04-01-2010 03:43 AM - edited 03-11-2019 10:28 AM
Hi,
We use ASA's and I really like them, however our boss has invited someone from Palo Alto to introduce teh Palo Alto firewall range, why I don't know. Anyone every used a Palo Alto firewall, I can't find any comparision documents, I kow the sales guys will say Palo Alto firewalls are better than cisco because......I need some backup for Cisco
http://www.paloaltonetworks.com/products/
Solved! Go to Solution.
04-09-2010 12:41 PM
I went to a presentation by Palo Alto ("PA") some time ago. I was pretty impressed at the time.
They are still a relatively small, unknown player with an impressive product. However they have a number of challenges to overcome. First, they do not have any little firewalls. There is no such thing as an "ASA 5505" equivalent here, or even an ASA 5510. All of their firewalls are designed to handle a lot of traffic and are priced accordingly. Therefore, there is no little firewall they can sell for a low cost for a company to "Get used" to the solution and kick it around. Implementing Palo Alto is therefore going to be seen as a "risk" for a significant outlay of cash (always important in the current economy).
Compounding this problem is that Palo Alto sells their solution as a replacement to "Traditional" firewalls, which they see as inadequate. They have a pretty convincing argument, however, it is basically a Rip and Replace selling strategy. That is going to encounter resistance when there is significant investment already outlayed in current firewalls. The ROI here is that PA has to bring in something really significant and necessary, and most companies, or engineers who like this solution, will probably be looking at a potential IDS (for example) deployment and decide to try to implement PA instead of IDS, getting the funding that way, and then slowly replacing the Traditional Firewalls with the PA.
PA also has an uphill climb when it comes to government (or government dependant) deployments. As another poster mentioned, Common Criteria is a factor, as well as the myriad of regulations surrounding audits that are already designed for Cisco firewalls (or Juniper), and not for smaller players.
And lastly, as mentioned, PA has Cost issues. They are NOT cheap firewalls. If you have a need for a small firewall connected to, say, a small remote office... PA has no solution there for you (or at least they did not when last I was looking at them). If you are a small company, you will probably not be able to afford the PA Solution (or rather, decide to go for Cisco's "Toyota" rather than PA's "Rolls Royce").
All that said, the PA firewall is extremely powerful, looks easy to manage, and has capabilities that other vendors don't seem to equal right now or require lots of other bolt on solutions. As always, examine your requirements and your budget.
04-10-2010 11:55 AM
I got some exposures to Palo Alto Firewall back in August 2007 when this product was relatively new at the time. The product has some really good new features but also some of the down sides as well. We were looking at Palo Alto as a possible replacements of our existing firewalls at the time. When looking at Palo Alto firewalls versuses Cisco Checkpoint, Juniper firewalls, you need to keep these things in mind:
- There are no low-end Palo Alto Firewalls. Unless you have a big IT budget, Palo Alto is not for you,
- Day-to-Day operation. It is very difficult to find IT people with good Palo Alto firewall skills. You're pretty much at the mercy of people who are responsible for maintaining your Firewall/security infrastructure. If you use Cisco, Checkpoint and Juniper firewalls, there are a lot more people on the market with these skills. If a firewall engineer leaves the company, that person can be replaced much more easily than someone with Palo Alto firewall skill.
- Vendor support. Cisco TAC support, IMHO, is the best. Checkpoint and Juniper TAC support is also very good as well. I can not comment on Palo Alto support because I have not worked with them but I can comment on Riverbed Steelhead TAC support. It is not as good as Cisco TAC. This is because of the size of the companies such as Cisco, Juniper and Checkpoint. The resource is much bigger and better. Small organization can not provide that.
- customers base. The number of customers that use Palo Alto is very small compared to Cisco, Checkpoint and Juniper. Therefore, it is much harder to find bugs/issues and the fix may take longer than other firewall vendors because the customer base is quite small.
my 2c.
04-11-2010 01:50 PM
There is no doubt that PA is smaller than Cisco. But, like I said in my earlier responses today to trustcisco and dpalmero, if your goal is to protect your digital assets, you need a firewall like PA. Gartner calls it next-generation. If you want the details on that, look for Gartner’s October 2009 research report on next-generation firewalls. While I think we are going to be stuck with the term, “next-generation,” the issue is how packets/sessions are analyzed. I like the term, “AppFirst” because it’s technically meaningful. All firewall vendors are going to start using the term "next-generation" because Gartner is.
The question is, does your firewall first discover the application of the session and then execute policies based on the application (preferably in a single pass)? Second, does the firewall continue to monitor the session looking for changes in the application and react to those changes? Third, does it do this at speed with low latency?
As to support issues, I think PA has gotten to the size (1,100 customers) that you can probably find people you know who are using PA now and ask them. BTW, many of them are using PA in conjunction with (behind) Cisco, Juniper, or Check Point. So rip-and-replace is surely not the only deployment strategy.
04-11-2010 05:09 PM
We are going to replace our existing firewalls next year and I am going to checkout Palo Alto Firewall as a possible replacement by looking at it again.
When I first looked at it in 2007, the customer-based for Palo Alto was less than 10 customers, the management piece for Palo Alto, Panorama, was pretty lousy and slugglish at the time. May be the product has lot of improvements since.
I will say that if I interview someone for a Firewall Engineering position, there is about 100% probability that he or she knows Cisco, Juniper or Checkpoint firewall technologies. I've NOT met anyone with extensive experiences with Palo Alto firewalls yet. That makes management nervous about replacement existing firewalls with Palo Alto firewalls.
Last but not least, your comment regarding "if your goal is to protect your digital assets, you need a firewall like PA", that is very mis-leading.
Your "digital assets" can be protected via IPS and most importantly, Data Loss Prevention (DLP) devices.
04-11-2010 01:31 PM
Please review my response to trustcisco from this morning. PA brings something truly new to the table – it can actually protect your digital assets. Traditional stateful inspection firewalls are practically useless in the face of the hundreds and hundreds of port sharing and port hopping applications which most exploits are leveraging to gain access to your digital assets.
Regarding PA being unknown, I would say their appearance as a Visionary on Gartner’s 2010 Enterprise Firewall Magic Quadrant is going to change that. Furthermore, if you analyze what Gartner wrote about PA and the other firewall manufacturers, it’s clear that PA is the only one that meets Gartner’s next-generation firewall criteria.
As to Roll Royce, I would beg to differ. For most mid to large organizations, PA is going to save you money. First, there is appliance consolidation – firewall, IPS, proxy server, and URL filtering. Second, there is policy management simplification and improved responsiveness to the business units we serve.
In conclusion, Cisco's next firewall must be AppFirst.
04-13-2010 12:33 AM
Thanks for your answer Bill, i have read on PA's website about https inspection. Is it true ? and if yes what is the technology used to inspect encrypted traffic ?
04-30-2010 07:06 AM
I've just been through the process of looking at our corporate firewall replacements - To sum up we currently run about 50 clusters of ASA's with AIP SSM-10 and 4 corporate Checkpoint clusters. It's the checkpoints we are looking to replace.
My view of the PA units are:
Good
Powerful units
Well thought out design (built ground-up to do it's job).
Easy to Manage.
Layer 7 Firewalling - really will be the future IMO.
As with cisco I think you can believe the throughput stats.
Bad
No certification full stop! fips / common criteria all missing.
Support and lack of advanced training.
Expensive.
It's quite often sold as a proxy server - PA needs to ensure that this practice does not happen as all it is on that basis is a url filter (US based). We wouldn't call the ASA a proxy server.
It's IPS/IDS credentials still need further testing in the market place.
On a side note - With Checkpoints recent buy-in to the facetime database and soon to be released (2010) "application blade" the primary feature of the PA units becomes shared amongst one of the big firewall players - In fact it's useful to note that whilst PA has approx 950 apps on it's database, Checkpoints will soon have in excess of 5000 apps available to firewall with. Of course it could be said that the PA unit has better throughput....
But if I install Checkpoint on open server platform I can out-perform even the biggest PA unit.
Cisco and Juniper are both playing catch up on the layer 7 firewall at this time. Although it needs to be noted that the Juniper SRX platform is still buggy (move from ScreenOS to JUNOS).
I think possibly the delay from Cisco may have been the emphasis into the server market last couple of years. Non the less I would expect Cisco to soon catch up and provide us all with a true ngfw that covers all our needs alongside the current IPS/IDS. Hoping at least.
End result - I'll put and ASA5520 with SSM-20 facing the internet - Checkpoint cluster with IPS blade with dmz to mcafee webwasher - internal network.
Simples.
Regards
Apologies trustcisco - the PA units use a fairly simple man in the middle attack to decrypt and inspect https traffic. Nothing new - webwasher can cover this in our deployment.
05-02-2010 02:48 PM
Ben, Let me respond to your April 30 post by topics including Policy Management, Fine Grained Application Control, Intrusion Prevention, Latency, QoS, Internal Network Management, Market Acceptance, and Gartner's next-generation firewall analysis. If your organization were to issue an RFP, I believe these topics would be included.
Policy Management - Your Cisco/CheckPoint/Facetime/McAfee solution has a minimum of three points of policy management - Cisco, Check Point, and McAfee. Since the Facetime piece is not shipping yet, it's hard to know what the user interface will be for that. Palo Alto Networks provides a single, unified policy management interface. This will save time/money and enable faster response to business requirements. Depending on the size and complexity of your organization this could be significant.
More specifically, you will still need to manage IP- and port-based rules on the ASAs and probably on the Check Points. PAN will allow you over time to reduce, if not eliminate entirely, IP- and port-based policies. This will dramatically reduce the number of rules needed to implement policies and also enable auditors to more easily determine if the firewall rules actually reflect the organization's policies.
Fine grained application control - While Facetime may have more applications identified, PAN provides more fine grained control of major applications like Facebook. Facetime's Application Guide lists Facebook as one application. PAN's Applipedia shows Facebook, Facebook-apps, Facebook-chat, and Facebook-mail. Therefore you could build a PAN rule allowing Facebook mail and chat but not apps like FarmVille or MafiaWars. This is especially important if your organization wants sales and marketing to interact with Facebook's 400 million users, but not to waste time on games. Furthermore you could allow Facebook-mail but no attachments. We'll see if the CheckPoint/Facetime solution will have this fine grained control. Also, will the CheckPoint/Facetime solution support SSL decryption? If so, what will the performance hit be?
Intrusion Prevention - While Facetime may have more applications identified, how will this be integrated with the intrusion prevention technology Check Point acquired from Network Flight Recorder? When PAN identifies an application, it only checks the vulnerability signatures associated with that application (and of course those related to the underlying protocol). This approach means you don't have to manually "tune" the IPS. My final point on this - put PAN behind Cisco/CheckPoint/Facetime/McAfee and see what additional visibility it provides.
Latency - Your Cisco/CheckPoint/Facetime/McAfee solution could require four or more passes in each direction. PAN is a single-pass process no matter how many features you turn on. PAN's appliance is not a standard Intel server architecture, but specifically built to provide low latency.
QoS - PAN enables you to allocate bandwidth based on application or application category. Will the CheckPoint/Facetime solution? And how will you manage QoS among the Cisco, CheckPoint/Facetime, and McAfee components?
Internal network management - PAN's higher througput capabilities will allow you to use it for internal segment application and user control. For example you could create a policy restricting access to financial databases to only those groups (as defined in your directory service) who need access. And PAN enables you to create multiple virtual firewalls to simplify policy management. While Check Point has this capability, I believe it's only on their high end VSX models.
Gartner analysis - In Gartner's 2010 Enterprise Firewall Magic Quadrant report, PAN is the only firewall that meets the next-generation requirements it established in October 2009. Your point about Cisco and Juniper catching up - perhaps in a couple of years. But don't assume that PAN will stand still. Also, you surely realize that Cisco and Juniper are really focused on bigger markets than security.
Advanced Training - It is my understanding that PAN does now have advanced training.
Support - The feedback I've gotten from customers, while anecdotal, is very positive.
Market acceptance - I believe that PAN has over 1,300 customers now. While still small compared to Cisco, Check Point, and McAfee, it's significant. In fact, let me put this in the context of the "technology acceptance curve." PAN has passed the Early Adopters phase and is now selling into the Early Majority. Organizations who are culturally Late Majoritymay not be ready for PAN at this time. I don't say this in a judgmental way, but how would you rate your organization?
In closing, at the end of the day, your choice really depends on how you and others in your organization weight the topics I discussed above. I would be glad to continue the discussion off line. I am not a PAN employee.
08-13-2010 05:50 AM
Hi All,
I have worked with PIXes and ASAs for years and since a few weeks I'm having the chance to evaluate a Palo Alto box. Of course the application visibility is something that is unique and stands out.
However, if I want to replace one of my PIX/ASA's with Palo Alto I also have to compare the regular functions like access rules, NAT, VPN and how to configure them. I have tried to configure an IPSec VPN, however I haven't succeeded yet to make it work although I followed the Palo Alto Administrator's Guide exactly. It looks al quite tedious and not logical to me. Of course this could come because of my "Cisco-look". Another example: making a NAT exemption is not clear to me and the PA Administrator's Guide doesn't mention this at all. The Palo Alto Guide on the whole is not as elaborate as the Cisco Configuration Guides are. Also the logging and debugging is not as extensive.
I went to the presentation of Nir Zuk and was very enthousiastic about the concept. Nevertheless I recommend everyone to try and get an evaluation box and experience every aspect by yourself. I still think application visibility is a necessary step in the evolution of firewalls.
Albert Bruggeman
Sr. Technical Consultant
iSOFT
The Netherlands
09-30-2010 11:01 AM
I've been using PIx's and ASA's now for a long time and I'm very disappointed in the latest ASA software (8,3). We're evaluating the Palo Alto's right now and I can tell you it's a dream compared to the ASA. Great management interface, very straight-through configuration for most stuff, pretty intuitive interface etc. And the reporting, Layer 7/IDs functionalities are just awesome. We're considering replacing all our ASA's with the Palo Alto units. I would definitely recommend you guys at least look at them and do an eval.
01-24-2012 10:27 AM
.
01-24-2012 10:27 AM
Thanks Thaer this is useful feedback.
Its interesting that there is a conflict between having "one throat to choke" and "eggs in one basket". I think that from a security perspective its ideal to have a dual-vendor solution and implement security in layers.
I like Palo Alto's vision and view of the future, but my main concerns with them are:
1) No relatively small firewall (say like a 5505) that can be used to implement a gradual implementation
2) Cost is much higher, so the entry into this space is relatively prohibitive compared to the established vendors
3) Relative immaturity of product as some have said with VPN and other functionalities.
However I will continue to investigate them as time moves on to see how they evolve.
01-25-2012 11:37 AM
I've used the PA 2050 model at a previous employer and liked it very much. We replaced an ASA5510 with the device. When we started looking at the Palo Alto device we were looking to add a gateway security appliance (Antivirus, Malware, URL / content filtering) to the network and I stumbled across the PA devices. I looked at Websense right away however to make it work in our environment (heavy Citrix Xen App shop) it was going to be very expensive (not that the PA's aren't).
I did the PA web demos and got an eval box then made the decision from there. I won't say it was extremely easy to manage however it was better than the ASA in my opinion and I am by no means a PIX / ASA expert (I would even classify myself as lower middle on skill set). I was able to move all of my existing functionality over (VPN's etc) as well as adding more capabilities (URL and Antivirus). I never realized how many people had that stupid coupon tool bar thingy installed... With my Citrix / TS users I now had the ability to craft separate policies for my Citrix users rather than defining it by the particular server they were one (AD agent and Citrix / TS agent part of the deal with the PA device) which was very nice (they used Bright Cloud for the content filtering at the time I had it, may still).
I was concerned about putting all my "eggs" in one basket as well however the eggs were new to us anyways (URL, Antivirus, SSL VPN, etc) and I was glad to have one vendor to deal with. Sometimes being under one person's mercy is as good as or better than being under several folks. If it were up to Cisco we'd be under their mercy solely (ASA, IronPort, IPS, etc). As far as support goes I used several lines, the reseller who installed the device for us, their actually technical support (which was 24/7 by the way), and their user forums (lots of config docs there). I got help when I needed from all three sources. I did have to wait a while for a 64 bit Citrix / TS agent however it came out within the timeframe support said it would and it worked without a hitch. Something to note, the URL and Antivirus options are subscription based in addition to the firewall price so if you have those solutions in place already you don't need to buy them if you want to keep using them.
In regards to the SSL VPN capabilities I found them a little lacking as well. I didn't have the issues described above however it's a very basic client based VPN only, no office portal type capabilities. With that said you do get almost unlimited (limited by device model) usage for free (no per client licensing), well its part of the overall price that is. To me that capability definitely seems like an add-on rather than something that was designed with the whole device. However I would think a Juniper or even Sonicwall could fill that gap if it was needed.
The Camry versus Roll's argument actually seems valid to me, I do think the PA is a better firewall overall than the ASA however if you've already got an investment in those other services (IPS, Gateway Antivirus / Malware, URL / Content) something like an ASA might be the best option if all you need is a firewall. Palo Alto has recently expanded their product line to include the PA 200 (smallest model, next is the PA 500, 2020, 2050, etc). However having a PA device doesn't exclude you from using an ASA 5505 at your branch offices, if all you need is a Site to Site type VPN.
I would say at a minimum they are worth a serious look, read their public docs, watch some of the demo's, schedule a demo to get specific questions answered, get an eval unit seems like fairly easy things to do.
02-02-2012 09:30 AM
I have been using the PA's for two years now ( not by choice) I do have to say the PA's have a better user interface compared to the ASA and that is about it. their phone support is lacking I have waited more than 4 hours for a call back nor is there away to escalate a case over the phone has to be through email which doesn't help if your firewall is down, PA's response to me on escalating a case over the phone Buy an air card so you can escalate through email also my PA's are running at 75% cpu usage with 90K connections where my ASA has 8M connections and the CPU is running at 20%.. all in all the PA's are for small Business that cannot hire a truly trained firewall staff
03-08-2012 07:52 PM
.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide