a scale from one to ten, I would give Palo Alto Networks NG Firewalls a five.

It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.

We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.

I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.

With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings.

It is fairly intuitive. 

The central management of Panorama actually works. It is what FortiManager aspires to be, but Panorama is usable. You can push config down, do backups, and use templates from other sites, copying them over. The reliability and throughput, plus Panorama's control features, are its main selling features.

It is a combined platform that has different features, like Internet security and the site-to-site VPN. Previously, there were different components that did this. If it was a remote access VPN client, then you would have to go onto one platform and troubleshoot. If it was a site-to-site, it was on a different platform so you would have to go onto that one. It would be different command sets and troubleshooting steps. From that perspective, having that combined and all visible through Panorama's centralized management is probably one of the better benefits.

We had a presentation on Palo Alto Networks NG Firewalls a few years ago. I know the number of CPU cores that they have inside the firewall is crazy, but it is because they have to pack all the performance and analysis in real-time. It is fast. I am always amazed at the small PA-220s and how much performance they have with their full antivirus on it. They can pass 300-megabits per second, and they are just about the size of a paperback book. As far as how that single-pass processing impacts it, I am always amazed at how fast and how much throughput it has.

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

I use it every other day.

It is pretty reliable. All the services pretty much work. It is not too buggy. With any hardware/software manager these days, when you get new features, they tend to not be too thoroughly tested and can be buggy. We have been noticing this. For example, they had zero-touch deployment and the first few iterations just didn't work. While we have encountered a few bugs, I don't think they are any worse than anything else we get. The underlying hardware seems to be pretty reliable. You can do configuration changes, reboot and reload them, and they just keep coming back and work.

Our cybersecurity guys tend to do the patching and upgrades when they come around. When one of these things had a hard disk failure, they got that restored or replaced. For day-to-day maintenance, other than typical operational changes and troubleshooting, I don't think there is that much maintenance to be done. Every few weeks, there is probably somebody who goes for a few hours and checks the various patch levels and possibly does upgrades.

The upgrades are fairly easy to do. You just download the software, the central management system, and tick off the devices that you want to deploy it to. It will automatically download it. Then, you just sort of schedule a reboot. I don't know how many hours per week or month people put into it, but it is pretty reasonable.

We have about half a dozen core firewalls and 30 to 40 remote firewalls. We haven't hit any scaling limitations yet. What we have is functioning well. At some point, our main firewall in our data center might be overwhelmed, but it has pretty high throughput numbers on it. So far, we haven't hit any sort of limitations. So far, so good.

The physical appliances are sort of tiered. You have your entry-level, which is good for 300-megabits of threat detection. The next ones have 800-megabits of threat detection. So, if you have a site with around 50 people, you can get the entry-level. However, there is always a point that if you have too many users doing too many things then the physical appliance just can't handle it. Then, you need to upgrade to a higher-level appliance. This is expected. When that happens, we will just sort of get the higher-level model or plan for two years of growth to get the right size. Therefore, as far as scalability, it just comes down to planning. 

As far as the management platform, that would be more of a case of just adding CPU cores into your virtual machine as well as more memory. So far, we haven't had any scalability limitations. It is possible that we will see it at some point, but we haven't so far.

This is not Palo Alto-specific. It seems to be across all the different vendors that there is a little bit of a hit-and-miss on whether you get a tech person who knows what they are doing and are interested in your problem. When you call frontline support, you can get somebody who doesn't know what they are doing and puts you off. Or the next time you call, you can get a tech who is on the ball and super helpful. This is sort of a smaller problem. It is a bit of a crapshoot on how good the support will be. I would rate the frontline technical support as five or six out of 10.

If it tends to be more of a critical problem, and you involve the sales team, then you are forwarded onto somebody who really knows what they are doing. However, the frontline support can be hit-and-miss. Their second-tier support is really good. 

The top-tier support is 10 out of 10. We did have some more serious problems, then they put one of their engineers on it who has been amazing.

Overall, I would rate the technical support as eight out of 10.

Positive

I did work with Cisco ASA, prior to FireEye, where they purchased and integrated it as sort of the next generation part of their ASA. 

One of our remote access solutions for remote access clients was Cisco ASA. That was just getting to its end-of-life. It actually worked quite well. It was pretty hands-off and reliable, but the hardware was getting to end-of-life. Because we had the Palo Alto capable of doing similar functions, we just migrated it over. 

It was similar for our site-to-site VPN, which was Cisco DMVPN that we are still using, but we are migrating off it since its hardware is reaching end-of-life. By combining it into the Palo Alto umbrella, it makes the configuration and troubleshooting a bit easier and more homogenous. 

Before, it was just different platforms doing sort of similar but different functions. Now, we are using similar platforms and devices rather than having three different solutions. This solution is sort of homogenized; it is sort of all in one place. I suspect that makes security a bit more thorough. Whereas, we had three different platforms before. Some of the delineation isn't clear, as they sort of overlap in some respects to what they do, but having it in one location and system makes gaps or overlaps or inconsistencies easier to spot.

I was gone for a few years when they brought this in.

Adding additional appliances is very straightforward. 

Having one manager/system with a common interface and commands, rather than three or four, is more efficient.

It is expensive compared to some of the other stuff. However, the value you get out of it is sort of the central control and the ability to reuse templates.

It is a good product, but you pay for it. I think it is one of the more expensive products. So, if you are looking for a cheaper product, there are probably other options available. However, if you are looking for high performance, reliable devices, then it has kind of everything. Basically, you get what you pay for. You can get other firewalls for cheaper and some of the performance would probably be just as good, but some of the application awareness and different threat detections are probably superior on the Palo Alto Networks.

As far as a firewall solution, it is one of the best ones that I have seen. It is fairly expensive compared to some of the other ones, but if you have the money and are looking for a solid, reliable system, then Palo Alto is the way to go.

For what we use it for, the solution is good.

I am part of the network team. There is a cybersecurity team who has control of its reins and does all the security configuration. I am not the administrator of it or a manager in charge of the group with this appliance.

I find the whole machine learning and AI capabilities a bit overhyped. Everybody throws it in there, but I'm actually a little bit suspicious of what it is actually doing.

I don't follow or monitor some of the day-to-day or zero-day threat prevention protection abilities that it has. 

I would rate the solution as nine out of 10, as I am always hesitant to give perfect scores.

We use it as an Internet-facing parameter firewall. In my environment, it has security and routing. It is on a critical path in terms of routing, where it does a deep inspection, etc.

There have been a lot of improvements from security to service.

It is critical that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. In my environments, we have an integration with a third-party vendor. As soon as there is new information about new threats and the destination that they are trying to reach on any of our network devices, that traffic will be stopped.

Setting up a VPN is quite easy. 

It gives you a lot of information when you are monitoring traffic. 

In terms of user experience, Palo Alto has very good user administration.

Machine learning is important. Although we have not exhausted the full capabilities of the firewall using machine learning, the few things that we are able to do are already very good because we have an integration with a third-party. We are leveraging that third-party to get threat intelligence for some destinations that are dangerous, as an example. Any traffic that tries to go to those destinations is blocked automatically. There is a script that was written, then embedded, that we worked on with the third-party. So, machine learning is actually critical for our business.

There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better.

I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

I started using Palo Alto in 2015.

It is very stable. We had two outages this year that were not good. They were related to OSPF bugs. Those bugs affected our service availability. 

It is quite scalable. I have been able to create a lot of zones to subinterfaces for a number of environments. I don't really have any issues regarding scalability. It meets my expectations.

Palo Alto Networks NG Firewalls technical support is very poor. Three or four months ago, I had a bug where the database of the firewall was locked. You cannot do anything with it. We looked for documentation, giving us a procedure to follow, but the procedure didn't work. We logged a complaint with Palo Alto Networks, and they gave us an engineer. The engineer relied on documentation that doesn't work, and we had already tested. In the end, the engineer gave us an excuse, "No, we need this account to be able to unlock it." This happened twice. The way out of it was just to restart the firewall. You can restart the firewall and everything goes back to normal. Therefore, I think the support that we got was very poor.

Neutral

I have used Check Point and Cisco ASA.

Initially, when I started with Palo Alto, we had Cisco ASA, but Palo Alto Networks beat ASA hands down.

We have a multi-vendor environment with different providers. Our standard is that we can't have the same firewall for each parameter, so there is some kind of diversity. 

We had ASA looking at one side of the network and Palo Alto Networks looking at the other side of the network. We also had Juniper looking at another side of the network. At the end of the day, ASA was very good, I don't dispute that. However, in terms of functionality and user experience, Palo Alto Networks was better. 

Palo Alto Networks beat ASA because it was a next-generation firewall (NGFW), while ASA was not.

When we bought Palo Alto, we had Juniper devices in our environment. We were told that it was a bit like Juniper, so we were happy. However, some people were a bit skeptical and scared of Juniper firewalls. Because of that, it took us a very long time to put them on the network. However, as soon as we did the implementation, we realized that we were just thinking too much. It was not that difficult. 

We deployed Palo Alto Networks as part of a project for data center implementation. The implementation of the firewall didn't take long.

We buy through a third-party. Our account is managed by IBM.

We have seen ROI. There is more visibility in the environment in terms of security. There was a time when we suspected a security breach, and this firewall was able to give us all the logs that we expected. 

Palo Alto is like Mercedes-Benz. It is quite expensive, but the price is definitely justified.

One thing is system administration. In our opinion, Palo Alto administration is easier compared to other vendors. I know other vendors who have Check Point. You have to manage Check Point, and it is a bit cumbersome. It is a very nice, powerful firewall, but you need more knowledge to be able to manage Check Point compared to Palo Alto. Palo Alto is very straightforward and nice to use.

In our environment, troubleshooting has been easy. Anybody can leverage the Palo Alto traffic monitoring. In Cisco ASA and Check Point, you also have these capabilities, but capturing the traffic to see is one thing, while doing the interpretation is another thing. Palo Alto is more user-friendly and gives us a clearer interpretation of what is happening.

One thing that I don't like with Palo Alto is the command line. There isn't a lot of documentation for things like the command line. Most documents have a graphic user interface. Cisco has a lot of documents regarding command lines and how to maneuver their command line, as there are some things that we like to do with the command line instead of doing them with the graphic interface. Some things are easy to do on a graphic interface, but not in the command line. I should have the option to choose what I want to do and where, whether it is in the command line or a graphic interface. I think Palo Alto should try to make an effort in that aspect, as their documentation is quite poor.

We would rather use Cisco Umbrella for DNS security.

I compared the price of Palo Alto Networks with Juniper Networks firewall. The Juniper firewall is quite cheap. Also, Palo Alto Networks is a bit expensive compared to Cisco Firepower. Palo Alto Networks is in the same class of Check Point NGFW. Those two firewalls are a bit expensive.

It gives us visibility. In my opinion, the first firewall that I would put on our network is Palo Alto Network and the second would be Check Point.

Palo Alto Networks NG Firewalls is a very good firewall. It is one of the best firewalls that I have used.

I would rate Palo Alto Networks as nine out of 10.

We basically use it to protect our network from various malicious activities out there. We have two subscriptions. We have the WildFire subscription, which is similar to DNS filtering. We also have Threat Protection, which allows the firewall to inspect traffic up to Layer 7. It inspects applications as well as unknown applications, quarantining and stopping things. So, you are not always chasing, "What applications should I be running on this device?" It does a good job of all of that. The management of it is a little tricky, but that is how it goes.

We are running the PA-3250s. We have two of them. They operate in Active/Passive mode. Therefore, if one fails, then the other one takes over. 

It is pretty important to have embedded machine learning in the core of the firewall to provide inline, real-time attack prevention, because all these different attacks and threats are constantly evolving. So, you want to have something beyond just hard pass rules. You want it to learn as it is going along. Its machine learning seems pretty good. It seems like it is catching quite a few things.

There is a web-based GUI to do management, but you need to know how the machine or firewall operates. There are hundreds of different menus and options. I have used other firewalls before. Just implementing or designing a policy with Palo Alto, if you want a certain port to be open to different IP addresses, then that could take 20 to 25 clicks. That is just testing it out. It is quite complex to do. Whereas, with other places, you tell it, "Okay, I want this specific port open and this IP address to have access to it." That was it. However, not with Palo Alto, which is definitely more complex.

The VPN is only available for Windows and Mac iOS environments. We have a variety of iPads, iPhones, and Android stuff that wouldn't be able to utilize the built-in VPN services.

I would like easier management and logging. They can set up some profiles instead of having you create these reports yourself. However, you should be able to set it up to give you alerts on important things faster.

We have had this in place for four years. I have been at the school for almost a year and a half. So, this is my second year here at the school, so my experience with it has probably been a year and change. I use other firewall solutions, but I have gotten pretty comfortable with the Palo Alto solution.

It is very stable. We have never had any issues with any failures on it.

I haven't felt any performance lags on it. It has been handling everything just fine.

We purchased it a few years ago. Since then, we have had a lot more clients on our network, and it has handled all that fine. You go into it and just have to scale it higher. Palo Alto doesn't give you too many choices. There is not a medium; it is either very small or very big. So, you don't have a choice in that.

We have never had to call Palo Alto. Secure Works does all our support maintenance on it.

I have been here for a year and a half. Before, the firewall that they were using (Barracuda) was barely adequate for what we were doing. We got new ones simply, not because we had a software/hardware-type attack, but because we had a social engineering attack where one of the folks who used to work for us went on to do some crazy things. As a result, the reaction was like, "Oh, let's get a new firewall. That should stop these things in the future."

The initial setup was pretty complex because they did not do it themselves. They actually hired some folks who put it in. 

We use Secureworks, which is a big security company. They actually send an alert when there are problems with the firewall or if there are security issues. They handled the deployment. 

We also use another company called Logically to monitor the firewall in addition to all our other devices.

Active/Passive mode is very redundant, but they require you to buy all the associated licensing for both firewalls, which is kind of a waste of money because you are really only using the services on one firewall at a time.

I would suggest looking at your needs, because this solution's pricing is very closely tied to that. If you decide that you are going to need support for 1,000 connections, then make sure you have the budget for it. Plan for it, because everything will cost you.

If another school would call and ask me, I would say, "It's not the cheapest. It's very fast, but it's not the cheapest firewall out there."

I have been looking at different firewalls because our service and maintenance contracts are up on it. We have two different outsourced folks who look at the firewall and help us do any configurations. My staff and I lack the knowledge to operate it. For any change that we need to make, we have to call these other folks, and that is just not sustainable.

We are moving away from this solution because of the pricing and costs. Everything costs a lot. We are moving to Meraki MS250s because of their simplicity. They match the industry better. I have called the bigger companies, and Meraki matches the size, then the type of institution that we are.

If someone was looking for the cheapest and fastest firewall product, I would suggest looking at the Meraki products in the educational space. I think that is a better fit.

Its predictive analytics and machine learning for instantly blocking DNS-related attacks is doing a good job. I can't be certain because we also have a content filter on a separate device. Together, they kind of work out how they do DNS filtering. I know that we haven't had any problems with ransomware or software getting installed by forging DNS.

DNS Security for protection against sneakier attack techniques, like DNS tunneling, is good. I haven't had a chance to read the logs on those, but it does pretty well. It speaks to the complexity of the firewall. It is hard to assess information on it because there is just a lot of data. You need to be really good at keeping up with the logs and turning on all the alerts. Then, you need to have the time to dig through those because it could be blocking something, which it will tell you.

I haven't read the NSS Labs Test Report from July 2019 about Palo Alto NGFW, but it sounds interesting. Though it is a little bit of snake oil, because the worst attacks that we had last year were purely done through social engineering and email. I feel like this is an attack vector that the firewall can't totally block. So, before you put something in, like Palo Alto Firewalls, you need to have your security policy in place first.

I would rate this solution as eight out of 10. Technically, it is a good solution, but for usability and practicality, I would take points off for that.

The solution is more towards the front of the security stack.

We use both AWS and Alibaba Cloud.

The single pass architecture has helped a lot in the implementation and maintenance of Palo Alto Networks. It changed the customer's opinion on UTM platforms. In the past, when customers used UTM platforms, they feared the security features would impact the performance and slow down the network, causing some instability. However, with the single pass architecture, Palo Alto has demonstrated that you can use a lot of the security features without having an impact on the security and network performance. Therefore, most of our customers will dare to use most of Palo Alto Networks' security features.

• Application identification
• Antivirus
• Vulnerability protection
• URL filtering
• SSL VPN
• IPsec VPN

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities. Most of our customers are busy. They cannot afford the time to learn very complicated user interfaces and configuration procedures. With Palo Alto Networks, they offered a unified user interface for all its NG Firewall products and Panorama. I think it reduces some of our customers' maintenance time. 

Palo Alto NGFW’s unified platform has helped our customers eliminate security holes. With a unified platform, customers can deploy the NG Firewall both in the data center edge, inside the data center, and in the product/public cloud environments. They have the same user interfaces and platform, so they can be maintained by a single unified platform called Panorama. Customers can use Palo Alto Network NG Firewalls in all the places where they need to protect their environments. This helps to decrease security holes.

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

I have been using it for eight years, though my company does not use it.

Compared to its competitors, the stability of NG Firewalls is very good. We have faced some strange problems with the hardware platform or operating system. Most of these customer cases come from complicated configs and bugs. However, stability is very good overall.

Scalability is not that good. Palo Alto Networks NG Firewalls product is for middle-sized and small businesses. It has fixed parts and capacities for processing. Some of their higher-end products have the scalability to expand capacities, but only a few customers can afford their larger product.

I would rate it as eight to nine out of 10. Most of the technical engineers, who provide support for our customers, are efficient. There are one or two Tier 1 tech support engineers who often don't have answers.

Palo Alto NGFW’s unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. Before using Palo Alto Networks NG Firewalls, customers might need to implement Layer 4 firewalls, IPS and possibly an antivirus, gateways, and maybe web proxies for all their devices. With Palo Alto NGFW’s unified platform, if a customer can do all the config and security policies on one platform, then this will merge all their security things onto a single platform.

The initial setup is not complex; it is straightforward. Our users only need a cable and some basic steps to configure the management interface. Then, it can set up the NG Firewall and ensure that the network and routing are working as expected in the environment. I think its steps are easier than most of its competitors. The initial setup takes one or two hours.

The full setup time depends on the features, then whether the environment or customer needs are complicated or not.

For our implementation strategy, we talk to our customers and work out documents for all their configs, which includes basic information that we need to know for implementing the firewall. Then, we follow the documents and do the implementation. We also may modify some content of the documents as the project processes.

It needs one or two employees with enough skills to manage and maintain it. They may need to modify firewalls, firewalls security rules, and possibly inspect alerts that are generated from firewalls.

By having a customer operate on a unified platform, they can do the application control, traffic control, threat protection, and URL filtering on a single platform. This effectively reduces the workload on all their networks and security tools.

Cheap and faster are the opposite sides of security. Security inspections have some technical and money costs. If you just purchase some cheap, fast firewalls, then you will lose a lot of the security features and fraud protection capabilities.

My company uses Cisco Firepower NGFW Firewall, not Palo Alto Networks NG Firewalls. We started our cooperation with Cisco a lot longer than with Palo Alto Networks. We have been working with Cisco to expand their business in China for more than 20 years, which is why the leaders in our company might be choosing Cisco products.  

Most of our customers have been using Palo Alto Networks for a long time and do not want to change to another vendor. The unified user interface is a big benefit for them.

Palo Alto NGFW’s DNS Security is an effective way to detect and block DNS tunneling attacks, because most competitors do not have these techniques to detect the DNS tunneling on a single device. They require maybe a SIM or some analysts. So, this is something quite creative for Palo Alto Networks.

For our customers, I would tell them that Palo Alto Networks NG Firewalls is easy to use, but probably difficult to master. It has a very easy to use interface and configuration utility, but it has a lot of advanced features that need some deep knowledge of the product.

No product can guarantee 100% evasions being blocked, but I think Palo Alto is among the top of the threat inspection vendors. From the NSS Labs Test Report, we can see that Palo Alto Networks always has a top score.

Machine learning in a single firewall is not that accurate or important for our customers. Since it will only see some network traffic, it cannot connect everything together, like endpoints and servers. Therefore, our customers do not value the machine learning techniques on a single firewall very much.

We may review the alerts generated by machine learning modules, then we can see if the alerts are real alerts, not false positives. This may tell us how efficient machine learning is.

Very few customers in China have used the Palo Alto NGFW’s DNS Security module. It is a new feature that was introduced only two years ago. Customers already know what the product can provide in terms of protection. Its DNS Security provides something that is not really easy to understand. Also, it increases the cost of the firewall because it requires another license to be implemented, and the cost is not low.

DNS Security is very impressive, and I think it will be an efficient way to block the rapidly changing threat landscape and maybe Zero-day attack methods.

Biggest lesson learnt: If you want to protect something, you need to gain visibility of the entire network. NG Firewalls provides a deep visibility into network traffic.

I would rate Palo Alto Networks NG Firewalls as nine out of 10.

We use it to segregate traffic between different tenant instances and to manage secure access to environments, DMZ zones, and to communicate what the firewall is doing.

With Palo Alto NG Firewalls, we can pass all compliance requirements. We trust it and we are building the security of our environment based on it. We feel that we are secure in our network.

It also provides a unified platform that natively integrates all security capabilities. It's very important because it gives us one solution that covers all aspects of security. The unified platform helps to eliminate security holes by enabling detection. It helps us to manage edge access to our network from outside sources on the internet and we can do so per application. It also provides URL filtering. The unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. In one appliance it combines URL filtering, intrusion prevention and detection, general firewall rules, and reporting. It combines all of those tools in one appliance. As a result, our network operations are better because we have a single point of view for our firewall and all related security issues. It's definitely a benefit that we don't need different appliances, different interfaces, and different configurations. Everything is managed from one place.

The most valuable features include the different security zones and the ability to identify applications not only by port numbers but by the applications themselves.

The DNS Security with predictive analytics and machine learning for instantly blocking DNS-related attacks works fine. We are happy with it.

And with the single-pass architecture, it provides a good trade-off between security and network performance. It provides good security and good network throughput.

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good.

In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

I have been using Palo Alto Networks NG Firewalls for about three years.

The solution is pretty stable.

The scalability is good.

In terms of the extensiveness of use, it depends on business needs. Every communication from the company is going through this solution, so it's highly used and we are highly dependent on the solution. 

In terms of increasing our use of the solution, it all comes down to business needs. If the business needs it, and we get to the limit of the current appliance, we will consider updating it or adding more appliances. At this point, we're good.

We previously used Cisco. The switch was a business decision and may have had to do with cost savings, but I'm not sure what the driver was.

The initial setup was a little bit complex, but not terrible. The complexity was not related to the product. It was more to do with needing to prepare and plan things properly so that in the future the solution will be scalable. If there were some predefined templates for different use cases, that would help. Maybe it has that feature, but I'm not familiar with it.

The time needed for deployment depends on the requirements. We also continuously optimized it, so we didn't just deploy it and forget it.

Our implementation strategy was to start with allowing less access and then allowing more and more as needed. We made the first configuration more restrictive to collect data on denied traffic, and then we analyzed the traffic and allowed it as needed.

We have less than 10 users and their roles are security engineers and network engineers. We have three to four people for deployment and maintenance and for coordinating with the business, including things such as downtime and a cut-over. The network and security engineers work to confirm that the configuration of the solution is meeting our requirements.

We did it ourselves.

I'm not sure about pricing. I don't know if Palo Alto NG Firewalls are cheaper or not, but I would definitely recommend Palo Alto as an option.

If you need additional features, you need additional licenses, but I'm not aware of the cost details.

We evaluated Cisco, Sophos, Dell EMC SonicWall, and FortiGate. Cost and reputation were some of the key factors we looked at, as well as the flexibility of configuration. Another factor was how many users could comfortably work on the solution when publicly deployed.

The fact that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention is important, but I still don't completely trust it. I haven't really seen this feature. Maybe it's somewhere in the background, but I haven't gotten any notifications that something was found or prevented. At this point, we still use traditional approaches with human interaction.

Overall, what I have learned from using Palo Alto is that you need to be very detailed in  your requirements.

We use them to do quite a bit of URL filtering, threat prevention, and we also use GlobalProtect. And application visibility is huge for us. Rather than having to do port-based firewalling, we're able to take it to an application level.

We have quite a number of security pieces that are implemented for our network, such as a DNS piece, although we're not using Palo Alto for that purpose. But with that, in line with our seam, we're able to better distinguish what normal traffic looks like versus what a potential threat would look like. That's how we're leveraging the NG Firewalls. Also, we have separated the network for our databases and we only allow specific users or specific applications to communicate with them. They're not using the traditional port base, they're using application-aware ports to make sure that the traffic that has come in is what it says it is.

Machine learning in Palo Alto's firewalls, for securing networks against threats that are able to evolve and morph rapidly, has helped us out significantly, in implementation with different security software and processes. The combination allows our security analysts to determine the type of traffic that is flowing through our network and to our devices. We're able to collect the logs that Palo Alto generates to determine if there's any type of intrusion in our network.

The machine learning in the core of the firewalls, for inline, real-time attack prevention, is very important to us. With the malware and ransomware threats that are out there, to keep abreast of and ahead of those types of attacks, it's important for our devices to be able to use AI to distinguish when there is malicious traffic or abnormal traffic within our environment, and then notify us.

The fact that in the NSS Labs Test Report from July 2019 about Palo Alto NG Firewalls, 100 percent of the evasions were blocked, is very important to us. 

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

I've been using Palo Alto NG Firewalls for about five years.

The firewalls are very stable. We've had no issues with downtime.

They're very scalable. Because we use Panorama, we're able to have global firewall rules for areas that we want to block, across the network, for security reasons. We just push those down to all the devices in one shot.

Our corporate site has about 500 users, and our 14 remote sites, because they're retail, usually have anywhere from five to 10 users each.

Their support is generally very knowledgeable. Sometimes it depends though on who you get, but they've always addressed our issues in a timely manner.

We were using older versions of Palo Alto's firewalls and we also had Cisco firewalls in our environment.

For our remote stores we're able to use Panorama, along with Palo Alto's Zero Touch Provisioning hardware. Once a device is connected to the internet and can communicate back to our Panorama, it just pulls the configurations. That means it's very easy to deploy.

It took about two to three months to deploy about 14 sites. That wasn't because we were having issues, it was just the way we scheduled the deployment, because we had to bring down different entities and had to schedule them accordingly with a maintenance window. But if it wasn't for that scheduling, within a week we could have deployed all of the remote sites.

For our implementation strategy, at our corporate site we had both old and new firewalls sitting side by side on the network. As we went to a remote site we would take them from their legacy Cisco and cut them over to the new firewall. Once that was done, we moved all of the firewall rules that were on the old firewall over to the new one.

When it comes to maintenance and administration of the firewalls, my team of five people is responsible. We have a network architect, a network specialist, two senior network specialists, and a security manager.

We did it by ourselves. We have a certified Palo Alto engineer on staff and he did all the installation.

Definitely look into a multi-year license, as opposed to a single-year. That will definitely be more beneficial in terms of cost. We went with five-year licenses. After looking at the overall costs, we calculate that we're only paying for four years, because it works out such that the last year is negligible. If we were to be billed yearly, the last year's costs would be a lot more. With the five-year plan we're saving about a year's worth of licenses.

Based on the quantity of devices we purchased, we found that the hardware price was actually cheaper than most of the other vendors out there.

If a colleague at another company were to say, "We are just looking for the cheapest and fastest firewall," given my experience with Palo Alto's NG Firewalls, my answer would depend on the size of the company and how much traffic they're going to be generating. Palo Alto is definitely not the cheapest, but if you scale it the right way it will be very comparable to what's out there.

One of the things we like about Palo Alto is the fact that the hardware appliances we have are not impacted in terms of resources. The CPU and memory stay low, so we don't have a bottleneck where it's trying to process a whole bunch of traffic and things are slow. We were looking at various brands because we were going from older hardware to newer, and we wanted to evaluate what the other vendors were doing. After that evaluation, we were comfortable that Palo Alto would be able to handle all of our network traffic without impacting performance.

We looked at Fortinet and Cisco. Cisco is a bit pricey when compared to our Palo Altos. Fortinet was definitely cheaper, but we were skeptical about their performance when we bundled all of the features that we wanted. We didn't think it was going to be fast enough to handle the network traffic that we were generating across the board. We believe Cisco would have handled our traffic, but their next-gen platform, along with SD-WAN, required us to have two separate devices. It wasn't something that would have been on one platform. That's probably why we didn't go down that road.

Part of what we considered when we were looking around was how familiar we were with the technology. That was also a big area for us. Most of the guys on our team were pretty familiar with Cisco and Palo Alto devices. They weren't too familiar with Fortinet or Check Point. We narrowed it down based on if we had a security breach, how easy would it be for us to start gathering information, remediating and troubleshooting, and looking at the origin of the threat. We looked at that versus having to call support because we weren't too familiar with a particular product. That was huge for us when we were doing the evaluation of these products.

Other than the SD-WAN, everything else has been functioning like our previous setup because it's a pretty similar license. The way that the new hardware handles URL filtering, threat protection, and GlobalProtect has been pretty solid. I don't have any issues with those.

Overall, I would rate Palo Alto NG Firewalls at nine out of 10. It's definitely not the cheapest product out there. Cost is the main reason I wouldn't put it at a 10.

We use this firewall to segment our network into two parts and control traffic between them, providing a secure and efficient way to manage our network.

The product's most valuable features are the ease of deployment, regularly updated security information, and robust hardware.

Palo Alto's various products need better integration to ensure they work harmoniously.

We have been using Palo Alto Networks NG Firewalls for the past six years.

The firewall is very stable; I rate it ten out of ten in terms of stability.

The solution is highly scalable, accommodating around 5,000 users at our site. We plan to increase usage, which is a matter of purchasing new licenses without affecting current operations.

While I have not used technical support service, my team has, and they have found it to be very good.

Positive

We switched from AWS to Oracle Advanced Analytics because while AWS was easy to use, it was more expensive.

The setup is easy but requires careful planning and expert design to ensure optimal deployment. The process involves planning, reviewing requirements, designing, implementing, and operating the firewall.

Palo Alto NG Firewall effectively prevents threats and helps maintain a secure network environment.

I rate it a nine out of ten.