ASA 5585X vs Palo Alto 3020 - differences - help needed understanding
06-25-2014 10:37 AM - edited 03-11-2019 09:23 PM
I was hoping to get some clarifications on the ASA technology vs the Palo Alto 3020. Below are the specs from the website for the 3020.
Questions
1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9. Correct?
2) The ASA doesn't have zones, only Security Contexts, right?
3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.
Thank you,
Palo Alto PA-3020 Hardware Firewalls
• 2 Gbps firewall throughput (App-ID enabled)
• 1 Gbps threat prevention throughput
• 500 Mbps IPSec VPN throughput
• 250,000 max sessions per second
• 50,000 new sessions per second
• 1,000 IPSec VPN Users
• 10 Virtual routers
• 1/6 virtual systems (base/max)
• 40 security zones
• 2,500 max number of policies
06-26-2014 01:52 AM
1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9. Correct?
No, the 5525X with a 10 context license would be a more accurate match for the Palo Alto settings you posted. The only difference would be the new sessions per second is 20,000 on the ASA...all other stats match.
2) The ASA doesn't have zones, only Security Contexts, right?
Correct, the ASA contexts are virtual firewalls, though a secure zone and a non-secure zone would be defined either by a security context or by security levels on the interfaces (accompanied by ACLs).
3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.
This I am not sure of, as I am not very familiar with Palo Alto...yet ;-) But for a little explanation, the ASA is a firewall with some routing capabilities, and each context has its own routing table. So I would assume that virtual routers and virtual systems could be combined into what the ASA defines as a security context. Cisco routers have zones defined when using the zone-based firewall; however, the ASA does not define security zones in the same way. Zones on the ASA would be the administrator defining an interface security level, or a context, and defining the network connected to the interface or context as being a highly sensitive subnet, regular user subnet, internet...etc.
--
Please remember to select a correct answer and rate helpful posts
07-01-2015 05:27 PM
Hi ,
I believe that the ASA 5585-X does not support traffic shaping the way Palo Alto is doing?
Thanks
07-01-2015 11:38 PM
Both the ASA and PA support traffic shaping. This is actually a great feature to limit unwanted traffic too - if designed correctly.
As with Cisco and Palo Alto, the higher end hardware will obtain better results for traffic shaping.
Hope this helps!
Ricky Boyd
CCIE 2901
Security and Data Center Consultant
Dimension Data
07-02-2015 01:43 AM
Hi,
In Palo Alto we can create 8 classes where we can give priority (high, low...) and Egress Max and Egress Guaranteed. Is it possible in the same way?
Moreover, based on the application (for example Skype, Windows Update) we can limit the traffic.
Thanks

10-05-2015 12:42 PM
I don't think the Palo Alto chassis setup is redundant. You have to buy 2.
With the 6500, 2 sups, 2 ASA-SM, 2 Line cards, 2 power supplies in one box!!
Also, the Palo Alto only supports 64k prefixes.
My .02 worth
Frank
11-24-2014 10:26 PM
I have used Palo Alto firewalls extensively in the past and have also used ASAs since inception.
Questions
1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9. Correct?
The correct firewall to size against the PA-3020 would be the ASA 5585-X SSP-20 w/ FirePOWER Services. An important thing to note is sizing needs to be with full Application/IPS detection. Here is a great reference: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-732253.html
2) The ASA doesn't have zones, only Security Contexts, right?
Both the ASA and Palo Alto have similar zones and virtual firewalls you can bring up. The wording is a little different but they function similarly.
3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.
Cisco leverages 'contexts' while Palo Alto leverages 'VSYS'. Here is a reference for ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html#wp1002608
Here is the reference for Palo Alto: https://live.paloaltonetworks.com/docs/DOC-3892
I hope this helps.
Ricky Boyd
CCIE
Please rate if helpful
10-05-2015 10:54 AM
I believe starting at version 12.4(6) and version 15.x Cisco does support zone based firewalls
Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
