
Firewalls Forum

Rajagopal Naidu Vaddapalli
Divisional Engineer at Aptransco
Aug 16 2022

Hi members,

What kinds of throughputs should we consider while designing/estimating the required firewall throughput in our organization?

Thank you.

fdiazm
Product Manager at Entel Chile
Jun 22 2022
Hi peers, At the moment, we are evaluating a solution where tunnel concentrators are going to be in virtual machines. And despite the fact where we should go in terms of technology, space, payment model and everything, this solution is something new in the company.  So, we're looking for any pr...
Kowligi Prakash
FatPipe Networks Inc - Hybrid Networking Connectivity. We use our patented MPSec technology in order to provide bandwidth aggregation, redundancy, common management, compression and inbound/outbound load balancing. This solution is used by many of our customers for video conference, VoIP and data for the seamless switchover. Please check www.fatpipeinc.com
Frank Theilen
In my opinion, the way SD-WAN is designed, you will need multiple network endpoints or network-based concentrator hardware to handle multiple incoming tunnels. If you host them as virtual devices, you share the underlying network hardware and therefore lose performance, not gain it. If you want to virtualize them, use several, many endpoints (not just one).
Michael Velasco
Definitely look at Aruba EdgeConnect (formerly known as Silver Peak). My main client has had them in production for years for five hospital campuses and their headquarters site. They have hardware appliances and virtual appliances. Assuming you go the VA route, make sure you're thinking about providing enough bandwidth on the pNIC(s) you have connected to the vSwitch through which your VA(s) in a site are connected to the outside world. You'll be fine if you have something like a C7000 with Flex10 pNICs, but even if your hypervisor is some sort of 1U box, make sure it has 1G, 10G, 25G, 40G, 50G, or 100G pNIC(s) in it according to what your total MPLS and/or broadband Internet connections (i.e., Comcast or whatever) can provide, and make sure there are no network chokepoints between your hypervisor(s) with your VA(s) and your enterprise WAN/Internet connections (for IPsec virtual WAN underlay tunnels).

Start doing your homework NOW on what applications in your catalog are the highest priority, high priority, medium priority, best effort, etc. over the SD-WAN. Prepare yourself for difficult conversations with leadership about the non-working, vacillating, de facto lack of decision like "It's all top priority." No: you, leadership, set the POLICY on what goes first and what goes last when something gets pitched over the side. We implement YOUR policy.
3 Answers
Niranjan Prajapati
Network & System Support Engineer at ITCG Solutions Pvt Ltd
May 24 2022

Hi infosec pros,

When choosing to purchase a firewall for an enterprise, what are the most important features and "must-haves" you'd be looking for?

Thanks for sharing your opinions!

Luis Apodaca
- Dual WAN
- Load balancer
- Capability of failover
- IPS/IDS
- PBR (Policy Based Routing)
- Static route
- Multi-gateway
- And all the basic ones: LAN, SNAT, DNAT, etc.
Tarek Menshawy
Before answering this question, we have to understand the business case, which depends on many factors: the firewall's position in the network, for example, but not limited to, Internet perimeter or data centers. Services design, for example: multi-tenant, virtual or physical environment, on-premises or cloud... many possibilities. The services' criticality level will guide us to the accepted security level. Current and future traffic capacity and connectivity capability, plus physical port density. Finally, your available budget.
Timpa D Angaye
Choosing a firewall is your organization's first defense against unwanted IT security threats. Your choice of firewall will depend on the size and scope of your organization. The following are some important features to consider when choosing a firewall:
- VPN: for a safe and secure infrastructure, a VPN is a critical feature to include.
- Web filtering: this feature is used in filtering any compromising content that has been forbidden or flagged.
- Packet filtering: this is used to examine every packet of data passing through your network.
- Built-in high availability: a standard backup feature should be included if you cannot risk losing your firewall.
- Bandwidth control and monitoring: it's important to control the use of the bandwidth you have available. With this feature, you can control the bandwidth available for applications, sites and users.
- Logging: access to logs on a firewall gives you up-to-date information about your network.
- Sandboxing: this is an important firewall feature. It takes a file or executable as you're downloading it and opens it in a completely isolated and separate "test" environment. A sandbox then opens the file, runs it, scans it, and looks for malware or suspicious activity. Where the files or the URL have been validated to be safe, they will be passed on to the end user.
- Intrusion prevention system: an intrusion prevention system (IPS) is the latest advancement from intrusion detection systems (IDS). IPS continuously monitors your network and captures information on possible malicious attacks.
- Easy interoperability.
- Scalability.
7 Answers
Ariel Lindenfeld
Sr. Director of Community
PeerSpot (formerly IT Central Station)
May 19 2022
Let the community know what you think. Share your opinions now!
WiseCat
Security, aye, it is most important. But I would like to add the aspect of "self-sufficiency", for want of a better word. What I mean by this is that a firewall has to be the "last man standing" of sorts if a network is under attack or already compromised. So a firewall, in my opinion, should never be dependent on other components, be it on premises or in the cloud. I have come across installations where firewalls are integrated with Microsoft AD for user authentication, or where they were configured to accept input from cloud services as to how their policy should be enforced. Call me old-fashioned, but for me a firewall still has to work even if all other services in the network are dead, and it still has to provide security controls to the last interface alive on the net. We should very much mistrust all that new "AI" stuff and accept it only as "on top" of a good old static policy of who may access what, down to every single IP and port.
it_user339975
Awesome answers all around! The most important aspect to look for is relative to one question: how informed are you with the actual needs of your network? Overall I think there are too many specific details to choose any one primary aspect when selecting a security appliance and/or firewall device based on functionality alone. Any company that is online and running with proven technology has offered a solution that meets the minimum standard for most situations and customers. However, some do perform better than others in certain environments, and this depends on the needs of the network and resources.

Firewalls fulfill one general role in the network: the protection of key resources. This can be expanded upon in a number of ways, but the idea is the same all the time: the protection of key resources and the inspection of traffic in and out of these resources. That being the case, it would require in-depth research based on specific needs to see how that relates to the network in question when selecting a device.

The one aspect that will always matter regardless of the device capability is integration and administration. Although customer support from the vendor is extremely important, the first line of response will always be the in-house technical resource.
- How easily can I roll this out?
- Am I replacing a pre-existing device or adding this in tandem?
- Do I have people who can manage this device currently and, if not, can they be trained easily?
- If I have a single admin/engineer who manages this device and they leave the company, how easy is it to find another qualified person?
I think these aspects and questions matter a great deal. Regardless of specific strengths for a single device, if that device cannot be installed easily or managed easily, that equals more confusion and downtime, which usually means a loss of money.

When considering a new firewall device or security appliance, I encourage my clients to review their short- and long-term goals before allowing too much time in debate over which device is better.
Girish Vyas
There are already some good answers about it, but this is what I understand for a firewall. It is a luxury when compared in a networking domain. So basics first: we would need to suit your networking requirement. For this you need to settle on the vendor from whom you need to buy this firewall. From an organization level, try to get the best deal. Now from a networking perspective, take that spec sheet out and look for the models they offer and see which one fits your network. I mean check the throughput of the firewall. Can it handle the load you are going to push through it?

Ok, so you got your vendor and the model, but wait, let's see that spec sheet again. Why? The features. Yes, the features are also important, as everyone already pointed out. You need to compare the features and see if they meet your organization policy. Most of the firewalls have all that is required for an organization. This includes, but is not limited to, deployment mode, high availability, application visibility, custom application definition, central management (required if you have more than one firewall to standardize your policy), throughput after going through IPS/URLF, SSL VPN capability (I don't want to spend more to get this new extra feature, right?), IPsec VPN, and others. The core of deploying the firewall is the throughput. I don't know how to emphasize that more.

Once you get this checklist complete, I believe you are good to purchase a firewall for your organization. I would request people to try these firewalls on a VM instance for a demo and see how they function. Check with your vendor for a demo. This is to ensure that your IT engineer is comfortable with the look and feel, as he is the one who is going to handle your firewall, right? All the best on getting a new firewall!
48 Answers
Shibu Babuchandran
Regional Manager/ Service Delivery Manager at ASPL INFO Services
May 19 2022

Hi community,

What are your top 5 (or less) cyber security trends in 2022?

Thanks in advance!

Pablo Cousino
1) Security in endpoints (especially because of remote work), especially to protect from phishing, Business Email Compromise (BEC), and ransomware.
2) Security of data in transit (use SDP to protect, replace VPNs).
3) Security in cloud adoption with security in DevOps (use cloud-based SOCs with their sensors).
4) Security in SaaS applications (protection of SaaS-specific applications, CRM, AI, CDP, etc.).
5) Security in crypto transactions.
Bret Mantey
Look to the most recent Presidential order regarding security, Executive Order 14028, and what it states are the most formidable cyber-security threats (and what they are now expecting you to do to meet NIST and other compliance standards). It will force many to adapt or face non-compliance and possibly loss of cyber insurance (or worse, all your insurance coverage). We're seeing it creep up already in certain industries. Security initiatives important to thwart it all:
1) Zero-trust architecture!
2) Immutable file storage and backup.
3) Non-signature-based AV (AI for all your security/endpoints).
4) Improved email security/control/training to better handle phishing/malware and other attacks.
5) Air gapping data.
6) Better resiliency to withstand denial-of-service attacks, which are increasing.
And lowest on everyone's list: better, more secure password management. Still there after all these years.
Jairo Willian Pereira
1. [True!] Cloud security hardening/assessment.
2. AI (for massive data processing).
3. Data (protection) and breaches.
4. eGRC (enterprise GRC integrated with eRM and a vendor-neutral xLAP visual presentation platform).
5. Collective intelligence (MISP/Hive and similar platforms for normalization).
10 Answers
Niranjan Prajapati
Network & System Support Engineer at ITCG Solutions Pvt Ltd
Mar 23 2022

Hi professionals,

Which factors do you need to take into account to calculate the size of a firewall required for your network?

Thanks for the help!

Luis Apodaca
The "old" answer: calculate how many concurrent connections you are gonna get from the devices in your network. But nowadays you should also define if it's an HW-based or SW-based router. Also, check how many:
- VPN connections you need
- if you're gonna use QoS (consumes a lot of processor and RAM)
- if you're gonna use traffic analysis (same as above)
If you can get the sales area from any brand, they're gonna ask you those and more questions!! Good luck!
Alexandre RASTELLO
Hi Niranjan,
In my case, I use this simple template:

Throughput:
- Total WAN bandwidth (Mbps)
- Average WAN consumption (Mbps)
- Anticipated WAN growth over 3 years (%)
- Anticipated peak growth
- Anticipated average growth

WAN protection:
- SSL/TLS decryption (Yes/No)
- Intrusion prevention (Yes/No)
- Application control (Yes/No)
- Anti-malware protection (Yes/No)
- Web protection (Yes/No)

VPN:
- Concurrent IPsec tunnels
- Concurrent SSL VPN tunnels
- IPsec peak throughput requirements (Mbps)

Authentication:
- Number of users

After filling in this template, I compare it with the firewall vendors on the market. At this point, the calculator is my experience to choose the best solution :)
Regards, A. Rastello
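The template above, together with Rajagopal's question about which throughputs to consider and Luis's point about concurrent connections, turns into a small worksheet. The following is an added example, not code from the forum, from any poster, or from any firewall vendor. The feature penalty factors, the 30% headroom and the 50 sessions per user are assumptions chosen to show the method; the only ratio you should trust is the vendor's own "threat prevention" figure measured with the features you will actually enable, and the datasheet rows below are constructed, not real models.

```python
"""Firewall sizing worksheet (added example; assumed penalty factors)."""
from dataclasses import dataclass, field
from math import ceil

# ASSUMPTION: fraction of raw firewall throughput left once a feature is on.
# Replace with ratios derived from the vendor's datasheet for your model.
FEATURE_PENALTY = {
    "ssl_decryption": 0.35,   # TLS decryption is usually the biggest hit
    "ips": 0.60,
    "app_control": 0.85,
    "anti_malware": 0.70,
    "web_filtering": 0.90,
}


@dataclass
class SizingInput:
    total_wan_mbps: int
    peak_growth_pct: int            # anticipated growth of peak over the horizon
    features: dict = field(default_factory=dict)   # feature name -> enabled?
    ipsec_tunnels: int = 0
    ssl_vpn_tunnels: int = 0
    ipsec_peak_mbps: int = 0
    users: int = 0
    sessions_per_user: int = 50     # ASSUMPTION: concurrent sessions per user
    headroom_pct: int = 30          # ASSUMPTION: never size a box to run at 100%


@dataclass
class Requirement:
    inspected_mbps: float   # datasheet figure WITH features enabled must exceed this
    raw_mbps: float         # equivalent raw figure if the vendor lists only that
    ipsec_mbps: float
    sessions: int
    ipsec_tunnels: int
    ssl_vpn_tunnels: int
    inspection_factor: float


def inspection_factor(features: dict) -> float:
    """Combined throughput multiplier for all enabled features (1.0 = none)."""
    factor = 1.0
    for name, enabled in features.items():
        if enabled:
            factor *= FEATURE_PENALTY[name]
    return factor


def with_headroom(value: float, pct: int) -> float:
    # Multiply before dividing so integer inputs give exact results.
    return value * (100 + pct) / 100


def size_firewall(inp: SizingInput) -> Requirement:
    peak_wan = inp.total_wan_mbps * (100 + inp.peak_growth_pct) / 100
    factor = inspection_factor(inp.features)
    inspected = with_headroom(peak_wan, inp.headroom_pct)
    return Requirement(
        inspected_mbps=round(inspected, 1),
        raw_mbps=round(inspected / factor, 1),
        ipsec_mbps=round(with_headroom(inp.ipsec_peak_mbps, inp.headroom_pct), 1),
        sessions=ceil(with_headroom(inp.users * inp.sessions_per_user, inp.headroom_pct)),
        ipsec_tunnels=ceil(with_headroom(inp.ipsec_tunnels, inp.headroom_pct)),
        ssl_vpn_tunnels=ceil(with_headroom(inp.ssl_vpn_tunnels, inp.headroom_pct)),
        inspection_factor=factor,
    )


def shortfalls(req: Requirement, datasheet: dict) -> list:
    """Names every datasheet figure that falls short; empty list means it fits.
    If the vendor publishes no "threat prevention" figure, the raw firewall
    throughput is checked against the raw-equivalent requirement instead."""
    if "threat_prevention_mbps" in datasheet:
        checks = [("threat_prevention_mbps", req.inspected_mbps)]
    else:
        checks = [("firewall_mbps", req.raw_mbps)]
    checks += [
        ("ipsec_mbps", req.ipsec_mbps),
        ("max_sessions", req.sessions),
        ("ipsec_tunnels", req.ipsec_tunnels),
        ("ssl_vpn_users", req.ssl_vpn_tunnels),
    ]
    return [f"{key}: need {need}, datasheet says {datasheet.get(key, 0)}"
            for key, need in checks if datasheet.get(key, 0) < need]


# Constructed input: a 1 Gbps site expecting 50% peak growth over 3 years,
# with TLS decryption and IPS switched on.
SITE = SizingInput(
    total_wan_mbps=1000, peak_growth_pct=50,
    features={"ssl_decryption": True, "ips": True, "app_control": False},
    ipsec_tunnels=20, ssl_vpn_tunnels=100, ipsec_peak_mbps=200, users=500,
)
REQ = size_firewall(SITE)

# Constructed datasheet rows (not real models): A publishes an inspected
# figure, B only a raw one.
MODEL_A = {"threat_prevention_mbps": 1800, "ipsec_mbps": 500,
           "max_sessions": 200000, "ipsec_tunnels": 50, "ssl_vpn_users": 100}
MODEL_B = {"firewall_mbps": 10000, "ipsec_mbps": 500,
           "max_sessions": 200000, "ipsec_tunnels": 50, "ssl_vpn_users": 200}

if __name__ == "__main__":
    print(REQ)
    for name, sheet in (("model A", MODEL_A), ("model B", MODEL_B)):
        print(name, shortfalls(REQ, sheet) or "fits")
```

With the assumed factors, a 1.5 Gbps peak that must be decrypted and IPS-inspected needs a box rated at about 1.95 Gbps with those features on, or about 9.3 Gbps of raw throughput if raw is the only number the vendor prints; model A fails on inspected throughput and SSL VPN seats, model B fits. The point of the worksheet is that the raw "firewall throughput" line on a datasheet says almost nothing until it is divided by what the features you plan to enable cost.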
Andrew Ramsey
These are some excellent comments. I would add the throughput of NGFWs for the internal nets to my list. Most people only focus on their WAN and forget they may have internal networks they need to protect from one another. Well, those networks operate at 1 GB normally, if not higher. If your firewall cannot handle the traffic, odd things can happen. For example, on certain Sophos models, if you attempt to pass more traffic than it can handle, the firewalls simply reboot themselves. Thus, pay attention to the numbers.
7 Answers
Niranjan Prajapati
Network & System Support Engineer at ITCG Solutions Pvt Ltd
Mar 23 2022

Hi peers,

I have the following question: which type of firewall is more secure: packet filtering firewall or circuit-level gateway and why?

Thanks!

Evgeny Belenky
PeerSpot (formerly IT Central Station)

Hi,

When would you suggest using an internal SOC and when SOC-as-a-Service? What are the pros and cons of each?

Shibu Babuchandran
Hello, below are views on the pros and cons of an internal SOC and SOC-as-a-Service.

Pros and cons of an outsourced SOC

Outsourcing pros:
- Trained personnel. The MSSP has experienced personnel immediately available, saving the organization the time and expense of hiring and training the dedicated people needed to do the analysis.
- Infrastructure. The MSSP also already has the facilities and tools required to do the job, saving more time and the upfront expense of building out an internal SOC.
- Continuous threat monitoring. MSSPs should provide SIEM capabilities that filter false alerts so forensics are only conducted on legitimate threats. This type of proactive, continuous threat hunting and monitoring may be difficult for a company's cybersecurity team to conduct on its own.
- Intelligent analysis. Outsourcing cybersecurity operations can provide security analysis capabilities while an organization builds its own in-house SOC.

Outsourcing cons:
- How much analysis is the MSSP going to provide? Outsourcing the cybersecurity operations function does not usually provide features such as multi-tier analysis of alerts or an incident response service. Instead, many outsourced cybersecurity operations only provide the equivalent of a Level 1 cybersecurity operations analysis.
- What happens to alerts that the MSSP cannot clear? The MSSP may only be able to analyze a subset of alert logs generated by an organization. Alerts from applications like databases and web applications may be outside of its area of expertise. If the MSSP is also a tools or hardware vendor, it may only be able to analyze logs from its own products.
- Who is going to provide a detailed analysis of potential threats? An organization still needs some internal analysis capabilities to deal with the smaller number of alerts that cannot be easily cleared by the MSSP and thus are returned to the client.
- Does the MSSP provide compliance management? The SOC must operate in compliance with regulations and standards that the company must conform with. The MSSP should provide templates for required and recommended compliance processes and consider regulatory standards when developing vulnerability assessments for the company.

For some organizations, complete and permanent outsourcing of cybersecurity operations is a desirable option. This is a reasonable approach for governmental organizations, in particular, where obtaining, training and managing people and facilities, as well as predicting cost-effectiveness, are preferably handled under a services contract rather than in-house. Governmental organizations may also have significant compliance obligations regarding cybersecurity where it may be convenient to transfer regulatory mandates to a contractor.

In-house cybersecurity operations center

Building an in-house cybersecurity operations center provides the greatest degree of control over cybersecurity operations and the best opportunity to get exactly the services that an organization needs. It can also provide the foundation for building future comprehensive cybersecurity services, including vulnerability management, incident response services, external and internal threat management services, and threat hunting. Compared to outsourcing the cybersecurity operations function, building in-house capability has the following pros and cons.

In-house pros:
- Tailors the operation to meet demands. Design the security operations and monitoring capabilities that best meet the organization's requirements.
- Tracks capabilities that are stored on-site. Storing event log data internally lessens the risks that come with the external data transfer required to report security incidents.
- Improves communication. Breach transparency and coordinating incident response are typically much easier and faster when the processes are conducted in-house.
- Builds a unified security strategy. An in-house cybersecurity operations center can be the foundation for comprehensive security, threat and incident response capability.

In-house cons:
- Planning and implementation. The time required to get an in-house cybersecurity operations center up and running can easily be a year and is likely longer. CISOs and other security personnel will face a significant time investment in planning and implementing the SOC.
- Costs. Establishing an in-house SOC requires a significant budget, with upfront IT and personnel investment.
- Finding appropriate personnel. Hiring people who have the right skills, training and experience, or developing and training existing in-house staff, can be time-consuming and expensive.
- Acquiring multiple security technologies. Continuous threat detection and compliance monitoring across several departments will likely require purchasing several AI-driven security tools. This may be out of reach for security departments budget-wise, especially in smaller organizations.

As with many cybersecurity decisions, the right approach for many organizations is to find the correct balance between managing the cybersecurity operations function in-house and outsourcing it to an MSSP. One reasonable option, particularly for companies that intend to build an internal cybersecurity operations function, is to take advantage of the speed that outsourcing provides while the organization builds its own cybersecurity operations. Outsourcing can provide at least some of the cybersecurity services needed today, and the organization can take advantage of the trained, experienced staff that an MSSP has at its disposal while building the services that it wants to provide on its own.

When should you consider SOC as a service?

There are many reasons why your business could benefit from a SOC-as-a-service company:
- Having your own SOC is expensive: if you're a small business owner, keeping your SOC in-house may be too expensive, as it can cost a lot to hire security specialists. Not only this, but you'll also have to increase your office space to cater to them, which can take even more of a toll on your budget.
- Most SOC-as-a-service companies offer 24/7 monitoring: having an in-house SOC will only benefit you so much, as you can't have your security specialists monitoring your systems for 24 hours a day (unless you pay them a lot to do so). Most SOC-as-a-service companies offer 24/7 monitoring to their clients, so you'll always be protected from cyber threats.
- They offer state-of-the-art protection: SOC-as-a-service companies offer the most up-to-date cybersecurity protection, and it's likely that you will have a higher level of security if you outsource your SOC. It's a lot easier for hackers to get into your systems if they are self-contained, and you are a lot more at risk if you decide to keep your security in the office.
- The security engineers are highly skilled: you could hire some security specialists in-house, but the likelihood is that they aren't as highly skilled as those in SOC-as-a-service companies, who deal with current threats on a daily basis. By going through SOC-as-a-service companies, you can get access to these specialists without paying the premium costs that you'd have to fork out if you were going to hire them directly.
- It offers you a good balance of human and tech support: not only do SOC-as-a-service companies offer the best technology that you can get when it comes to detecting issues, but they also have skilled people on hand to identify any potential issues, too. These companies offer a good balance between the two types of cybersecurity protection, for any type of business.
- They offer training to your members of staff: these SOC-as-a-service companies can also take the time to educate your staff members, so that they can identify any issues and react appropriately. This means that you'll have people on hand who can notice problems immediately.
- Peace of mind: when you outsource to a SOC-as-a-service company, you can rest easy knowing that your cybersecurity is being looked after by expert analysts who know exactly what they're doing. Having in-house cybersecurity has the tendency to be more unreliable, and it's difficult to know that you're hiring the right people for your business's needs.
- Regular reports: some of these companies will send you regular reports on the status of your services (even hourly reports, in some cases) so that you are always up to date with the status of your cybersecurity.
- Flexibility: some SOC-as-a-service companies offer full support to your business and its cybersecurity needs, whereas others take a bit more of a backseat when it comes to your SOC. You can choose the level of support that you require, and tailor your SOC-as-a-service plan to your budget and your needs as a company.

A SOC is something that could secure any organization and provide immense value, whether you decide to manage your cybersecurity in-house or with an external SOC-as-a-service company. However, SOC-as-a-service companies offer an array of extra benefits for the business owner… if you partner with the right company.
Manuel Gellida
Evgeny, I think an on-premise SOC means a huge investment (= monthly payment) because of the people you need to operate your SOC. Pro: it's the total control of your SOC and logs, but using the logs in a SOC-as-a-Service does not mean that they use your information. It's just the logs, and I think you don't compromise your sensitive info. Have a nice day. Manuel
reviewer935298
This is a truly good and difficult question. If we could have an MSSP that is reliable and offers good services at a reasonable price, this would be a pro for SOC-as-a-Service for most companies. Otherwise, the cons of having your own SOC are huge: CAPEX + OPEX (yearly upgrades and licenses, expenses for having in-house security experts, ...). The pros of your own SOC: in-house knowledge and strategy.
10 Answers
Evgeny Belenky
PeerSpot (formerly IT Central Station)

Hi security and IT professionals,

In what cases should an organization choose a Firewall as a Service (FWaaS) solution? 

When should FWaaS be a complementary product to the on-premise FW/NGFW?

Carolyn Raab
FWaaS offered by an MSSP is a way to ensure your security keeps pace and is always 'fresh'. When an organization has better things to do than constantly upgrade and monitor their firewalls, FWaaS, especially when it's built by an MSSP using centralized virtual firewalls, allows the organization to focus its IT and network security teams on digital transformation and other strategic initiatives.
Stuart Berman
I have looked at FWaaS for years (originally from value-added network service providers such as Virtela) and my best answer is based on the organization's scale/size. Is the organization large enough to support managing your own firewalls? (Let's say perhaps >10,000 people.) Smaller organizations need some form of managed services, as you can't afford dedicated firewall experts. The second criterion is network architecture: how does your organization connect to the Internet? If your ISP can provide FWaaS or an overlay for a third party without leakage and at an affordable price, then FWaaS is worth considering. The third criterion: who is offering FWaaS? How competent is the service provider? Will they be able to provide the kind of derive you need in terms of your specific needs? How complex are its needs, or do you need something very generic? How much risk is in your data in your network? I have been moving many of our systems to cloud providers (SaaS ideally), but when building our own SaaS platforms we need more sophisticated firewall services like WAF and ADC.
reviewer1357092
Generally, FWaaS would be a preferred option for organizations that:
1) Don't have a dedicated security expert team available.
2) Are looking for the perimeter security to be provided by the ISP, typically.
3) Don't want to invest their resources/time in managing the perimeter firewalls.
Nowadays, internet links are provided as clean pipes where the internet service provider uses a cloud firewall and allocates a vDOM to the customer in the cloud, hence a value-added service on top of the internet link. As long as the ISP is flexible enough to configure/change the FW policies as per the requirement, it is a win-win situation for both. Also, it eliminates the capex investment on day 1 for any organization. Further, ISPs (tier-1) have access to all the latest policies from the OEM and other bodies to keep the FW tables updated, ensuring better security for your organization from malicious traffic.
5 Answers
Tarun Mehta
Associate Consultant at SoftwareONE

I'm researching two firewall products for a company with 1000+ employees and I'm looking for a technical comparison between Palo Alto Network VM-Series and Fortinet FortiGate Firewall.

Please assist.

Darshil Sanghvi
Hello Tarun, we have been designing solutions with Palo Alto Networks NGFW for 6 years now and we have 95%+ customer retention. I would suggest looking into the customer requirement on the basis of the following things, with priority given by the customer:
1. Internet bandwidth.
2. No. of users: in-house, and users connecting from home/outside the organization network.
3. Security features required: sandboxing, DNS Security, etc.
4. Port density required on the firewall.
5. SSL decryption.
6. Deployment: on-prem, virtual DC or on cloud.
7. HA requirement.
8. MFA requirement.
9. Local presence of Palo Alto/Fortinet expert team.
10. Integration with other (operational) solutions like SD-WAN, load balancer, etc.
11. Integration with other security solutions like EDR/XDR or XSOAR.
12. Customer's current solution (firewall/UTM and the engineers/IT team working on it).
13. Customer's current IT team strategy.
14. Customer's future IT strategy (to move to the cloud, etc.).
15. Customer's growth and scalability in 5 years.
16. Reporting and logging requirement.
17. Customer's budget for IT security.

Well, I guess with these parameters and the customer's priority you can recommend them a suitable solution. Palo Alto NGFW will be best recommended for the following:
1. Deployment on the cloud: it has a very stable PAN-OS for VM-Series.
2. Security innovations: considering security, in terms of today and the future, Palo Alto is disruptive and groundbreaking.
3. Predictive bandwidth: Palo Alto NGFW gives us predictive bandwidth, and hence, once sized, it will last longer than defined. The throughput numbers are test cases of real-world scenarios, measured after enabling all the features. It operates on its patented SP3 architecture and defines device throughput after enabling all security features and operational functionalities.
4. Integration with EDR/XDR and SOAR/XSOAR platforms.
5. User/SSL VPN: when you are planning for SSL VPN on Palo Alto NGFW, it will not charge you additionally for users connecting their Windows or Mac systems to the NGFW over SSL VPN. For users on Android/iOS/Linux/etc. that require additional HIP checks and clientless VPN, there is a single subscription you will need to purchase.
6. Sandboxing: Palo Alto came up with WildFire, which is a threat intel cloud that can be termed Palo Alto Networks' sandboxing solution, but it does much more than that. It has a response SLA of 5 minutes, where it can convert any unknown to known in 5 minutes or less. Also, after it identifies the file, it auto-updates other engines like URL filtering, DNS Security, Anti-Spyware, bad IP and domain lists, and C&C tunnel signatures.
7. Reporting and alerting: the foremost reason why users started implementing Palo Alto firewalls inside their network was to get visibility, in terms of user-level visibility, network traffic (down to the application layer), and content (files and threats) visibility. Also, logging and reporting are provisioned on the appliance itself and no additional subscription or appliance is required, unless the customer requires storage of logs for a longer time frame. The NGFW also correlates all the events and alerts to give critical visibility like botnets, and hosts and users accessing malicious websites or resolving malicious domains.
8. EDL: external dynamic lists (EDL) help you reduce the attack surface by minimizing the traffic to and from malicious and bad IPs and domains. This list is automatically updated by Palo Alto Networks by default by its threat research team (Unit 42), threat intel (WildFire), the DNS Security module, and other sources. It also has a provision for you and/or the customer to integrate other third-party URL lists to be blocked.
9. Security features:
   - DNS filtering: by intercepting DNS traffic, you will not need any additional solution and/or modification in your current network for protection against threats related to DNS traffic. Its DNS module is cloud-based and tightly integrated with other modules and features of the NGFW.
   - Credential phishing: this feature will stop users from sharing/uploading to external websites the same credentials they use to access internal resources. This will prevent the leak of user credentials.
   - ML-powered NGFW: currently, PA NGFW is the only firewall powered by ML to prevent unknown threats in real time.
10. Application layer firewall: complete identification of all and any traffic based on application rather than port and protocol. Not only the known; if the application is not identified, it will classify that traffic as unknown. Also, you can create a custom application as required.
And many more...

Benefits of the FortiGate firewall will be:
1. More port density.
2. Better SD-WAN configuration.
3. Easy user interface, and hence lacks granular controls.
4. Provides seamless integration with FortiToken for MFA (additional cost).
5. Seamless integration with Forti load balancer.
6. Lower cost (than Palo Alto, at least).

Thanks,
Darshil Sanghvi
João Garcia
Palo Alto, Fortinet, and Check Point are the best NGFWs. You can choose one of them. The Fortinet advantage is the Security Fabric. Many other Fortinet products (switches, APs, EDS, XDR, DDoS, FortiClient, etc.) are integrated, and a Fortigate can communicate with another product to block an attack.
reviewer1461459
Because PA has an FPGA-based architecture, which no other firewall has, the firewall processes the traffic through all the engines simultaneously. This increases the efficiency of the product and provides way better throughput compared to other vendors. The performance of PA's security engines is better than other vendors'. PA provides on-box reporting; you have to purchase FortiAnalyzer separately for reporting in Fortinet. PA provides a granular view of policies, giving you insight into which policies are used and which are not. It also provides a feature that tells you which of the firewall's features are not being utilized; this way you can plan your renewal to only purchase the features you need.
9 Answers
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi peers, In my opinion, it's very important for your enterprise firewall/NGFW to support ID-based rules.  What products do provide this feature? What kind of identity-based rules are supported by them? Thanks.
Manuel Briones
We use Check Point for this through the Identity Awareness blade: when integrating with the domain controller or LDAP, we can see the entire organizational unit of the Active Directory, where we can generate rules through the user's profile to make access to internet services, DMZ or others more dynamic. It is a good experience that gives us greater control and agility when debugging users, since these changes are reflected in the FW when they are eliminated from the AD.
1 Answer
M Mari
Head of the Migration Research Division at International Organization for Migration (IOM)
Hello, In my organization (10K+ employees) we have had Cisco products for decades and currently, we're exploring whether Palo Alto Networks VM-Series is a good alternative (vs Cisco FTDv) that can leverage our security posture.  Dear community members, please share your technical recommendations!
Mike Bulyk
Hello. Capability is on par between the two vendors. Your best bet is to think about integration and how the FW will work with other tools/processes in your environment. Thanks
4 Answers
Ravindra Kumar
TD at NIC

Hey,

I work in a Tech Services company with less than 1,000 employees. I'm looking for a firewall to replace Cyberoam 200iNG.

Any suggestions?

Thanks.

Shyam Biswas
Depending on budget, the Palo Alto 3000 series will be very helpful. If you want to discuss more on this, please contact me.
AnnDeryckere
We can recommend WatchGuard as a worthy alternative. Don't hesitate to contact me for more information.
Basil Dange
Check Fortinet. It provides faster L3 processing. Also, with the NGFW firewall you can get SD-WAN features as well.
25 Answers
Nirmal Unagar
Cyber Security Intern at ECS BIZTECH PRIVATE LIMITED

I'm researching Firewalls. Which NGFW do you recommend between Fortinet Fortigate and Cisco Firepower NGFW?

Thanks!

David Storey
More than the products themselves and their capabilities, you must consider the support you get from their respective vendor. In our case, we're a Cisco shop and have several Firepowers. We scan them for vulnerabilities or have FIPS as a requirement. In some cases, the cipher settings for SSH or SSL are old and can't be updated to use ciphers that are a few years old. Putting them in FIPS mode can also create problems that Cisco isn't interested in fixing. "Smart" licensing is also problematic, as we don't technically allow the management plane of our infrastructure to access the public internet. I'd recommend staying away from Firepowers.
3 Answers
Fedayi Uzun
Cyber Security Analyst at CyberNow Labs

I'm researching firewall options. What are the differences between Palo Alto and Cisco firewall solutions in terms of advantages, disadvantages, usage and practices?

reviewer1461459
There are some major differentiators that make Palo Alto more preferable. First of all, Palo Alto's hardware is FPGA-based, which has no parallel. Due to this capability it supports SP3 technology, which provides a single-pass parallel processing architecture. This means PA processes traffic through all the engines, i.e. application, IPS and others, simultaneously. This improves resiliency and provides exactly the throughput committed in the PA data sheet. PA has been in the Leaders quadrant of the Gartner Magic Quadrant for the 7th consecutive time in a row, which shows its blocking capability is above par. Moreover, it is very user friendly and easy to configure. Palo Alto provides all routing features plus IPsec tunnels without any license - license subscriptions are only required for security bundles. Palo Alto has on-box (without any additional license or cost) reporting capability that no other firewall has at the moment. On the contrary, the Cisco firewall and its management center are not stable and lack user-friendly operations.
Philippe Panardie
Well, they are two leaders, one from the US, another from Israel. Check Point is the first well-known firm to have launched firewalls. Palo Alto is certainly now the leader, but can be expensive in strong configurations. It supports virtualization very well and is number one for reporting. Check Point NGFW is strong but under competition for high volumes when compared to a comparable appliance (Fortinet, for instance). It perhaps needs more technical knowledge to administer, in spite of an amazing choice of blades in the NGFW offering. The reliability depends on your partner or integrator and on a good definition of needs to have a proper sizing of your equipment.
Kirtikumar Patel
Palo Alto has more visibility and control than the Cisco firewall.
6 Answers
Ron Zelt
User

Hi peers, 

If you could go back in time, would you change your decision to buy that firewall and why?


Girish Vyas
This answer depends on the provider one has. These days people in enterprises are moving away from big names to Fortinet and WatchGuard. I would recommend they stick to a secure architecture rather than just names. Check the frequency at which their threat database is updated. Ask them about their threat intelligence provider: is it in-house or third-party? Check if they have an integrated suite rather than just a one-off product. See how long they have been in the market and where they are positioned in the Gartner report. Now coming to the original question: do I want to change my vendor for my security services? My answer is no.
Werner Schonborn
If I could go back and buy a different firewall, I would do so immediately. The main reason is that when layer 7 capabilities are implemented, everything changes in terms of:
* Performance
* Functionalities
* Routing
* Reliability
I would buy a much stronger firewall i.t.o. CPU power, with more ethernet ports. Salespersons always try to sell you what they think will be best, but the technical person should have the final say in the decision-making process.
it_user1143093
If it is about saving money, the answer is no. Saving money is not always the case. Some products have an easier way of maintaining than others.
40 Answers
Rony_Sklar
PeerSpot (formerly IT Central Station)

Why or why not? If so, which are the best providers for this configuration?

PrideChieza
That is a very good question. For SIP we highly recommend using SIP security on the firewall; this prevents issues with SIP attacks resulting in unknown phone calls being made from your PBX, causing a high phone bill that you didn't generate. However, in some cases when working with the Fortigate firewall and older versions of PBX you may need to disable this function; it's called SIP ALG (Application Layer Gateway) and it usually causes problems with SIP VoIP phone registration and call processing, but you need to make sure you only allow the PBX to communicate with the specific VoIP server for security. Regarding NAT traversal, it is mostly used when you have devices that are not SIP aware and the firewall is then used to NAT the actual IP address of the SIP phone when communicating with the external IPs or VoIP servers; with the use of security policy this can ensure that the VoIP traffic is also secured by the firewall.
Rupsan Shrestha
SIP is a protocol used for session management in VoIP or video communication. On the other hand, NAT traversal is a technique used to maintain connectivity over networks where NAT is used. You are probably looking to implement VoIP in your network, if I'm not mistaken. There is no choice here because some VoIP devices require the implicit use of the SIP protocol; that is what they use to initiate, manage, and terminate sessions. While there are some vendors that use their proprietary protocol, a SIP-like protocol is necessary regardless. And about NAT traversal: if you have a NAT device or a firewall that implements NAT in between or as a gateway, NAT traversal must be used to make sure your communication works, because in VoIP communication the client also acts as a server, meaning the communication has to be both ways. When there is a NAT in between, the NAT masquerades the original IP, so there is a probability that the communication may fail. However, some VoIP solutions have their own mechanism to bypass NAT and maintain communication, while some require NAT traversal to be configured on the firewall.
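The failure mode Rupsan describes, as an added example that is not part of any of the posts above: a constructed SIP INVITE from a phone behind NAT carries its private address inside the Via, Contact and SDP lines, which a plain NAT's header rewrite never touches, and a small helper shows the address fixup a SIP ALG performs on those fields. All addresses, names and the public address 203.0.113.7 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from any post): an INVITE as a phone at 10.0.0.25 behind
# a NAT would send it. The NAT rewrites only the IP header's source address; every
# 10.0.0.25 inside the SIP headers and SDP body stays as-is unless a SIP ALG (or
# the PBX's own NAT handling) fixes it, so the PBX answers to a private address.
SAMPLE_INVITE = (
    "INVITE sip:bob@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.25:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.net>\r\n"
    "Contact: <sip:alice@10.0.0.25:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.25\r\n"
    "c=IN IP4 10.0.0.25\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Fields that carry the sender's own address: Via (where responses are sent),
# Contact (where later in-dialog requests go) and the SDP origin/connection
# lines (where the far end sends RTP media).
ADDRESS_FIELDS = ("Via:", "Contact:", "o=", "c=")


def is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # regex can match junk such as 999.1.1.1
        return False
    return any(ip in net for net in RFC1918)


def embedded_private_addresses(msg: str) -> list:
    """List (field, address) for every RFC 1918 address carried inside the SIP
    headers or SDP body: these are what a plain NAT leaves untouched."""
    found = []
    for line in msg.split("\r\n"):
        field = line.split(":", 1)[0] if ":" in line else line[:2]
        found += [(field, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return found


def alg_fixup(msg: str, inside_ip: str, outside_ip: str) -> str:
    """What a SIP ALG does on the way out: rewrite the NATed phone's address in
    the address-carrying fields so signalling replies and media reach the
    public side. Port remapping is left out to keep the example short."""
    return "\r\n".join(
        line.replace(inside_ip, outside_ip) if line.startswith(ADDRESS_FIELDS) else line
        for line in msg.split("\r\n")
    )
```

Running embedded_private_addresses on the sample before and after alg_fixup shows the four fields a NAT would leave pointing at 10.0.0.25 and that the fixup clears all of them.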
Rias Majeed
If you have SIP phones which need to access the PABX from the WAN (internet), you need to forward SIP from the WAN to the LAN PABX. If you have more than 2 devices that need to share the same internet connection, you have to enable NAT. NAT-supporting devices are the following:
1. Any broadband router (Cisco, D-Link, TP-Link, Linksys, Asus, etc.)
2. Firewall/router/VPN (Fortigate, Cisco, SonicWall, Palo Alto, WatchGuard, etc.)
My preference is FortiGate. It supports SIP, NAT configuration and VPN in the same appliance. SSL VPN is included free of charge with the devices.
12 Answers
Rick Briggs
User at CUProdigy Cloud Services, LLC
Hi community, I'm in the process of implementing a new ERP. It will allow customers to order (food service) via mobile device.  ~100 to 200 customers.  10 inside users. 10 outside sales. 2 locations I'm using SonicWall, VPN and SSL VPN. I'm planning on bringing in VoIP and Fibernode is...
Norman Freitag
Hi @Rick Briggs, do you really want to run this by yourself? If yes, I go with @Javier Medina: give it a try. If no, look for a "local" hero to run, configure and update the stuff you need. Why take a local provider? Because they maybe care more than the big ones. That's my brief introduction :). Have a nice day and stay healthy. Best, Norman
Chirosca Alecsandru
You should take a look at OPNsense. Even for small setups, we recommend using dedicated hardware for routing and firewall. The basic firewall should be good enough for your needs, but there is an option for Sensei (we recommend choosing an appropriate server for this, as it may require more resources than a small setup). The learning curve is not so steep and you can configure it relatively quickly according to your needs. You can evaluate the product on a virtual server. Cisco also has good routers within the ASA platform, but the older models have hardware issues. I think the newer ones are better.
5 Answers