Palo Alto Networks NG Firewalls Reviews

I have used it in a couple of different ways. One way was to use it as a perimeter device and to act like a traditional firewall for controlling the traffic in and out of the network and doing intrusion detection. It was more of a filtering-type device for remote access and VPNs. 

At another job, we used it as a site-to-site VPN. We scanned customer applications and code over a site-to-site VPN. These were the two main use cases that I have done over the last eight years with Palo Alto.

It integrates very well with AWS Cloud. We use the VM-Series of Palo Alto firewalls. It is good.

It is very important that Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. That is because it is a very sophisticated environment when you start talking about the cloud and software-defined networking. When you think about that level of complexity, to have somebody like Palo Alto and AWS work together to make the deployment of those devices seamless is an incredible benefit to users.

There are different types of modules to provide defense for customers. It is pretty amazing.

It can secure data centers consistently across all workplaces. It is no secret that Palo Alto has made a large footprint in the industry when it comes to those types of security services. When you talk about the data centers and things like that, Palo Alto scales well. They are doing a great job.

In terms of downtime reduction, downtime is relative. There are many different types of elements that can cause downtime. It could be some type of attack or just a configuration change. However, things like Panorama and high availability embedded in the platform allow for high availability.

The ease of updating the platform was valuable. We could easily update the OS and different modules within the platform. It was a fairly user-friendly and easy-to-use platform. 

We found it to be fairly stable as well. It was largely stable.

Overall, when you consider how sophisticated the appliance or the platform is, they have done a remarkable job. It is probably as good as it can be in terms of being highly sophisticated but having a very small leap to learn the platform and deploy it. I do not have many complaints about the platform.

I have worked with this solution for about eight years.

Palo Alto has a great support ecosystem. I only had one issue with somebody, but we got that addressed. It was just like any industry or business. You are going to have some people who do not want to act right, but overall, they have high-quality support.

I would rate them an eight out of ten. I am a customer, and I am involved in high-pressure situations. I am always going to say that I want a quicker response, but when I am being flat-out honest and reasonable, they are as good as they could possibly be without overstepping.

Positive

We have used Check Point. I did not like Check Point at all. It is very cumbersome, so I definitely would not recommend it. 

I found the Cisco ASA line to be overly complicated for what it needs to be, but that is the history of Cisco. They have very capable devices, but they are definitely not as friendly, in my opinion. I would give a nod to Palo Alto. Palo Alto GUI seems to be a little bit easier to navigate. Cisco devices have always been very capable, but they have a steeper learning curve.

It is fairly simple. It is as simple as it can be to get started.

The number of people required depends on the environment and the type of project that you are doing. If you are designated to deploy it as a perimeter device, you do not need that many people. If you have a situation where it is in the cloud and you have to do a lot of other things to get traffic to the device, configure the interfaces in the cloud, and later create policies and bring everything into Palo Alto, it is a more sophisticated process. You need somebody very knowledgeable about that, or you need multiple people to work that out.

We have had some complex scenarios, but I was fairly knowledgeable about AWS and the firewalls, so I was able to put everything together myself. I did not require any third-party help.

It is a pretty significant return on investment if a device does what it says it will do, and it has a small learning curve and good stability.

I do not have much opinion on that because I have not been involved in the procurement process of the Palo Alto devices with the exception of pay-as-you-go through AWS, but all of this stuff is very expensive, in my opinion.

I will be a little bit pessimistic and rate it a nine out of ten, but I feel that it is a ten.

I am using it primarily for on-premise network protection.

I find all the features valuable, including the segmentation and cloud-distributed security profiles. The Altice Optice spyware, URL protection, and additional features are valuable since they prevent breaches and downtime. I can put it in standby mode and failover to another firewall if needed, which enhances security.

The product is already good, so I do not have specific future features to recommend. These are not the cheapest firewalls; they are quite expensive.

I have been using the solution for about ten years.

The product is very stable. I hardly encounter any stability problems.

Scalability is not really the case. Since the NextGen Firewalls are hardware-based, if I want to scale up, I need new hardware. It is not really scalable.

Customer service is great. I always work with a support center, and they escalate issues to Palo Alto if needed. It depends on the support center, and sometimes, if there is a complex problem, it can take a while. However, most of the time, it is quite fast. I would rate it at eight or nine out of ten.

Positive

It is hard to measure security benefits as long as I am secure and not experiencing issues.

Solutions like Fortinet are available. I always receive orders from Fortinet offers something similar to the Palo Alto universe, however, it is always more expensive.

I would suggest implementing virtual software firewalls. This allows scaling to any size and migrating to the cloud if desired. I would rate this firewall a nine out of ten. It is a very good firewall.

We partner with vendors primarily to foster better understanding and relationships. Our core business is system integration, where we cater to diverse customer requirements. A customer might approach us with a specific need, and we deliver. A product like Palo Alto's XDR or EDR endpoint protection is popular due to its features, but ultimately, the choice depends on individual customer requirements, including extra services or integrations. We currently have around six customers using Palo Alto.

Aside from the usual content filtering and application filtering, the primary driving force for Palo Alto Networks NG Firewalls has been the SD-WAN. Additionally, ADR has also been a significant factor. All our clients also use Palo Alto as their firewall solution.

Palo Alto NG Firewalls offer a comprehensive platform that consolidates all security features, making them the preferred choice for our clients implementing SD-WAN and ADR solutions due to their integrated threat management capabilities.

Palo Alto NG Firewalls' embedding of machine learning into the firewall's core is crucial. They provide a cloud-based sandbox platform, enabling offloading of numerous tasks and offering AI-powered solutions to detect advanced or new threats. Palo Alto's methods for achieving this are impressive.

Some of the benefits our clients have seen using Palo Alto NG Firewalls include rapid deployment to their branches thanks to SD-WAN, improved control over branch networks, and enhanced overall environmental protection. It's important to remember that firewall security is product-dependent, and attackers often target widely deployed products for maximum impact. This explains the prevalence of attacks on popular firewalls like FortiGate and Checkpoint. Interestingly, Palo Alto is not as frequently targeted because attackers seek large-scale impact, making niche platforms like Palo Alto less appealing. Staying on a less common platform can offer a security advantage by attracting less unwanted attention from potential attackers.

Palo Alto NG Firewalls help secure our data centers across all workplaces. We also leverage a cloud platform for edge security.

Palo Alto NG Firewalls help reduce our clients' downtime. They are rarely attacked, and their uptime is over 99 percent.

Our clients find the most valuable features in Palo Alto Networks NG Firewalls to be the user-friendly interface, extensive capabilities, and highly granular rule creation process. This level of granularity allows for precise control and customization in network security policies.

Some of our clients find the price of the NG Firewalls to be expensive.

The UI needs to be more user-friendly to attract novice users.

I have been using Palo Alto Networks NG Firewalls for four years.

I would rate the stability of Palo Alto Networks NG Firewalls nine out of ten.

The entry-level Palo Alto Networks NG Firewalls lack scalability, but their higher-end counterparts offer this feature. Overall, I would rate their scalability a six out of ten.

The Palo Alto support is excellent.

Positive

The initial deployment is straightforward for technical people. The number of people required for deployment depends on the environment, but one or two people are usually sufficient. For example, in a branch scenario, one person might handle the headquarters while the other visits the branches. However, even at headquarters, there could be more than one person depending on the customer's services, enabling them to collaborate on creating rules, modifying requirements, or gathering information while someone else focuses on the deployments.

Usually, our clients see a return on investment after the first year of deployment.

I find the pricing of Palo Alto Networks NG Firewalls to be reasonable. The price is based on that selected package, with the lowest starting at $3,000 annually.

I would rate Palo Alto Networks NG Firewalls nine out of ten.

I would recommend Palo Alto Networks NG Firewalls, but it ultimately comes down to the organization's needs. Some organizations are almost entirely cloud-based, while others rely on the Internet for a few specific tasks and may have on-premises processing or branch offices. The ideal firewall solution varies depending on the specific environment and use cases; a firewall that performs well for one organization might not be the best fit for another.

The primary reason people opt for cloud or hybrid solutions is to manage workloads or services already operating in the cloud. This trend extends to Palo Alto Networks NG Firewalls, where the cloud versions are gaining popularity. However, many users prefer the on-premise version of the firewalls to safeguard their on-premise infrastructure. This may involve physical or virtual appliances as long as they remain on-premise and not in the cloud.

Other than updates, Palo Alto Networks NG Firewalls rarely require physical maintenance because most data centers are clean.

Palo Alto Networks NG Firewalls are excellent firewalls but require technical expertise and dedicated resources for deployment. However, with technical know-how, they are easy to configure and deploy and offer flexibility for adaptation to various environments. We highly recommend them for SD-WANs and VPNs due to their high compatibility.

I primarily help users migrate from traditional firewalls to Palo Alto NG Firewalls. This involves troubleshooting, assisting with application control and backup configuration, and teaching users how to optimize the firewall for their needs. Additionally, I guide users through the process of redesigning their firewalls and migrating their servers, which often includes helping them understand and manage the vast number of applications they have. Sometimes, the firewall cannot identify specific applications, requiring customization to ensure accurate recognition and security. Currently, I am working on a management query language, which involves collaborating with other teams to assess the necessity of specific applications and connections between the firewall and various assets. This ensures optimal security and network efficiency.

Although Palo Alto Networks NG Firewalls now utilize machine learning, its significance wasn't initially apparent to me. My first experience with Palo Alto revealed the power of their machine learning through features like WildFire, which uses real-time analysis to understand and combat hacker attacks. While early versions had tools like Power Tool that hinted at machine learning capabilities, Palo Alto didn't explicitly promote this functionality until version 10, likely in response to increasing market competition and the growing prominence of machine learning in firewalls. The embedded machine learning is helpful.

Palo Alto NG Firewalls has improved our organization's security by providing strong protection through network segmentation and XDR. The firewall has proven effective in reducing security risks and monitoring endpoint activity. It offers excellent application recognition and thorough threat analysis, boosting overall network security.

Palo Alto NG Firewalls have reduced over 90 percent of our network downtime.

Palo Alto NG Firewalls offer an efficient interface that simplifies log checking, troubleshooting connection issues, and firewall policy configuration. The process is user-friendly, guiding users through network infrastructure setup, interface creation, settings application, and policy configuration in a clear and intuitive manner.

Palo Alto Firewalls can improve their support structure, especially concerning longer working hours for engineers. Enhancing support teams' capability to handle cases without much delay would be beneficial. Additionally, the high cost of the product could be re-evaluated.

I have been using Palo Alto Next Generation Firewalls for over ten years.

Palo Alto NG Firewalls are stable. On a scale of one to ten, I would rate them around seven or eight for stability.

I find Palo Alto NG Firewalls to be highly scalable, and would rate their scalability as eight out of ten.

Customer support's effectiveness depends on the clarity and completeness of information provided by users.

Neutral

I've used Check Point and Fortinet in addition to Palo Alto, but I prefer Palo Alto's interface and performance.

The initial setup for Palo Alto NG Firewalls is clear and instructive, detailing network infrastructure setup before advancing to policy configuration.

A fresh deployment of Palo Alto NG Firewalls can be completed in three days, followed by a two-day handover session to train users. This totals five days for deployment and training. However, migrations for companies with over 10,000 users and 20 subnets can take up to a month, potentially involving additional user requests or a phased approach.

I have vast experience deploying these firewalls on-premises within our team, making use of the intuitive interface provided by Palo Alto for implementation.

Although Palo Alto is expensive, its superior security functions, application identification, and overall performance justify the cost and make it stand out from the competition.

I would rate Palo Alto NG Firewalls nine out of ten. The Palo Alto NG Firewalls are great, but they are expensive.

I'm most interested in Palo Alto NG Firewalls, specifically how to improve their efficiency and application identification capabilities. Sometimes applications have unique requirements or behave differently, making accurate identification crucial. Palo Alto NG Firewalls excel at application-level security because they can block traffic, prevent attacks, and identify potentially compromised applications. Unlike traditional firewalls, Palo Alto NG Firewalls go beyond basic policy enforcement and traffic filtering by incorporating intrusion prevention systems and antivirus functionality. This allows them to analyze internal traffic for risks, similar to how antivirus software protects endpoints.

Future users need to appreciate the costs involved in using Palo Alto, and the manual configuration required is beneficial because it ensures clarity and control over what is being configured. To enhance your organization's security posture and management, I recommend implementing Palo Alto Networks NG Firewalls.

Three people in our organization are directly using the Palo Alto NG Firewalls.

Upgrading Palo Alto Next-Generation Firewalls requires some maintenance.

We primarily use Palo Alto Networks NG Firewalls for a DMZ firewall. Its primary function is to separate our network into four layers: a DMZ zone for all publishing services, an internal zone for internal user access to publishing services, a zone for terminating connections between VPN consultants and internal services, and a zone for Internet access.

We implemented Palo Alto Networks NG Firewalls to secure our network and control access using filtering and application control. We also use Palo Alto WildFire for vulnerability scanning.

We have Palo Alto Networks NG Firewalls deployed on the cloud and on-prem.

Palo Alto helps us secure our network against suspicious activity from both internal and external sources. Its integration with our SIEM aids our SOC team in blocking malicious activity.

Palo Alto Networks NG Firewalls do a good job securing our environment. To access any solution, the first step is to calculate the required throughput. Because we are working with a small network or environment, we need a specific amount of throughput from a Firewall model. I chose this particular model based on my throughput requirements. The second consideration is the level of security achievable by the solution. We are using additional methods, such as performing a gap analysis and assessing the solution, to determine this. This involves simulating attacks passing through the Firewalls to observe how the solution detects or blocks them.

The most valuable feature of Palo Alto Networks NG Firewalls is its application visibility, which allows us to see all users and their accessed resources. Additionally, its user-friendliness and customization options contribute to its overall value.

The reporting feature needs significant improvement. Generating reports in Palo Alto is challenging because it relies on specific attributes and source IDs. We want to create reports to view the number of users and consumption, but customization is difficult. The interface for generating reports is user-unfriendly, making it difficult to find information. Overall, the reporting capabilities are weak compared to other firewall solutions.

The SD-WAN feature needs improvement. It currently relies on the physical interface instead of the sub-interface, requiring Panorama rather than a local firewall. Furthermore, the configuration customization for SD-WAN application source and subnetting is significantly limited compared to other firewalls.

The technical support is slow and needs improvement.

I have been using Palo Alto Networks NG Firewalls for five years.

I would rate the stability of Palo Alto Networks NG Firewalls ten out of ten.

I would rate the scalability of Palo Alto Networks NG Firewalls ten out of ten.

Palo Alto does not provide direct support to customers. Each region has support partners, so to get direct support from Palo Alto, you need to be a very large customer. This is why resolving issues with Palo Alto takes a long time. We go through our partner, and they take some time to investigate and try to solve the problem. If they can't, they escalate the case to Palo Alto, which takes additional time to investigate and try solutions. This is why our cases may take days or weeks to resolve.

Negative

I work with numerous firewall solutions, including FortiGate, Cisco Firepower, Cisco Sourcefire, and Forcepoint Firewalls. I've found that each firewall excels in specific areas. For instance, I recommend Cisco Firepower for central firewall management. However, for DMZ and application control, I suggest Palo Alto. Finally, I recommend FortiGate for perimeter firewall deployment based on its extensive features and overall stability.

The initial deployment is straightforward and can be completed in a few hours for small environments. However, larger environments with multiple policies will require additional deployment time.

We have seen a return on investment of 30 percent from Palo Alto Networks NG Firewalls. 

Palo Alto is a more expensive firewall solution than others. However, it is the top choice for a DMZ and a valuable investment overall. We still need to invest in an additional firewall with more advanced features to enhance perimeter security.

I would rate Palo Alto Networks NG Firewalls seven out of ten.

Those looking for the cheapest and fastest firewall won't find that combination. They must invest money to get a fast firewall suitable for their environment. Gather their requirements before choosing a firewall that fits their budget and features. They can opt for the quickest or cheapest option or select a device compatible with their needs.

We have Palo Alto Networks NG Firewalls deployed in multiple locations, serving both on-premises and cloud departments. There are three people in our organization that work with the NG Firewalls. Our clients are enterprises.

Palo Alto Networks NG Firewalls require maintenance for software upgrades, and after several years, the hardware will also need upgrades.

I recommend Palo Alto Networks NG Firewalls for their stability and high level of security. If the security of your infrastructure is critical, Palo Alto is a strong choice, though it comes with a higher price tag. If budget is a concern or security isn't a top priority, then Palo Alto may not be the best fit.

The tool's most valuable features are its security features, which are highly valued based on market standards and Gartner reports. We conducted a POC before procuring it, and from that perspective, it is very good. The machine learning feature helps prevent more threats, but no device or firewall can be 100 percent secure because threats evolve daily.

We use geofencing in our firewalls to prevent unknown attacks from other countries. The solution stops these attacks in the cloud so they don't reach my firewall. Only allowed countries can access it.

The solution provides a unified platform that natively integrates with other security platforms. It is a must as a compliance requirement and aligns with standard security best practices. The platform also helps to prevent security holes by 70-80 percent. 

We have implemented the Zero-Delay Signature feature. It is important to prevent unwanted network penetration and information theft, so having it in the firewall at the gateway level is mandatory. 

The setup was complex. We have perimeter firewalls and multiple voice devices handling calls. Directing traffic through gateway perimeter firewalls becomes quite complex in such a scenario. The implementation took around two months and required three to four people for deployment.

I have been working with the product for four years. 

Palo Alto Networks NG Firewalls' stability is very good. 

Based on our expected growth, we have some buffer and procured a model that offers an additional 10-20% capacity. Around 1,500 people in our company use it, and two to three administrators manage it around the clock. Currently, we have no plans to increase usage.

The technical support is very good. We log a call and get a response within five to ten minutes. If there is any critical issue, they get on a call and resolve it. We opt for OEM direct support. It depends on whether an integrator will assist us or we must log in through the portal. 

Positive

I decided to switch from FortiGate to Palo Alto Network NG Firewalls because we found that it performs better regarding security standards. It's considered an industry standard.

A system integrator helped us with the implementation. 

Cost-wise, I don't see much difference in network-related costs, but this is a premium-grade firewall. There is a cost involved, and you must pay for that to get the most out of it. Its licensing costs are straightforward. There aren't any hidden costs. 

I need to check DNS security with Palo Alto Firewalls. I set it up initially, but my team manages it daily. I approve any changes, but my team handles the hands-on work. I can't say all tools will be integrated, but other tools might also be needed based on our business and use cases. This alone might not suffice.

Network performance is okay but not great because multiple hops are involved. Each tool, like an endpoint with antivirus, scans the traffic before it moves to the firewall, which also scans it before sending it out. So, there will be some performance regulation. We cannot expect 100% performance in any network once you have any firewall with all the built-in security features implemented.

When I recommend the tool to others, I first check their business needs and understand what they're looking for. If they're focused on security posture and are ready to invest, I'd recommend Palo Alto Networks NG Firewalls. But if they want something cheap, I'd suggest options like FortiGate or SonicWall. Also, I'd check if they have the in-house skills to manage it day-to-day.

I'm familiar with the PA-400 series of Palo Alto Networks NG Firewalls. It's good for small offices, and we use the same series in one of our branch offices. 

I've learned that using this solution is a continuous learning process. Every day, I analyze and evaluate the differences between each product to see if it meets our business requirements and is cost-effective. I rate it a ten out of ten. 

As a reseller, our primary customers utilizing Palo Alto Networks NG Firewalls are in the financial services, government, and manufacturing sectors. They select Palo Alto Networks NG Firewalls due to their superior performance and security capabilities compared to alternative firewall solutions.

Palo Alto Networks NG Firewalls provides a unified platform that natively integrates all security capabilities for our customers.

Palo Alto Firewalls integrate machine learning into their core functionality to offer real-time, inline attack prevention that our customers rely on.

Palo Alto Networks NG Firewalls offer a variety of models designed to protect data centers in all work environments. These models share standard features.

Palo Alto Networks NG Firewalls can significantly reduce downtime, and replacing a firewall typically takes only one to two minutes.

Palo Alto Networks NG Firewalls' single-path architecture offers a valuable feature, ensuring stable performance for our customers.

Palo Alto Networks NG Firewalls pricing has room for improvement.

I would like Palo Alto Networks to provide a free virtual firewall.

I have been using Palo Alto Networks NG Firewalls for three years.

I have not encountered any stability issues using Palo Alto Networks NG Firewalls.

The scalability of Palo Alto Networks NG Firewalls is limited because of the lack of a virtual firewall.

The local support is better than the corporate support.

Neutral

Palo Alto Networks NG Firewalls are expensive compared to other solutions.

I would rate the price eight out of ten, with ten being the most costly.

I would rate Palo Alto Networks NG Firewalls eight out of ten.

Although Palo Alto Networks NG Firewalls are more expensive than other firewalls, they provide better protection and are a better value for your money.

On certain levels, it protects our information. Luckily, I had switched to Palo Alto as our VPN solution for our users. We finished that in December of 2019, just in time for COVID to hit. We had a system that was able to support 650 to 700 users remoting into our campus through the VPN. This was a huge use case for us, as it was not intended to be the solution for COVID, but it turned out to be the solution for COVID. So, it was a great use case. Obviously, we want to protect our servers, virtual servers in the cloud, and on-prem. 

We have the eighth fastest supercomputer in the world. Unfortunately, we don't get to protect that because it has so much data going through it, i.e., petabytes a day. There isn't a firewall that can keep up with it. We just created a science DMZ for that kind of stuff as well as large data movers since we do weather data for the world. We research the ocean, sky, and solar weather. We have 104 universities who work with us around the world. Therefore, we need to have data available for all of them. We need to be protected as much as we can.

We started with Palo Alto 5060, then the 3060 came in, which was the next form. We have now switched to an HA system and have four firewalls as our base: a pair of 5220s and a pair of 5250s. We have been running the different OSs from PAN-OS 8.0, 8.1, 9.0, 9.1, and then 10.1. We are about to move to 10.2. We are in the process of doing that over the next week. We like to stay on the cutting edge because they are always adding more features and security.

We have it deployed in a number of different ways. We have our four main firewalls, which have two high availability pairs. One is set primarily for users and outward-facing functions. Therefore, our DMZ servers, staff, and guest networks are on one pair of firewalls. Back behind the scenes, labs and our HR department are on a separate set of firewalls. We call them: untrust and trust. Then, we have another set of firewalls, both in our Wyoming supercomputing center and in our Boulder main campus, which runs a specific program that has a DOD contract that requires more security, so they have their own set of firewalls. We also have firewalls in Azure Cloud for our tests and production environments. I am in the process of purchasing another VM firewall to put on the AWS Cloud. The last set that we have is at our Mauna Loa Solar Observatory, where we have an HA pair of just 800s because we only have a one gig radio link down the side of the volcano to the University of Hawaii.

We have between 1,200 and 1400 staff at any given time. Essentially all of them use the solution one way or another, either to access systems or through the VPN. We also have remote users who aren't employees but instead collaborators, and they can be anywhere in the world and remote into our systems. We then have people who are doing PhD programs at universities around the world who need to get into our systems to download data sets as part of their PhD or Master's program. Thus, the solution is not limited to our employees.

We have been around since the late 50s to early 60s. We were one of the original people who helped set up the ARPANET, which was a precursor to the Internet. Historically, our science has been open science. We want everyone to have it. The mindset has been that our network is flat and open to everything, and we have slowly reeled that in. Now, more of our stuff is behind firewalls. We are now going through a project where we are doing some more segmentation within the protected part. Each lab is protected from each other, or at least can be. They still talk to each other all the time, so we have rules for that. If we need to, we can shut access down right away because of the firewalls.

One of the best features is that Palo Alto NGFW can embed machine learning in the core of the firewall to provide inline, real-time attack prevention. We aren't using the AWS-offered firewalls in the cloud or Azure. When I read over the specs on it, it is more like a traditional firewall where a port is open to an IP address, and that is all you know. Palo Alto can decide if traffic is of a certain kind, regardless of what port and protocol it is using. Then, it can figure that out and I can write my rules based on that. That is a huge functionality and super important to me. The machine learning as well as being able to send stuff to WildFire is pretty important too. We like to get those types of reports and know that we have more protection from zero days than most traditional companies would.

The WildFire reporting and Cortex XDR platform have huge infrastructures in the cloud that secures the network against threats. So, we have the potential on the system, specifically for users, where we take care of this since the user is the most dangerous. We get reports back from WildFire on a minute-by-minute basis, rather than a daily or weekly update like I used to with different AV vendors. These features can detect viruses and malware more quickly, which is super important.

We have some large data movers that we can't put behind the firewalls. We don't have the largest firewalls, we have the 5200 Series firewalls. Their throughput is about 20 gigs a second, and it is protecting networks that have 100 gig connections. So, we have to be kind of choosy as to what we put behind the firewalls, but for the stuff that we put behind it, the latency really isn't problematic at all. Even though the firewall location is just one aspect, we have three different areas that talk to each other over multiple 240 gig links or 200 gig lengths. The firewall is not hindering that at all.

The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale.

I know this little section here about the firewall, but I know there is a huge amount that still could be done with it. I am not touching enough of it because I just don't know how. It seems like the more I learn about it, the more I learn that there is to learn

We have been using Palo Alto Firewalls for the past six years. We started with a single firewall, then built up from that.

It is very stable. A lot of times, it depends on what our network tweaks are, e.g., we monitor the link between the firewall and the router. If it misses some heartbeats on that, then it will switch over. That is part of how the HA process works. If it says I am not getting network connectivity, then it tells the other one to take over. We actually have an exciting way to do that because we have one data center at the top of the hill at the front-end of Boulder (or on the south-end.) We have another one in the HA link about 13 miles away at the north-end of Boulder. We actually do an HA pair across there using a 200-gig link with dark fiber between them. Most people, with their HA pairs, will be right next to each other, but ours are only that way on a globe.

The firewall tech support team has been very good and responsive. Sometimes, they are too responsive. They call when I am in a different meeting, then I have to figure out with whom I am going to talk. The sales engineering team is also really good because they will monitor some of that, then call me about it separately to see if I need additional support.

For the VPN only, we used Cisco's old ASA firewalls. That was set up before my time. We moved away from that when we went to GlobalProtect in December 2019.

Primarily, I wanted a single platform. We had Palo Alto Firewalls doing firewalling things and Cisco firewalls doing the AnyConnect VPN solution. Paying maintenance of both sets didn't make a whole lot of sense to me. Also, ASAs didn't seem to be able to support as many users concurrently as the Palo Alto solution looked like it could support. So, I just got rid of the Ciscos and went to the Palo Alto NG Firewalls and GlobalProtect.

I have actually done a lot of initial setups. They are fairly straightforward at this point. The hardest part was where I had to just send them out to Mauna Loa, and I wasn't allowed to go to Hawaii for that. I had to set them up in Boulder, then I would think how they should be used and ship them over. That was a little difficult, since once they were on the ground in Hawaii, the final steps were slightly difficult to handle. As soon as they unplugged from the switch that was currently handling traffic and plugged into the switch where the firewall was connected, the person at the other end's laptop no longer had a connection for all the stuff that had been having traffic. We had to do everything by the old phone method. It was challenging, but we got through it.

Usually, I can get the initial deployment done in a few hours. However, going through and working with people to get what they need set up, as far as the rules and different areas behind the firewall, that takes a few weeks to a couple of months. A lot of that is based on people's time.

The first thing is get the basic things working: the networking, any routing that we need to do, and build communication to our RADIUS servers and Active Directory so we can log in and use our multi-factor authentication to manage the firewall. After that, I work with different groups who will be behind the firewall to find out what IP ranges they need supported, what kind of routing, who they want to talk to, and with whom they want talking to them. I have to know all that stuff. A lot of times, it is kind of teasing out information as far as what protocols they will be talking on or will they be using SSL or SNMP.

A lot of times that is a do-it on-the-fly kind of thing. You sort of stand stuff up, and say, "Check it now," and then they say, "Well, this one is not working now." Or, we just added a new service and this needs to be turned on. So, there is a lot of movement back and forth.

I have done all of it by myself, except for the very first installation of the firewall that was done in conjunction with a reseller. That was before my time.

There are two of us on the firewall team. There are another three or four guys from the networking side team who also help out.

We had an external pen test a couple of years ago. They found a number of findings for the areas of our network that hadn't yet moved behind the firewall and no findings at all for the ones that had. This was just because of the way that we wrote the rules and because of the firewalls, which prevented an external source from being able to view and enumerate our systems. If something wasn't behind the firewall, they were able to get a response back in many cases, even when they weren't supposed to be outward-facing.

I have information that Palo Alto NGFW has blocked malicious activity. We use the Palo Alto High Confidence block lists. 

There is an advantage to going with the high availability pair licensing model versus the standalone. It gives you a high availability pair, but the pricing is only a slight increase over a single system. It makes sense to take a look at your add-on functionality, like the Applications and Threats subscription and URL protection subscription. On the user side, I might want everything. However, on the server side, I might not need very much. I might want the Applications and Threats subscription and not much else. So, you don't have to buy all the bells and whistles for every firewall. Depending on what the function is, there are ways around it.

There are a lot of other subscriptions available, such as DNS Security and URL protection. I have heard there is an advanced URL protection going to be released soon. Also, there are a few others, like SD-WAN and GlobalProtect, which is one that we have because we have users who use Macs, Linux Boxes, and Windows systems. So, we need to support all of that.

Someone else made the decision to buy the initial Palo Alto gear. When they left, I had to learn the Palo Alto gear. At that point, I said, "I know Palo Alto. I like it. Why would I change away from it?" So, I have looked at different solutions throughout the years, but Palo Alto is one of the best out there.

We use Cisco Umbrella for DNS. We have done this for 15 years since it was open DNS as part of an MSF stipulation.

All data goes through the firewall,since our HR and finance departments are behind the firewall. A lot of our labs are behind the firewall. We have some plans to expand, as I am about to put a virtual firewall in AWS Cloud for a project. We have a C-130 hub that has been flying into hurricanes and tornadoes for years. I want to put a firewall on that to protect the instrumentation from outside sources.

If you are just looking for the cheapest, fastest firewall out there, that is a foolish attitude. The point of a firewall is to increase your security, not to increase your throughput. You don't want it to degrade your throughput, but the cheapest solution and the solution that makes sense aren't necessarily the same thing.

The main advice would be to plan on starting small, then build up. Don't try to do everything at once. Also, make sure you do the available training prior to use or at the same time, at least the basic one, because that is important. 

Make sure you have a good networking background or a good network engineer standing next to you because talking to the routers is key.

I would rate it at about eight and a half to nine out of 10. There is no perfect answer, but this is a pretty good one.