Showing results for 
Search instead for 
Did you mean: 

Andy White

ASA's vs Palo Alto firewalls?


We use ASA's and I really like them, however our boss has invited someone from  Palo Alto to introduce teh  Palo Alto firewall range, why I don't know.  Anyone every used a  Palo Alto firewall, I can't find any comparision documents, I kow the sales guys will say  Palo Alto firewalls are better than cisco because......I need some backup for Cisco


Are you kidding me?   Palos blow away the ASA's.  I have rolled out Palos our our entire infrastructure with very little issue.  Although we went with 800, 3000 and 5000 models but pan os is pan os . Cisco list the firewall battle many years ago and I believe Cisco will never be a leader in this silo again

Jade Rampulla

Lots of great conversation here. A very good read. It's difficult to find good blogs with real opinions from actual IT admins and engineers on firewall products.

I work for a consulting company and we're partners with Cisco, Avaya, Aerohive, Microsoft, Juniper, hopefully Palo Alto soon, and a few others. I haven't personally installed ASA's, but I've seen them in action and reasonably understand their capabilities. Other people on my team are ASA experts. I've seen Palo Alto's in action and have hands on experience with them. I'm running a demo PA-500 at home right now. I'm a Palo Alto fan boy just like others who've posted here and I recently passed the ACE exam. There's free online Palo Alto training geared towards passing the ACE exam here.

Personally I love the PA-500 but the interface is a bit sluggish. I don't want to repeat what others have said on comparisons, but rather give some new info.

Several people mentioned the Cisco ASA CX as a NGFW contender. There's a fair and detailed review of pro's and cons here:

Seems like a pretty good firewall in progress.

There's a great list of Palo Alto application support here (Currently 1,771):

It was very informative to read about support issues people had. I'm sure my boss will want to review before we become partners and start making promisses to our customers about "good" support. The current software release is 5.0.7 from August 27, 2013. I found release notes here:

You can monkey around with the "versionNumber" portion of the URL and see other releases. There was about a month and a half between 5.0.6 and 5.0.7. I see tons of bug fixes in the 5.0.7 release notes so I'm assuming their development team is pretty active even though others have reported bad experiences in the past. Maybe things are getting better.

I haven't heard Wildfire mentioned here. It's a pretty nifty feature on PA firewalls. When the firewall sees a file pass through that it doesn't have a malware signature for, the file is automatically uploaded to the "cloud" and the behavior is analyzed inside a VM to see if it's a threat. New signatures are automatically pushed to the firewall for new threats. I'm pretty sure new signatures are shared between all firewalls in the world with an active subscription. Obviously a skilled attacker can re-wrap a file to look like something else with a different signature, but Wildfire could potentially stop the spread of many common malware attacks without waiting for weekly or even daily signature releases like other products do. More details here:

I only heard 1 person mention panorama. I haven't played with it yet, but seems like a cool feature. You can centrally manage and monitor multiple firewalls with a single unified policy (With exceptions of course). The ACE free training link I added earlier has tons of cool screenshots and info. The sales lingo isn't spectacular but here it is:

Palo Alto firewalls can run as a VM instead of just a hardware appliance:

For those looking to see who else is running a Palo Alto firewall, feel free to get your daily dosage of sales brainwashing:

As a side note on specialized firewalling for BYOD and mobile devices...

I would use wireless products capable of differentiating corporate domain devices and BYOD devices to different VLAN's and subnets, then apply different firewall policies to those subnets. I work primarily with Aerohive and advocate it everywhere I can because controller-less wireless is the wave of the future (Just like Palo Alto in the firewall arena) and controllers will soon be a dead technology. If you ask the right people, you'll find out that even Cisco is working on a controller-less solution and not just something based off the flawed H-Reap design...they're a few years away from having anything though. Aerohive AP's are capable of differentiating between device types like I mentioned. There's a good blog post here with some info:

For those more comfortable with controllers, I think Aruba can do the same thing.


   I think we are all capable of Google searching.  Are you contributing something new ?

Ummm....yes...did you read my post or just see that there's links?

I rounded out some missing info on topics that others mentioned, including yours on mobile device security policies for a network. I also provided ammo to the Cisco "die hard" security buffs that want to know more about what Cisco is doing to compete with the same type of firewall as a Palo Alto. No one else mentioned much detail on that, but the original poster was looking for it.

If every person in this forum knows every bit of info from the links and content I posted, I guess my post was a waste of time. I don't think that's the case. If you don't like the content of my post, then don't read it or ignore it.

fight, fight, fight!!! Just kidding.

Nice info Jade,

I will take a look at it!



follow me on http://laguiadelnetworking for more information

Julio Carvajal
Senior Network Security and Core Specialist

I found an interesting article on a major flaw with Palo Alto's AppID capabilities here:

Not sure if they fixed it but would be interesting to hear a response from them.

Speaking of AppID, I've had problems using it during my demo. Sometimes traffic matches my policy rules for applications that they shouldn't. For example, N-Able has remote control capabilities to endpoint software. The Palo Alto picked up some of the traffic as bittorent when it's definitely not.

Besides the problems with Palo Alto AppID, I'm expecting that all NGFW's will have issues with encrypted applications like Microsoft Lync. Since the traffic can be encrypted with TLS and no firewall will ever be able to decrypt the traffic because they don't have the keys and can't get them, the traffic will never be properly categorized as an application without port and/or IP address rules.


Regarding your test and not being able to properly catch/categorize APPID traffic, you may want to be careful with how you set up the security policy. Every column is logically separated with an "AND". Meaning, if you don't have 100% match on your traffic for all columns, the rule simply doesn't apply. My point is, if you're matching an APPID, you cannot put anything in the SERVICE column. If you just so happen to want to match on both a SERVICE and an APPID (not sure that's possible considering APP's are a culmination of many services and types of traffic), you're going to have issues. When I run into that type of scenario, I create two rules, one for the APP ID, and one for the SERVICE, both matching the SOURCE/DEST. It is clean and matches everything I've ever wanted to do, and I got some pretty complex stuff going on in mine.

So concerning your demo, if you're not getting it to work and you're new to creating security policies, don't hesitate to call tech support. I learned the hard way what I mentioned above.

Lastly, concerning the article, the dude's a total "PAN HATER". Guys like that are NOISE and simply don't have a lot of credibility in my view. If it is true that the APPID issue is a problem that needs solving, they will. But to be so condescending and preachy is a huge sign to anyone wanting a valid biased opinion.

Take care.

Tony Ortiz

GVHC - Own three PA-500's, two at CORP, one at DR, both at CORP are set up ACTIVE/PASSIVE, using PANORAMA to manage all.

Here is Palo Alto Networks response to the APPID Cache vulnerability.


Being now on a place where I cna take a look at both firewall options I consider the following.

There is no way we compare the ASA 5500 family against the Palo Alto family of Firewalls. The Palo-Alto as a Next-Generation Firewall will beat them with no doubts.

But there is where Cisco understood the market was going to a world where the Web 2.0 is being deployed more and more and now firewalls need to be able to inspect till layer 7 on a deeper level and also be able to work as an SSL proxy.

This is where the Cisco ASA 5500-X family appeared.

So what you could check is the following

-Check as much as possible from all of the features supported on the PAN-OS 6.0

-Do the same thing with the ASA 5500-X series.

Looking for some Networking Assistance? 
Contact me directly at

I will fix your problem ASAP.


Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist


Palo Alto and 5500X Family are good firewalls.

But before you decide

you need to consider your Network Design.

Identify your main goal on upgrading a firewall

3rd generation firewall are good as application firewall

depends on you purpose of deployment.

more people are using Palo alto because they can save  money having  all in one solution.

If you are network admin and you have thousands of users BOOM

Managing all one in one  firewall with so many  features, POLICY and user will take you  HELL

the more features  you activated  the more it will become degraded .

I suggest if  you want content filter use proxy and integrate antivirus

This will also give you bandwidth saving unlike PALO ALTO the content database  is only cache


Recognize Your Peers
Content for Community-Ad