Buyer's Guide
Firewalls
January 2023

Read reviews of Fortinet FortiGate alternatives and competitors

Project Engineer at Telindus B.V.
Real User
Talos continuously enriches intelligence so that you get information about upcoming threats on time
Pros and Cons
  • "The most important feature is the intensive way you can troubleshoot Cisco Firepower Firewalls. You can go to the bit level to see why traffic is not handled in the correct way, and the majority of the time it's a networking issue and not a firewall issue. You can solve any problem without Cisco TAC help, because you can go very deeply under the hood to find out how traffic is flowing and whether it is not flowing as expected. That is something I have never seen with other brands."
  • "The Firepower FTD code is missing some old ASA firewalls codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore."

What is our primary use case?

Telindus, our company, is an integrator. We sell Firepower and we do use it ourselves. I use all the different versions of the product. 

We either replace our customers' other brands of firewalls with Firepower, or we upgrade their old Cisco ASA Firewalls to the new Firepower firewalls. The type of device we advise them to install depends on the customer's requirements and the throughputs needed.

Our primary use case for Firepower is for big networks.

What is most valuable?

The most important feature is the intensive way you can troubleshoot Cisco Firepower Firewalls. You can go to the bit level to see why traffic is not handled in the correct way, and the majority of the time it's a networking issue and not a firewall issue. You can solve any problem without Cisco TAC help, because you can go very deeply under the hood to find out how traffic is flowing and whether it is not flowing as expected. That is something I have never seen with other brands. That is why, when people move from another brand to Cisco, they never leave Cisco. They see that advantage.

Something I like about Firepower, in general, is that it still relies on the old ASA code. That's something customers really like because when they go into the CLI, they remember, "Oh, that's the ASA, that I am familiar with," but it's enriched with all the next-gen features of Snort. When a customer has knowledge of the ASA codes, they can do intensive troubleshooting because they know the device.

Customers also like Talos, which is the intelligence behind all of Cisco's security products, including Firepower. Talos is very good and is actually the most important part of a security product. It's important that you have something in the background that is continuously enriching intelligence so that you get information about upcoming threats on time. That keeps you protected as soon as possible when a Zero-day happens. Something that customers like about Cisco Firepower, in combination with Talos intelligence, is that full-time people are working in the background to provide information to Cisco security products.

Customers really want visibility into their networks. For example, they want identity management and that is something you can use Firepower for. With it, in addition to an IP address going somewhere, you can also see the username. That's a big advantage of Firepower, and can be set up quite easily.

Also, in very large networks, our customers use Cisco DNA Center. They have automation orchestration for their access network and that works seamlessly with Cisco Firepower firewalls. Security Group Tags can be used from DNA to an edge Firepower firewall. That way, they have microsegmentation within their access network for DNA. And they can extend that to their firewall rules for Firepower. 

Our customers also use Cisco ISE to get user information. ISE is connected to DNA Center. That is something that Firepower works seamlessly with, and we do sell it a lot. We sell a lot of Cisco's other security equipment, and they all send their information to SecureX. Having more Cisco security products means your security information is becoming enriched within the SecureX platform. The integration among these Cisco products is more than easy. Cisco documents everything, in detail, when it comes to how to integrate the different parts. I've never had an issue with integrating Cisco security products with each other.

And for smaller networks, like those our government customers have, what they like about Cisco Firepower, and why they purchase it nine out of 10 times, is its ease of use and the reporting in Firepower Management Center. That is something they really like. They can look up things themselves and they like the SecureX integration.

What needs improvement?

The Firepower FTD code is missing some old ASA firewalls codes. It's a small thing. But Firepower software isn't missing things that are essential, anymore.

For how long have I used the solution?

I've been using Cisco Firepower NGFW Firewall since it came out; from the time Cisco started to use the name Firepower and they bought Snort. That's when they put in the next-generation features. 

What do I think about the stability of the solution?

Firepower is rock-stable. So far, I have not seen any failed firewall. The only thing that was not quite stable in the past was Firepower Management Center, but since version 6.6 that has also been rock-stable. I haven't had any failed components in the last couple of years. I did have them two years ago and further in the past, where firewalls were not functioning and needed a reboot, but since 6.6, the stability is very good. We don't have priority-one tickets anymore.

What do I think about the scalability of the solution?

In the Netherlands, where I work, we don't have very big customers requiring very high throughput. So I cannot say anything about clustering where you can pile different ASAs or Firepower devices together to increase performance when you require it. 

But scalability, in general, is pretty hard. Competition-wise, sometimes it's hard to sell Cisco security products because, in my opinion, Cisco is quite honest about the real throughput they are able to provide. Other vendors may be giving figures that are a little bit "too perfect." Sometimes it's hard for us to sell Cisco firewalls because a customer says, "Well, when I go to other brands they say they have double the throughput for half the price." Well, that's great on paper, but... 

In general, after we have installed Cisco firewalls, our customers are very pleased by the performance. They also like that they can tweak settings to get more performance out of the firewall by enabling specific policies for specific traffic, and by disabling inspection for very internal data center traffic. That provides a big boost to the overall firewall performance. When a customer complains that we didn't scale it correctly, and they say it's not performing as well as they expected, I'm always able to tweak things so that it performs the way the customer requires.

How are customer service and technical support?

I have interacted with Cisco's technical support many times. Nowadays, it sometimes takes a while to get to the person with the correct knowledge, but that is happening in the world in general. First-line people are common around the world and they are trying to figure out if an issue is actually a second- or third-line issue. But when you do reach the correct department, and they know that you are knowledgeable and that you are really facing a high-priority issue or a strange behavior, Cisco's support does everything it can to help you fix things, including involving the development department. I'm very happy with their tech support.

Which solution did I use previously and why did I switch?

Most of the time we replace Sophos, Check Point, SonicWall, and Fortinet firewalls with Cisco firewalls. Customers really like the overall integration with SecureX. They see the advantage of having more security products from Cisco to get more visibility into their security. We also replace old, non-next-generation firewalls from Cisco; old ASAs.

How was the initial setup?

The initial deployment of Firepower is a straightforward process. For me, it's pretty easy. If you have never worked with it, I can imagine it might be complex. 

Cisco makes it easier all the time. You can now deploy a remote branch by managing the device on an external interface. In the beginning, with previous software versions, that was hard. You needed to configure the file as a remote branch, but for that you needed the central Firepower Management Center to configure it and you didn't have a connection yet. It was a big issue to set up an initial firewall remotely when there was no connection to the Management Center. But that's been fixed.

In general, you just put down some management IP addresses and configure things so that the devices see each other and it starts to work. It's far from complex.

Generally, the initial setup takes four hours. The implementation strategy depends on the customer. I always have a conversation with the customer upfront. I explain how the connectivity works for Cisco Firepower, and then I say that I want to be in a specific subnet field. Then I start configuring the basics, and that is the part that takes about four hours, for Firepower Management Center and two firewalls in HA. Then, I start to configure the firewalls themselves, the policies, et cetera.

Which other solutions did I evaluate?

I have experience with SonicWall, Fortinet, Juniper, and Sophos firewalls, among others. We work with Fortinet and Palo Alto. It's not that we only do Cisco. But I can say from my experience that I am really more convinced about Cisco products.

What customers really like about Cisco, the number-one thing that they are really happy about within Firepower—and it was also in the old ASA code, but it's even more a feature in Firepower—is that the configuration is in modules. It's modular. You have different policies for the different functions within your firewall, so that your access control policy is only for your access lists and that's it. You have a different network address translation policy. It's all separated into different policies, so a customer knows exactly where to look to configure something, to change something, or to look at something which is not working properly.

Also, with Cisco, when a customer is not totally certain about a change he's going to make, he can make a copy of the specific access control policy or the NAT policy. If something doesn't go right, he can assign the copied policy back to the device and everything is back to the way it was. 

These are the biggest advantages our customers see. When a customer doesn't have any knowledge about firewalls, I can explain the basics in a couple of hours and they have enough familiarity to start working with it. They see the different modules and they know how to make a backup of a specific module so that they can go back to the previous state if something goes wrong.

What other advice do I have?

My advice is "buy it." A lot of people prefer a specific brand and it's fairly hard to convince them that something else, like Cisco, is not bad, as well. They are so convinced about their existing firewall that they want to keep that brand because they are familiar with it and they won't need to learn a new firewall. It's hard for a customer to learn how a firewall works in the first place.

But my advice is that people should read about how Cisco security, in general, is set up and how it is trying to protect them with Talos. They need to understand that Cisco security is very good at what it does. They shouldn't blindly believe in what they have at the moment. I always hear, "My firewalls are good enough. I don't need Cisco. I will just buy the same ones, but new." Cisco Firepower is superior to other firewalls and people should not be afraid to dive in. By educating themselves about the firewall, they will be fine in managing it.

Practically speaking, Cisco firewalls are easier to manage than the firewalls they have at the moment, but they need to make the leap and try something else. That is the hardest part. When I do show them what they are capable of, and how you can configure all kinds of different things, they start to understand.

We don't have many customers that use other vendors' security products together with Firepower. We convince nine out of 10 customers to go over to Cisco fully. We do have customers who don't do that, and then we try to find a way to get the solutions to work together. For example, we try to integrate other brands' switches or firewalls with Cisco security products, but most of the time that is pretty hard. It's not the fault of Cisco. It requires that the other brands speak a protocol language that will support integration, but in the end, it's not perfect and the integration does not work very well. The majority of the time, we are not able to integrate into other security products. Cisco is using standard protocols, but the other vendor is abusing some sort of protocol and then it doesn't work well.

I don't prefer using applications in firewall rules, but our customers do use the application visibility and control, and it works perfectly. Firepower is very good at recognizing the application and is very good at showing you the kind of application that has been recognized. Customers use that in their access control policy rules, and I have never heard bad things about it. Cisco Firepower works very well in recognizing applications.

I get questions from customers because they do not understand threat messages generated by Firepower. Sometimes, it's hard to read what exactly the message is saying. In my opinion, that is not something that is specific to Cisco security or Firepower, rather it is an issue with security in general. Most networking people get these fancy firewalls and they get fancy security events. It's hard for some of them to understand what is meant, and what the severity level is of the message. It's more that a networking guy is trying to read security events. Firepower is doing a good job, but customers sometimes have problems understanding it and then they stop looking at it because they don't understand it. They assume that Firepower is taking the correct actions for them.

Firepower is not a fire-and-forget box. It is something you actually do have to take a look at. What I tell customers is, "Please enable Impact-One and Impact-Two messages in your mailbox, and if it's really something that you cannot understand, just forward it to me and I will take a look for you." Most of the time they are not very high-impact messages. There are only one or two high-impact messages per month.

There are customers who say, "We want you to review the messages in Firepower once a week." I have a look at them when I have time. We try to help the customer check security events once a week or so. That's not great, but it's always a question of finding a good balance between the money a customer can spend and the security aspects. When we do monitor all the events, 24/7, for a customer, you can imagine that it is quite expensive.

I configure every customer's automatic tweaking of IPS policies so that the IPS policy is enabled for the devices seen by Firepower, for recognition of what kinds of clients and hosts are in the network. Other than that, we do not do a lot of automation within Firepower.

Since 7.0, I don't have a lot of things to complain about. If I do have suggestions for improvements, I will give them during the beta programs. The speed of the FMC is very good. The deployment time is much better. They added the policy deployment rollback. That was something I really missed, because if I destroyed something I was able to undo that. Now, for me, it's actually almost perfect.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Donald Keeber - PeerSpot reviewer
President at Margate Net
Real User
Top 5
Ensures a company has a better security posture
Pros and Cons
  • "It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine if you have DNS Security in place. You will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance."
  • "The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better."

What is our primary use case?

In most cases, our use cases were for migration and conversions. People were coming off of dated Cisco platforms and other types of firewall technologies that might not have met next-generation standards, like App-ID. Then, Palo Alto Unit 42 had to go out there and investigate with threat hunters, etc., which was not that well-known or used. Then, Palo Alto sort of showed everybody that world back in 2007 or 2008.

Mostly, I was dealing with people migrating off of their platforms onto Palo Alto. Unfortunately, in most cases, they wound up just converting them into service-based firewalls, like what they were already using, because they weren't ready to accept the requirements behind actually creating an effective App-ID policy yet for their company.

It wasn't well adopted at first. Even though everybody wanted it, people were putting it in and not really fully deploying it. Once I started working for Palo Alto, we had a whole lot more control over getting people to actually utilize the technology, like it was meant to be used. Mostly, it was going in as a service-based firewall with some App-ID. However, people weren't really taking advantage of the SSL decryption and other things necessary to truly utilize the firewall effectively.

I have an active customer who has 600 users using Palo Alto. I have another active customer with 300 users using Palo Alto.

How has it helped my organization?

It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine if you have DNS Security in place. You will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance.

What is most valuable?

Machine learning is definitely here to stay. Machine learning has to be a part of everybody's solution now, especially going out into the cloud where we don't have as much hardware control. We don't control our perimeters as much anymore. We need to have machine learning. So, machine learning has been a critical point in the evolution of this product.

DNS Security incorporates Unit 42, WildFire, and all the rest of their antivirus and threat features. It can be very effective because it will know about these bad actor zones and DNS hacks before it gets to your network, which is important. Everybody should be using it, but I haven't found as many people adopting it as they should.

For anything manipulating TCP 453 or any type of DNS-type application, you will want to be all over that. It is definitely a big problem.

What needs improvement?

It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management.

For how long have I used the solution?

I worked for Palo Alto for about three and a half to four years. I retired from them last year. Before that, I was with Juniper firewalls. So, I have about 10 years' experience, on and off, with Palo Alto in various, different scenarios.

What do I think about the stability of the solution?

They push stuff out that is not quite ready. If you use the product one version back, then you are pretty good. However, if you try to stay cutting edge, you are going to run into stuff that doesn't work. They are forever releasing stuff that doesn't work right or as designed. Every company does that though, so it is just a question of who is worse. You need to be careful with some of the newer stuff that they release. You need to bake it very well before you put it into production.

What do I think about the scalability of the solution?

I am not absolutely certain they have done a good job in scaling out. They may start to suffer now and going forward because there are other, more cloud-ready platforms out there starting to shine over Palo Alto. They are not the prodigal son anymore.

It has limited scalability since it is still very hardware-centric. They have a cloud VM model, but I haven't had too much experience with it.

How are customer service and support?

The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better.

Several years ago, I would put technical support at eight or nine out of 10. Now, they are down around two or three, which is really low. I have had very bad luck with their support lately.

How would you rate customer service and support?

Negative

How was the initial setup?

It depends on whether you are coming in from a migration, which means that you expect everything that you will be doing to be out-of-the-box. It has to be if you are putting it in place. You can then evolve it from there to make it more capable. 

I find the technology pretty easy to work with. Some people don't find it as straightforward. That probably leaves some areas for improvement, where people almost have to do a boot camp to fully take advantage of the product. That shouldn't be the case for a new customer. It should be a little bit more seamless than it is, but it's not bad. I can't really knock it. It is fairly simple to employ, if you know what you are doing.

Most migrations take anywhere from two to six weeks.

What about the implementation team?

I did the deployment. I was using it while I was at Palo Alto. I am still managing them, even outside of Palo Alto. It has been a consistent experience.

What was our ROI?

The return on investment doesn't necessarily show right away. However, if a company gets hacked and taken down, they are out of business. So, was your return on investment strong if you put these firewalls in and it prevented that? Absolutely. However, if you put them in and you never get attacked, then you might ask, "Would you have gotten attacked before?"

What's my experience with pricing, setup cost, and licensing?

There is a license for DNS Security, which I have never actually licensed, but it is a very powerful tool. DNS security is important, and I think that Palo Alto's capabilities are effective and strong there. However, I don't find a lot of companies taking advantage of it.

This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify. However, my customers will do that if I tell them, "You still need to do that," then they will do it since it is still an entry point into the network. 

You really need Premium Support, Applications and Threats, DNS Security, and antivirus. The extra bolt-ons, such as Advanced URL Filtering, you need to determine by use case where you are going to use those licenses, then see if you really need them. You might be adding a bunch of licenses that you will never actually get to effectively use. Their licensing model has gotten a bit exorbitant and a la carte. You will wind up spending quite a bit of money on licenses and renewals.

Which other solutions did I evaluate?

There is another company out there that I like quite a bit in the firewall space who does a really good job and has a very fast, inexpensive firewall. That is Fortinet. My two favorite firewall companies are Fortinet and Palo Alto. I recommend Fortinet in cases where people don't have the money, as you can get a very nice solution from Fortinet for a lot less money. Fortinet is a good player. I like Fortinet. 

Palo Alto's interface is a little nicer to work with, e.g., a little easier and more intuitive than Fortinet. This makes Palo Alto a little nicer for the end user, but Fortinet is a kick-ass solution. I would never downplay it. It is definitely really strong. For $600, you can get a fully functional next-generation firewall on Fortinet, and you can't do that with Palo Alto. That is a world of difference in pricing.

What other advice do I have?

Machine learning is taking logs and feeding them back through. Everybody is doing machine learning now. You need to have some type of machine learning in order to understand what is going through your environment since you can't be predictive anymore, like you used to be able to be. There is no way of knowing what things are going to do. Therefore, machine learning helps the firewall become smarter. However, machine learning is only as good as how it is utilized and how effectively it is deployed, and it is not always obvious. With Palo Alto, it was difficult to get the API keys and whatnot to work correctly, getting real, effective, actual, usable machine language stuff to use in the policies. It was a lot more hype than reality.

Their zero-pass architecture is not really zero-pass, but it is better than others. It still has to run the traffic through again, once it is recognized at the port, service, and route level, to be acceptable. Then, it has to bring it back through to try to recognize the application. So, it is not necessarily a 100% zero-pass, but the way it works. 

It is like in the Indianapolis 500 when a car pulls into a pit stop. Instead of having one place in the pit stop where the tires are changed, another place in the pit stop that does the windows, and another place that does the gas, they have all the guys come around the car and do their work on the car at the same exact time. That is what is happening with Palo Alto. The packet gets there and the services attack the packet versus having to run the packet through the mill. That is what makes it faster, but it still has to do it more than once before it really knows. It is definitely better than what anybody else has done up to this point. 

With a single-pass cloud, we are not concerned with hardware as much anymore. Now, we are concerned with technology, implementation, and how controls are deployed. That is more important now than where the hardware is, e.g., if the hardware is integrated or deintegrated. I don't know if that is even that important anymore, but it was at one time.

As long as you are comfortable with the price point, you are not going to make a mistake going this way. It is definitely best-in-class and a first-class firewall. I would never be ashamed of putting Palo Alto Networks NGFWs into my network. It's a very good product. As much as I might complain about this and that, there isn't any product that you would put in the network where you are going to have 100% confidence in it. There will always be something. Palo Alto NGFWs are the best way to go.

I would rate this solution as nine out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Pre Sales Security at a tech services company with 201-500 employees
Reseller
Top 10
Multifeatured firewall solution with a user-friendly interface, high availability, scalability, and stability
Pros and Cons
  • "User-friendly firewall solution which scales well, is stable, and has high availability."
  • "Support for SonicWall TZ needs improvement, particularly the time it takes before you're able to speak to a support person, e.g. you have to wait for at least 30 minutes on the phone."

What is our primary use case?

Our customers use SonicWall TZ for network security and also for connectivity, e.g. when our customer is a company with HQ and branches, and they want to secure their branches the way they secure their HQ, we recommend SonicWall TZ so we're able to protect both the users in the HQ and the users in the branches. We also use this solution to optimize the bandwidth that they have by configuring SD-WAN services.

Another use case for this product is when using switches, e.g. when people want to connect their IP phones, their access points, and their access control devices, we recommend the switches and utilize SonicWall TZ, but mostly this firewall solution is for network security monitoring, analytics, and reporting.

How has it helped my organization?

SonicWall TZ has a number of benefits to customers.

One benefit is the visibility of the network and activities that are happening on the network, which enables customers to improve on their policies. For example, if a customer sees that YouTube is consuming a lot of bandwidth, they can revise the policies and allocate less bandwidth to YouTube, then give more bandwidth to business-critical applications.

Another benefit of this solution is that it's able to bring a lot of visibility to things that are hidden from a normal IT person's view, so now that these things are visible, users are able to make quick decisions. For example, there was an organization that was complaining that they have less bandwidth, so we implemented the firewall and noticed that whatever they were getting, they needed to add more, before they're able to add more bandwidth from their ISP. 

The simplicity of SonicWall TZ is also one of the things I like about it.

What is most valuable?

I found many features in SonicWall TZ that are valuable. The NSM (Network Security Manager) is great when you have more than one firewall, e.g. two, three, five, etc., because it's a central place where you can configure the firewalls.

Even for users who only have one firewall, SonicWall TZ is great, because it's very easy to use. It's user-friendly. I have used other firewalls, and I've worked with Fortinet and Palo Alto, and if I compare their user interface with SonicWall TZ, this solution has an interface that's so much easier to use.

In this product, configuring the policies and everything else that needs to be configured is straightforward. You don't have to move through multiple pages and tabs. It's easy to configure and use.

The analytics feature of SonicWall TZ is also good, because users are able to see information on bandwidth utilization, including applications that are traversing the network.

I also like the Capture ATP (advanced threat protection) feature of this solution, because it shows the unknown files that have been detected in the network, how they were scanned, and what the results are. It's a very good feature.

I like the licensing scheme of SonicWall TZ. If you have high availability requirements, you don't need to buy two licenses. You just buy one. This is cost-effective for the customers. I also like the secure upgrade promotion, e.g. if you have an existing firewall from Cisco, Fortinet, or another competitor, SonicWall will give you a two-year license for the price of a one-year license.

SonicWall TZ has good features that I can really position to my customers, and that's how we're able to win new business.

I also like the form factor uniqueness of this product. You can use it even in an office with 10, 15 people. That's very great. That's a day one capability, and it's not licensed, e.g. it's something you can get out-of-the-box. I also believe that SonicWall TZ 570 and 670 series can accommodate SFP (small form-factor pluggable), and I find that very unique.

SonicWall TZ also has high availability, so it's a perfect solution.

What needs improvement?

Support for SonicWall TZ needs improvement, particularly the time it takes before you're able to speak to a support person, e.g. you have to wait for at least 30 minutes on the phone, and this needs to be improved.

This is an affordable solution, but a competitor like Sophos can give SonicWall a run for their money. Sophos and Fortinet are major competitors of SonicWall, and the way they package their solutions, especially Sophos, they're cheaper, so for some customers who aren't technical, they will just run to these competitors because they're cheaper. However, once you explain to the customer that this is the situation, mostly we're able to win the business for SonicWall.

An additional feature I'd like to see in the next release of SonicWall TZ is enhanced automation.

For how long have I used the solution?

I've worked with SonicWall TZ since 2019. I've been working with it for three years now.

What do I think about the stability of the solution?

I didn't have any issues with SonicWall TZ in terms of stability. I started working with SonicWall in 2019, and all the customers I sold this to, not a single device has failed, apart from one customer who had a failure in Ethiopia last year, but that customer bought the device for quite some time, e.g. in 2018 or 2019, so that one had been onsite. I've not heard of any breakage apart from that one, so this product is stable.

What do I think about the scalability of the solution?

SonicWall TZ is scalable. I just have one customer here who is suffering because of issues with sizing and scoping initially, but from what I've seen, this solution is scalable. It scales well.

How are customer service and support?

I was able to contact the SonicWall technical support team a few times, but before I was able to talk to a support person, I had to stay on the line for almost 30 minutes, sometimes even longer than 30 minutes. This is something that they need to improve.

How was the initial setup?

The initial setup for this solution was very straightforward. I don't have an issue with setting up SonicWall TZ.

What's my experience with pricing, setup cost, and licensing?

I find the licensing scheme of SonicWall TZ cost-effective for customers. SonicWall also has a secure upgrade promotion that lets you enjoy a two-year license for the price of a one-year license, if you have an existing firewall from competitors, e.g. Cisco, Fortinet, etc.

Which other solutions did I evaluate?

I was able to evaluate Fortinet FortiGate briefly. I also evaluated Palo Alto.

What other advice do I have?

I've used Fortinet FortiGate briefly. SonicWall TZ is what I'm using at the moment. We are an authorized distributor of SonicWall, so we sell SonicWall products, including SonicWall TZ, to resellers and partners.

We deal with the latest versions of this solution: the gen 7 series and the gen 7 NSa series. These are what we've been selling to most of our customers.

We have not been able to sell SonicWall TZ on cloud. We have received requests for quotes, particularly for cloud deployment, but what we were able to sell were on-premises deployment, e.g. physical devices.

Deployment of this product usually takes less than a day, but it really depends on the setup, on the network. We recently had one that took two days, but it's usually just less than a day.

We sell SonicWall TZ to different companies. One company has 10 users. Another company has a hundred users. There's another company with 500 users. We sell to partners, and that's our main job. The partners sell to the customer, so you'll find one partner has five customers, another partner has two customers, etc. We are just not covering Kenya. We cover east Africa all the way up to Congo, Ethiopia, Djibouti, and Eritrea. We cover all those areas.

What I usually tell people who are looking into implementing this product is that it's the easiest to use among the many firewalls I've seen.

I have not been disappointed with SonicWall TZ, so I'm giving it an eight out of ten, not a perfect score, because there's still room for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
C.T.O at Sastra Network Solution Inc. Pvt. Ltd.
Real User
Top 5
User-friendly interface, easy to monitor, and has a single pane of glass for reporting
Pros and Cons
  • "With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly."
  • "It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait."

What is our primary use case?

This is our core firewall for the data center network.

We have two on-premises appliances set up in a high availability configuration.

How has it helped my organization?

The VM-Series enables us to extend consistent next-generation protection across different infrastructures with a unified policy model, which makes it very easy for us. It is very important that we have this single pane for monitoring all of the network resources and multiple devices because, today, it's a complex environment where you have to take care of many devices.

This solution makes it very easy to quickly migrate workloads to the cloud.

Since we updated the system, the network has been very stable. Previously, there were issues with traffic throughput. With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly.

What is most valuable?

This is a firewall product and every OEM has claims about their special features. This device is very user-friendly and offers ease of monitoring.

Changes to the configuration happen quickly.

There is a single pane of glass for reporting, which is quite good. 

The interface is user-friendly.

What needs improvement?

It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait. Having a dedicated number where we could send a text message in the case of an emergency would be helpful.

For how long have I used the solution?

We have been using Palo Alto Networks VM-Series for approximately six months.

What do I think about the stability of the solution?

We are very much satisfied with the stability and performance.

What do I think about the scalability of the solution?

This solution is quite scalable because it has options for deploying in a VM as well as an appliance. The interfaces are all license-based, which means that features can be added just by obtaining another license.

Our current environment has more than three gigs of traffic.

We have a team of four or five people that is responsible for the network. They are continually monitoring the firewall and updating the policies, as required.

How are customer service and support?

Palo Alto has very good support. Generally, the response is very good and they address our issues as soon as we contact them. For example, they assisted us during our deployment and it was a very good experience.

My only complaint about the support has to do with complications that we had with communication. Sometimes, support was done over email, and because of the difference in time zone, there was occasionally a long gap in time before we got the proper response.

Which solution did I use previously and why did I switch?

We used to have Cisco ASA and Firepower, and we had some issues with those firewalls. Once they were replaced by Palo Alto, we didn't have any problems after that. 

Compared to the previous devices that we have used from other vendors, Palo Alto is very user-friendly, and we are comfortable with the features and capabilities that it offers.

How was the initial setup?

The initial setup is very straightforward and we had no issues with it. It is not complex because the procedures are properly defined, the documentation is available, and there is proper support. Our initial setup took about 15 days, which included migrating all of the data.

Our deployment is ongoing, as we are adding policies and dealing with updates on a day to day basis. We have a very complex environment that includes a firewall for the data center, as well as for the distribution networks.

What about the implementation team?

The Palo Alto team supported us through the deployment process.

What's my experience with pricing, setup cost, and licensing?

Palo Alto definitely needs to be more competitive compared to other products. The problem that I have faced is that the price of licensing is very high and not very competitive. When a customer wants to implement Palo Alto, even a small box, there are several licenses, and having all of them is sometimes really hard to justify. It is difficult for some clients to understand why such a small box costs so much.

For instance, they have the dashboard license, and then they have the user license, and so on. If the pricing were more competitive then it would be good because more customers would use the product, rather than use simpler firewalls.

Which other solutions did I evaluate?

We have worked with firewalls like Sophos, FortiGate, and Cisco ASA. We have dealt with almost all of the vendors but at this point, our experience with Palo Alto has been the best one. Palo Alto has been doing what it claims to do, whereas the other vendors' products have various shortcomings.

For example, some vendors do not have the performance that they claim in terms of throughput. Sometimes, the user interface is complex, or the device needs to restart whenever you make changes. With Palo Alto, it's simple to use and easy to get things done.

What other advice do I have?

We have not yet used Panorama for centralized management but in the future, we may do so for other projects.

My advice for anybody who is looking into purchasing a firewall is to carefully consider what their requirements are. I have seen that when a customer procures a firewall, they initially choose products like Sophos. Over time, they engage in trials with the majority of the vendors and finally end up with Palo Alto. This is only after spending a lot of time and money on other products.

If instead, a client is aware of the requirements including how much traffic there is and what throughput is needed, it's better to invest in Palo Alto than to try all of the cheaper alternatives. Then, evaluate everything afterward and finally select Palo Alto. This, of course, is providing the client doesn't have limitations on the investment that they're going to make.

I say this because generally, in my practice, what I've seen is that when choosing a firewall, the clients first choose a cheaper alternative. Then, after some time they think that it may not be what they wanted. This could be brought about by a throughput issue or maybe some threats were not blocked or they have had some security incidents. After trying these firewalls, they replace them with another, and yet another, until finally, they settle on Palo Alto.

Essentially, my advice is to skip the cheaper vendors and go straight to Palo Alto.

In summary, this is a very good product and my only real complaint is about the cost. If it were more competitive then more customers would choose it, and those people suffering losses as a result of security incidents would be saved. I find the real reason that people don't choose the right product is due to the cost factor. Even when they know that the product is the best choice, because of the limitation that they have on the investment they can make, they're not able to choose it.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Pre-sales Manager at a computer software company with 501-1,000 employees
Real User
Has good scalability and stability, and a direct internet access feature
Pros and Cons
  • "The most valuable features of Cisco SD-WAN include the DIA and its integration with Cisco Umbrella for DNS security."
  • "One area for improvement in Cisco SD-WAN is reporting. The report needs to give more visibility to the customer. The security feature in Cisco SD-WAN also needs improvement, particularly if Cisco wants to challenge other brands, such as Fortinet."

What is our primary use case?

I'm in Indonesia, where I use Cisco SD-WAN for DC and DRC to communicate with bank branches. One customer uses traditional simple routing via VGP or SPF to communicate to the head office data center or disaster recovery center. Still, I proposed using SDN technology, Cisco SD-WAN, to improve the application experience, have visibility to the provider link, and communicate directly from the branches to the application, such as Microsoft 365.

The customer also wants to access an application in the cloud from the branches, which requires a proxy, so the traffic goes to the data center and then to the cloud. You can directly connect all components to the cloud with Cisco SD-WAN, so I've implemented the product for the customer.

The primary use case for Cisco SD-WAN is direct internet access, including onboard security. Customers don't want just a simple routing. Customers also want a firewall and IPS feature from Cisco SD-WAN.

How has it helped my organization?

One of the benefits of Cisco SD-WAN is cost reduction for customers. In Indonesia, it's costly to use NPLS and Metro for connection, so I always propose using an internet link to communicate between branches to the data center or disaster recovery center. Cisco SD-WAN can provide that service; the product also keeps traffic secure. Some customers may be afraid to use the internet link or connection to communicate between the branches and the data center because of some critical applications, so it may not be the best practice for some customers.

However, as my company is a partner of Cisco, I give the customer the PLC first before providing the solution, and I have customers happy about what I propose, in this case, Cisco SD-WAN.

If a customer wants access to cloud-based collaboration apps, such as WebEx, Google Meet, Zoom, and Teams, Cisco SD-WAN can integrate with Cisco Umbrella for cloud security.

With Cisco SD-WAN, customers can enjoy cost reduction. Customers also don't need to use a third-party DNS or process security solution because Cisco SD-WAN integrates with Cisco Umbrella. This is how beneficial Cisco SD-WAN is to an organization or business.

What is most valuable?

The most valuable features of Cisco SD-WAN include the DIA and its integration with Cisco Umbrella for DNS security.

What needs improvement?

One area for improvement in Cisco SD-WAN is reporting. The report needs to give more visibility to the customer. For example, the report should provide API information. I have a customer who wants to integrate the application via API and wants a summary of the utilization, branch links, and all internet connections on Cisco SD-WAN. The product has a monitoring menu, but it's very simple and needs to be more detailed, so that could be improved.

The security feature in Cisco SD-WAN also needs improvement, particularly if Cisco wants to challenge other brands, such as Fortinet. Fortinet has a firewall layer with an IPS feature, plus it can also run SD-WAN within the same box or device, while Cisco SD-WAN has a limited firewall and IPS feature, which could be improved.

In the next release, I also want to see more flexibility in the product when integrating with other infrastructure or monitoring solutions.

For how long have I used the solution?

My experience with Cisco SD-WAN is around two to three years. Just last week, I implemented Cisco SD-WAN for one of my customers.

What do I think about the stability of the solution?

I found the stability of Cisco SD-WAN good enough.

What do I think about the scalability of the solution?

Cisco SD-WAN has good scalability, so I'm giving its scalability an eight out of ten.

How are customer service and support?

I'd rate the Cisco SD-WAN technical support team as seven out of ten because my company had difficulty getting the best engineer for a partner and a customer.

How would you rate customer service and support?

Neutral

How was the initial setup?

Some customers need more detail about Cisco SD-WAN, so it takes a long discussion before the product is implemented, but for a customer that knows Cisco SD-WAN, at least how it works, signing up for it and implementing it takes three to six months. Sometimes, completing the deployment of Cisco SD-WAN takes one year if the customer requirement is complicated and challenging.

For simple routing, Cisco SD-WAN is easy to set up. It's an eight out of ten. If you're setting up the product with some security features, then the setup would be more complex, and that's a three out of ten for me.

The last time I deployed Cisco SD-WAN, mainly for three hundred to four hundred cases, the deployment took six months to one year.

I deployed the product for a bank, so the deployment and maintenance should not disrupt the production, which means it takes more time to migrate the current connection or the current infrastructure to Cisco SD-WAN because my team also needs to build the data center and the RC, and then migrate the traditional link with Cisco SD-WAN, and refresh the router at the branches. For three hundred to four hundred cases, that required many field engineers, about fifteen engineers. The bank also had project and implementation teams, but I have no idea how many people made up the teams.

What about the implementation team?

I implemented Cisco SD-WAN with fifteen engineers, plus implementation and project teams from the bank.

What was our ROI?

The ROI from Cisco SD-WAN is good for me, so it's an eight out of ten.

What's my experience with pricing, setup cost, and licensing?

The pricing for Cisco SD-WAN is more expensive than other brands or solutions, such as Fortinet and Palo Alto Networks, so it's one out of ten.

Cisco SD-WAN also doesn't have flexibility using bandwidth tiering licenses, while Palo Alto Networks and Fortinet have more flexibility with the licensing.

One customer is on a three-year subscription, while another chose a different type of subscription and tiering license. Customers only pay for the standard licensing fees.

What other advice do I have?

I'm a pre-sales engineer, but only for Cisco products, such as Cisco DNA Center, Cisco SDI, Cisco SD-WAN, and other Cisco technologies.

I implemented the latest version of Cisco SD-WAN for a customer.

I deployed Cisco SD-WAN on the public cloud for customers, but I'm unsure if it runs on AWS, Google, or Azure cloud.

Cisco SD-WAN requires two types of maintenance, on-call and onsite. Three engineers handle onsite maintenance during office hours—two from 8:00 AM to 5:00 PM and one from 5:00 AM to 11:00 PM. There's a second or backup engineer on standby that handles troubleshooting for the customer.

In each bank, Cisco SD-WAN has many users. Based on how many panels or bandwidth each bank uses, I'd say one bank already has two thousand to two thousand five hundred.

My rating for Cisco SD-WAN is eight out of ten. Despite needing some improvements, the product is already good for both customers and partners and is competitive enough.

My company is a gold partner of Cisco.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner