Palo Alto Networks VM-Series Reviews

The use case varies. I use it as a gateway, and others use it for microsegmentation in the cloud. Additionally, some deploy it on-premises to protect specific environments. Most of the use cases are in cloud environments.

The most valuable features are the DNS security and threat prevention capabilities. The DNS security significantly enhances security through visibility and detection, allowing control over crucial traffic like DNS, which is often exploited by ransomware. Additionally, threat prevention and URL security are crucial licenses I recommend to customers, raising the security level substantially.

There are continuous developments with many new features coming every year. Although I receive feature requests from customers, I don't have any particular areas for improvement in mind right now.

I have been working with Palo Alto Networks VM-Series for more than ten years.

Setting up the VM-Series is usually very easy. The firewall can be deployed and set up within half an hour, though it depends on the complexity of the configuration.

In terms of stability, I would rate it eight out of ten. Perfection is unlikely as the dynamic nature of traffic and constant changes can result in occasional bugs despite regular updates. Perfection in stability remains challenging for any vendor.

I rate the scalability of Palo Alto Networks VM-Series ten out of ten. It is easy to use with an excellent graphical user interface and extensive documentation, which contributes to its high scalability.

I conduct most of the support myself and rate the overall support a nine out of ten. However, sometimes cases take longer to resolve, and there's always room for improvement, especially in terms of response time from higher support levels.

Positive

The initial setup is straightforward and easy. The process involves registering and configuring the software, and with flex mode, it is easy to scale by purchasing additional credits for more CPU and RAM without needing new hardware.

The pricing is more on the expensive side, but it is justified due to its functionality, reliability, and throughput, even with all features enabled. In comparison to FortiGate, Check Point, and Cisco, the performance does not degrade significantly. Although I rate the cost six out of ten, the features justify the higher expense.

Overall, I rate Palo Alto Networks VM-Series an eight out of ten. While no product is perfect, I am satisfied with its performance and value.

Hybrid Cloud

Microsoft Azure

I am the team manager responsible for various security products. My customers use Palo Alto Networks products, and I am working with Palo Alto partners. We support a variety of solutions including Strata firewalls, Prisma SD-WAN, and Wildfire for advanced threat protection.

Wildfire, a sandboxing product, allows for analyzing malware in virtual machines. Its strength lies in threat intelligence, which is significant for proactive defense. Palo Alto's robust threat intelligence supports new updates, and I can open cases directly with their Threat Intelligence team. Customers appreciate the throughput and reliability of VM-Series Firewalls, as they can be managed efficiently through Panorama.

I find it difficult to reach technical support at Palo Alto Networks. Most customers go for partner-enabled support, which involves multiple layers, leading to delays. Additionally, the technical maturity level of support is not always high, resulting in dissatisfaction. The pricing of Palo Alto is relatively high, particularly for smaller companies.

I have been familiar with Wildfire for nearly five years. I have been working with the VM-Series for nearly two years.

Palo Alto products are stable compared to others. Stability issues may arise when exceeding throughput limits, but hardware is generally very stable.

Scalability is a strength of Palo Alto VM-Series. They are easy to upgrade, and with credit licensing, they scale effectively according to demand.

I can give Palo Alto Networks technical support a six out of ten. It is very hard to reach, and the process can be lengthy and frustrating because support involves several layers.

Neutral

Initial setup is easy, especially in public cloud environments where VM-Series can be obtained from the marketplace.

Our ROI is measured in terms of catch rate, however, customers often focus on the total price of the product rather than detailed ROI calculations.

Palo Alto is expensive in terms of pricing, particularly when comparing features to cost. Their Premier Support is also very expensive and not widely chosen by customers.

I would recommend Check Point and Fortinet as alternatives for companies where the budget is a concern.

I would recommend Palo Alto VM-Series to others and rate it an eight out of ten. However, for companies below midsize, it may not be a fit due to cost. For those companies, I suggest considering products like Check Point or Fortinet.

Public Cloud

Other

I use it for two main reasons. In case there is a customer query, Palo Alto firewall is one of the vendors that we support for syslogs, rule management, change management, and traffic monitoring. 

Our product is used to query the firewall and provide a dashboard that raises alarms if any suspicious activity is detected. It involves the management of the firewall. We have a partnership with Palo Alto, and I have worked with VM-Series. 

When a customer encounters an issue with our product in accordance with Palo Alto, I analyze the problem and provide solutions. Additionally, I have constructed a lab with network devices for partner training. This lab uses Palo Alto firewalls for communication.

By using this firewall, we were able to address a lot of customer queries and answer to their VM-Series. This helped us retain our customers and gain confidence from them.

Palo Alto is easy to use. The UI is very easy to understand and does not require any certification or highly skilled technician to handle the firewall. It is very user-friendly and straightforward out of the box.

An area for improvement would be AI-related features, particularly in rule management or threat intelligence. Focusing on AI-based threat detection would be beneficial. 

Additionally, enhancing the ease of accessing technical support would be useful.

I have been using Palo Alto Networks VM-Series for about three to four years.

Stability is good. Once it is configured, it is stable, and I would rate it nine out of ten. I have not experienced any outages with Palo Alto, unlike other vendors like Sophos.

Scalability is good, and I would rate it eight out of ten. We use it for testing with a low load, and it works well. In production setups, I have observed it being used effectively with a large number of transactions per second.

Reaching technical support is challenging, and I may not be eligible for direct support since I'm not a customer. It involves multiple channels. I would rate their technical support seven out of ten.

Neutral

I previously used Cisco ASA, an older version, due to its market leadership at the time. We moved to Palo Alto due to multiple customer requests for other solutions like Sophos, FortiGate, SonicWall, and WatchGuard.

The initial setup was very easy and can be rated nine out of ten. It is straightforward to configure, and the UI is simple.

I did everything myself. One person is sufficient for the deployment and maintenance of five to seven firewalls.

The return on investment is seen in customer retention and addressing their queries rather than in revenue.

I'm not the right person to give a rating for pricing, as I use a not-for-sale license provided by Palo Alto for testing.

We evaluated Cisco ASA, but due to diverse customer demands and requests for vendors like Sophos, FortiGate, SonicWall, and WatchGuard, we extended our support to Palo Alto as well.

For software application firewalls, this is the best solution. If you are using it in a cloud or as an application firewall, then Palo Alto Networks VM-Series is the best one for you.

I would rate it an eight out of ten.

On-premises

All the PwC offices in Pakistan use Palo Alto in their environment. It is a global solution.

Palo Alto is a good product. The features are up to the mark. No other product can compete with Palo Alto’s features. The filtering feature is good. We can block the traffic and examine the report easily. The blocking functionality works very well compared to other firewalls. I rate the ability of the tool to keep up with the trends in firewalls an eight out of ten.

The product must create some awareness in Pakistan. People are less aware of Palo Alto. Everyone knows about Fortinet and Cisco. Very few vendors are promoting the tool.

I have been using the solution for four to five years.

The stability is fine. I rate the stability a seven out of ten.

I rate the product’s scalability an eight out of ten. We have 2500 users. We use the tool daily. All our traffic passes through it.

I rate the ease of setup a seven out of ten. The setup is moderately easy. The product is deployed on the cloud. The deployment takes two to three days since it has global rules.

The tool was deployed in-house.

We have seen an ROI of 60% to 70%.

Companies in Pakistan have limited budgets. Palo Alto is more expensive than other products. So, people are reluctant to put Palo Alto in their environment. It's too costly compared to other tools. I rate the pricing a nine out of ten.

We had deployed the solution in 2018. We used a different product before, but my organization switched to Palo Alto. It was the management’s decision. Overall, I rate the tool an eight out of ten.

We use the solution for network protection. Previously, I worked for a physical organization, but last year we moved to a Proof of Concept. Following the POC, we had to deploy the solution in three different geographical locations. We deployed all of the Palo Alto solutions in the hub environment and connected them to another node.

VM-Series allows us to maintain consistent next-generation firewall protection across virtual, private, and public cloud infrastructures using a unified policy model. We can use the provided templates to generate policies based on both global and local rules.

Panorama plays a vital role in allowing us to maintain a consistent security policy model across on-premises and various public cloud environments. Presently, we utilize Panorama exclusively in the cloud, spanning three different geographical locations: East Asia, Eastern U.S., and Western Europe.

Once we were able to configure Panorama's centralized management system we were able to have uninterrupted connections with no security issues.

Using Panorama helped us streamline our security policies in a cloud-based environment, saving us time. With Panorama, we no longer need to log in and manually adjust the template before transferring data, which increased our comfort level.

Palo Alto Networks VM-Series' security features are all good.

Centralized management is valuable because it allows us to configure settings in one location and apply them across all three locations.

The migration of workloads to the cloud is difficult because the cloud provider and Palo Alto Networks are different platforms. We had to research many articles online and after our research and development were completed we were able to deploy. The migration of data to the cloud can be more user-friendly and has room for improvement.

The utilization monitoring and GUI have room for improvement.

Sometimes we encounter licensing issues where our licenses are not activated, and as a result, we are required to redeploy. This problem could be related to VM-Series or the template image and how they are integrated with Azure Marketplace.

I have been using the solution for one year.

The solution is stable.

The technical support is good.

Positive

Previously, we utilized Azure Firewall, but we found it to be less mature compared to Palo Alto, prompting us to switch to the latter.

The initial setup is straightforward but the deployment portion is complex. We require 15 minutes for one VM deployment.

I give the solution a nine out of ten.

Public Cloud

Microsoft Azure

The most valuable feature of the solution is the zero-trust security architecture.

The solution's licensing could be improved, and training should be included before installation.

I have been using Palo Alto Networks VM-Series for four years.

There are always glitches in every product, but the solution is reliable overall.

I rate the solution a nine out of ten for stability.

I haven’t faced any issues with the solution’s scalability. Our clients for the solution are large corporate or global customers.

The solution’s technical support is very good.

Positive

The solution's initial setup is easy if you have training and know what to do. The solution's deployment time depends a lot on the customer's requirements. It takes around half an hour to install the solution.

The smaller firewalls, like the PA-400 Series, are very good priced. Some of the challenges come with licensing and support on the larger boxes. Sometimes, it's cheaper to buy a new firewall with licensing instead of renewing the licenses of an old firewall.

Suppose you have a PA-3000 Series firewall. By the time of its renewal, Palo Alto will come up with the PA-1400 Series with better performance than the old PA-3000 Series. If the customer had one of the older ones, it would be cheaper for them to buy a new firewall on a lower tier and then get the licenses.

The solution is deployed both on-premises and on the cloud. Palo Alto Networks VM-Series helps in securing our public cloud infrastructure. It is easy to integrate Palo Alto Networks VM-Series with other solutions. We have integrated the solution with Aruba ClearPass Policy Manager. It is easy to maintain the solution.

It is very important for users to get the solution implemented properly in the customer's network.

Overall, I rate the solution ten out of ten.

Palo Alto VM-Series is something we recommend as a firewall solution in certain situations for clients with particular requirements who have the budget leeway.  

The Palo Alto VM-Series is nice because I can move the firewalls easily. For instance, we once went from one cloud provider to another. The nice thing about that situation was that I could just move the VMs almost with a click of a button. It was really convenient and easy and an option that every firewall will not give you.  

We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID, employees were all sitting in the office at the location and the requirements for firewalls were a different thing.  

$180 billion a year is made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems that no one cared that there was COVID they just had to fulfill the contracts. When people claimed they had to work from home because it was safer for them, they ended up having to prove that they could work from home safely. That became a very interesting situation. Especially when you lack a key element, like the Secure Access Services.  

Palo Alto implemented SASE with Prisma. In my opinion, they made a halfhearted attempt to put in DLP (Data Loss Prevention), those things need to be fixed.  

I have been using Palo Alto VM-Series for probably around two to three years.  

I think the stability of Palo Alto is good — leaning towards very good.  

Palo Alto does a good job on the scalability. In my opinion, it has excellent scalability.  

My experience with Palo Alto is that it is really bad when it comes to technical support. When we have a situation where we have to call them, we should be able to call them up, say, "I have a problem," and they should ask a series of questions to determine the severity and the nature of the problem. If you start with the question "Is the network down?" you are at least approaching prioritizing the call. If it is not down, they should be asking questions to determine how important the issue is. They need to know if it is high, medium, or low priority. Then we can get a callback from the appropriate technician.  

Do you want to know who does the vetting of priority really, well? Cisco. Cisco wins hands down when it comes to support. I do not understand that, for whatever reason, Palo Alto feels that they do not have a need to answer questions, or they just do not want to.  

It is not only that the support does not seem dedicated to resolving issues efficiently. I am a consultant, so I have a lot of clients. When I call up and talk to Palo Alto and ask something  like, "What is the client's password?" That is a general question. Or it might be something even less sensitive like "Can you send me instructions on how to configure [XYZ — whatever that XYZ is]?"  Their response will be something like, "Well, we need your customer number." They could just look it up because they know who I am. Then if I do not know my client's number, I have got to go back to the client and ask them. It is just terribly inefficient. Then depending on the customer number, I might get redirected to talk to Danny over there because I can not talk to Lisa or Ed over here.  

The tedium in the steps to get a simple answer just make it too complicated. When the question is as easy as: "Is the sky sunny in San Diego today?" they should not be worried about your customer representative, your customer number, or a whole bunch of information that they really do not use anyway. They know me, who I am, and the companies I deal with. I have been representing them for seven or eight years. I have a firewall right here, a PA-500. I got it about 11 years ago. They could easily be a lot more efficient.  

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

• I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
• I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
• I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
• I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
• I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

Setting up Palo Alto is relatively quick. But I also have an absolute rockstar on our team for when it comes to Palo Alto installations. When he is setting it up, he knows what he is doing. The only thing he had to really learn was the difference between the VM-Series and the PA-Series.  

I lay out the architecture and I tell people doing the installations exactly what has to be there. I sit down and create the rule sets. Early on, the person actually doing the fingers-on-the-keyboard complained a little saying that the setup was a little bit more complicated than it should have been. I agree, generally speaking. I generally feel that Palo Alto is more complicated than it needs to be and they could make an effort to make the installations easier.  

But, installing Palo Alto is not as bad as installing Cisco. Cisco is either a language that you speak or a language that you do not. I mean, I can sit down and plot the firewall and get the firewall together about 45 minutes with a good set of rules and everything. But that is me and it is because I have experience doing it. Somebody who is not very well-versed in Cisco will take two or three days to do the same thing. It is just absolutely horrid. It is like speaking English. It is a horrid language.  

I do not have to do budgets and I am thankful for that. I am just the guy in the chain who tells you what license you are going to need if you choose to go with Palo Alto VM-Series. How they negotiate the license and such is not my department. That is because I do not resell.  

I know what the costs might be and I know it is expensive in comparison to other solutions. I get my licenses from Palo Alto for free because they like me. I have proven to be good to them and good for them. When they have customers that are going to kick them out, I can go in and save the account.  

I will tell you, they do practice something close to price gouging with their pricing model, just like Cisco does. When I can go out and I can get an F5 for less than half of what I pay for Palo Alto, that is a pretty big price jump. An F5 is really a well-regarded firewall. When I can get a firewall that does twice what a Palo Alto does for less than half, that tells me something.  

Sophos decided that they were going to play with the big boys. So what they did is they went in and jacked up all their prices and all their customers are going to start running away now. The model is such that it is actually cheaper to buy a new firewall with a three-year license than it is to renew the Sophos license of the same size firewall for an older product. It sorta does not make sense.  

I make recommendations for clients so I have to be familiar with the firewalls that I work with. In essence, I evaluate them all the time.  

I work from home and I have two Cisco firewalls. I have a Fortinet. I have the Palo Alto 500 and I have a Palo Alto 5201. I have a Sophos. My F5 is out on loan. I usually have about eight or nine firewalls on hand. I never go to a client without firing up a firewall that I am going to recommend, testing it, and getting my fingers dirty again to make sure I have it fresh in my mind. I know my firewalls.  

The VM-Series are nice because you can push them into the cloud. The other nice thing is whether you are running a VM-Series or the PA-Series, we can manage it with one console. Not without hiccups, but it works really well. Not only that, we can push other systems out there. For instance, for VMware, we are pushing Prisma out to them. VMware and the Palo Alto VM-Series do really well with Prisma. The issue I have with it is — and this is where Palo Alto and I are going to disagree — they are not as good at SASE (Secure Access Service Edge). I do not care what Palo Alto says. They do a poor job of it and other products do it better.  

Palo Alto claims it is SASE capable, but even Gartner says that it is not. Gartner usually has the opinion that favors those who pay the most, and Palo Alto pays them well. So when Gartner even questions their Secure Access Service Edge, it is an issue. That is one of those places where you want the leader in the field.  

From my hands-on experience, Fortinet's secure access service edge just takes SASE hands down.  

My first lesson when it comes to advice is a rule that I follow. When a new version comes out, we wait a month. If in that month we are not seeing any major complaints or issues with the Palo Alto firewall customer base, then we consider it safe. The client base is usually a pretty good barometer for announcing to the world that Palo Alto upgrades are not ready. When that happens, making the upgrade goes off our list until we hear better news. If we do not see any of those bad experiences, then we do the upgrade. That is the way we treat major revisions. It usually takes about a month, or a month-and-a-half before we commit. Minor revisions, we apply within two weeks.  

I am of the opinion right now that there are some features missing on Palo Alto that may or may not be important to particular organizations. What they have is what you have to look at. Sit down and be sure it is the right solution for what you need to do. I mean, if the organization is a PCI (Payment Card Industry) type service — in other words, they need to follow PCI regulations — Palo Alto works great. It is solid, and you do not have remote users. If you are a Department of Defense type organization, then there are some really strong arguments to look elsewhere. That is one of the few times where Cisco is kind of strong choice and I could make an argument for using them as a solution. That is really bad for me to say because I do not like Cisco firewalls.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the Palo Alto Networks VM-series as an eight-out-of-ten.  

The primary use case involves using next-generation firewalls, hardware, VM-Series, Prisma Access for SASE solutions, Prisma Cloud for cloud security posture management, and Cloud Workload Protection. It's used primarily for securing customers' virtualized data center environments as well as public cloud environments.

The additional visibility, which was lacking with cloud-native tools, has improved the organization's cloud security posture. Advanced enforcement and granular security controls help manage potential threats.

The most effective feature for threat prevention is the threat prevention model in the VM-Series. This is bundled with advanced URL filtering, decryption, and wildfire sandboxing.

If additional web application firewall capabilities could be integrated into the existing firewall, it would negate the need for additional products.

I've been working with Palo Alto VM-Series for at least five to six years now.

We haven't had challenges with failovers yet.

We've controlled the scalability via VMSS in Azure, using auto-scale groups in AWS. It's quite seamless, though there's room for improvement in cost management, especially during traffic spikes.

The technical support is great. We've had no challenges and there are established channels for customer success and professional services.

Positive

In the past, I used to work with Check Point, but haven't worked with them lately. Given the support from Palo Alto, there hasn't been a necessity to explore others.

The integration process involved using a Panorama setup for centralized firewall administration, transitioning from cloud-native firewalls to VM-Series.

We are primarily a consulting firm and reseller, so we've had significant involvement in the process.

The solution tends to add to costs especially when scaling, although measures like using large compute instances minimize the need for scaling.

Potential competitors mentioned are Check Point and Cisco but haven't been evaluated recently.

For straightforward firewall inspection and basic IPS, IDS requirements, native firewalls might suffice. For more advanced needs, using VM-Series or Palo Alto Firewalls is recommended.

I would rate it an eight out of ten.

Public Cloud