Palo Alto Networks NG Firewalls Reviews

The unified platform provided is very important to us as it allows us to manage all traffic and ensure security without using separate tools. It has AI and ML capabilities, which work well for real-time attack prevention.

Since implementing Palo Alto, we've seen an 80-90 percent reduction in issues. It handles ISP links, ensuring minimal downtime. Recently, we upgraded our secondary ISP to 3 Gbps, and when the primary link goes down, it automatically switches to the secondary. As a result, end users do not experience bandwidth shortages or interruptions in internet access.

One area for improvement with Palo Alto Networks NG Firewall would be customer support. Currently, in regions like India, customer support is handled by third-party partners. Unfortunately, the support provided by these partners has not been satisfactory. It would be beneficial if the tool handled customer support directly, similar to how Cisco maintains high-quality customer care. This would ensure that customers receive the level of support they expect.

Getting reliable service is important when you're a customer, especially with critical devices like firewalls. Firewalls are key parts of a network; if they fail, the whole network can become unstable. So, the support you get needs to be just as reliable as the device itself.

I have been working with the product for a year. 

I haven't experienced any downtime. 

We used Cisco ASA before. At that time, Cisco didn’t have a unified next-generation (NG) firewall, and I’m unsure if they offer one now. The main reason we decided to switch was that we needed a unified NG firewall. Besides the unified features that NG firewalls provide, there were other differences between Cisco and Palo Alto Networks NG Firewalls, particularly in terms of features and price. However, the features are mostly similar across different firewalls; it depends on how they’re implemented, how effective they are for end users, and how well they handle security. This varies from company to company and firewall to firewall because each has its architecture, data plan, processing, control, and so on. So, it depends on the original equipment manufacturer.

The tool's deployment is complex and takes seven to eight days to complete. 

The tool's pricing is similar to that of Cisco. It's a security appliance; the cost depends on your network topology and specific requirements. The suitability of NG firewalls should be chosen based on your network and what you need. If a colleague from a different company asked for the cheapest and fastest firewall, I suggest they consider options like Sophos. Sophos took over Cyberoam, which was previously a leader in NG firewalls

I work with the product, and we purchased our box after a demo. We also have IoT security, but I don't personally handle that. I rate the overall product a nine out of ten. 

We use Palo Alto Networks NG Firewalls for our network security. We deployed the solution on both the cloud and on-prem.

Palo Alto Networks NG Firewalls machine learning secures our network against threats that evolve rapidly.

The DNS security feature is already commonly used for authentication by clients, with many threats being pushed from the inside to the outside. DNS security helps improve our network.

The DNS security feature is integral in protecting against DNS tunneling.

The solution provides a unified platform that natively integrates all security capabilities. Palo Alto Networks NG Firewalls' unified platform helps us eliminate security threats. We use all the Palo Alto Networks NG Firewalls' features including the UTM, WiFi, and VPN feature to protect our network. 

Both the network performance and security of the single-pass architecture are good. 

There are many valuable features, such as wireless cloud features. The IP and signals are updated regularly, and all UTM features provide good basic gateway-level security.

Palo Alto Networks NG Firewalls machine learning in the core of the firewall to provide real-time attack prevention is a basic requirement for our private security network.

The bugs can be improved.

I have been using the solution for eight years.

The solution is stable. We encounter small bugs sometimes but they are not a problem.

The solution is scalable.

The technical support is good.

Positive

For experienced people, the initial setup is straightforward. Cloud deployment can be challenging for someone new. The deployment takes around one hour.

We implement the solution for our clients.

I give the solution a nine out of ten.

Our clients are enterprise-level.

The PA400 series has good performance and security.

I recommend Palo Alto Networks NG Firewalls to others.

We use both the NG and VM series of Palo Alto firewalls. We sell and install them for clients to provide the best security that money can buy. Additionally, adding SD WAN on the same edge device has made an all-in-one, security-edge-intelligent routing solution possible without sacrificing performance or a secure environment.

The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us. 

An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications. On one occasion, I was alerted by Palo Alto that something unusual was happening through a particular port at a client location. I blocked the port access because I didn't know what exactly was going on and alerted the client. Then the client called me up and said, "Hey, I need the port that was blocked because [of this]." We could then test what was going on in a secure environment where it couldn't affect anything else to be sure the behavior was not something to be concerned about. In this case, Palo Alto kept the client totally safe. That is a fantastic capability.

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

I have been using the solution with clients since at least 2008 when I became a solutions architect.

Palo Alto is the most stable firewall that I have experience with. Firepower is second to Palo Alto. Fortinet is third coming in just after Firepower. Meraki is in there around number 100. The stability of that solution is absolutely horrific. That it is a security device — a firewall — makes that relatively more frightening because it affects the stability of the entire infrastructure.

Palo Alto's stability means that it is always on the alert and it keeps infrastructure safe.

Palo Alto is quite scalable and versatile.

Easy to speak with, level of professionalism is high.

Anyone should tinker with hardware from different manufacturers, then see what fits with your application. 

The complexity of the setup is somewhere in the middle of the road. It certainly isn't the most difficult, nor is it the easiest. 

MSP

Palo Alto is a little expensive compared to every other solution, but you get what you pay for. The question I have been asking customers since I became a solutions architect is what the best in security is worth. The problem with people seeking security solutions is thinking that all solutions are the same, thinking the newest technology solutions are best and thinking cost-first. A better way to think about it would be how expensive a break-in is. 

If I am shopping around for a firewall solution and I see I have to pay a lot per year for Palo Alto and I see Meraki is a much lower price, I might be attracted by the less expensive product. When it is deployed, we get broken into and lose $10 million worth of design documents. It may be quite possible that break-in could have been avoided by paying more for a better security solution. Because I went the cheap route, I lost many times what I 'saved.' For possibilities like this alone, it is hard to put a price on security. 

Take a deeper look at what happens when you try to save money on security. Meraki does SD-WAN (Software-defined Wide Area Network). That is touted as fantastic because the client is going to save a whole lot of money because they don't need MPLS (Multi-Protocol Label Switching) anymore. But the reality behind it is, there is absolutely no application acceleration, no data deduplication, and no forward error correction. Forward error correction is extremely important when you're using a device between points. But Meraki sells its devices for nickels or pennies on the dollar in comparison to other security solutions. Only then you only learn the lesson of what happens when you go cheap. Your network gets broken into more easily because of the inherent exposure in SD-WAN and it goes down a lot. 

If you have sales offices and those sales offices have Meraki firewalls, the device may observe a problem out on the internet. When it does, the Meraki's failover results in an outage. With Meraki, failover to a better link takes 30-seconds. Whether it is a 30-minute failover or 30-second failover, you can drop a call. If you are cold calling and you dropped a call, you don't get a second chance. It is impossible to say how much money you might lose. For example, if my company sells microchips and that call was going to develop into a $40 million sale, that sale is gone. It is gone because of the small comparative cost savings in security and the instability of the solution you chose to use. But a 30-second outage every single time a route is withdrawn across the internet means your phone is going to ring if you are the IT Director, and you will eventually lose your job. 

The costs for Palo Alto are structured in a similar way to other products. With Palo Alto you can do one, two, three and five years contracts. It is the same thing with Fortinet and Meraki. Hardware cost is very different than the application license. The hardware maintenance agreement is separate. With all of the firewall solutions, you will pay for a hardware maintenance agreement. That protects the hardware itself. That is an annual billing and separate from the software in all cases. Nobody bills for firewalls on a monthly basis. Even the VM version of the Palo Alto is billed per year. Using that license, you can build up a VPN that forces all default traffic to a particular device before it goes out to the internet. It is comparatively pretty cheap in practice, and it works. It works well because you only need one piece of hardware. Build the server and start slicing out VMs. Then it becomes possible for everybody in a network to be protected by Palo Altos security at a lower cost. 

As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.

That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.

Cisco Firepower NGFW (Next-Generation Firewall)

I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.

Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.

I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product. 

Firepower is a capable solution but it is difficult to set up and manage.

Cisco Meraki NGFW (Next-Generation Firewall)

Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.

If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.

There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop. 

It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.

I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.

An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.

Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."

All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.

Fortinet FortiGate NGFW (Next-Generation Firewall)

I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.

Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
     

Comparing the Complexity of Setup

Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.

Rating the Products

On a scale from one to ten with ten being the best, I would rate each of these products like this:

• Meraki is a one out of ten (if I could give it a zero or negative number I would).
• Fortinet is seven out of ten because it is simple but not so secure.
• Firepower is seven out of ten because it is more secure, but not so simple.
• Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare.
  
  

An Aside About Cisco Products 

It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.

Palo Alto is my number one choice for firewalls. I support and utilize more Palo Alto firewalls throughout my company and with my customers than any other device. Number two would be Fortinet. I don't really like Fortinet that that much because it is not as secure as Palo Alto, but I have customers who want to use it because it is a lot less expensive. Number three is Cisco Meraki, which I obviously don't like, but people request that because the Cisco name is very popular and a lot of other people are using it. I couldn't recommend against choosing a device more than choosing it by name instead of functionality. 

Palo Alto invented the method of looking at the application identifier in each packet and making a decision. For instance, many companies may want to do something like prohibiting all chat applications with the exclusion of whatever application the company is choosing to use. Let's say the company is using IP Communicator for customers and for employees to chat with each other, but the company wants to block Skype. The reason why might be because they don't want anybody bringing up a Skype call, sharing information via that Skype call, or maybe turning on a Skype call and letting other people see inside the facility. Skype has a very interesting platform in which you block one IP address on the Skype server and it allows another one. You block Skype.com and it creates another URL. Skype loves to get in and around simple security steps. Palo Alto is phenomenal because it takes a look at the application identifier within each packet and will find that it is Skype and block it. If you want to block AOL Instant Messenger, you just block it. Anything out there you don't want employees to use can just be blocked by referencing the identifier.

Netflix is another one that seems to find it's way into corporate networks. It is normal not to want employees sitting around watching movies. The Palo Alto will find out that someone is trying to access a Netflix movie and block it. Then it can also send an email to alert different people of the activity. You could set it up so that when something like that happens, an email goes to the director of IT to say, "Hey, this person may be trying to access Netflix." You may want it to just block the access type and forgo the alert. Or you can block the activity and alert anyone you want that someone appears to have tried to subvert security. The idea of this type of security measure isn't just to lay blame and get people fired, it is to identify different types of breaches and why they occur. It could be that a potential breach requires a sit-down conversation with the persons involved. But the truth is that many malicious sites — like adult related websites, platforms like gambling sites, obviously hacking-related sites, violence or gore — are loaded with malware. You don't want that on your computer, and your employer doesn't want it on the network either. It is just as bad as bringing a device to work and allowing that device to be connected to the network without protection as that is just another potential malware exposure.

Another beautiful thing with Palo Alto is that they have Wildfire. Wildfire can prohibit malware in either direction. Malware is not going to get into the network via a customer or a user surfing and it is not going to get out and affect the network and spread around via a user's BYOD (Bring Your Own Device) that got infected while he was working at home.

We provide localization services and use Palo Alto Networks NG Firewalls to protect our environment.

We have two on-premises Palo Alto Networks NG Firewalls that are managed in the cloud.

Palo Alto Networks NG Firewalls provide a unified platform for centralized management. This is one of the most critical features of the NG Firewalls.

Palo Alto Networks NG Firewalls utilize embedded machine learning to combat the evolving landscape of cyber threats. This is crucial because traditional security methods often fall short against modern malware and sophisticated attacks. By employing machine learning, these firewalls proactively identify and mitigate risks in a way that static rules-based systems cannot, effectively countering the advanced techniques increasingly used by malicious actors.

It helps reduce downtime in our organization by 98 percent.

Palo Alto Networks NG Firewalls offer a comprehensive suite of security features, with Intrusion Prevention System and certificate inspection being among the most valuable.

The machine learning feature, with its continuous potential for improvement, directly enhances the security of Palo Alto Networks NG Firewalls.

I have been using Palo Alto Networks NG Firewalls for almost 12 years.

The technical support is good, and Palo Alto has excellent documentation.

Positive

We also use FortiGate Firewalls in addition to Palo Alto Networks NG Firewalls. Both offer similar features and prices and are considered top competitors in the market.

The return on investment from Palo Alto Networks Next-Generation Firewalls has been significant, as the enhanced security they provide to the enterprise effectively offsets their cost.

Palo Alto Networks NG Firewalls are affordable, and we get what we pay for.

I would rate Palo Alto Networks NG Firewalls ten out of ten.

We have over 10,000 end users.

When choosing a firewall, cost often reflects capability. While budget-friendly options exist, their security levels may not match those of higher-end providers like Palo Alto or Fortinet. Investing in a robust firewall often provides enhanced protection and advanced features, justifying the higher cost.

We have three employees and one consultant who are responsible for the maintenance of our NG Firewalls.

We started using this solution as a basic firewall, and then, we ended up with URL filtering, IPS, and decryption.

It increased visibility, and we can see things that we couldn't see before and are able to decrypt as well. We can actually see what's going on in our network.

Decryption is one of Palo Alto Networks NG Firewalls' best features because we can decrypt by category. For instance, we can decrypt everything except for bank traffic so that we don't interfere with the passwords and two-factor authentication of those checking their bank accounts at work. We can still monitor for malware and other threats that come through a secure channel. It's seamless for users. The URL filtering and IPS are both great as well.

Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. WildFire stops a lot of viruses and malware that come in from the outside. In addition, when you decrypt the traffic you'll be able to see a lot that you couldn't before. You can then integrate that into a SIEM and have visibility into all the different things that are going on. Integration with WildFire provides sandboxing and tells you if it's malicious content or not. Then, you can do URL filtering for the endpoints. All of this data goes into the SIEM. Thus, it's a really good, well-integrated software.

This native integration is very important to us because of the cost. When we get an enterprise license and get all these features on one device, we don't have to buy five devices or virtuals or set up a virtual or cloud farm to do the five things that the solution will do automatically, natively out of the box. We have been able to save money because we are able to get rid of our decryption software and are getting close to letting go of our filtering software.

It's important to us that Palo Alto Networks NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention. This is important because those who exploit us daily use new tactics that are not seen at all times. They employ tactics that use applications that we currently use, such as PowerShell. If a PowerShell script comes in and it's decrypted, launched in WildFire in a sandbox, and blocked, it cuts our threat vector down tremendously.

When we go across all the workspaces, it's simple. The web-facing servers are protected with IPS, and the endpoints are protected with URL filtering in the sandbox and decryption. We log all of the MAC addresses, so we block hackers from getting into different websites when staff use a Wi-Fi connection off-site. In terms of securing data centers consistently across all workspaces, our whole ecosystem depends on having Palo Alto so that we can have one centralized SIEM where all the data is. Our SOC can investigate all the alerts that we get from all of these different areas.

Palo Alto Networks NG Firewalls need better training modules. You have to do a lot of reading prior to watching the training videos, and it's good for people who are really into it. However, often you want to use a video for a TID. You want to see how to do something rather than spend 30 minutes reading and then another 30 minutes watching the class. As a result, I take third-party training classes rather than Palo Alto's training because they are a lot better.

The training should be more accessible because if everybody has to pay for training, it makes it harder for us to get in techs who are qualified to do the work. If there are clear levels and schemes for certification, it would be great.

I've been using this solution for probably five years now.

The firewalls are always on, and we haven't had any stability problems. We haven't even had any hardware failures, and the perishables are great.

The firewall's scalability is nice because you can take a VM and put more memory in it. If you virtualize, then you can scale it out. With an enterprise license, you can load several to get all different points of your internet access. For example, one could do URL filtering just for the desktop, and another one could be an IPS in front of something else.

It's very flexible, and you can use these virtuals to contain all these different situations from an architectural standpoint without having to buy other software.

Palo Alto's technical support is great, and I'd give them a ten out of ten.

Positive

The initial setup is straightforward in the sense that when you put it in it starts doing what it's supposed to do. Then, you have to turn on all the features that you want.

We mainly worked with Palo Alto Networks. They taught us a lot and have been very helpful in getting us onboarded with all of the different features.

We see a return on our investment every day. We have threat hunters who go through the data and tell other state agencies where the problems are or what we were able to stop.

We haven't had a problem with pricing or licensing because we consolidated other software to make Palo Alto more affordable.

If you're just looking for the cheapest and fastest firewall, remember that you'll get what you pay for. Check if the company is able to support its product 24/7. You have to be able to get technical support on the phone at any time of the day or night. In addition, the company has to be able to do training on its firewall, and there has to be a job market for it so that there's an employee pool from which you can pick someone who knows the software. If it's an obscure software company, and they only have two or three people in the country who are certified on it, then it would hurt you a lot because you won't be able to call these two or three people in the middle of the night and expect them to always be there. Palo Alto has a very deep bench, so they can go globally and get you tech support at any time. That's very helpful.

The price is dependent upon how many features you use. If you have a Palo Alto ecosystem where you use Prisma, IPS, URL filtering, and decryption, it's going to be affordable because you will be able to eliminate other software. However, if you're looking to use Palo Alto as just a firewall, it may not help you that much because everybody out there competes to provide a firewall experience.

On a scale from one to ten, I would rate Palo Alto Networks NG Firewalls a ten.

The value I get by attending an RSA Conference is being able to see new up-and-coming software. Some products are new to the market, and others are trying to get their product to market. A lot of times, these products have key features that others don't.

Attending RSAC helps to influence cybersecurity purchases throughout the year because we are able to see a product that we didn't know was available. We learn that there is software that does certain functions that we didn't even know we needed. There are some products at RSAC that may be too expensive, but there are others that we would consider because they are cost-effective and have feature sets that we didn't know about.

We used the solution as an edge or internet firewall where we were running IPS/IDS and doing filtering on it, apart from the other security features. We are still using it for our users' VPN activity and to manage site-to-site VPN tunnels with other clouds, like AWS and Azure, so that there is connectivity back and forth between those cloud providers and our on-prem data center.

The features I like are the debugging and troubleshooting through package capture. It's easy to capture from the CLI and it's also easy to get logs from the CLI.

It's very important that Palo Alto NG Firewalls embed machine learning into the core of the firewall to provide inline, real-time attack prevention. That increases our security posture. It gives us real-time anti-cyber activity and enables us to look at it. The firewall is able to capture it and flag it and it is easy to mitigate as soon as we see something like that happening, to secure the environment more, in real time.

These firewalls have the zero-delay signatures feature, which is really important because you don't want to be lagging behind with any kind of security updates. It doesn't affect our security a lot, but without it, we could be compromised a little bit. If updates are delayed by a couple of hours, there's an opportunity for the bad actors to execute something in that time frame. It gives us a little bit more security, but it's not like it's a high-severity situation.

Overall, they're doing great with the features. They're improving them day by day and year by year, which is really good. They're making new products that are compact inside, which is also really good. Instead of a full rack, they have tiny devices that have the same or even better performance compared to the bigger ones. They are doing well in improving the units, features, and security.

I've been using Palo Alto Networks NG Firewalls for eight years.

They're very reliable and stable. Compared to some of the competitors, they're more reliable.

The scalability is also good. They provide good options for scaling. The only thing that I would think about is that, in the newer firewalls, they have increased the performance but decreased the number of concurrent VPN connections or users. The new, compact devices have better performance, but they have reduced the number of users that can connect. Maybe that's a marketing strategy to sell higher-end models.

In my organization, everybody is using the Palo Alto firewalls because they're connected to the VPN, but the management and operations aspects are limited to the folks in IT.

These firewalls used to bring a lot of value to us, but in my practical experience, in the last three years at least, they have been lagging behind their competitors. The main issue is the support that we can get.

For example, in the past, if something happened, we could just give them a call and open a ticket, and we would have technical support right away to help us. Whether it was a severity-one, critical incident, where we had no connectivity, or just a minor or medium-severity issue, we used to get support right away. But in the last three years, it has been really hard to get hold of an engineer. I have reached out a couple of times to give them a heads-up, "This is a ticket I opened three days ago. I'm trying to get a hold of anybody."

It's okay that they force us to open a ticket on the portal, but after opening a ticket, it's really hard to get support when you need it. You have to wait for them to get back to you and sometimes it's random. And the biggest problem I have is that you have to wait hours on the line when you're calling them to get a hold of the next available engineer.

They should make it easier to get in touch with their TAC. This is what they have called transforming the customer experience, but I believe it's getting worse. That's the only thing they have to improve. When you do get someone, the support from their end stands out, it's a nine out of 10. But getting a hold of an engineer is a two out of 10.

Neutral

The initial setup is very straightforward. You need to connect through the portal manager and to the IP that you want to access remotely. And pushing the configuration from other devices is very easy. They provide tools so that you can get the configuration from competitors' devices and convert that into the Palo Alto version. It's very easy to configure initially and to manage as well.

On the maintenance side, it's really good. We don't have to put a lot of effort into that.

The security and performance of the PA-400 series of Palo Alto NGFWs, versus its price, is really good. It's very inexpensive and has good performance compared to the previous higher-end 3000 models.

Palo Alto provides Panorama where you can manage a bunch of firewalls from a single pane of glass or just one device. It allows you to manage all of the firewalls in one, integrated location. You don't have to make a chain of 50 different firewalls. It will push what you need to be changed to all the other firewalls. We used to use it, but we got rid of it because we replaced all our Palo Altos with competitors' firewalls and we don't use Palo Alto anymore, other than for VPN. We have six firewalls in our organization right now, although we used to have 35 to 40. Because we no longer have a lot of firewalls, we got rid of Panorama. We don't want to pay for it to just manage six firewalls where we are not making any changes frequently. If we had 35 or 40 still, I would definitely recommend having Panorama.

Panorama is for managing the rules. It saves time on configuration, but it doesn't affect your security posture. Whether you're managing each firewall or using Panorama, it's exactly the same thing. But it helps you to execute changes in a very short period of time. It's a way of pushing the config to all your devices.

I design networks for our customers; I always use a high-speed packet filter upfront because I work for a Juniper partner company. This is usually a Juniper SRX series firewall and it does most of the easy work. Behind that, I add a more intelligent firewall, Palo Alto NGFW. We are partnered with Palo Alto, but that's not the main reason we use their solution. I worked with Check Point products for four years, and the Palo Alto alternative seriously impressed me. Here in Hungary, Palo Alto is considered the de facto intelligent firewall, for good reason.

I work for an integrator and support company, and I support our customer's security platforms; we have many customers with Palo Alto Networks NG Firewalls.

The firewalls improved our organization. Creating firewall rules is much simpler. The solution is so straightforward that customers can configure it themselves, and they rarely call us for that, which is great for us as a support company. It makes our job much easier as Palo Alto NGFWs don't require a security specialist to configure; it can be done by systems engineers or IT support staff. 

All the features are valuable, but my main one is the straightforward and well-designed GUI. I'm over 50 and have been in this business since the internet started. I'm not a GUI guy; I prefer using the command line. The product's GUI is excellent, and so is the threat intelligence. It's also straightforward to configure and flexible. The solution even has good networking, such as VLAN and subinterfaces, which is great because, in my experience, if the firewall is good, then the router usually isn't and vice-versa, but Palo Alto has both.

We use the on-premises solution, and it's very impressive; both flexible and intelligent. The machine learning functionality is excellent, and I love the product as a support guy because it makes my job much easier. I have very little troubleshooting, and our customers haven't had a single security incident since implementing Palo Alto. I'm deeply impressed with this solution.

The machine learning against evolving threats works well. The best thing I can say is that none of our customers have had any security issues; I can't find any problems with the solution.

The support is outstanding; we are always alerted about potential issues such as bugs in advance, so we have time to adapt and prepare. Palo Alto has grown more effective; most importantly, there haven't been any security issues. I would give the product a 10 out of 10 for flexibility and at least a seven for security. I can't say precisely what security threats our customers face, but nothing has gotten through.

The solution provides a unified platform, which is essential because there is a significant shortage of experienced IT specialists in Hungary and elsewhere. Their effectiveness is amplified by the quality and straightforward nature of the solution, and the result is more robust security.

I don't have a direct view of our customer's security threats as it is privileged information, but I can say that there have been no security breaches. I would say the solution does eliminate security holes. 

Our Palo Alto firewalls have the zero-delay signature feature implemented, and it works fine. There haven't been any issues with us or any of our customers. This feature makes the whole security system more efficient. 

The network performance is top-notch; I would give it a 10 out of 10. Intelligent firewalls tend to be slower, but this solution is fast. Previously, I used a simple packet filter or zone-based packet filter in conjunction with an intelligent firewall, but Palo Alto is fast and secure enough for standalone use. I've been familiar with the solution's architecture from the beginning, and it's a very nice platform.

I recommend this solution to any engineer; technically speaking, it's the best product on the market. I know it isn't the cheapest, and decisions are often made on a financial level, but Palo Alto in Hungary always gives us a good deal. 

The solution's VPN, called GlobalProtect, could be improved as I've had a few issues with that. 

It can be challenging to migrate configurations between Palo Alto firewalls or restart with a backup configuration using the CLI. That could be improved. I think I'm one of the only people still using the CLI over the GUI, so that's just a personal issue.

I have been working with the solution for four years.

The solution is incredibly stable.

We work with hardware platforms, and they are usually slightly over designed to be on the safe side. The virtual firewall is highly customizable, but I have experience with the hardware platforms, and there is an upper limit on those, but I haven't had any scaling issues thus far.

In Hungary, where I live, the population is 10 million, similar to London. When I say we have 1000 end-users, it may seem like a small number, but that's relatively high for Hungary. Other vendors also supply the solution here, so 1000 is just our customers.

I mostly do deployments and maintenance alone. There are three systems engineers at our company.

The customer service and support are good. I have full support when I have a problem, and they can even do remote assistance. We had a big power failure, and the firewall didn't restart; they provided a hardware expert over the phone to solve the problem. They are very impressive. I would say Juniper offers the best support, but Palo Alto is almost as good, if not just as good for me.

Positive

I have been in this business from the beginning, so I used most firewall solutions. I focused on Cisco for 15 years, but that changed due to license-based selling in a very price-sensitive market. Cisco is not as viable an option as it used to be as customers consider it too expensive. I also used a Check Point solution, which was regarded as the go-to intelligent firewall five years ago, but now Palo Alto has taken that top spot. 

We are partners with several providers, including Juniper, Palo Alto, and a few others, but I always go with Palo Alto because it's a straightforward solution with easy installation.

The setup is easy; it's straightforward for anyone with basic networking and security knowledge. It's comparable to setting up a firewall at home, which is very impressive. It's still easy with very complex network setups, only the VPN concentrator, GlobalProtect, is more challenging, as it requires two-factor authentication, but it's still straightforward.

Initial setup time depends on the specific implementation, but we can do a new deployment in one or two days. It is more complicated when migrating from other platforms because the customer expects the same logic and features in the new platform. Palo Alto has an excellent marketing strategy, so their customers know their product uses a unique logic. This helps keep the implementation straightforward and shorter compared to other solutions. 

My implementation strategy begins with a plan for the customer's network based on their needs. Then I set up all the networking parameters and configure the solution in my lab device, so I can export it and import it on-site. Every setup begins in our lab, as it's more impressive to go to the customer and import the configuration right away. 

I don't know about the price of the platform or the license fees, as the finance department deals with that. I only bill for the materials involved in the design.

I don't know about the price. When there's a new project, I go to the meeting, but after a point, all the engineers leave when it comes to money because it's not our business. I know Palo Alto offers good discounts for the partners, and the solutions are good. They offer free trials and win many customers because it allows them to test products and see how well they perform.

The only thing I can say is it's a top technology. 

I would rate this solution a nine out of ten.

Cloud-based solutions are very unpopular in Eastern Europe, only private clouds are used, but on-premises is the favored deployment method. We use cloud solutions at home and for small companies or companies with particular use cases. I implemented the solution for a customer, and my first task was to disable all cloud-related features. It's exceedingly difficult to find a financial or government institution using a cloud-based platform; this market segment tends to have a more conservative mentality.

I don't use the solution personally, but I'm the first-level troubleshooter. If I can't solve a problem, I open a ticket to Palo Alto's customer support.

I have clients who used separate firewalls and VPN concentrators, but after switching to this solution, they now use the Palo Alto firewall and its VPN, GlobalProtect. I don't think it's the best VPN concentrator, it's an excellent firewall, but the weak point is the VPN.

I advise reading the documentation before configuring, which goes for any platform.

We have deployed Palo Alto Networks NG Firewalls and every web filter security available. So, we came to know each website user who got blocked and the "not required" categories. These categories are permanently blocked, and if any changes are required in these categories, we will first get approval from management. 

I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time.

The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall.

The most valuable solutions in this field are application-based firewalls. That is the main criteria of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well.

We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on clientside machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities.

Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well.

This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us.

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall.

We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more.

URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

I have been using Palo Alto Networks NG Firewalls for the last three or four years.

Stability in the sense of security and alerts, this solution is very good, and we have not had had any issues. However, web filtering and application-based approach are very poor.

Palo Alto Networks NG Firewalls is a scalable solution.

Palo Alto Networks support could be better. We bought this solution for security purposes, and we asked the support team to convert each and every entity. They have not been able to convert this New Generation Firewall to date. 

Their name suggests that the product will use every application and work as a New-Generation Firewall. Yet, it's not configured, and we can only configure 30% to 40% of the applications. That is also giving us some problems sometimes.

On a scale from one to ten, I would give Palo Alto Networks support a three.

We have a policy in our organization to change the firewall every five years. So, I have experience working on FortiGate, SonicWall, and WatchGuard over the last 20 years.

WatchGuard is very good at web filtering. FortiGate is also very good, and they have their own application to manage the firewall, and SonicWall is also very good. 

Palo Alto is a web-based firewall, and there are no applications to deploy and support. I mean, I take all the logs and all things from the client-side. As it's web-based, it's extremely slow. 

When you click on a particular log, it will take a lot of time because it generates lots of logs. That is a good thing, but performance is a little slow. Both WatchGuard and FortiGate are very good for this kind of thing. Also, WatchGuard is application-based, and I didn't have to deploy it. I came to know about Palo Alto from my friends who said it was very good for application-based security. 

The initial setup and deployment are straightforward. We did not have any issues at all. It took us about 15 to 20 days to implement this solution. 

The policies we have with Atelier and WatchGuard were exported, and we tried to deploy these policies on the new firewall. The reseller helped us configure it but without our concession or permission and could not deploy the firewall. We later had more problems, and the reseller helped us with that as well.

Video Import Solutions is our local reseller in Pune, India. In our experience, not every engineer knew the firewall concept. I mean, not at all. If we wanted something new or had to deal with this application-related issue, they always told us they would log a case and resolve it. But they did not support us at all and did not give us any reason why they could not do it.

I am a technical guy, and I would say that you will not get a return on your investment. Even FortiGate and WatchGuard will offer next-generation solutions that perform better than Palo Alto Networks.

The price could be better. Pricing is very different compared to WatchGuard, which costs around 60 lakhs, and FortiGate, which costs approximately 40 lakhs. Palo Alto Networks costs about a crore which is very high pricing.

We bought this firewall, and our organization did not want to pay so much. We spent around one crore rupees which is not within our budget at all, and we are unhappy with them.

This firewall provides a unified platform that natively integrates all security
capabilities. It will queue all functionalities like firewall protection and alerts and track all DDoS attacks. It shares all the information with us, and we can monitor and take immediate action on the other alerts we receive.

I would advise potential users to only go for this solution if they have the budget and don't require any support. Only buy this firewall if you can install, configure, and solve potential problems on your own. If not, FortiGate and WatchGuard are much better options.

On a scale from one to ten, I would give Palo Alto Networks NG Firewalls a five.