Palo Alto Networks NG Firewalls Reviews

We use Palo Alto as our perimeter firewall. We also use the GlobalProtect VPN solution.

It gives visibility into different threats. There is a wide range of threats that can be identified.

We collect logs from Palo Alto into our Rapid7 SIEM solution. It's pretty well integrated. This integration is important because we don't necessarily want a solution from the same vendor. I know Palo Alto has Cortex for collection. Being open to other vendors in order to ingest the data or logs is a great thing.

Palo Alto has embedded machine learning in the core of the firewall to provide inline, real-time attack prevention, which is important because AI is the future. All cybersecurity companies are going to start using it. It's definitely a good thing. We just need to make sure that there's still the human component because AI can still fail.

Palo Alto has a wide range of different appliances or virtual machines. It can be installed anywhere from a small branch to a data center. It helps to secure small businesses to large enterprises.

The most valuable feature is advanced URL filtering. Its prevention capabilities and DNS security are also valuable. It pinpoints any suspicious activities and also prevents the users from doing certain things. For example, DNS security prevents users from reaching certain websites, so it's really interesting.

Palo Alto should improve their support. It's sometimes difficult to get the right technician or engineer to fix the problem as soon as possible.

We have been using Palo Alto for at least five years. 

They're pretty robust. They also have Unit 42, which is their threat intelligence team. They make you feel safer because they can identify the threats and then implement protection from those into their firewall.

Scalability is pretty good on the virtual side. Because the virtual environment licensing model is based on credit, if you don't wanna use UI protection tomorrow, you can get rid of it and use those credits for another product or another license.

Because of the pandemic, there's a lot of turnover and the quality of the support technicians is not great. I hope they will improve. I would rate their support a seven out of ten.

Neutral

I didn't use any other solution previously.

It was straightforward. They have great documentation. We use Palo Alto in the Azure environment, and their Azure documentation is one of the best documentation I've ever seen. It's very detailed. It can be confusing sometimes because there's a lot of information, but it's definitely good. They're good at documenting, and their knowledge base is really interesting for troubleshooting. There's a lot of useful information.

We deployed it ourselves. We didn't use any company to deploy it.

It's hard to tell. It's preventing attacks, but I don't have any specific case where I can say whether a particular attack would not have been blocked by another vendor.

It can be quite expensive, but there's a good incentive for the three-year contracts. The part that is especially confusing is for the virtual environment. The credits or the licensing system can be very confusing.

We didn't evaluate any other options.

As a result of my experience with Palo Alto NGFW, to a colleague at another company who says, “We are just looking for the cheapest and fastest firewall,” I would say that the cheapest and fastest means there is a potential risk of breach. Even though Palo Alto is quite expensive, it definitely makes you feel secure. The configuration of the appliances or virtual machines is pretty straightforward, so you don't need to be highly trained in order to be the administrator of the platform.

It's important to attend an RSA Conference even if you're already a customer. That's because you might not be necessarily aware of the new products, so going to an RSA Conference can help you identify new solutions that may be valuable for your company. 

Attending an RSA Conference will have an impact on our organization’s cybersecurity purchases made throughout the year afterward. There are a lot of different vendors that I've found, and I will probably get in touch soon.

Overall, I would rate this solution a nine out of ten.

I am a customer of Palo Alto Networks. If any issue arises, I raise a ticket with Palo Alto.

We are currently using Palo Alto in our national data center, which is a large Tier Three data center. As all communication is now going through APIs, it would be beneficial to improve Palo Alto by adding an API scanner in the future.

The most valuable feature of the solution is the network protection.

We decided to use Palo Alto because they are the leader in the market.

Palo Alto does provide a unified platform that natively integrates all security capabilities.

These days, DDoS attacks are becoming more frequent, especially in external data centers. Therefore, we need to enhance the DDoS attack block list and update patches in our national data center.

The API scanner could be improved.

The support could be improved. 

Palo Alto does not have a support team located in Bangladesh, and their support team operates from another location. Therefore, when we raise a ticket, it takes some time for them to respond, which can be problematic for us.

I have been working with Palo Alto Networks NG Firewalls for seven years.

Since we have definitely used Palo Alto Networks NG Firewalls, it's not possible to compare them with any other product.

The stability of Palo Alto Networks NG Firewalls is good.

The current solution is satisfactory, but we require more scalability from Palo Alto.

Technical support is good.

I would rate the technical support a nine out of ten.

Positive

Previously, we did not use another solution.

The initial setup was straightforward, as we prioritize quality over price for our federal work. Our main concern is protection, as we need to safeguard national assets.

I am the consultant.

We have observed a positive return on investment because if a DDoS attack were to occur, it would result in a loss of business and other adverse effects.

By using Palo Alto to protect our data, we can prevent such attacks and ensure that our business runs smoothly.

We always aim to reduce the pricing, as it is currently a bit high and needs to be lowered.

Before my organization purchases any product, they must obtain my permission and also conduct an evaluation.

From the very beginning, we have been using Palo Alto Networks NG Firewalls, I cannot make a comparison with other firewall solutions.

Palo Alto is the market leader in firewall technology, and we also use their firewall. However, we have been experiencing DDoS attacks and are using Palo Alto to protect against them. 

In some cases, we may need to increase the DDoS block list and update patches through Palo Alto.

As someone who works in the national data center, we always strive to use the very best, not the cheapest.

I would rate Palo Alto Networks NG Firewalls a nine out of ten.

We use Palo Alto Networks NG Firewalls with Prisma and cloud environments.

As a firewall, it effectively protects our environment from threats.

In general, I appreciate the regular firewall function of the Palo Alto Networks NG Firewall.

Overall, it is a good networking device product.

From my perspective, having machine learning integrated into the core of the Palo Alto NG Firewalls is very important for enabling real-time attack prevention.

As far as I know, the use of Palo Alto Networks NG Firewalls has resulted in reduced downtime, but I am not directly involved with that department.

One main issue I've encountered is customer service. Occasionally, when I open a request, it gets closed automatically, without any explanation, leaving me unsure of what happened to it. However, overall, the product itself works well. As for Prisma Cloud, it could benefit from some additional functionality, but the main issue is the lack of communication regarding closed requests.

There is room for improvement in the area of customer service.

I have had experience working with Palo Alto Networks NG Firewalls for three or more years.

The stability of Palo Alto Networks NG Firewalls is good.

Technical support is lacking. I would rate the technical support a seven out of ten.

Neutral

Previously, we worked with Cisco Secure Firewall.

We switched to Palo Alto Networks NG Firewalls because it was a good deal for the company.

I was not involved in the deployment.

Another team was responsible for running the proof of concept.

I don't have any knowledge or experience regarding the unified platform and native integration of all security capabilities provided by Palo Alto Networks NG Firewalls.

Based on my experience, evaluating the security solution for all workplaces from the smallest office to the largest data centers cannot be assessed by a single path. However, in general, the solution is performing its intended job well.

I would rate Palo Alto Networks NG Firewalls an eight out of ten.

Attending the RSA conference provided me with an enormous amount of knowledge on various topics such as new technologies, and threats in different environments, including cloud and on-premises. Which impacts my purchase throughout the year afterward.

One of our objectives is to search for new solutions, whether to replace current ones with more modern options or to explore new sandboxes, technologies, and vulnerabilities.

We have had a couple of big projects with government companies here in Ukraine. One of those projects involved three data centers with a lot of security and network requirements, and we implemented Palo Alto as part of this project.

The use case was to build the new data centers with a firewall that would not only work on the perimeter but also for internal traffic. We deployed eight PA-5200 Series firewalls and integrated them with VMware NSX, and they're working together.

One of the points that helped us win the tender is that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention. The customer's security team was asking for this feature from the firewalls because machine learning makes things much easier than manually sitting there with some kind of SIEM and searching for all kinds of attacks and critical issues. The machine learning is really helpful because it's doing the work automatically.

We had a small project with the PA-800 Series appliance where we implemented DNS Security. DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network.

In general, Palo Alto NG Firewalls are 

• easy to manage
• good, reliable appliances
• easy to configure.
  

They also have a good balance between security and traffic. They have good hardware and, for management, they have their own data plane. If traffic is really overloading the data plane, you still have the ability to get into the management tools to see what's going on. You can reset or block some traffic. Not all firewalls have that feature.

They have really good clients, such as a VPN client. You can also enforce security standards on workers in the field. It's a really good product. And now, for endpoint security, they have Cortex XDR. You use the same client, but with additional licenses that enable more features.

The only area I can see for improvement is that Palo Alto should do more marketing.

We work with customers, but we are not using the solution ourselves.

The scalability is really good because they have a chassis version of appliances. They plan to build new chassis. But for the really big projects here in Ukraine, we can easily cover what we need with the PA-8000 Series with Palo Alto chassis appliances.

In our project with the three data centers, each data center was able to process 40 gigs.

First-level support is provided by our distributor Bakotech. They are technical guys and they really know the product. Unlike some support providers who just send you manuals to ready, they're really helpful. You can call them at any time and they get back to you shortly and help.

The initial setup is really easy. If you're working with Palo Alto Panorama, which is their management server, it's very easy to deploy a lot of appliances in a couple of days, because you're just sending out the configuration and templates on a blind device. In a couple of hours that device is working like the rest.

Another valuable aspect of Palo Alto NG Firewalls is that the appliances and software are really reliable in terms of stability and performance. Some firewall vendors don't write real information on their datasheets and, after implementing them, you see that the reality is not the way it was described. For example, when it comes to threat prevention and how much traffic appliances can handle, there was a project where we beat another vendor's firewall because Palo Alto has the real information on its datasheets.

I have some experience with Cisco, on a small project but there was a somewhat older software version, and there was a lot of lag. When changing something in the configuration, once you pushed "commit" you could go have a coffee or do other stuff for 20 minutes or more, because it took a really long time to push that configuration to the device.

If a colleague at another company said to me, "We're just looking for the cheapest and fastest firewall," I would tell them that the cheapest is not the best. If you need really reliable hardware and software, and don't want headaches after the implementation, just buy Palo Alto.

The PA-400 is really strong and not only for SOHO or SMB companies. They have a really big throughput with Threat Prevention and DNS Security enabled. It's a really good appliance in a small size. But it's not only for small companies. The PA-460 can easily handle the traffic of a midsize company, one with 100 or 200 employees, and maybe even a little more. The PA-460 can handle about 5 gigs of traffic. With Threat Prevention, they can handle 2.5 gigabytes of traffic. For a regular office, that's good. It might be a little small for big companies.

Regarding DS tunneling, it is mostly peer-type attacks. With tunneling, it depends on what type of tunneling is used. You need to look at the specific case, at things like whether it was an internal DNS tunnel or one from the outside to the inside between branches. Most of the time, you can see that kind of traffic with a firewall if you have enabled full logging and you drop the logs into a good SIEM, like ArcSight or others. You will see the anomaly traffic via tunnels. You can also switch on decryption so you can decrypt a tunnel and see what is going on inside.

We have had no issues from our customers who are working with Palo Alto NG Firewalls. They fully cover all our customers' needs.

We deployed the Palo Alto Next Generation Firewall on the perimeter of the network, so all traffic that flows to the company from the internet and from the company to the internet scanned by the Palo Alto Networks Firewall. In addition, all of the internal traffic from LAN users to services that are on the DMZ zone traverse the Palo Alto Firewall.

The strengths of Palo Alto Networks NG Firewalls are application visibility and application awareness. Their strong point is identifying applications for traffic. So all of the policies that are configured are related to the application and not to a port.

For example, let's say you want to allow HTTP traffic and the server is not listening on the standard http port which port 80 but listens on port 25 which Is the standard port for SMTP, this is not an obstacle has the firewall is focusing on the application, it identify the HTTP application and allow the HTTP application and block any other application on port 25. So we don't care on which port the app traverses.

It is easy to install and is stable too.

There is another solution from Palo Alto for endpoints - XDR  that integrates with the firewall  thus providing protection at the network level and also at the end point but the XDR solution is only a cloud based solution. I would really like it if would be possible to implement this solution on-premises this is something that I would love to see with Palo Alto Networks NG Firewalls.

The price could be lower.

I've worked with Palo Alto Networks NG Firewalls within the last 12 months.

So far, it's stable. I haven't had any problem with it. I'm always authorizing to have the minor version aligned with the latest version. There haven't been any published vulnerabilities with the product so far.

I'm using the cluster, and that's a great long term solution. So I haven't needed to expand.

There are more than 10,000 employees in the company. We hope to migrate the other branches that have a different vendor to Palo Alto.

The initial setup was straightforward from my point of view.

From a financial perspective, this solution is quite expensive.

The licensing is on a yearly basis even though we close the deal for three years upfront.

I would advise that those thinking about Palo Alto Networks NG Firewalls need to switch how they think about a policy on the firewall. They should not to look at it from the point of view of the service and what port that policy is related to. Instead, they should look at it from the application side. Don't pay too much attention to the port. Just look at the application. For example, the NGFW doesn't care if SMTP traverses on port 25 or 65. It just enforces the protocol.

From a technical point of view, I don't think that there's something that's missing from the Palo Alto Networks NG Firewalls. So, I would rate it at nine on a scale from one to ten.

We primarily use Palo Alto Networks NG Firewalls as Foundry Network devices, but we also use them to filter internal network traffic.

I don't believe there is a significant difference. It is similar to any Google firewall product in that it works as long as they are reliable.

The most important part of this solution is its reliability, as it just works without any fancy features. Users are mainly concerned about their ability to function consistently and dependably.

I believe that companies could potentially gain an advantage by leveraging their engineers' familiarity with certain interfaces. Typically, the familiarity factor plays a significant role in product selection, and if they have experience using certain interfaces, they are more likely to opt for those products.

In terms of the interface, I don't feel there is any distinction between this vendor and others. I believe that familiarity with the products itself is an important consideration.

With the use cases that I am familiar with, I don't believe that additional features would be of any benefit. 

Adding more features generally causes more issues. I would prefer they focus on improving reliability rather than adding new features.

My preference would be to exclude machine learning since it must be capable of explanation. This is really important to us, and the performance must also be highly predictable. If it is implemented, at the very least, the option to disable it completely must be available.

In my view, machine learning is often a bothersome addition that can potentially compromise security by allowing unauthorized traffic to pass through undetected. 

From my experience, this tends to occur in networks where all the traffic is clearly defined.

Enhancements could potentially be made to the firmware to improve its inspectability.

In my current job, I have been using Palo Alto Networks NG Firewalls for three years.

In my experience, Palo Alto Networks NG Firewalls have been a stable solution.

It has been as scalable as you would expect.

I have experience working on both small office networks as well as larger ones spanning multiple locations, typically around three to five locations.

I have worked with a range from small office setups with around fifty devices to larger ones with a scale of maybe a thousand, two thousand, or even five thousand devices.

I have experience with quite a lot of other vendors.

In my opinion, I find the configuration of this product more appealing than that of Cisco, but ultimately, it comes down to the preference of the organization's administrators. In terms of features, I don't see a significant difference between them; they all seem pretty standard to me.

I find their syntax more appealing, especially for the command line.

 I am rarely involved in the deployment.

When assessing firewalls for securing data centers consistently and across all workspaces or places, Palo Alto Networks NG Firewalls are suitable products. 

From my experience, they have demonstrated excellent performance.

While it may not necessarily decrease downtime, it also doesn't cause any increase in downtime.

Attending events like RSA has proven to be quite beneficial for me in terms of meeting new people and discovering interesting products. These events generated new contacts and partnerships for my organization.

I believe that we will likely evaluate and purchase at least one of the products in the near future.

It's a decent product, I would rate Palo Alto Networks NG Firewalls an eight out of ten.

It is used for protection against attacks and it is very fast and reliable. We have a lot of use cases for it.

We are an implementation partner for Palo Alto. One of the companies we implemented its Next-Generation Firewalls for was previously using Barracuda. A ransomware attack happened and they lost all their backup data, and their configuration. Once we implemented Palo Alto for them, there were similar attacks but they were blocked.

Along with Prisma, it helps in preventing a lot of attacks, especially Zero-day attacks.

The sandboxing is valuable and they are frequently updating their signature database. We get new updates every five minutes. That makes it easy to detect new and unknown attacks.

The configuration part could be improved. It's very difficult to configure. It doesn't have a user-friendly interface. You have to know Palo Alto deeply to use it.

Also, it doesn't support open-source protocols like EIGRP. We had to find another solution for that.

I've been using Palo Alto Networks NG Firewalls for the last six years.

Palo Alto suggests version 9.1.7 for stability. When new features come out, things are not as stable.

It's scalable. I recommend it for its scalability.

We generally deploy these firewalls into larger environments, but the PA-400 series is affordable.

There are problems with the technical support. When we are facing an attack, it's very difficult to get a hold of people from the TAC. It's not like Cisco, especially in India. There are very few members of Palo Alto TAC in India. Sometimes we get support from people in other countries.

Neutral

The initial deployment of these firewalls is very complex. The registration is a very difficult task. You have to go to the partner portal to register and it's not user-friendly. All the other solutions are not like that. With Juniper, for example, it's very easy to handle their portal.

The deployment time depends on the customer environment but it normally takes around three weeks. Our implementation strategy is to first understand the network we are dealing with and how we can deploy Palo Alto.

The pricing for Palo Alto is very high. The price difference with other vendors is huge because Palo Alto has been the market leader for the last five or six years, and they have a reliable product. Everybody knows Palo Alto, like Cisco routing and switching. It's likely that only enterprise-level customers can afford this kind of firewall.

Palos Alto's firewalls have machine learning software and sandboxing. Everything is one step ahead of all the competitors.

Still, almost all vendors provide the same things. They call their technologies by different names, but that's the only big difference in features.

According to the industry reviews Palo Alto has been the market leader for the last five or six years. They have better technology and the hardware is also good. It's the pricing and user interface where there are issues. Apart from them, everything is fine.

These firewalls are only used for perimeter purposes, in gateway mode.

In addition to our environment being secure, we can monitor compliance of VPN users. Security and monitoring are the two big benefits.

It's also very critical for us that it provides a unified platform that natively integrates all security capabilities. We have multiple vendors and multiple solutions. Palo Alto has to work with them. For example, when it comes to authentication, we can integrate LDAP and RADIUS, among others. And in one of our customer's environments, we have integrated a new, passwordless authentication.

Apart from the security, Palo Alto NG Firewalls have nice features like App-ID and User-ID. These are the two most useful features.

With App-ID, we can identify exact traffic. Even if someone tries to fool the firewall with a different port number, or with the correct port number, Palo Alto is able to identify what kind of traffic it is.

With User-ID, we can configure single sign-on, which makes things easy for users. There is no need for additional authentication for a user. And for documentation and reporting purposes, we can fetch user-based details, based on User-ID, and can generate new reports.

Another good feature is the DNS Security. With the help of DNS security, we can block the initial level of an attack, and we can block malicious things from a DNS perspective.

The GlobalProtect VPN is also very useful.

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

We have been using Palo Alto Networks NG Firewalls for two years. I've worked on the 800 Series and the 3000 Series.

It's quite stable. They are launching a new firmware version, but compared to other products, Palo Alto is quite stable.

I have worked with Palo Alto's support many times and it is quite good. Whenever we create a support ticket, they are on time and they update us in a timely manner. In terms of technical expertise, they have good people who are experts in it. They are very supportive of customers.

Positive

The initial deployment is straightforward; very simple. The primary access for these firewalls is quite simple. We can directly access them, after a few basic steps, and start the configuration. Even the hardware registration process and licensing are quite simple.

The time it takes to deploy a firewall depends upon hardware and upon the customer's environment. But a basic to intermediate deployment takes two to three months.

Our customers definitely see ROI with Palo Alto NG Firewalls, although I don't have metrics.

I am not involved in the commercial side, but I believe that Palo Alto is quite expensive compared to others.

One of the pros of Palo Alto is the GlobalProtect, which is a VPN solution. GlobalProtect has broader compliance checks. I have worked on Check Point and FortiGate, but they don't have this kind of feature in their firewalls. Also, Check Point does not have DNS Security, which Palo Alto has.

If you're going with Palo Alto, you have to use all its features, including the DNS Security, App-ID, and SSL decryption. Otherwise, there is no point in buying Palo Alto.