Palo Alto Networks NG Firewalls Reviews

On-premises, we used Cisco but replaced our core firewall world with Palo Alto because we wanted more visibility. Plus, we were looking for features such as IPS for PCI compliance. We wanted next-generation capability, but we had the ASA traditional firewall with Cisco, which doesn't do much, so we replaced it with Palo Alto. 

In the cloud, we use Palo Alto for the zero trust implementation. Initially, we tried to work with the Azure firewall, but we found a lot of limitations in terms of visibility. It couldn't provide us with the same visibility we wanted for Layer 4 and above.

The solution is deployed both on cloud and on-premises. The cloud provider is Azure.

We have about 6,500 endpoints in my organization and five administrators.

One of our key challenges was for the PCI, the new standard 3.1. There's a requirement that financial applications need to have some sort of zero trust architecture. They need to be completely segregated. We implemented zero trust using Palo Alto so that if we are within the same subnet within the network, we have protection.

The unified platform helps us eliminate security holes. We use another product from Palo Alto, called WildFire, which is basically sandboxing. We have layers of products. Because of WildFire, we're able to identify any weaknesses in the upper layers.

We give a copy of the same packet to WildFire, and this helps us identify things that were bypassed, such as malware or malicious files. It's especially helpful when we're transferring files, like on SMB, because it's integrated.

The unified platform helps eliminate multiple network securities, and the effort needed to get them to work with each other. It's a very good product for us because it fits well in our ecosystem. 

Our other vendor is Fortinet. Previously, we struggled with having multiple products. One of them was command-line based and the other one was web-based. The engineers would have some difficulty because not everyone is good with a command line platform. Palo Alto and Fortinet are both managed by the UI and they're very similar products. They work well with each other, so we use certain capabilities here and there.

For example, for some internet browsing, we generally have a separate solution for our proxy, but there are situations where we need to provide direct internet access to a particular server in a certain situation. The problem is when a particular product does not work with the proxy for some reason. This is where we use Palo Alto's web filtering. If we didn't have a solution that could do this, it would be difficult on our side because how can we provide direct access to the server without securities?

When browsing, the logs provide us with the required information. For example, we allow certain URLs to a particular server, and we have that data also. This goes back into our same solution. With Palo Alto, the connectors are built in.

Our Palo Alto Firewall has the zero-delay signatures feature implemented. For the IPS capability, we rely completely on Palo Alto. If we don't have this implemented and there's a new, ongoing attack, we will be exposed. We make sure there are controls on the policies we have on each layer.

Even if a patch is released for that particular issue, it would take us time to implement it. We actually rely on the network layer, which is our Palo Alto box, to prevent that in case someone tries to exploit it. In the meantime, we would patch it in the background.

One of the key features for us is product stability. We are a bank, so we require 24/7 service.

Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.

The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.

It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.

When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.

Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.

There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.

We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.

We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNA security.

Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIM solution. Having a single PAN is also very good when we try to search or if we have issues or any traffic being dropped. 

Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.

When we have to push configurations, we can push to multiple appliances at one time. 

Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.

We have had some challenges. There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features.

Other products provide you with APIs that allow you to access certain features of the product externally with another solution. In the cloud, we have a lot of products that provide us with these capabilities, such as Microsoft. It has its own ecosystem, which is exposed through Graph API. I would like to have the capability to use the feature set of Palo Alto and provide it to another solution.

For example, if we have a very good system to identify malicious IPs within Palo Alto, we would like the ability to feed the same information into another product using the APIs. These are obviously very advanced capabilities, but it would be great if Palo Alto would allow this in the future.

I have used this solution for more than five years. I'm using version 10.1.

It's extremely stable. We've used it on the parameter and as a core firewall in our data center. In both cases, it's what we rely on today.

The scalability is amazing. When you look at the data sheet, sometimes you'll find that the equipment won't perform well under the same load. However, if something is mentioned on the data sheet and you implement it, you'll find places where you have high CPU and high memory utilization. When you buy something, maybe it should be 50% load, but when you put it into actual implementation, you find out that the CPU and memory remain very high.

With Palo Alto, the CPU and memory are both intact. It's performing well under load. We have different timings where we have a large load and it goes down and then goes up again. In both scenarios, the product is very good. The CPU performs well. Especially during upgrades, it was very stable and straightforward.

We have plans to increase usage. We're doing a migration in the cloud right now, and we plan to move a lot of our services to the cloud. This is where we'll either add more virtual firewalls in the cloud or increase the size and capacity of firewalls that we have there.

The technical support is great. We've faced very, very serious problems where our systems were impacted due to some reason, and they were able to provide adequate support at the same time. When we raised a P1, an engineer started to work with us right away. Some vendors don't touch the customer's product.

Palo Alto's support is great; they're willing to get their hands dirty and help us.

I would rate technical support nine out of ten.

We previously used Cisco ASA. We switched because of the IPS for compliance, but there were other factors as well, such as usability. We didn't have enough engineers who were well trained on Cisco because it's a very traditional kind of product that's completely CLI driven. We only had one or two people who could actually work on it. Even though people understand Cisco, when we asked them to implement something or make a change, they weren't that comfortable. 

With Palo Alto, it was very simple. The people who knew Fortinet also learned Palo Alto and picked it up very quickly. When we had new people, they were able to adjust to the platform very quickly.

It was straightforward for us. For the initial deployment, we had two experiences. In one experience, we replaced one product with Palo Alto. In that particular situation, we used a tool from Palo Alto to convert the rules from Cisco to Palo Alto. It took us around four or five days to do the conversion and verification to make sure that everything was as it was supposed to be. The cloud deployment was straightforward. We were able to get the appliance up and running in a day.

For our deployment strategy, when we replaced our core, one of the key things was if we wanted to go with the same zones and to identify where the product would be placed and the conversion. We tested the rule conversion because we didn't want to make a mistake. We took a certain set of policies for one particular zone, and then we did the conversion and applied it. We did manual verification to ensure that if we went with an automated solution, which would do the conversion for us, it would work correctly and to see the error changes. Once we applied it to a smaller segment, we did all of it together.

For the cloud deployment, we had some challenges with Microsoft with visibility issues. From the marketplace, we took the product and deployed it. We did a small amount of testing to check how it works because it was new to us, but we were able to understand it very quickly. The engineers in UA helped us because the virtual networking for the cloud is a little bit different than when it's physical.

We were able to get it up and running very quickly. Palo Alto provides a manual for the quick start, which we used to do the deployment. It was pretty straightforward after that.

For maintenance and deployment, we have two engineers working in two shifts. We have around 15 or more Palo Alto firewalls, so we can survive with six members. That's more than enough to handle operations.

We offer security services, so it's difficult to calculate ROI. But since we're an organization where we cannot compromise on security, I would say the ROI is very good. We don't have any plans to change the product since we moved from Cisco.

The cost is much better. We've worked with multiple vendors, and Palo Alto is very straightforward. We've done many implementations with Cisco, and they kill you on the licensing. When you enable each capability, it costs a lot. They charge you for the software and for the capabilities. They charge you for the licensing. It's very complicated. 

With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it.

I work for an enterprise, so we have the topmost license for compliance reasons. There is an essential bundle and a comprehensive bundle for enterprises.

Palo Alto also has a security essential bundle, which covers everything that's required for a small organization.

The PA-400 series of Palo Alto is the smaller box for small businesses. The good thing is that it has the same functionality as the big boxes because it runs the PAN-OS operating system in the background. It's a very good product because it provides you with the same capabilities that an enterprise uses. It provides the same operating system and signatures.

It's also good for an enterprise because you get the same level of capabilities of the firewall. There are firewalls that are 20 times more expensive than this. However, on a small box, you have the same capabilities, the same feature set, and the same stability, so I feel it's a very good product.

We chose Palo Alto right away because we couldn't go with the same vendor, which was Fortinet. We needed a different vendor, and the only option left was Palo Alto.

I would rate this solution nine out of ten. 

As a recommendation, I would say go for it. It's a very good product. With implementation, we looked at a lot of different processes that said they offered a lot of capabilities. We've used almost all of them, such as GlobalProtect, which is for the VPN capability, and site-to-site VPN. We have done all kinds of implementations and in most of the cases, it's pretty much worked for us.

At some point, you will have requirements where you have third-party vendors, or you have to integrate with a third party. With Palo Alto, you're safe no matter what. With other open-source solutions, they work but you'll face issues, and you'll have to step up your security. 

With Palo Alto, it's straightforward. You'll have adequate security, it works well, and you'll be able to work with other solutions too, create tunnels, and GlobalProtect.

There are people who utilize open source products also, and it works well for them. But if you're an enterprise that provides 24/7 services, it's better to go with a company that has the support and features that work. We don't have any challenges with it. 

This is very important because maybe you can get a cheaper solution, but stability and functionality matter, especially when we talk about zero-day issues every single day. This is where Palo Alto would be best.

Secondly, with new types of technologies, like with Kubernetes or microservices, it's better that you go with a company that's actually able to cope with all the technology changes that are happening in the background. If you have a multi-operating system, you'll notice that the signatures for the attack are different for different types of operating systems. 

For instance, if you have Linux, Windows, and Unix, you need a product that understands all the different types of attacks on different systems. I think it's better to go with something that's well supported, works well, and is stable.

For Palo Alto Networks NG Firewalls, clients mostly use this as a ZTNA solution, so it works as a perimeter firewall combined with ZTNA for external access and all other related functions.

We usually work with a whole bundle of subscriptions with Palo Alto Networks NG Firewalls, offering the ATP, URL filtering, DNS, and everything that the firewall can provide.

We use all the subscriptions that Palo Alto is offering, including WildFire, URL filtering, and ATP; basically, everything they provide is something we are offering to our customers.

My clients use AI technology with Palo Alto for analytics; Palo Alto Networks NG Firewalls has machine learning integrated into the firewalls that is actively utilized.

Palo Alto Networks NG Firewalls have precision AI that can recognize AI traffic, allowing you to control it within the company by blocking it if you have policies against employee use.

Segmentation and policy management in Palo Alto Networks NG Firewalls are mandatory, and that is why customers are using it.

The only room for improvement I see for Palo Alto Networks NG Firewalls is with their pricing; it could be more flexible for clients.

It could be cheaper because Fortinet is very aggressive with their pricing, but the functionalities of Palo Alto are really good.

The technical support from Palo Alto could be better; I find that it can be improved.

The issues are mainly with response time and quality, as their first level support used to be better a couple of years ago, but now you sometimes get support that isn't as good.

I have been working with Palo Alto Networks NG Firewalls for six to seven years.

The initial setup for Palo Alto Networks NG Firewalls is not easy to implement since it is an enterprise solution, but I find it intuitive.

For stability, I would rate Palo Alto Networks NG Firewalls a nine out of ten.

For scalability and the ability to expand, I rate it a nine out of ten.

The technical support from Palo Alto could be better; I find that it can be improved.

The issues are mainly with response time and quality, as their first level support used to be better a couple of years ago, but now you sometimes get support that isn't as good.

Positive

When comparing Palo Alto Networks NG Firewalls and Fortinet, it ultimately depends on the different types of customers they serve; Fortinet offers everything on one device, including wireless controllers, but Palo Alto has better functionality, stability, and is less compromised.

The initial setup for Palo Alto Networks NG Firewalls is not easy to implement since it is an enterprise solution, but I find it intuitive.

I would rate Palo Alto Networks NG Firewalls a nine out of ten, as it is a very good and stable solution, and I recommend it over Check Point, Fortinet, and Cisco; it stands out as the leader.

I can recommend Palo Alto Networks NG Firewalls for every company size; we are just starting to offer it for the SMB market, but it is an enterprise solution and they also have a series for small businesses.

We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

Wildfire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

We have deployments in other campuses, as well.

As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

Overall, our experience with ProSys was good. We like working with them.

Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do but, I just want to make sure that from my university's perspective, we don't get stuck. If all of a sudden, somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

I would rate this solution a ten out of ten.

We use the solution to filter out the traffic from our internal networks, not a public-facing network.

The predictive analytics and machine learning for blocking DNS-related attacks keep track of IP addresses and DNS names from other countries requesting access to our resources. The solution helps us identify any malicious activity and maintain our network safety. We first check the DNS issue and put it into the blacklist. If we get a similar DNS issue from another country in the future, we block the IP range altogether.

Apart from traditional technologies, we have been relying on signature-based identities. For example, we have been following up on what is in the data system and the firewall. These systems can only detect what has already been returned by the data system. If any security vendor does not update its databases or firewalls, or if its upgrades or firmware are not up to date, then malicious attacks can occur. The advantage of Palo Alto is its real-time analysis, as opposed to traditional methods that use signatures. Palo Alto Network NG Firewall has come up with some great behavioral analytics and the Wildfire feature, which helps organizations stay safe from false positive notifications or alerts.

The unified platform helps eliminate security gaps. We had certain servers that we hosted with open ports and we needed to ensure that these ports were closed. When we first set up the solution in the production environment for testing purposes, we detected traffic coming from ports on the server that had not been identified by our previous firewall. Palo Alto Network NG Firewalls uses all of its resources to detect security threats. The solution helps our organization close security vulnerabilities, Palo Alto Network NG Firewalls provide us with the instruments we need to complete our job. 

The unified platform helped eliminate multiple network security tools and the effort needed to get them to work together. We need to be able to detect the type of traffic being generated from which applications are on which systems and by which users. This will help us identify which IPs are making the requests. Previously we had to rely on multiple tools to collect this information. Palo Alto Network NG Firewalls also provide one graphical interface to display all the information. The solution simplified the process by dropping two to three tools and giving us a clear view of some first-hand data, especially data that has been preliminarily investigated in the case of cybercrime, which is essential.

Security is our primary concern which we build our networking concept around and networking is secondary. We have a single sign-on agent and a dedicated service to run the firewalls. Our architecture is set up in a way that, if a DDoS attack occurs, all the traffic would go down and we have to be prepared. When we consider both the network and security features, we are more inclined toward the security side. Our clients are usually understanding if the downtime is only two to ten minutes and we can recover quickly. 

There are no actual delays happening on the side of setting the solution up because we have all the resources documented on YouTube and on the website itself. We haven't experienced any delays in identifying and collecting the documents or installing the server. However, once we began the onboarding process, some technical issues arose. We forgot to include a customer's request for support from Palo Alto and as a result, the customer executed support themselves either through our website or a call, but a customer service agent acknowledged and resolved the request quickly. Because of that issue, we have been able to allocate adequate resources for implementation. We feel as if we are receiving premium service.

The most valuable features of Palo Alto Network NG Firewalls are policy editing and rule assigning for firewalls, as well as Wildfire. The solution does a great job of identifying malicious items and vulnerabilities with URL filtering. When combined with Fortinet, we have instant results.

Palo Alto Network NG Firewalls is doing impressive work with its AI technology, which is important to our organization. I have forwarded the papers to the director board in a recommendation to make the solution public-facing. We are considering using Palo Alto as an internet-facing firewall for our next project because the solution is an excellent firewall appliance with impressive features and a great UI.

The user interface can be significantly simplified. The dashboard and other features can be more thoughtfully designed. We get all the data in a single dashboard, which gives us additional insights. However, it takes time to sort it all out so it's easily accessible. If the data can be presented in a more graphical and structured way, it would be more helpful.

I have been using the solution for eight months.

We have had a very minimal number of false positives with the solution and it has been very stable. There have been no issues with the firewall itself. In the previous case, we had a lot of tension between the firmware update and the customer service department. This was due to the system working itself up. We had absolutely zero capability issues.

The solution is scalable with the Azure environment. I believe it is scalable because we have many data connectors. We were able to speed up the process within the hybrid environment.

We had some technical support from Palo Alto at the time of installation.

Positive

We have been using the FortiGate firewall for almost 20 years in our environment, but we recognized the Wildfire feature and some of the AIM firewall systems. FortiGate is not a next-gen firewall. Other applications such as Gartner insight offer better connections and recommend a firewall, similar to Palo Alto Networking NG Firewalls, for better application performance. We procured the solution and we have been testing it. We don't like to put all our eggs in one basket. We need multiple firewall solutions to connect with our environment. If one fails for any reason, we can have the second one take over the job. We have servers hosted in the cloud environment and each server has a different firewall installed. If we lose our connection due to a firewall issue, a firmware issue, or if Fortinet couldn't detect malware or a zero-day attack, we would be out of luck without Palo Alto Networks NG Firewalls. We are considering utilizing both solutions to best suit our needs. 

The initial setup is straightforward. Depending on the resources and skill set of the network engineers the deployment should take between 15 and 20 minutes.

The solution provides good protection and is worth the price.

The only additional cost to our organization comes from having to train our engineers on the proper use of the solution.

I give the solution an eight out of ten.

We have two network administrators, which have been working on the design end, three analysts working on the system itself who are continuously monitoring the firewall status, three cybersecurity engineers, and two network engineers to deal with the networking concepts and any delays with the networking protocols. We also have three cybersecurity engineers to follow up with the monitoring, checking the security incidents, and responding. In total there are five users administrating this firewall on eight servers. The firewall acts as a router, filtering the packages between five servers on the other side. This provides an eight versus five network filtering job. The firewall is not public-facing. We are utilizing it to filter up the data, and packets of files, which are moving between the load balances.

We have an environment for production and for development. The development environment is for scaling our application. The production environment goes to the public, and we have a staging environment for testing our application. We have a joint venture with our clients, which we call UIT. This joint venture helps to reduce costs and create an environment that is beneficial for both our clients and us. We only use our staging environment occasionally, whenever we need to push something new to our service for testing purposes. It will be used around two to three days a week, or twelve to fifteen days a month. We are underutilizing the solution currently because we have only completed five percent of the development. We have analyzed the cost and are trying to procure the solution in our live environment.

The cost of security can be expensive when we analyze new technology and the need for new technologies to cover emerging vulnerabilities and malicious acts. I recommend Palo Alto Networks NG Firewalls because most of the colleagues in our environment, such as Cognizant, Deloitte, and many other IT companies use Palo Alto Networks NG Firewalls. 10 to 12 years ago, Fortinet was the leading security solution that most people were using followed by Cisco Firewall. Presently Palo Alto Networks NG Firewalls provide the most value from a security solution, such as the detection of vulnerabilities and malware, in a cost-effective way. 

Apart from the standard features of any firewall system, Palo Alto Networks offers some additional benefits that make it worth the price. These features include URL filtering and deep packet inspection, with the best feature being Wildfire. I recommend the solution.

In our country, there are multiple use cases. Usually, it is for virtual cases or virtual environments and source areas.

The most valuable feature is threat prevention. SSL VPN is also very valuable. These are essential for our clients, especially for access to local infrastructure while preventing Internet threats.

Our clients can have a unified cybersecurity system if they subscribe to it. This firewall is an important part of access to any data center or branch office. They have site-to-site connectivity.

It is a good product, but they can add some functions for port scanning and network scanning. More network functionality would be beneficial.

I have been working with the new generation firewall from Palo Alto Networks for two years.

The solution is very stable and reliable. I have not experienced any outages or issues. I would rate it a ten out of ten for stability.

The solution is scalable if the right model is purchased. It is important to assess the infrastructure size before choosing a model.

The technical support is very good. They offer fast and competent assistance. I would rate them a ten out of ten.

Positive

Its deployment is easy. It takes two to three days.

The initial setup process involves basic and network configuration, security and policy configuration, and then getting the device to the client.

It does not require much maintenance. One person is enough for it.

Its price is quite high but is justified for the features and capabilities provided, although I would prefer a lower price.

If you have the budget, I would recommend using Palo Alto Networks NG Firewalls instead of other brands because they offer the greatest functionality.

I would rate Palo Alto Networks NG Firewalls a ten out of ten.

It is a data center firewall solution and a centralized management for remote office firewall solutions. We have 30-odd remote offices where we are putting firewalls in to replace the standard routers that we used to have. This solution will give us a little bit of routing and firewall capabilities.

We are deploying the PA-440 Series in our remote offices.

Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration. 

The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.

The firewall feature is great because we didn't have specific firewall capabilities beforehand. The anti-malware features and the ability to plug into our mail scanning are valuable as well, so we can share data between our email antivirus scanning solutions. That integration has been quite useful.

Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is another string to the bow of our layered security approach. So, it is important. It is not the big reason we bought it, but it is a useful component to our layered security approach. Security best practices push for a layered approach because there are so many different factors that you need to cover: 

• Email threats
• Malware
• Viruses
• Accidental human mistakes made internally to your network.
• Malicious humans in your network and outside your network. 

Therefore, a multi-layered approach really is a security best practice way of attacking security. You can't just worry about the parameter; you need to worry about what's inside your network and how things come in.

The key thing is that we don't have to try and play Whac-A-Mole. The machine learning-powered firewalls do that for us. As a recruitment company, we can never have the necessary technologies available to us to try and do this ourselves, so leveraging the machine learning power from Palo Alto reduces the risk for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is very useful. This prevents us from having to go to a lot of different systems, and in some cases, many different systems in many different regions, because we are a global company with 60 remote offices around the world in 30 different countries. Its centralized platform is really what we look for in all services, whether it be security or otherwise.

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

We started with a couple of firewalls about 18 months ago. We started them in our data centers and are just about to deploy them in our remote offices.

It has been very stable.

On the maintenance side, we haven't increased our team at all. One of the great things that we have been able to improve is the capability of our team without increasing the number of heads who are using Palo Alto.

It is scalable with what we need. I am not looking at thousands and thousands of devices, so it is well within what we need for our few hundred devices.

We often didn't deploy tools because it was too hard to try and manage them with our small team. This solution has enabled our small team to be way more effective than they were before. It gives us the visibility and control that we need.

We have a senior network administrator and about five operational guys. There are also some service desk-level guys and about 12 of them have visibility into activities, but they don't actually change things. Change control is quite closely guarded.

We have deployed the solution in a couple of data centers. We are deploying it across 30 offices this year and plan to do the next 30 to 30-ish offices in the next 12 to 18 months, as some of their hardware retires or has expired. We are not pushing it out too fast. We are going with the cadence of the business.

The technical support is very good. We had some nasty questions, but they were sorted out quite quickly. The problem that we had, because it was live, was it took us a little bit of time to deploy stuff. We also have a good relationship with their pre-sales engineers who offered advice and guidance, specifically as part of the deployment.

We previously had Cisco ASA Firewalls in some locations and Cisco Security PAK Routers in other locations that gave us a base level of firewall. So, we didn't previously have any next-generation firewalls. These are our first real next-gen firewalls.

We switched solutions because we didn't have enough of the network security covered. Also, we wanted centralized visibility and control, which was key for us.

When we did some red team testing, we found that there was a way to get some data out through our existing DNS environment. We knew we had to fix the centralized DNS management, visibility, knowledge of the DNS queries, and the visibility of the DNS queries as a result of some testing that we did. Whereas, before they were all geographically disparate, having a centralized place to look at to be able to do some analysis and visibility really are the key things for us.

The initial setup was not simple, but it is simplified. What was really good was the free training beforehand. As an architect, I don't get my hands that dirty, but I was able to go through a number of the free courses beforehand, or workshops, that were done online. Their training platform was very useful in helping me get an understanding of the product and how we would deploy it in our own environment. The actual deployment, as with anything network-related, is fairly complex because we have a very connected network with a lot of different entry points. While it takes time, it was very useful to get the training beforehand.

The deployment took about three months, but it was in the midst of a data center migration. It probably only took us a month to deploy it properly, but then we had to migrate services over, which took another six months. Again, this was part of our data center migration project. To actually get the solution installed was very quick, it took only a couple of days to get it up and running. However, to move services onto it, you need to be a bit careful when you start to move the live services onto it.

Our implementation strategy was really focused around our data center migrations and moving stuff out of one data center into another. As we moved services from one data center to the other, we brought them onto Palo Alto's in the new data center rather than onto the existing old routers and firewalls. So, it was really governed by the business, applications, and what we could move when.

We used Palo Alto directly for the deployment. Our experience with them was great.

To deploy it, we didn't employ any more staff. We did send a few people out remotely. With COVID, travel is a little bit tricky. So, we have some remote agreements with some suppliers who will go out for a day, plug a device in, and help us with the initial out-of-the-box config. That is normally two to three hours per site that we have to do, which is what I would expect from this kind of device.

Look at Palo Alto because it is a bit modular, so you can take the components that you need when you need them. You need something that will do the job. It doesn't matter if it's cheap and fast, if it quickly lets through vulnerabilities. You need something that will be reliable.

We were very happy when they released the PA-440s. Previously, we had been looking at the PA-820s, which were a bit of overkill for us. Price-wise and capability-wise, the PA-820s hit the nail on the head for us.

Go for a three-year deal, then Palo Alto will bring in some discounts. We also deployed them as HA Pairs to make sure we had resiliency.

We looked at Cisco and Fortinet. The reason that we went with Palo Alto was they were fairly cost-effective. They were also a bit easier to manage. The central management and control of Palo Alto was a little bit nicer than the Cisco side of things. I think everyone achieves the same things in slightly different ways. The way Palo Alto achieves their centralized management and control resonated a bit better with us and our requirements.

We haven't actually deployed Palo Alto NGFW’s DNS Security yet, but we will be doing that.

It is great that 100% of the tested attacks were blocked in the NSS Labs Test Report from July 2019 about Palo Alto NGFW. It is a great story, but I never trust 100% because that's why we have layered security. However, it definitely provides a great level of comfort in our security structure.

I never give anyone a 10, so I will give the solution a nine (out of 10).

I mainly use Palo Alto Networks NG Firewalls as the firewall device, and I deploy it at the perimeter of the networks to secure our infrastructure.

By implementing Palo Alto Networks NG Firewalls, we mainly wanted web security and protection from DDoS and other attacks. We also wanted to provide a VPN solution so that mobile users could work from anywhere.

Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. This is very important because with a single box, we can enable multiple security features and have web security, application security, and network security. It works on OSI model layers one to seven. It provides end-user security and enables us to allow any URL, website, or application for a user.

Palo Alto Networks NG Firewalls provide VPN solutions. With site-to-site or remote VPN, anyone from the organization can work from anywhere in the world. They only need Internet connectivity on their devices to connect to our enterprise network and access the required resources. It supports secure remote work through VPN connectivity.

Palo Alto Networks NG Firewalls are effective in preventing attacks by blocking abnormal behaviors. It detects any anomalies using signature-based detection and automatically alerts administrators. Palo Alto Networks NG Firewalls have machine learning embedded in the core to provide inline, real-time attack prevention.

We can use Palo Alto Networks NG Firewalls for securing data centers consistently across all workplaces, from the smallest office to the largest data centers. We can deploy the firewall anywhere based on business requirements. We can use Palo Alto Networks NG Firewalls at a broad level to secure our data center. Within the data center, we can also segment the network and deploy the perimeter firewalls between different departments. For example, if a salesperson is communicating with the database team or marketing team, the traffic has to pass through the firewall. The firewall inspects the behavior. If an internal employee is trying to delete a database file, the action will be prevented at the application level.

The solution provides web security, application security, and network security. We have app security, app gateway, and app ID. There are multiple models.

Palo Alto Networks NG Firewalls should be more flexible and user-friendly. 

There should be more comprehensive documentation, case histories, and technical training on new technologies available on their portal. It will help us with troubleshooting.

I have been using Palo Alto Networks NG Firewalls for ten years.

Palo Alto Networks NG Firewalls are very stable. I would rate Palo Alto Networks NG Firewalls a nine out of ten for stability.

Palo Alto Networks NG Firewalls are highly scalable, allowing deployment in various modes, including virtualized, cloud, and bare metal. We are using it at multiple locations.

I would rate Palo Alto Networks NG Firewalls a nine out of ten for scalability.

Palo Alto's tech support is fine. They are proactive, responsive, and effective in logging cases and troubleshooting.

Positive

We previously used Cisco ASA and switched to Palo Alto Networks NG Firewalls. It is very fast. We are not getting any latency. Palo Alto Networks NG Firewalls have a unique vertical packet inspection feature. It checks all parameters in a single shot, which makes it fast. Other firewalls, such as Check Point and Cisco, do the inspection horizontally, so there is a delay.

We have on-prem, hybrid, and cloud deployments. We have deployed Palo Alto Networks NG Firewalls on the AWS platform.

The initial setup was a bit complex initially, but with experience, it has become straightforward.

It does require maintenance. There could be a hardware fault. This is why we recommend deploying them in an HA environment.

I did the implementation myself. We have a team of five people.

For maintenance, one person is usually enough, but if you have multiple firewalls, you might require more people.

Everyone has different requirements. Palo Alto Networks NG Firewalls are a good and stable choice. They also have solutions for medium-sized enterprises. I would recommend trying Palo Alto Networks NG Firewalls.

Overall, I would rate Palo Alto Networks NG Firewalls an eight out of ten.

Palo Alto Networks NG Firewalls are our perimeter firewalls that protect the network from external attackers. They provide visibility into network activity, from layer four to layer seven, including application visibility, user awareness, and content awareness. These features are crucial for any network and organization, regardless of size, whether it's 20 users or two million users – they all need a firewall.

It's crucial that the entire cybersecurity landscape shifts from traditional methods to artificial intelligence and machine learning. When vendors stay current with emerging and future technologies, they're better positioned for success. This proactive approach ensures they remain relevant and effective in the ever-evolving cybersecurity space.

Palo Alto Networks NG Firewalls helped reduce our downtime.

The most valuable features of Palo Alto Networks NG Firewalls are DNS sync calls, enabled security features, and Wildfire.

The machine learning component on the firewall level requires more computing power to perform at the full production level. Therefore, the ML is currently providing partial real-time attack prevention.

In large data centers, enabling multiple features, such as SSL decryption, can lead to performance degradation. This is especially noticeable in Palo Alto firewalls when SSL inspection is enabled. Ideally, this shouldn't happen. To address this, enterprises are often forced to upgrade to higher-end models, which is unnecessary. Palo Alto needs to address this issue. When performance degrades due to full packet inspection, the solution should be to increase the computing power within the same firewall, not to recommend upgrading to a larger, more expensive model. Performance issues during full inspection need to be resolved without requiring hardware upgrades.

The technical support has room for improvement.

I have been using Palo Alto Networks NG Firewalls for five years.

I would rate the stability of Palo Alto Networks NG Firewalls six out of ten. After the upgrade, we are experiencing performance issues. Occasionally, we need to reboot the firewalls to refresh and recreate sessions. Gradually, performance returns to normal. Immediately following the upgrades, performance and utilization spike significantly.

I would rate the scalability of Palo Alto Networks NG Firewalls eight out of ten.

We previously used Checkpoint firewalls, but the performance was subpar and lacked an available interface. In contrast, Palo Alto Networks NG Firewalls offered more interfaces.

The initial deployment was not complex but we did face some issues with respect to dynamic routing configurations.

We used a third-party for the deployment.

We have observed an average return on investment from Palo Alto Networks NG Firewalls.

Palo Alto Networks NG Firewalls are expensive. The total cost of ownership is high.

I would rate Palo Alto Networks NG Firewalls six out of ten.

For those looking for the cheapest NG firewall, I would recommend Fortinet.

We deployed a total of four Palo Alto Networks NG Firewalls, two in the data center and two in the data recovery center. We have a total of 1,800 endpoints in our organization.

Frequent updates necessitate regular maintenance, which requires a team of four people.

Before purchasing, conduct a proof of concept to verify functionality, alignment with use cases and organizational requirements. Validate hardware compatibility and ensure correct sizing. Opt for direct Palo Alto OEM support instead of partner-enabled support.