ASA's vs Palo Alto firewalls?

Andy White
Level 3

Hi,

We use ASAs and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Has anyone ever used a Palo Alto firewall? I can't find any comparison documents. I know the sales guys will say Palo Alto firewalls are better than Cisco because...... I need some backup for Cisco.

http://www.paloaltonetworks.com/products/


I've worked with ASAs, Juniper SRXs and SSGs extensively. And now also Palo Altos.

In summary Palo Alto blows everything away, and the ASA is the worst of the lot.

Palo Alto is a next generation firewall so can do policies such as source ip/port to destination "facebook". It also runs BGP which is not available on the ASAs. Check Points are also nextgen firewalls, but I haven't worked with them.

Unfortunately Cisco does not have a NextGen firewall yet.

Maykol,

Might I suggest that you stop posting to this thread?

What the previous poster meant by "facebook" was that even if you ran http over port 22 or udp 53 the Palo Altos are able to determine that you are interacting with facebook and not some weird SSH or DNS queries.

You can even go there via ip address and point your PAs to bogus DNS servers so they can't figure out who you are talking to ... but they do anyway.

Further, the Palo Altos can determine if you are doing Facebook mail or some other area (there are like 20 flavors of just Gmail stuff) and permit or deny those very small subsets, and they do not do it by just portions of the URL. I am adding this because I do not know how they do it, I just know that they do ... and it works ...

ASA: fast boxes, sure. Simple NAT rules, yep. I like the new 55xx-Xs.

Ability to sort the ACL rules on an interface - nope. Ability to sort the rules at ALL? - nope.

Act as both L2 & L3 at the same time - nope. Active/Active without multiple contexts on all versions of the platform - nope (this wasn't so bad when you could buy a FO-BUN box, but now even the standbys cost as much as the primary). More than 4 wire speed interfaces - nope; PAs can give you 10 or more, and with multiple DMZ, core, Internet, site-to-site and wireless infrastructure connections it is hard to port-channel a 5520 or 5550 at wire speed to more than a few devices.

I've worked with them since the PIX Classic, but there are some things they just don't do.

Hi Robert,

Just to talk a little about the hostname feature added in 8.4.2 (hostnames in the ACL).

It does not matter which port the connection uses, as the ASA will match the FQDN so it can deny or permit the traffic, so I do not understand what you mean by running HTTP on port 22 or 53, as the ASA will still check and match on the TCP or UDP connection if configured like that. I agree with you that the ASA cannot perform "X", PBR as an example, but you cannot be that negative and not point out the great features it has.

And sure, my friend, you can say a lot of negative stuff about the Cisco ASA, but what about the Palo Alto firewalls? I mean, we cannot point out their negative stuff as we do not know them yet.

Let me know if you don't want me to post back on this particular discussion as well; if that is not the case I will be more than glad to help you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I believe the PAN FW uses application signatures to match traffic, not just an FQDN check. Ex: if you have port 80 open from inside to outside (this is usual for web browsing), it is possible for an inside user to connect to an external server on port 80 using SSH, if the remote server runs SSH on port 80.

Of course then you can do all sorts on SSH, SCP or tunnel traffic to remote servers etc.

The PAN FW will stop this from happening. It will allow a TCP session to be established, and on top of that it will look for the correct app layer request to the remote server. PAN does this by default.

Of course I haven't worked on them long enough to find caveats, but right now I can say there is much better support for ASAs (while I am waiting for the PAN helpdesk to get back to work after the weekend!).
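The point made above (and in the earlier "HTTP on port 22 or UDP 53" reply) is that a port-based ACL and an application-aware inspection can disagree about the same flow. The following is an added example, not code from this thread or from either vendor: a toy classifier that names the application from the first payload bytes and flags flows where that does not match what the destination port implies. The signatures (SSH banner, HTTP request line, TLS handshake record, DNS query header) and the sample flows are constructed here and are a simplification of what a real App-ID engine does.

```python
import re

# What a traditional L4 rule assumes each destination port carries (illustrative table).
PORT_APPS = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first bytes, ignoring the port entirely."""
    if payload.startswith(b"SSH-"):                      # SSH version banner
        return "ssh"
    if HTTP_REQUEST.match(payload):                      # plaintext HTTP request line
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                                     # TLS handshake record header
    if len(payload) >= 12 and payload[2] & 0x80 == 0 and payload[4:6] == b"\x00\x01":
        return "dns"                                     # DNS header: QR=0, QDCOUNT=1 (heuristic)
    return "unknown"


def audit(flows):
    """Return (src, dport, port_implies, observed) for flows whose app does not match the port."""
    findings = []
    for src, dport, payload in flows:
        observed = identify_app(payload)
        expected = PORT_APPS.get(dport, "unknown")
        if observed != expected:
            findings.append((src, dport, expected, observed))
    return findings


# Constructed sample flows: (source, destination port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),         # normal web
    ("10.0.0.7", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),                             # SSH hiding on 80
    ("10.0.0.9", 53, b"GET /x HTTP/1.1\r\nHost: example.com\r\n\r\n"),        # HTTP on the DNS port
    ("10.0.0.3", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),       # TLS ClientHello
    ("10.0.0.4", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                     b"\x07example\x03com\x00\x00\x01\x00\x01"),              # real DNS query
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("port/app mismatch:", finding)
```

A port-only ACL passes all five flows; the payload check reports the two mismatches, which is the distinction the thread is arguing about.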

Tony Ortiz
Level 1

Hey folks,

I, too, as someone stated above, support both ASA and PANs. I own PA-500s, two in an ACTIVE-PASSIVE configuration, one stand-alone at our DR site.

At first, I thought PANs were going to be the answer to all my prayers in terms of handling stateful packet inspection, packet signature inspection, application categorization and identification. If the firewalls worked, it would be unbeatable, and something Cisco hasn't even come close to matching.

However, we purchased these PA-500s 6 months ago, and I still don't have them 100% in production. I'm so busy finding bugs, identifying them, documenting and researching over GOTOMEETINGS with tech support people that they are driving me nuts. Bugs that I have personally found and identified to PAN are:

1) ACTIVE-ACTIVE not supported on PA-500s. A design issue they found after they sold them to me. They stopped saying that on their website, by the way. We found out after we bought them.

2) HIGH-AVAILABILITY bug created havoc for me initially until they fixed it in 4.1.9. They came out with 4.1.9-H1, then -H2 within 5 days after that. Crazy...

3) CAPTIVE PORTAL issues surrounding USER ID agents: they don't work without serious tweaks to work around the problems as they relate to TERMINAL SERVERS and the /ADMIN switch. They had me create work-around rules to compensate for the bug, later identified as a design flaw that they admittedly stated they have no intention of fixing.

4) Upgraded the firewalls to 5.0.0, then 5.0.2, hoping to save myself some work. WHAT A FRICKEN MISTAKE!!! Not only is there a bug that overutilizes the CPU by 300% (calculated and determined from logs and memory dumps at the CLI), but that was three weeks ago. I told them I had the problem and that I needed the fix ASAP! Found out today: two more weeks. Crap...

5) TODAY, found another bug. If you apply either SERVICE (SSL) or APPLICATION (TEAMVIEWER) variables to a custom URL CATEGORY, it treats the rule as an OR for each variable instead of AND. Why is that a problem? Well, anything needing SSL starts using this rule and because the URL CATEGORY doesn't match, the APPLICATION TYPE cannot be defined and you get an "INCOMPLETE", thus creating crappy BROWSER experiences and weird errors and delays.

Other things:

A) NAT is HORRIFIC configuring!

B) VPN is a NIGHTMARE to configure. The client is a joke!

C) Don't get me started on BGP routing and what I had to do to get that to work!!!

My final opinion: Palo Alto Networks sells a product that is no different than buying a piece of software and having it call itself a firewall that lives on a dedicated box. Yea, the ASA has software, but it does what it does well, and doesn't try to be a WEB FILTER or DLP solution. It leaves that for other products that complement it, i.e. CISCO IRONPORT WSA. We already own CISCO IRONPORT ESA. I should have gotten the WSA instead. MAN....

Anyway. PAN, if it worked, would be unbeatable. But Palo Alto Networks has a TREMENDOUSLY poor application development change-control process. They are non-responsive, and treat hurting customers as nothing. Will NEVER recommend this product to anyone.

Trying to figure out now how to send them back and get my money back. Fat chance, but I'm hopeful...

Can you post here all the tickets that you have opened with PAN on the issues you discussed above? I would like to see how the PAN sales engineer responds to this when he sees it.

Hi David,

Responded to you via email with a PRINT SCREEN of my ticket history highlighting ALL the tickets I created that addressed every issue I pointed out, and then some, in my posting above.

Let me know if you need anything else. Thanks.

T

Hi Tony

Thanks for your post.

What is the real data traffic through the Palo Alto PA-500 firewall?

Do you switch on all functions? Stateful packet inspection, packet signature inspection, application categorization and identification, antivirus?

How many VPN connections?

I tested only packet signature inspection, and it found some.

Hi, responding to the question about "real data traffic". When I put the PA-500s in production, it was a staged approach, keeping the ASAs in production only for the DMZ, to be migrated later, and to stage the VPN migration because a whole new client would be required and I didn't want to impact the organization too much. Testing WEB TRAFFIC only and inbound traffic for MAIL access only was the ONLY thing I used the PA-500s for.

For VPNs, I set it up, but only for net admins to test. No one else.

PAN is designed nothing like an ASA. When you say stateful packet inspection, the ASA gets the same packet and examines it over and over again in a sequential fashion. Do a PACKET TRACE and you'll see what I mean. PAN gets the packet and puts it through two processes, a DATA PLANE (IP-level) and an APPLICATION PLANE (or the part that inspects for services and application signatures and URL inspection and categorization). Packets are obtained, then submitted through the two processes sequentially, each with its unique responsibilities. So, long story short, PAN takes stateful packet inspection and amps it up 1000%. It's stateful packet inspection on steroids, if you know what I mean. Imagine the packet not only being inspected for basic security rules and NAT translations (like an ASA) (if applicable), but all the other things in terms of identifying the service (or ports) and applications (like Facebook) and URL categorization (like pornography). Kind of a really busy, busy process for every single packet.

As for how many VPN connections, we never got that far. I'm pulling the PANs out of production tonight. I have to change my namespace records tonight and get everyone back to using the ASA for inbound mail access. In terms of the VPN client itself, I was not impressed. Not user friendly. More of a nerd display than an end-user look and feel. Configuring VPN on the PAN is a nightmare. The folks on tech support had to escalate the ticket because they just didn't know either until after a few callbacks. Add to that using a wild-card certificate, which I didn't even attempt, and I'm sure I would have ended up with a nervous breakdown for sure.

Your last comment: when the product was using 4.1.9, it was working beautifully, but it had quirks that were supposed to be fixed in 5.0.2. Sad to say that this release was the WORST product release and basically broke the camel's back for me. After 20 tickets, over half of which identify a bug or design flaw, I had to throw in the towel.

I'll be going with my second choice: Cisco WSA.

Hope this answers your question. PAN needs to put their development team in check, fire their current one, hire one with real change-control experience, and get their act together!

To be clear, I had the PA-500s in production for Web Traffic for almost 6 months, working hard with tech support to fix their issues while I impacted my entire user community of over 750 employees, 22 sites. They've been more than patient with this product as I tried to get it stable and deliver to my user community a champion of ideas in firewall architecture. Just too young of a company. Not mature enough yet.

Hmm.

Why did you choose a PA-500 series device when you have 750 users and around 22 sites?

Seems very low spec when the requirements are very high: URL filtering, access control at application level, VPN and heavy routing tables (BGP).


Sent from Cisco Technical Support iPad App

Agreed. Hindsight being 20/20, now that I know the machines, I would never have selected a 500 series. I would have gone for the bigger box, which would have given me ACTIVE-ACTIVE, by the way. =)

When we did the assessment, their sales engineer measured the need by our utilization of our existing 100mb Internet connection. At any given time, we averaged about 5mb of use, spiking to 20mb when people would watch video. That isn't much data. When I had the 4.1.9 version of the software, CPU utilization was barely 45%-60%. The DATA PLANE (where the initial inspection happens) barely hit 5%.

Even today, if the software actually worked, it wouldn't be a bad box. I got over not getting ACTIVE-ACTIVE and settled for A/P and designed it with multiple Internet connections with policy-based routing.

But it's the getting it to work that just didn't happen. I did my best.

What about antivirus and signature inspection protection? Did PAN find some? Did it protect your network?

Why don't you downgrade the IOS to 4.1.9?
