186589 Views, 103 Helpful, 84 Replies

ASA's vs Palo Alto firewalls?

Andy White
Level 3

Hi,

We use ASAs and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Has anyone ever used a Palo Alto firewall? I can't find any comparison documents. I know the sales guys will say Palo Alto firewalls are better than Cisco because...... I need some backup for Cisco.

http://www.paloaltonetworks.com/products/

84 Replies

I've purchased, installed, and/or migrated to/from PIX, ASA, Checkpoint/Nokia/Crossbeam/Solaris/SPLAT, Netscreen, Juniper SRX, and Palo Alto Networks.

Some of them have advantages over others for sure, depending on what you want to do, especially when some migration has to occur; you find out who's the easiest to manage and who's the nightmare.

PaloAlto is by far the easiest, cheapest, most enjoyable box to use.

With one Palo box you can replace IPS, VPN, firewall, and proxy at a fraction of the cost.

The fastest IPS in existence is only 20Gbit, that being Sourcefire, which will cost you $400k for a cluster; Palo Alto is $90k and you get more than just an IPS.

The entire configuration, rules, objects, users, interface IPs, is located in one editable text file. Try that with Provider-1 or some Linux firewall, no chance. And it's not ugly like a FreeBSD firewall, yuck.

When using stateful, primitive firewalls you are not protected, your customers are not protected, because ports and protocols don't matter anymore. With protocol tunneling and other evasive apps, ASA and all the older firewalls have no idea what is happening.

IPS products have the same limitation: they are watching for a port to determine the application, to which they then apply a signature or filter.

Palo Alto is as easy to use and configure as a Netgear router that you get from Best Buy. I've deployed one out of the box in 5 minutes; that can't happen with any other firewall.

When you look at documentation you find ASA has 50 pages just for HA configuration!! Palo Alto is 9 pages, and really only 2 pages that are relevant to active/standby, because it's that easy! You just check some boxes and go.

Most firewalls require years and years of practice and a team of people that basically have to have a bachelor's degree in the product (ASA or Checkpoint) to be able to do a deep dive and troubleshoot the thing, which is why security pays so well I guess.

NSS Labs' highest rating for an unconfigured firewall speaks volumes of a real test, not like Gartner, which is a popularity contest.

Worst firewall ever: Juniper SRX. Take Netscreen, whose CLI guide was 6000 pages, and grow that 4 times. Incredibly complex; I went back to CLI management instead of GUI for ease of policy modification. Why make it so hard and make you get a degree in the product just to be able to manage it? I will never use one of those again.

ASA cannot do app inspection. For instance, just recently I had to disable SQLnet inspection on a 5540 because developers were running a job that was failing after 8 hours; once I disabled that inspection the job finished in 30 minutes! That means ASA cannot inspect traffic like you would want, not even one app! Palo Alto can inspect all apps all the time on all ports with no performance hit. The magic of the product is a total redesign and ignoring ports and protocols, enabling them to focus their ASICs in another area.

Checkpoint can't do app inspection either. If you tried to turn on SmartDefense the firewall crumbled, and what are they looking at anyway, to see if the right flags are set in the TCP header? That's not inspection as far as I'm concerned.

Whoever mentioned PBR: no firewall supports asymmetric routing.

I just found this article and learned a couple more things even: http://josteinnymoen.files.wordpress.com/2011/02/fact_v_fiction_competing_with_checkpoint_applicationblade.pdf

If you're like this UNIX admin I met once you might like primitive-looking old style CLI firewalls (I'll bet he doesn't surf the internet via command line). The guy wanted it to be as painful as possible because that's what he was used to. Well, I got used to black and white TV but I'm not going back and leaving my high-def TV/Palo Alto firewall now for nothing!

~NN

Nate - are the Palo units now fully fledged proxy servers as well?

It obviously won't be anywhere near as good as the palo's! But either way just to ensure a fair playing field:

http://www.cisco.com/en/US/prod/vpndevc/ps6032/ps6094/ps6120/context_aware_security.html

Our end solution of ASAs, Checkpoints and McAfees is working very nicely, btw.

Also nice to know that we have a multi-vendor set-up which is solid from a security perspective.

Regards

Hey Ben - The Palo units are a full proxy; if I remember they use BrightCloud for URL categorization? After having set up and supported many Bluecoat and NetCache proxies, it's just another device you have to support and deal with and hope you remember all the commands after having not used it for a year. They don't do reverse proxying and are not a load balancer.

But they do have FIPS compliance capability; don't know much about that because I've never used that gov't sector stuff.

One thing I'm REALLY VERY tired of is new platforms coming out and having to learn them, entirely new OSes and their packages.

Palo Alto has brought out a NAC solution inside their current firewall, which seems like a lot of stuff, dang. But I looked at that link you posted and I laughed a little... haha, it's exactly what I've gotten used to with Cisco: another brand new platform unlike anything you've seen and are used to that is highly complex. I looked at the admin guide, and did you see what's involved in setting it up? Tons of config on switches at multiple layers. Oh, and it's not a firewall or proxy, it's a NAC product.

The other thing the link talks about is SIO; that's just Cisco's SOC. Everyone has a SOC like that, I mean it's not unique.

Also, that link to the Cisco Mobility solution requires a client to be installed on every phone!! Now you need a team of people just to support that infrastructure and client phone issues; start hiring now. Don't know if Palo Alto has a mobility thingy, but if it does it would never use a client install; that goes against cutting edge thinking.

The past of Cisco security products will tell you the future:

MARS: bankrupt SIEM product that is gone, so what are 100% Cisco shops using for consolidated logging? Probably nothing.

CSA: discontinued, absolute admin nightmare.

If you are going to look at NAC, either Palo or Forefront would be my personal choice. I like my daily work to be easy, enjoyable, understandable. I don't want to have to spend the rest of my career reading PDFs just to understand yet another security platform that is totally unique.

That means that ASA is a stateful firewall, a technology built in 1993, technology that hasn't *actually* advanced in 19 years. ASA = dinosaur.

If you want to use ASA SSL VPN, good luck! You can't, because they only have a couple of plugins, which means if the app you want to use is not browser based it will not work. They have plugins like RDP, Java, blah, etc., just a couple, not enough to actually use the product. I've installed over 30 ASAs so I understand what they are good/not good at.

Using a PA NGFW is so easy it requires NO training at all, just a familiarity with basic firewall rulebases and how they work top to bottom so you don't tank something.

.

I've used them on a full time basis. Is the box you bought big enough? If you're having capacity issues, that's the problem.

If you don't like PA, what firewall would you replace it with? This I'm excited to hear...

I haven't used the VPN client component, so maybe it's no good.

.

Hehe, no I don't work for Palo Alto, I work for a Fortune 50 company. I assumed you were having a capacity issue because it sounds like one and.... I read it in your earlier post. If I take a piece of equipment and hammer it beyond what it's capable of, the box is going to have issues.

Maybe you have a bug, I don't know; haven't used the VPN section at all so can't say, haven't used the NAC part. What I do know is the other firewalls ain't so hot in my experience. What firewall would you prefer?

Torex - Whether the firewall hide-NATs addresses for URL filtering or proxies them by creating a new connection doesn't matter to me; the end result is the same, soooo your point is?

Nate,

I'm sorry to say, the Palo Alto is not a proxy, neither is the ASA or most other firewalls. They don't break the connection to set up one from the box itself, except for the SSL inspection function. The MS ISA or Forefront TMG is an example of a proxy.

I'm using Palo Alto as well as ASA and can agree with most of the discussed items in all of the messages above. But the way you state it is totally exaggerated. And saying something about the Cisco SSL VPN while the PA VPN has the least functionality of them all makes no sense.

Regards,

Albert

ROBERTO GIANA
Level 4

Hi

I think the real answer from Cisco to Palo Alto is the ASA CX. It goes pretty much in the same direction. ASA CX is a blade that will run on the ASA5585-X platform. Hopefully the ASA PMs will realize that the market is waiting for this on ALL(!) platform sizes.

A short intro into ASA CX can be seen here in this video:

http://www.youtube.com/watch?v=4yYlJnJhTVg

Regards

Roberto

MooreIT01
Level 1

In my previous company experience I used the PA-2050 (which replaced an ASA 5510) and supported about 300ish users with that. We had about 12-15 folks using the SSL VPN client with no issues while I was there. Our WAN was a hub and spoke with the corporate office housing all of our data. At that time all Internet traffic came back across the WAN and through the PA box. We were fairly simple with only a few site-to-site VPNs and maybe 30 or so policies / ACLs governing traffic. I have not been formally trained on Cisco security equipment and will readily admit that I have very basic skills in regards to network security. Like most folks I wore (and still do) many hats with lots of other responsibilities requiring my attention. What led me to the PA box was a desire to add content filtering (actually it was management's desire) and some type of IPS. In looking at competing options (Websense mainly) it was actually cheaper to go with the PA, and with my skill set it was easier to go with the PA. At that time at that company costs were everything; I liked (and still do) Cisco equipment, however many times my choices were to go with a competing product because of costs or don't do it at all.

Thaer Ontabli, if you have specific and detailed experience with the PAs then it might be helpful to disclose which models you're using and the environment you're using them in. When I research the Palos now it's very difficult to find actual usable information (i.e. real world), so I think most folks would be glad to hear your specifics. There's a lot of marketing speak around the PAs; they need to open up their support forums (or at least have a public side to them) so that folks can learn from others' experience.

On the URL filtering issues pointed out, I run into the same ones with Websense and the company I'm at now. I'm just not 100% confident of the results (could just be me though) and would have a hard time saying to a manager "yes you should fire that employee because they spend all day on facebook". It's more of a "use this information in conjunction with your own, then come to a decision". My guess would be that since both companies are using an agent that looks at your DCs' (Active Directory, that is) security logs, it's only as clean as AD is as far as how it tags users to traffic. I could be wrong, and frequently am, though.

The new ASA line (available now) plus the new "application aware" code (not available yet) are very exciting and it will be nice to see folks' experience with those. If the original poster is still looking to decide between the PAs and the ASAs then these might help to sway things in his favor. It would help also if he would disclose what exactly they were looking for: is it a "UTM" type device? Do they need IDS/IPS, AV scanning, URL filtering etc., or are they just looking for a firewall? Honestly, if he's just looking for a firewall then the new 55XX-X would make a lot of sense to me. I did and do still like the PAs, but "real world" is looking at what fits for your company and you as the admin and making a decision based on that. A lot of the discussions surrounding the PAs right now sound eerily similar to "Apple" versus "Android" etc. debates (with a lot of passion on the PA side) and it's just silly. More details, less marketing slides please...

**EDIT** Just went back and read through the whole thread; looks like at the time (2010) the original poster did have URL filtering and IPS. My guess is they've already made a decision, but it would be nice to hear which way they went and their subsequent experience. If they were making this decision right now then I think the ASA 55XX-X would make the most sense, at least that's where I would be (even liking the PAs as much as I do). We're facing a similar decision where I'm at now, and if Websense wasn't so dang expensive the decision would be easy: just replace our PIXs with the new ASAs -- yeah, that's right, I said PIXs. However, looking at the Websense renewal has us asking what else is out there, is it better, and is it cheaper. Cisco's answer to that is either IronPort (on premise appliance) or ScanSafe (cloud based). My guess would be that the IronPort is probably in line with Websense, and previous experience with a cloud based filtering solution left me with a bad taste (MX Logic / McAfee).

Nate Newman:

Your comment "PaloAlto limitations, max size 20GB box, support dept needs some redoing, rebuilding, something major." is really striking.

A product is only as good as the TAC support of the product. That's one of the reasons why people like Cisco products. The product itself may not be good, but you can feel confident that if you need technical support, Cisco TAC will be there to work with you, and if you have Advanced Network support, you will get excellent support from Cisco TAC, an added bonus.

If Palo Alto can not provide that kind of support, why even bother with the product in the first place?

Thaer Ontabli:

Please disclose your specific and detailed experience with us here so that we can learn from it. Most of us do not get inside information on a particular product when we make a purchase. Most of the time, we get a sales pitch from an SE who is usually clueless and just repeats what they learned from the brochure. If you can share with us your particular experience, that will help everyone here. You can attach the ticket number if that is possible.

Agreed with David.

Product should only be evaluated on the following factors:

Tech support and its availability

User experience / online docs, forums

Any vendor claiming specific features should have users who can confirm that it was proven under the specific conditions of their experience.

Where does "how it works for you" fit into this ?

To me that is kind of important. Being able to call 1-800-553-2447 in my sleep may not be a good thing. I can still tell you the local Range Rover service department phone number 12 years after I owned two, but it is not because they kept giving me free beer on Fridays.

Along with most every other model we have 5550s with VPN Premium licensing. We used to run ICA & VoIP traffic with QoS through them. Frequently around 9 am in the morning the traffic levels would hit 150 Mb (yes, 150 Mb) and cause reboots of the primary ASA, which would fail over to the secondary, and traffic would climb back to 150 Mb and reboot again - luckily the original primary was back up by now most times.

We had to set the switch ports feeding the ASAs to 100/half to keep them functioning [I was the one with the blue cable] until ...

we had the opportunity to re-engineer our ICA environment with 4 Netscalers instead of CAGs and bypass firewalling our VoIP.

All the support from TAC didn't help us one bit other than to tell us our box was rebooting.

I like Cisco security products - I went to the '99 Denver Networkers talk by the folks from the Wheel Group (great.. party) but sometimes they don't do everything you want or need.

Robert,

If the ASA crashes, it will generate a crash file that can be reviewed by one of the Cisco TAC firewall engineers like me. I find it hard to believe that somebody at Cisco would just say "it's crashing" and that's it. Did you have a ticket open? If so, what's the ticket?

Mike

Mike

Sure it did - bunches of times - and we did have a ticket(s). The issue did get resolved. It was an SSH bug along with some level of QoS stuff. I'm the guy who had to set the 6509 ports to 100/half duplex to keep the 5550s from crashing enough so we could work - I remember it well.

We stopped running LAN/Wifi voice through the ASAs - we still don't do this today; we do PBR to manage this differently, and soon I will have to move this bypass functionality (we call it the voice bypass network) to a pair of Nexus 7010s instead of the 6509s that skip the ASAs (this decision will never be revisited, thank you) - and we purchased 4 Netscalers to be able to have internal VIPs vs DMZ VIPs (the DMZ CAGs would flap and become unreachable ...) for 1500+ simultaneous users, and we did not run LWAPP mobility anchor traffic through them either, although we do now. Again, I know, the Netscaler NS7000s I support go end of life April 1, 2013, and I help ride herd on our mixture of 10 WiSMs and 5508s - I'm the guy typing the "config t".

This was the single most expensive and far reaching bug I have ever been associated with or heard of. I suspect the entire Netscaler implementation and support costs - we just migrated the Netscaler 4.5 WI servers to 6.5 (works great) - over time ran us easily in excess of 2 million dollars, and over the next 5 years would add another 1.2 million just in Netscaler hardware/support costs.
