Coming October 25: PeerSpot Awards will be announced! Learn more
Buyer's Guide
Firewalls
September 2022
Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: September 2022.
635,162 professionals have used our research since 2012.

Read reviews of Cisco ASA Firewall alternatives and competitors

Ali Mohiuddin - PeerSpot reviewer
Security Architect at a educational organization with 201-500 employees
Real User
Top 10
Provides zero trust implementation, more visibility, and eliminated security holes
Pros and Cons
  • "One of the key features for us is product stability. We are a bank, so we require 24/7 service."
  • "There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features."

What is our primary use case?

On-premises, we used Cisco but replaced our core firewall world with Palo Alto because we wanted more visibility. Plus, we were looking for features such as IPS for PCI compliance. We wanted next-generation capability, but we had the ASA traditional firewall with Cisco, which doesn't do much, so we replaced it with Palo Alto. 

In the cloud, we use Palo Alto for the zero trust implementation. Initially, we tried to work with the Azure firewall, but we found a lot of limitations in terms of visibility. It couldn't provide us with the same visibility we wanted for Layer 4 and above.

The solution is deployed both on cloud and on-premises. The cloud provider is Azure.

We have about 6,500 endpoints in my organization and five administrators.

How has it helped my organization?

One of our key challenges was for the PCI, the new standard 3.1. There's a requirement that financial applications need to have some sort of zero trust architecture. They need to be completely segregated. We implemented zero trust using Palo Alto so that if we are within the same subnet within the network, we have protection.

The unified platform helps us eliminate security holes. We use another product from Palo Alto, called WildFire, which is basically sandboxing. We have layers of products. Because of WildFire, we're able to identify any weaknesses in the upper layers.

We give a copy of the same packet to WildFire, and this helps us identify things that were bypassed, such as malware or malicious files. It's especially helpful when we're transferring files, like on SMB, because it's integrated.

The unified platform helps eliminate multiple network securities, and the effort needed to get them to work with each other. It's a very good product for us because it fits well in our ecosystem. 

Our other vendor is Fortinet. Previously, we struggled with having multiple products. One of them was command-line based and the other one was web-based. The engineers would have some difficulty because not everyone is good with a command line platform. Palo Alto and Fortinet are both managed by the UI and they're very similar products. They work well with each other, so we use certain capabilities here and there.

For example, for some internet browsing, we generally have a separate solution for our proxy, but there are situations where we need to provide direct internet access to a particular server in a certain situation. The problem is when a particular product does not work with the proxy for some reason. This is where we use Palo Alto's web filtering. If we didn't have a solution that could do this, it would be difficult on our side because how can we provide direct access to the server without securities?

When browsing, the logs provide us with the required information. For example, we allow certain URLs to a particular server, and we have that data also. This goes back into our same solution. With Palo Alto, the connectors are built in.

Our Palo Alto Firewall has the zero-delay signatures feature implemented. For the IPS capability, we rely completely on Palo Alto. If we don't have this implemented and there's a new, ongoing attack, we will be exposed. We make sure there are controls on the policies we have on each layer.

Even if a patch is released for that particular issue, it would take us time to implement it. We actually rely on the network layer, which is our Palo Alto box, to prevent that in case someone tries to exploit it. In the meantime, we would patch it in the background.

What is most valuable?

One of the key features for us is product stability. We are a bank, so we require 24/7 service.

Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.

The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.

It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.

When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.

Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.

There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.

We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.

We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNA security.

Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIM solution. Having a single PAN is also very good when we try to search or if we have issues or any traffic being dropped. 

Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.

When we have to push configurations, we can push to multiple appliances at one time. 

Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.

What needs improvement?

We have had some challenges. There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features.

Other products provide you with APIs that allow you to access certain features of the product externally with another solution. In the cloud, we have a lot of products that provide us with these capabilities, such as Microsoft. It has its own ecosystem, which is exposed through Graph API. I would like to have the capability to use the feature set of Palo Alto and provide it to another solution.

For example, if we have a very good system to identify malicious IPs within Palo Alto, we would like the ability to feed the same information into another product using the APIs. These are obviously very advanced capabilities, but it would be great if Palo Alto would allow this in the future.

For how long have I used the solution?

I have used this solution for more than five years. I'm using version 10.1.

What do I think about the stability of the solution?

It's extremely stable. We've used it on the parameter and as a core firewall in our data center. In both cases, it's what we rely on today.

What do I think about the scalability of the solution?

The scalability is amazing. When you look at the data sheet, sometimes you'll find that the equipment won't perform well under the same load. However, if something is mentioned on the data sheet and you implement it, you'll find places where you have high CPU and high memory utilization. When you buy something, maybe it should be 50% load, but when you put it into actual implementation, you find out that the CPU and memory remain very high.

With Palo Alto, the CPU and memory are both intact. It's performing well under load. We have different timings where we have a large load and it goes down and then goes up again. In both scenarios, the product is very good. The CPU performs well. Especially during upgrades, it was very stable and straightforward.

We have plans to increase usage. We're doing a migration in the cloud right now, and we plan to move a lot of our services to the cloud. This is where we'll either add more virtual firewalls in the cloud or increase the size and capacity of firewalls that we have there.

How are customer service and support?

The technical support is great. We've faced very, very serious problems where our systems were impacted due to some reason, and they were able to provide adequate support at the same time. When we raised a P1, an engineer started to work with us right away. Some vendors don't touch the customer's product.

Palo Alto's support is great; they're willing to get their hands dirty and help us.

I would rate technical support nine out of ten.

Which solution did I use previously and why did I switch?

We previously used Cisco ASA. We switched because of the IPS for compliance, but there were other factors as well, such as usability. We didn't have enough engineers who were well trained on Cisco because it's a very traditional kind of product that's completely CLI driven. We only had one or two people who could actually work on it. Even though people understand Cisco, when we asked them to implement something or make a change, they weren't that comfortable. 

With Palo Alto, it was very simple. The people who knew Fortinet also learned Palo Alto and picked it up very quickly. When we had new people, they were able to adjust to the platform very quickly.

How was the initial setup?

It was straightforward for us. For the initial deployment, we had two experiences. In one experience, we replaced one product with Palo Alto. In that particular situation, we used a tool from Palo Alto to convert the rules from Cisco to Palo Alto. It took us around four or five days to do the conversion and verification to make sure that everything was as it was supposed to be. The cloud deployment was straightforward. We were able to get the appliance up and running in a day.

For our deployment strategy, when we replaced our core, one of the key things was if we wanted to go with the same zones and to identify where the product would be placed and the conversion. We tested the rule conversion because we didn't want to make a mistake. We took a certain set of policies for one particular zone, and then we did the conversion and applied it. We did manual verification to ensure that if we went with an automated solution, which would do the conversion for us, it would work correctly and to see the error changes. Once we applied it to a smaller segment, we did all of it together.

For the cloud deployment, we had some challenges with Microsoft with visibility issues. From the marketplace, we took the product and deployed it. We did a small amount of testing to check how it works because it was new to us, but we were able to understand it very quickly. The engineers in UA helped us because the virtual networking for the cloud is a little bit different than when it's physical.

We were able to get it up and running very quickly. Palo Alto provides a manual for the quick start, which we used to do the deployment. It was pretty straightforward after that.

For maintenance and deployment, we have two engineers working in two shifts. We have around 15 or more Palo Alto firewalls, so we can survive with six members. That's more than enough to handle operations.

What was our ROI?

We offer security services, so it's difficult to calculate ROI. But since we're an organization where we cannot compromise on security, I would say the ROI is very good. We don't have any plans to change the product since we moved from Cisco.

What's my experience with pricing, setup cost, and licensing?

The cost is much better. We've worked with multiple vendors, and Palo Alto is very straightforward. We've done many implementations with Cisco, and they kill you on the licensing. When you enable each capability, it costs a lot. They charge you for the software and for the capabilities. They charge you for the licensing. It's very complicated. 

With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it.

I work for an enterprise, so we have the topmost license for compliance reasons. There is an essential bundle and a comprehensive bundle for enterprises.

Palo Alto also has a security essential bundle, which covers everything that's required for a small organization.

The PA-400 series of Palo Alto is the smaller box for small businesses. The good thing is that it has the same functionality as the big boxes because it runs the PAN-OS operating system in the background. It's a very good product because it provides you with the same capabilities that an enterprise uses. It provides the same operating system and signatures.

It's also good for an enterprise because you get the same level of capabilities of the firewall. There are firewalls that are 20 times more expensive than this. However, on a small box, you have the same capabilities, the same feature set, and the same stability, so I feel it's a very good product.

Which other solutions did I evaluate?

We chose Palo Alto right away because we couldn't go with the same vendor, which was Fortinet. We needed a different vendor, and the only option left was Palo Alto.

What other advice do I have?

I would rate this solution nine out of ten. 

As a recommendation, I would say go for it. It's a very good product. With implementation, we looked at a lot of different processes that said they offered a lot of capabilities. We've used almost all of them, such as GlobalProtect, which is for the VPN capability, and site-to-site VPN. We have done all kinds of implementations and in most of the cases, it's pretty much worked for us.

At some point, you will have requirements where you have third-party vendors, or you have to integrate with a third party. With Palo Alto, you're safe no matter what. With other open-source solutions, they work but you'll face issues, and you'll have to step up your security. 

With Palo Alto, it's straightforward. You'll have adequate security, it works well, and you'll be able to work with other solutions too, create tunnels, and GlobalProtect.

There are people who utilize open source products also, and it works well for them. But if you're an enterprise that provides 24/7 services, it's better to go with a company that has the support and features that work. We don't have any challenges with it. 

This is very important because maybe you can get a cheaper solution, but stability and functionality matter, especially when we talk about zero-day issues every single day. This is where Palo Alto would be best.

Secondly, with new types of technologies, like with Kubernetes or microservices, it's better that you go with a company that's actually able to cope with all the technology changes that are happening in the background. If you have a multi-operating system, you'll notice that the signatures for the attack are different for different types of operating systems. 

For instance, if you have Linux, Windows, and Unix, you need a product that understands all the different types of attacks on different systems. I think it's better to go with something that's well supported, works well, and is stable.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Eric-Smith - PeerSpot reviewer
Solutions Engineer/Consultant at a tech services company with 11-50 employees
Real User
Top 10
A reliable and consistent solution that allows us to manage the entire network from one interface and supports on-premises and cloud deployments
Pros and Cons
  • "One of the nice things about FortiGate is that it can be deployed on the cloud or on-premises. You can actually do both. That's the biggest reason why I stick with this solution as opposed to something like Cisco Meraki. Another nice thing is that I can log directly into a FortiGate or get to it through their FortiCloud access products. They're pretty reliable and consistent. One of the reasons why I started using the product was their single pane of management. I can deploy their line of firewalls in conjunction with their switching and access points, and I can manage the entire network from one interface. I don't have to log into one interface for the firewall, another one for the access points, and another one for the switches. These firewalls have access point controller functionality built right into the system, so I don't even have to purchase additional devices to manage them."
  • "FortiLink is the interface on the firewall that allows you to extend switch management across all of your switches in the network. The problem with it is that you can't use multiple interfaces unless you set them up in a lag. Only then you can run them. So, it forces you to use a core type of switch to propagate that management out to the rest of the switches, and then it is running the case at 200. It leaves you with 18 ports on the firewall because it is also a layer-three router that could also be used as a switch, but as soon as you do that, you can't really use them. They could do a little bit more clean up in the way the stacking interface works. Some use cases and the documentation on the FortiLink checking interface are a little outdated. I can find stuff on version 5 or more, but it is hard to find information on some of the newer firmware. The biggest thing I would like to see is some improvement in the switch management feature. I would like to be able to relegate some of the ports, which are on the firewall itself, to act as a switch to take advantage of those ports. Some of these firewalls have clarity ports on them. If I can use those, it would mean that I need to buy two less switches, which saves time. I get why they don't, but I would still like to see it because it would save a little bit of space in the server rack."

What is our primary use case?

We are a managed services company, and we are also a partner with Fortinet and Cisco Meraki. The firmware that I just started using is 6.4.4. Most of the FortiGates that I sell are 60E and 60F. For some of our larger customers, I have got a handful of FortiGate 80, 100, and 200.

Fundamentally, its primary purpose is security at the edge of the network. I have got some clients who are starting to use the SD-WAN feature for a multi-location setup. I have got other clients who are using a lot of IPSec tunnels. I also have some clients who, with the increase in remote workers, are taking advantage of the FortiClient product that ties in. They are using that for remote VPN connections. 

How has it helped my organization?

We are a managed services provider, and I would say that it has improved the way our client's organization functions. I would also hope that it is seamless for them. They don't even know it. The biggest improvement for us is that it allows us to do more with a smaller staff.

What is most valuable?

One of the nice things about FortiGate is that it can be deployed on the cloud or on-premises. You can actually do both. That's the biggest reason why I stick with this solution as opposed to something like Cisco Meraki. Another nice thing is that I can log directly into a FortiGate or get to it through their FortiCloud access products. They're pretty reliable and consistent.

One of the reasons why I started using the product was their single pane of management. I can deploy their line of firewalls in conjunction with their switching and access points, and I can manage the entire network from one interface. I don't have to log into one interface for the firewall, another one for the access points, and another one for the switches. These firewalls have access point controller functionality built right into the system, so I don't even have to purchase additional devices to manage them.

What needs improvement?

FortiLink is the interface on the firewall that allows you to extend switch management across all of your switches in the network. The problem with it is that you can't use multiple interfaces unless you set them up in a lag. Only then you can run them. So, it forces you to use a core type of switch to propagate that management out to the rest of the switches, and then it is running the case at 200. It leaves you with 18 ports on the firewall because it is also a layer-three router that could also be used as a switch, but as soon as you do that, you can't really use them. They could do a little bit more clean up in the way the stacking interface works.

Some use cases and the documentation on the FortiLink checking interface are a little outdated. I can find stuff on version 5 or more, but it is hard to find information on some of the newer firmware.

The biggest thing I would like to see is some improvement in the switch management feature. I would like to be able to relegate some of the ports, which are on the firewall itself, to act as a switch to take advantage of those ports. Some of these firewalls have clarity ports on them. If I can use those, it would mean that I need to buy two less switches, which saves time. I get why they don't, but I would still like to see it because it would save a little bit of space in the server rack.

For how long have I used the solution?

I have been using this solution since 2007.

What do I think about the stability of the solution?

If you have the firmware version 6.4.3 and are using FortiLink in VLAN, it has trouble with tunneling networks for a wireless network. It won't give it a route to the internet. I found it just last week. There was a version back in 6.2 where it required 12 characters for the password of a wireless network on Web 2.0 as opposed to the traditional eight characters. The problem came when you wanted to edit it. If you upgraded to that firmware from a previous version, it wouldn't let you save any changes without changing the password, making it a requirement. That was kind of problematic for a while, but for the most part, it has been pretty stable and responsive.

What do I think about the scalability of the solution?

It is easy to scale as long as you start with the right firewall. Our clients are of different sizes. We have clients with the home office with two or three employees. One of the clients has about 26 locations in all four time zones and about 400 employees.

How are customer service and technical support?

I haven't used their official tech support, which is actually a good thing. The reason I haven't used their official tech support is that they have a support mechanism in place. I have direct access to a local sales engineer, and when I have problems, I call him up on the cell phone. Based on that, they definitely support their partners 100%. They are definitely channel driven, and it shows.

Which solution did I use previously and why did I switch?

I have deployed SonicWall, WatchGuard, Cisco ASA, Rockies, and Palo Alto. The biggest reason I went with Fortinet is that it felt like it has got Palo Alto type of functionality at a much more reasonable price point.

I spent seven years working at the state level education, and budgets were tough. We had SonicWall subscription services. I could replace them with the brand new FortiGate with a three-year subscription for the same cost. That really changed things. The single pane of management that they have was just the frosting on the cake.

How was the initial setup?

It is pretty simple. For example, I just set up a new network with a 100E, and I have got four stackable switches. It will run a network with 23 access points. I set up all the VLANs, routing, rules, and other things. It won't take more than four hours of work. I am getting ready to box up and ship it out. It will be plug and play once it gets to the site.

What other advice do I have?

Take the training. They've got free training that is available online, and there are different levels for technical training. It is crucial. If you sign up as a partner, which doesn't cost you anything, the training is free. If you want to go for the test and get certified, you got to pay for the test, but the actual training materials are available to every partner for free. I would say that definitely take advantage of those. When you have new employees as network engineers, make this training a part of the routine.

I would rate Fortinet FortiGate an eight out of ten. I have been using it for years, and I do try to evaluate it on a regular basis and continue to stick with them. I just don't have a lot of bad things to say about them. Aside from their product, I'm a also fan of their company and how they do business, which makes it easier to do business with them. I don't necessarily appreciate the business practices of some of their competitors. It is nice not to have to worry about that.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Shrijendra Shakya - PeerSpot reviewer
C.T.O at Sastra Network Solution Inc. Pvt. Ltd.
Real User
Top 5Leaderboard
User-friendly interface, easy to monitor, and has a single pane of glass for reporting
Pros and Cons
  • "With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly."
  • "It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait."

What is our primary use case?

This is our core firewall for the data center network.

We have two on-premises appliances set up in a high availability configuration.

How has it helped my organization?

The VM-Series enables us to extend consistent next-generation protection across different infrastructures with a unified policy model, which makes it very easy for us. It is very important that we have this single pane for monitoring all of the network resources and multiple devices because, today, it's a complex environment where you have to take care of many devices.

This solution makes it very easy to quickly migrate workloads to the cloud.

Since we updated the system, the network has been very stable. Previously, there were issues with traffic throughput. With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly.

What is most valuable?

This is a firewall product and every OEM has claims about their special features. This device is very user-friendly and offers ease of monitoring.

Changes to the configuration happen quickly.

There is a single pane of glass for reporting, which is quite good. 

The interface is user-friendly.

What needs improvement?

It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait. Having a dedicated number where we could send a text message in the case of an emergency would be helpful.

For how long have I used the solution?

We have been using Palo Alto Networks VM-Series for approximately six months.

What do I think about the stability of the solution?

We are very much satisfied with the stability and performance.

What do I think about the scalability of the solution?

This solution is quite scalable because it has options for deploying in a VM as well as an appliance. The interfaces are all license-based, which means that features can be added just by obtaining another license.

Our current environment has more than three gigs of traffic.

We have a team of four or five people that is responsible for the network. They are continually monitoring the firewall and updating the policies, as required.

How are customer service and support?

Pala Alto has very good support. Generally, the response is very good and they address our issues as soon as we contact them. For example, they assisted us during our deployment and it was a very good experience.

My only complaint about the support has to do with complications that we had with communication. Sometimes, support was done over email, and because of the difference in time zone, there was occasionally a long gap in time before we got the proper response.

Which solution did I use previously and why did I switch?

We used to have Cisco ASA and Firepower, and we had some issues with those firewalls. Once they were replaced by Palo Alto, we didn't have any problems after that. 

Compared to the previous devices that we have used from other vendors, Palo Alto is very user-friendly, and we are comfortable with the features and capabilities that it offers.

How was the initial setup?

The initial setup is very straightforward and we had no issues with it. It is not complex because the procedures are properly defined, the documentation is available, and there is proper support. Our initial setup took about 15 days, which included migrating all of the data.

Our deployment is ongoing, as we are adding policies and dealing with updates on a day to day basis. We have a very complex environment that includes a firewall for the data center, as well as for the distribution networks.

What about the implementation team?

The Palo Alto team supported us through the deployment process.

What's my experience with pricing, setup cost, and licensing?

Palo Alto definitely needs to be more competitive compared to other products. The problem that I have faced is that the price of licensing is very high and not very competitive. When a customer wants to implement Palo Alto, even a small box, there are several licenses, and having all of them is sometimes really hard to justify. It is difficult for some clients to understand why such a small box costs so much.

For instance, they have the dashboard license, and then they have the user license, and so on. If the pricing were more competitive then it would be good because more customers would use the product, rather than use simpler firewalls.

Which other solutions did I evaluate?

We have worked with firewalls like Sophos, FortiGate, and Cisco ASA. We have dealt with almost all of the vendors but at this point, our experience with Palo Alto has been the best one. Palo Alto has been doing what it claims to do, whereas the other vendors' products have various shortcomings.

For example, some vendors do not have the performance that they claim in terms of throughput. Sometimes, the user interface is complex, or the device needs to restart whenever you make changes. With Palo Alto, it's simple to use and easy to get things done.

What other advice do I have?

We have not yet used Panorama for centralized management but in the future, we may do so for other projects.

My advice for anybody who is looking into purchasing a firewall is to carefully consider what their requirements are. I have seen that when a customer procures a firewall, they initially choose products like Sophos. Over time, they engage in trials with the majority of the vendors and finally end up with Palo Alto. This is only after spending a lot of time and money on other products.

If instead, a client is aware of the requirements including how much traffic there is and what throughput is needed, it's better to invest in Palo Alto than to try all of the cheaper alternatives. Then, evaluate everything afterward and finally select Palo Alto. This, of course, is providing the client doesn't have limitations on the investment that they're going to make.

I say this because generally, in my practice, what I've seen is that when choosing a firewall, the clients first choose a cheaper alternative. Then, after some time they think that it may not be what they wanted. This could be brought about by a throughput issue or maybe some threats were not blocked or they have had some security incidents. After trying these firewalls, they replace them with another, and yet another, until finally, they settle on Palo Alto.

Essentially, my advice is to skip the cheaper vendors and go straight to Palo Alto.

In summary, this is a very good product and my only real complaint is about the cost. If it were more competitive then more customers would choose it, and those people suffering losses as a result of security incidents would be saved. I find the real reason that people don't choose the right product is due to the cost factor. Even when they know that the product is the best choice, because of the limitation that they have on the investment they can make, they're not able to choose it.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Chris Booyens - PeerSpot reviewer
IT Manager at Thyme IT
Real User
Top 20
A rock-solid and sensible product that works very well, comes at a fair price, and requires minimal handling
Pros and Cons
  • "There are many features. VPN, firewalling, and intrusion detection are the main features that are most useful for us at this time."
  • "Their support is fairly good, and they come back to me. I've had an issue once or twice where I couldn't understand what the support person was saying because those calls were probably routed to India. They were a bit difficult to understand, but it is generally not an issue."

What is our primary use case?

We use it for firewalling. Lately, we are also using it for remote access or VPN access for the users to the firewall and then onto the local network for people working from home. We've seen a huge jump in work from home. Everybody is working from home, so we need a secure connection to the office.

I am not using its latest version. I normally wait for a couple of months before upgrading the unit to make sure there are no bugs or issues. I check on the forums to see what other people are saying and whether there are any issues. 

What is most valuable?

There are many features. VPN, firewalling, and intrusion detection are the main features that are most useful for us at this time.

What needs improvement?

Their support is fairly good, and they come back to me. I've had an issue once or twice where I couldn't understand what the support person was saying because those calls were probably routed to India. They were a bit difficult to understand, but it is generally not an issue.

For how long have I used the solution?

I have been using this solution for seven years.

What do I think about the stability of the solution?

It is stable. We've been dealing with it for such a long time. We know exactly how to set it up. Sometimes, clients have got funny ideas, and I just say to them, "You tell me what you need, and I'll do the config and set it up." I've got two clients who have got technical skills. One of them is fairly proficient on Sophos, so he does the work as well, but for most of our other clients, we set it up, and there are no issues. It just works.

What do I think about the scalability of the solution?

It is scalable provided you purchase the correct product. We do a bit of homework. We don't just sell you the first device on the list because that's not always suitable. We do a scope of the client's business. They may be a startup with just five users, but they might have a plan to have 100 or 200 users. We need to just size according to what they anticipate to be. It is no good if we sell them an entry-level device now, and two months later, it is too small. We purchase according to a client's requirements.

We've got clients with four users, and the number can go up to hundreds. I'm currently busy setting one up for 150 users, and obviously, there is much more work involved in doing the remote VPN setups.

How are customer service and technical support?

I use the local support in South Africa. If they can't help me, then I log a case with their international support. They're fairly good, and they come back to me. 

I've had an issue once or twice where I couldn't understand what the support person was saying because those calls were probably routed to India. They were a bit difficult to understand. They spoke so fast, and I could not hear what they were saying, but it is generally not an issue. It is not a showstopper, and we manage to work. If I don't understand, I say to them, "Can we rather chat by email?", which makes it a lot easier.

Which solution did I use previously and why did I switch?

There some other firewalls that my company is using, but they're way below in terms of specs and what they can do. Sophos XG is a layer 7 firewall, and most of the others are only layer 2 firewalls. Sophos is far superior. 

I do not have any knowledge about Cisco, Juniper, or other firewalls. I don't really use them. I use some open-source firewalls, but they're also a lot lighter. I've got one or two very small clients or non-profits where we run an open-source firewall, but the feature set is way limited compared to Sophos.

Sophos XG comes in at a fair price as compared to some of the other products out there. Its learning curve wasn't that steep. It makes sense, and it is a sensible product. It is not like some of the other products.

How was the initial setup?

It is simple for me. I've done so many setups. I can probably do these things in my sleep. In fact, I have got one in front of me now that I need to configure and install. I'm fairly proficient in the use of these devices. I'm happy with it.

The deployment duration depends on the setup. Some simple setups can be up and running within two hours. Complex ones most probably will take four to six hours. It also depends on the client's needs. Some of them have simple requirements, and they just want firewalling and one or two remote-access VPNs. Others have got a complex setup where we need to set up cameras and VoIP telephone systems. It all depends on a client's requirements.

It doesn't require any maintenance because the definitions are auto-updated. I've got a dashboard where I can manage all of the firewall devices from one dashboard. If I want to upgrade the software on 20 of them, I'll log onto the dashboard and upgrade the software just by selecting it and saying upgrade the software, and it is done. It requires very minimal handling on a day-to-day basis. Antivirus definitions, scanning definitions, and all those things are auto-updated anyway.

What's my experience with pricing, setup cost, and licensing?

It comes at a fair price as compared to some of the other products out there. Its price is in the middle. It is not the cheapest, and it is also not as expensive as Juniper, Check Point, and definitely Cisco. Nowadays, everybody is very cost-sensitive, and people don't want to spend unnecessary money, but even before that, it was a fairly priced product.

You've got your choice of what license you want. There are basically two types of licenses, and it depends on what you need to do, and everything is included in that license. There is no cost for VPN and DMZ. You purchase the license, and you know upfront what you're getting or what you're not getting, and that's it. It is one license fee and done and dusted.

What other advice do I have?

I would definitely recommend this solution to others. I recommend it to all my clients. I'm using it at home as well, and it works great. I'm fairly proficient in it, so I'm very confident. I can recommend it to anybody and everybody. It is a great product, and I've got no issue with it.

I would rate Sophos XG a ten out of ten. It is a rock-solid product that works. We've so many deployments of this solution. I'm just happy with it. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Network Associate at a wireless company with 1,001-5,000 employees
Real User
Top 10
Centrally managed, good antivirus and attack prevention capabilities, knowledgeable support
Pros and Cons
  • "We have between five and ten firewalls on-premises, and if we want to configure or push the same configuration to all of the firewalls, then the centralized management system is very helpful."
  • "The level and availability of training should be improved."

What is our primary use case?

We use firewalls to protect our private environment from the public environment. My IT group is in charge of protecting the environment and maintaining safe usage of the internet. This product gives us a better, safer solution for the users within our company. 

How has it helped my organization?

Using this solution saves us time because nowadays, there are many malicious sites, as well as other threats and viruses on the internet. As it is now, we are not required to do anything because we have the antivirus and regular updates from Check Point. That is very helpful for us because when new viruses emerge, we just install the new signature and it works to protect us.

What used to take me seven days to do, now takes me only five. However, this is not just a time benefit because it better protects our environment as well. I estimate a 20% to 30% reduction in the number of attacks, compared to before.

What is most valuable?

I like the antivirus, attack prevention, three-layer architecture, and data center management features.

The antivirus updates are quite frequent, which is something that I like.

Central management is a key feature. We have between five and ten firewalls on-premises, and if we want to configure or push the same configuration to all of the firewalls, then the centralized management system is very helpful. It means that we only have to push the configuration once and it gets published on all of the firewalls.

What needs improvement?

The level and availability of training should be improved. I have seen people that are not well trained on the Check Point firewall and the reason is simply that the quality of available training is poor compared to that of other firewalls on the market.

The command-line interface (CLI) should be more user-friendly.

For how long have I used the solution?

I have been using Check Point NGFW for approximately four years, since 2017.

What do I think about the stability of the solution?

I work on the Check Point firewall five days a week and the stability is very good. In general, the updates to the software and antivirus are very stable. We have not faced any issues.

What do I think about the scalability of the solution?

It is very easy to scale and extend usage. We started with five firewalls and now there are approximately ten. There is not much effort required to scale and it is not very complex.

Directly or indirectly, there are between 2,000 and 3,000 people using it. Whenever their traffic is required to be sent to the internet from the office environment, the traffic passes through the firewall.

How are customer service and technical support?

We are very happy with our experience with technical support. They are very knowledgeable and the process for resolving tickets or problems is fast. We have had incidents dealt with quickly by their team. 

Which solution did I use previously and why did I switch?

Prior to Check Point, we were using Cisco ASA and we are still using it today. The reason for implementing Check Point is that we wanted more advanced features. What we found was that after 2017, we needed better protection for our environment, and that is something that comes with advanced firewalls such as Check Point and Palo Alto.

I'm very happy with the Check Point firewall because it includes many features that are missing from Cisco ASA. Also, it offers a better and easier experience.

One of the significant differences is that Cisco ASA does not have a central management system. If we want to configure 10 firewalls with the same configuration, it is not possible to push them all at once. Instead, you have to configure them one by one. Apart from that, the antivirus and threat management need additional hardware because the functionality is not present in Cisco ASA. 

One of the positive points about Cisco ASA is that the training is very good, and it is available on the internet. This makes it easy to use for somebody who is new to the product. This is unlike the case with Check Point, where quality training is not available.

How was the initial setup?

We found the initial setup to be straightforward, as we have many experienced people in our team and they have worked with Check Point firewalls. 

We used the central management functionality a lot, and we initially configured five or six firewalls. It took between six and seven months for the complete deployment.

Our implementation strategy included the three-layer architecture, the centralized management system, the console, and the web UI. We followed the process that was recommended by Check Point.

What about the implementation team?

Our in-house team was in charge of the deployment. We have a team of seven people that work in shifts, and we did all of the work, with some support from Check Point.

Six or seven people in different shifts are required for maintenance. At any given time, we generally work with two or three people during the same shift. I think that two people working at the same time are sufficient.

What was our ROI?

We have seen ROI and when you consider the features like central management, antivirus, and threat management, it is a good investment.

We did have cost savings, moving to Check Point from Cisco ASA. We required additional hardware devices, such as an IPS solution, antivirus, and threat management. In addition, we needed too many resources because we had so many individual ASA firewalls. There was no central management system, so more staff were required.

Ultimately, with Check Point, we needed fewer people and we also saved on the cost of hardware.

What's my experience with pricing, setup cost, and licensing?

The price of this solution is average; not too high and not too low. It is more expensive than Cisco ASA but cheaper than Palo Alto.

After the first package of licenses, we have not needed to purchase additional ones. When our license expires then we will purchase another one. 

Which other solutions did I evaluate?

We also evaluated a solution by Palo Alto and we chose Check Point because it was more cost-friendly.

What other advice do I have?

The biggest lesson that I have learned from using this product is that it is good to see a company like Check Point is continuously working on the quality of their product, and we should learn from that. It is good to improve over time because it is very easy to get into the market, but it is not too easy to sustain. 

My advice for anybody who is implementing this firewall is to ensure that they are trained completely because it is not easy to use. Moreover, there is not much training available online, so you want to have trained with the device. This is a product with many features, which are pros, but these same features can become cons if you are not using it with complete knowledge.

In summary, this is a good product and they have been improving continuously, but there are still some areas to improve.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Firewalls
September 2022
Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: September 2022.
635,162 professionals have used our research since 2012.