Palo Alto Networks NG Firewalls Reviews

We're customer facing; each customer uses it for a different purpose. Some use NG Firewalls for IPS capability, some for application capabilities, these kinds of things.

The accessibility, antivirus, and stability features are the most valuable. It's so stable, the customer can use the decryption features without impacting performance.

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

It's a very stable solution.

I am the customer's technical support. If a customer has issues, they would call me.

The initial setup was basic. It was very simple. The basic configuration will only take 15 minutes. Anyone can set it up. If a person has worked with a firewall before, they can do it themselves. You only need one person for deployment.

Licensing is on a three year basis. Customers prefer one to three years. Licencing is pretty expensive. Check Point is cheaper than Palo Alto. There's also an international license. If a customer wants to control different things, they will need an extra license. 

I've helped customers using Fortinet and Check Point. They are compromised. Their firewall is not stable. But for some features, for example, encryption, they want to use this feature, but the firewall feature isn't great. With Palo Alto, there isn't any problem, you can open any feature - IPS feature, data encryption feature - there isn't an issue.

Implementation is simple, the product is stable, but I advise if people get the firewall I strongly recommend the use of the API features. They may not be accustomed to using a next-generation firewall. If they want to use NG Firewalls, they need to use and implement the API features. They need to create uses based on the application.

My understanding is Version 9 will introduce some logic features.

I would rate this solution 9 out of 10.

I use the solution for firewalls.

I find the configuration the most valuable.

The support in our country can be slow sometimes. It's a slow website. It could also use better customer support.

The solution's stability is normal.

My impression of the scalability is that it is easy.

I contacted technical support a lot of times. Most of the time, they were pretty good, but sometimes technical support couldn't resolve the issue, and they don't know what to do.

The setup of the firewalls has medium difficulty. On one configuration it was easy, and on another one it was hard. Sometimes it's normal to configure sometimes it's more complex. You only need one person, maybe two, for deployment at a company.

I did the implementation myself.

At our company, we sell the solution for another vendor, and they sell to another vendor. So our pricing is more expensive than other vendors. 

I didn't look at any other vendors.

The functionality is good and so are the features. In terms of implementing the solution, I wish it was better. I would rate the solution 8 out of 10, mostly due to the technical issues I've experienced.

The primary use for this product is for security as a firewall by a sales engineer for the guest environment.

It allowed us to evaluate traffic in the customer environment by providing detailed reporting on the traffic and applications.

The WildFire feature is one of the best features in this firewall. WildFire extends the capabilities of Palo Alto firewalls to block malware. The best feature for the reseller is Service Lifecycle Reviewer, SLR. You deploy Palo Alto Network Firewall to the customer environment and it collects data about customer environment, customer traffic. After a week, Palo Alto generates a report to review the traffic. The report tells what applications were touched and how users used these applications in the environment, as well as additional details. So for resellers, you just go to the customer, deploy the Palo Alto in the basic mode so the customer doesn't need to customize anything in their environment because Palo Alto works to meter traffic out of the box.

Of course, the reports register app ID, user ID, the space of the app IDs, the database of these app IDs and other common data. It is a great feature in the Palo Alto product.

The manufacturer can improve the product by improving the configuration. Some of the menus are difficult to navigate when trying to find particular features. It is not entirely intuitive or convenient. You might need to configure a feature in one menu and next you need to go to another tab and configure another part of the feature in another tab. It's not very user-friendly in that way. On the other hand, it's still more user-friendly than using the console. But this is certainly one feature they can improve.

It's a great firewall, really one of the best in the market. It is one of few firewalls that can claim to be better than Cisco. It functions well, is very stable, and its reputation is known in the market.

I think that the product is very customizable. If you don't need to protect a lot of assets, you can buy a small firewall at a low price for small needs, but if you need you can buy a bigger solution with more features. Scalability is very easy with Palo Alto Networks.

Actually, I have moved away from using this product because of changes in duties.

Installation is really very straightforward. You just need to plug it in and connect to the environment and that's all. Deployment time depends on the size of the environment and customer needs. Some customers just need two or three policies and that's all. But some customers need more policies designed to cover the needs of specific departments. So deployment depends on the size of your environment. If it's a small company, it's not very hard to deploy the main features of Palo Alto, it may take an hour but not more than a day. It depends on the customer needs and size of the environment.

I work as the system integrator, so I install instances of Palo Alto myself. It was the first security product that I learned to work with.

I use the PA-220 to protect the LAN at my small-ish (about twenty people) office. We have several remote users who use the GlobalProtect VPN. As we move into a data center for hosting, I'll buy a second PA-220 to set up a site-to-site VPN. We also have a VM-50 for internal testing and lab use. 

I'm writing this review because it's a great product and I think it's ranked much too low on the review ratings. One of the things I really like about it is that we have the same features and functions available on the entry-level device (PA-220), as do large corporations with much more costly appliances.

With all the bells and whistles turned on, I can block access to websites based on their location (country), content, or other criteria. The reporting is really useful and shows me the most frequently used applications, and provides me with great visibility as to what my network users are doing on the internet. With this firewall in place, I can finally enforce the variety of acceptable use policies which have existed only on paper. 

The most valuable features are blocking traffic by country, and URL filtering to improve policy compliance and our overall cybersecurity posture. The ad blocker is also pretty handy. Moreover, the VPN client has turned out to be more useful than I initially thought, and the users love the 'one-click' connect. 

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

Technical support for this solution is great.

Previously we used a pfSense firewall. I was very unhappy with it, as it had a limited feature set and was not intuitive to configure. 

The initial setup is complex, due to all the features offered. You really have to know what you're doing.

Implemented through a vendor who was knowledgeable with the product. It took at least a few months of tweaking before we got the firewall to the point it's currently at. 

It will be worth your time to hire a contractor to set it up and configure it for you, especially if you are not very knowledgeable with PA firewalls. 

We looked at Cisco Meraki, but I wasn't really all that happy with it. 

I've used it and I'm very happy. Frankly, I think this site under-rates the technology, as it should be in at least the top three.

We use this solution to block malicious or suspicious activity by creating policies that define which action should be blocked or allowed.

The firewall is a security device. We use this solution to create policies like ISPs for a specific purpose. We only allow the policies for a particular application, so this is a way for the firewall to secure an unwanted connection.

The most valuable feature is the ability to deeply analyze the connection or connection type.

Overall it is good. It is reliable and easy to understand. However, the monitoring feature could be improved.

They have many solutions already. I don't think I have seen any missing features. Every device has different functions, but as a firewall, this solution has a lot.

Stability is good.

There are no scalability issues to date.

We have about 2,500 users behind the firewall using this solution. I think we don't have any requirement to increase usage. Currently, we have around 2,500 users, but if this increases, we may need a new requirement.

We hired one or two people to maintain the solution.

Technical support is good. Once you call up with your issue, it takes around one or two hours for them to contact and give you a solution accordingly.

We were using Cisco ASA. We switched because of legal reasons and difficulty to understand. That's why they had decided to change to Firewall.

It is very easy to use. It's straightforward, easy to understand, and easy to configure.

Deployment time depends on your requirements. If you talk about the system requirements, it hardly takes up to 15 or 20 minutes for the configuration.

That said, it totally depends on your requirements: What kind of policy you require that supports what kind of block, etc.

The deployment time would change based on these requirements, but the system configuration: accessing the internet and creating policies hardly takes 20 minutes.

Deployment is configured by administrators, so if we have any kind of issue in policies or any confusion, we get tech support.

Pricing is yearly, but it depends. You could pay on a yearly basis or every three years.

If you want to add a device or two, there would be an additional cost. Also, if you want to do an assessment or another similar add-on you have to pay accordingly for the additional service.

We also evaluated Check Point and Fortinet solutions.

This solution is easy to understand, reliable, and user-friendly.

I would rate this solution as eight out of ten.

Firewall.

We standardized on the product and got rid of several other types of firewalls from different vendors.

The firewall has a lot of sub-capabilities underneath it.

I would like integration with Evident.io and RedLock.

The data loss prevention (DLP) capabilities need to be beefed up.

The stability is good.

It is very scalable.

We have had that many problems, so we haven't had to engage with their tech support.

I was not pleased with my previous solutions.

We switched to Palo Alto for better manageability and overall features.

The initial setup was pretty straightforward.

We deployed in-house.

Annually, the licensing costs are too much.

I would certainly encourage someone to look into this solution.

Finding a solution for easy management, where the company is protected in a matter where an unwanted software is blocked.

Functional and very futureproof but a bit hard to manage, and the worst thing is that it takes almost 20 mins to boot up, and to commit a config takes half that time.

• GlobalProtect
• URL filtering
• Threat prevention. 

These features are great, but they have drawbacks and could be a bit better, flexible, and easy to manage since it takes the admin time to get them right. 

• Boot time
• Easy UI for the non-network specialists
• Commit time
• Virtualization
• Credit to Palo Alto knowledgebase. 

I used Palo Alto firewalls for plenty of projects and have many use cases.

When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App‑ID Facebook‑base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs Facebook-base and Facebook-mail.

I like to install Palo Alto mainly on the data center side to have visibility and protection into the network because we can configure the SVI (layer 3) on Palo Alto instead of the core switch.

It gives us full visibility and protection for the core of the network.

Visibility and Protection

It gives us good visibility into the network, and this is very important because it's the core of the network. All the packets go through the firewall.

MFA is a new feature in Palo Alto and it's good to use it.

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic.
Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic. 

Palo Alto is very stable. I worked on Cisco products like FTD and Firepower, and they are not as stable as Palo Alto. Also, some Fortigates are not stable. Palo Alto, as far as I know, is the most stable firewall compared to these others.

The solution is scalable because they are now using the next generation security network. They are integrating with endpoint protection. Palo Alto now has traps, so they integrate their traps and the next generation with the cloud. So it is scalable.

Technical support in Cisco is better than Palo Alto. In Cisco, you can directly talk to the top engineers.

We were using Cisco ASA. When Cisco moved to the next generation firewall or tried to move to the next generation firewall when they acquired Sourcefire, and they announced Firepower on ASA, it was not a good option.
They had tool management so you could configure ASA from the CLI and you could configure it on the Firepower. You need to redirect the traffic from ASA to Firepower. It was not a good idea. The packets were processed but there was latency in the packets. 
Nowdays, FTD has many problems and bugs.

When selecting a vendor, the important criteria is how much the appliance is powerful and if it gives me the feature that I want, not an appliance that does everything and it will affect the throughput. Also, the value of the product, the price. 

There has to be a match between the price and the features.

Palo Alto, Cisco.

Buy Palo Alto and try its features. In Palo Alto, you have select prevention, scan over AV, anti-spyware, vulnerability protection. and file blocking. you have good feature like WildFire to protect against unknown malware.

I rate Palo Alto at eight out of 10 because it gives me visibility and protection. This visibility and protection are very important nowadays to protect you from hackers.