Palo Alto Networks NG Firewalls Overview

Palo Alto Networks NG Firewalls is the #5 ranked solution in best firewalls. PeerSpot users give Palo Alto Networks NG Firewalls an average rating of 8.8 out of 10. Palo Alto Networks NG Firewalls is most commonly compared to Azure Firewall: Palo Alto Networks NG Firewalls vs Azure Firewall. Palo Alto Networks NG Firewalls is popular among the large enterprise segment, accounting for 58% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.
Palo Alto Networks NG Firewalls Buyer's Guide

Download the Palo Alto Networks NG Firewalls Buyer's Guide including reviews and more. Updated: May 2023

What is Palo Alto Networks NG Firewalls?

Palo Alto Networks NG Firewalls are next-generation firewalls that protect networks from threats and attacks. They are used for perimeter security, data center protection, and managing secure access to environments.

The firewall provides application control, malware protection, scalability, stability, user-friendly interface, threat hunt capabilities, application visibility and awareness, URL filtering, traffic monitoring, machine learning for attack prevention, a unified platform for all security capabilities, DNS security, VPN, and embedded machine learning. Palo Alto Networks NG Firewalls is easy to manage, reliable, and balances security and network performance well. It also provides complete visibility through logs and alerting.

Palo Alto Networks NG Firewalls Features

Palo Alto Networks NG Firewalls has many valuable key features. Some of the most useful ones include:

  • Secure Application Enablement (App-ID, User-ID, Content-ID)
  • Malware Detection and Prevention (threat prevention service, buffer overflows and port scans, anti-malware capabilities, command-and-control protection, and WildFire)
  • DNS Security (URL filtering, predict and block malicious domains, signature-based protection, extensible cloud-based architecture)
  • Panorama Security Management (including graphical views and analytics, manage rules and dynamic updates, customizable application command center (ACC), log collection mode, physical or virtual appliance)
  • Threat Intelligence (high-fidelity threat intelligence, priority alerts, automatic extraction and sharing of prevention indicators, native integration with Palo Alto Networks products)

Palo Alto Networks NG Firewalls Benefits

There are several benefits to implementing Palo Alto Networks NG Firewalls. Some of the biggest advantages the solution offers include:

  • Dedicated management interface for management and initial configuration of the device
  • Regular threat signatures and updates
  • Import addresses and URL objects from the external server
  • Configure and manage with REST API integration
  • Great throughput, with fair connection speed even under high traffic load
  • Deep visibility into the network activity through Application and Command Control
  • Easy to manage and very user friendly

Reviews from Real Users

Below are some reviews and helpful feedback written by Palo Alto Networks NG Firewalls users.

A Solutions Architect at a communications service provider says, “The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us. An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications.”

PeerSpot user Gerry H., CyberSecurity Network Engineer at a university, mentions that the solution has a “Nice user interface, good support, is stable, and has extensive logging capabilities.” He also adds, “Wildfire has been a very good feature. This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.”

Eric S., Network Analyst at a recreational facilities/services company, states, "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."

Palo Alto Networks NG Firewalls was previously known as Palo Alto NGFW, Palo Alto Networks Next-Generation Firewall, Palo Alto Networks PA-Series.

Palo Alto Networks NG Firewalls Customers

SkiStar AB, Ada County, Global IT Services PSF, Southern Cross Hospitals, Verge Health, University of Portsmouth, Austrian Airlines, The Heinz Endowments

Palo Alto Networks NG Firewalls Pricing Advice

What users are saying about Palo Alto Networks NG Firewalls pricing:
  • "With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it."
  • "The cost of the license is platform-dependent. It would be nice if they standardized that across the board to make the license a flat fee instead of based on scale and the platform you're using. Functionality shouldn't change based on the platform or the amount of data going through it. It's the same functionality on there. That's one aspect customers often raise. The platform's price is what it is, but the ongoing cost of the annual license is hard for some customers to wrap their heads around."
  • "Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions."
  • "There is an advantage to going with the high availability pair licensing model versus the standalone. It gives you a high availability pair, but the pricing is only a slight increase over a single system. It makes sense to take a look at your add-on functionality, like the Applications and Threats subscription and URL protection subscription. On the user side, I might want everything. However, on the server side, I might not need very much. I might want the Applications and Threats subscription and not much else. So, you don't have to buy all the bells and whistles for every firewall. Depending on what the function is, there are ways around it."
  • "It's cheaper to replace the equipment every three years than to upgrade. We have done two refreshes of their appliances. What I have seen is that the initial hardware cost is low, but you need a subscription and you need maintenance plans. After every three years, if you're trying to renew your maintenance or subscription, that can be very costly. It's cheaper to just get a newer solution with a three-year subscription and maintenance. It's cheaper to replace your hardware completely with a new subscription plan and a new maintenance plan than to renew the maintenance subscription on existing hardware."
  • "This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify."
Palo Alto Networks NG Firewalls Reviews

    Ali Mohiuddin - PeerSpot reviewer
    Security Architect at an educational organization with 201-500 employees
    Real User
    Top 5
    Provides zero trust implementation, more visibility, and eliminated security holes
    Pros and Cons
    • "One of the key features for us is product stability. We are a bank, so we require 24/7 service."
    • "There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features."

    What is our primary use case?

    On-premises, we used Cisco but replaced our core firewall world with Palo Alto because we wanted more visibility. Plus, we were looking for features such as IPS for PCI compliance. We wanted next-generation capability, but we had the ASA traditional firewall with Cisco, which doesn't do much, so we replaced it with Palo Alto. 

    In the cloud, we use Palo Alto for the zero trust implementation. Initially, we tried to work with the Azure firewall, but we found a lot of limitations in terms of visibility. It couldn't provide us with the same visibility we wanted for Layer 4 and above.

    The solution is deployed both on cloud and on-premises. The cloud provider is Azure.

    We have about 6,500 endpoints in my organization and five administrators.

    How has it helped my organization?

    One of our key challenges was for the PCI, the new standard 3.1. There's a requirement that financial applications need to have some sort of zero trust architecture. They need to be completely segregated. We implemented zero trust using Palo Alto so that if we are within the same subnet within the network, we have protection.

    The unified platform helps us eliminate security holes. We use another product from Palo Alto, called WildFire, which is basically sandboxing. We have layers of products. Because of WildFire, we're able to identify any weaknesses in the upper layers.

    We give a copy of the same packet to WildFire, and this helps us identify things that were bypassed, such as malware or malicious files. It's especially helpful when we're transferring files, like on SMB, because it's integrated.

    The unified platform helps eliminate multiple network securities, and the effort needed to get them to work with each other. It's a very good product for us because it fits well in our ecosystem. 

    Our other vendor is Fortinet. Previously, we struggled with having multiple products. One of them was command-line based and the other one was web-based. The engineers would have some difficulty because not everyone is good with a command line platform. Palo Alto and Fortinet are both managed by the UI and they're very similar products. They work well with each other, so we use certain capabilities here and there.

    For example, for some internet browsing, we generally have a separate solution for our proxy, but there are situations where we need to provide direct internet access to a particular server in a certain situation. The problem is when a particular product does not work with the proxy for some reason. This is where we use Palo Alto's web filtering. If we didn't have a solution that could do this, it would be difficult on our side because how can we provide direct access to the server without securities?

    When browsing, the logs provide us with the required information. For example, we allow certain URLs to a particular server, and we have that data also. This goes back into our same solution. With Palo Alto, the connectors are built in.

    Our Palo Alto Firewall has the zero-delay signatures feature implemented. For the IPS capability, we rely completely on Palo Alto. If we don't have this implemented and there's a new, ongoing attack, we will be exposed. We make sure there are controls on the policies we have on each layer.

    Even if a patch is released for that particular issue, it would take us time to implement it. We actually rely on the network layer, which is our Palo Alto box, to prevent that in case someone tries to exploit it. In the meantime, we would patch it in the background.

    What is most valuable?

    One of the key features for us is product stability. We are a bank, so we require 24/7 service.

    Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.

    The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.

    It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.

    When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.

    Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.

    There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.

    We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.

    We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNS security.

    Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIM solution. Having a single pane is also very good when we try to search or if we have issues or any traffic being dropped.

    Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.

    When we have to push configurations, we can push to multiple appliances at one time. 

    Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.

    What needs improvement?

    We have had some challenges. There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features.

    Other products provide you with APIs that allow you to access certain features of the product externally with another solution. In the cloud, we have a lot of products that provide us with these capabilities, such as Microsoft. It has its own ecosystem, which is exposed through Graph API. I would like to have the capability to use the feature set of Palo Alto and provide it to another solution.

    For example, if we have a very good system to identify malicious IPs within Palo Alto, we would like the ability to feed the same information into another product using the APIs. These are obviously very advanced capabilities, but it would be great if Palo Alto would allow this in the future.

    For how long have I used the solution?

    I have used this solution for more than five years. I'm using version 10.1.

    What do I think about the stability of the solution?

    It's extremely stable. We've used it on the perimeter and as a core firewall in our data center. In both cases, it's what we rely on today.

    What do I think about the scalability of the solution?

    The scalability is amazing. When you look at the data sheet, sometimes you'll find that the equipment won't perform well under the same load. However, if something is mentioned on the data sheet and you implement it, you'll find places where you have high CPU and high memory utilization. When you buy something, maybe it should be 50% load, but when you put it into actual implementation, you find out that the CPU and memory remain very high.

    With Palo Alto, the CPU and memory are both intact. It's performing well under load. We have different timings where we have a large load and it goes down and then goes up again. In both scenarios, the product is very good. The CPU performs well. Especially during upgrades, it was very stable and straightforward.

    We have plans to increase usage. We're doing a migration in the cloud right now, and we plan to move a lot of our services to the cloud. This is where we'll either add more virtual firewalls in the cloud or increase the size and capacity of firewalls that we have there.

    How are customer service and support?

    The technical support is great. We've faced very, very serious problems where our systems were impacted due to some reason, and they were able to provide adequate support at the same time. When we raised a P1, an engineer started to work with us right away. Some vendors don't touch the customer's product.

    Palo Alto's support is great; they're willing to get their hands dirty and help us.

    I would rate technical support nine out of ten.

    Which solution did I use previously and why did I switch?

    We previously used Cisco ASA. We switched because of the IPS for compliance, but there were other factors as well, such as usability. We didn't have enough engineers who were well trained on Cisco because it's a very traditional kind of product that's completely CLI driven. We only had one or two people who could actually work on it. Even though people understand Cisco, when we asked them to implement something or make a change, they weren't that comfortable. 

    With Palo Alto, it was very simple. The people who knew Fortinet also learned Palo Alto and picked it up very quickly. When we had new people, they were able to adjust to the platform very quickly.

    How was the initial setup?

    It was straightforward for us. For the initial deployment, we had two experiences. In one experience, we replaced one product with Palo Alto. In that particular situation, we used a tool from Palo Alto to convert the rules from Cisco to Palo Alto. It took us around four or five days to do the conversion and verification to make sure that everything was as it was supposed to be. The cloud deployment was straightforward. We were able to get the appliance up and running in a day.

    For our deployment strategy, when we replaced our core, one of the key things was if we wanted to go with the same zones and to identify where the product would be placed and the conversion. We tested the rule conversion because we didn't want to make a mistake. We took a certain set of policies for one particular zone, and then we did the conversion and applied it. We did manual verification to ensure that if we went with an automated solution, which would do the conversion for us, it would work correctly and to see the error changes. Once we applied it to a smaller segment, we did all of it together.

    For the cloud deployment, we had some challenges with Microsoft with visibility issues. From the marketplace, we took the product and deployed it. We did a small amount of testing to check how it works because it was new to us, but we were able to understand it very quickly. The engineers in UA helped us because the virtual networking for the cloud is a little bit different than when it's physical.

    We were able to get it up and running very quickly. Palo Alto provides a manual for the quick start, which we used to do the deployment. It was pretty straightforward after that.

    For maintenance and deployment, we have two engineers working in two shifts. We have around 15 or more Palo Alto firewalls, so we can survive with six members. That's more than enough to handle operations.

    What was our ROI?

    We offer security services, so it's difficult to calculate ROI. But since we're an organization where we cannot compromise on security, I would say the ROI is very good. We don't have any plans to change the product since we moved from Cisco.

    What's my experience with pricing, setup cost, and licensing?

    The cost is much better. We've worked with multiple vendors, and Palo Alto is very straightforward. We've done many implementations with Cisco, and they kill you on the licensing. When you enable each capability, it costs a lot. They charge you for the software and for the capabilities. They charge you for the licensing. It's very complicated. 

    With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it.

    I work for an enterprise, so we have the topmost license for compliance reasons. There is an essential bundle and a comprehensive bundle for enterprises.

    Palo Alto also has a security essential bundle, which covers everything that's required for a small organization.

    The PA-400 series of Palo Alto is the smaller box for small businesses. The good thing is that it has the same functionality as the big boxes because it runs the PAN-OS operating system in the background. It's a very good product because it provides you with the same capabilities that an enterprise uses. It provides the same operating system and signatures.

    It's also good for an enterprise because you get the same level of capabilities of the firewall. There are firewalls that are 20 times more expensive than this. However, on a small box, you have the same capabilities, the same feature set, and the same stability, so I feel it's a very good product.

    Which other solutions did I evaluate?

    We chose Palo Alto right away because we couldn't go with the same vendor, which was Fortinet. We needed a different vendor, and the only option left was Palo Alto.

    What other advice do I have?

    I would rate this solution nine out of ten. 

    As a recommendation, I would say go for it. It's a very good product. With implementation, we looked at a lot of different processes that said they offered a lot of capabilities. We've used almost all of them, such as GlobalProtect, which is for the VPN capability, and site-to-site VPN. We have done all kinds of implementations and in most of the cases, it's pretty much worked for us.

    At some point, you will have requirements where you have third-party vendors, or you have to integrate with a third party. With Palo Alto, you're safe no matter what. With other open-source solutions, they work but you'll face issues, and you'll have to step up your security. 

    With Palo Alto, it's straightforward. You'll have adequate security, it works well, and you'll be able to work with other solutions too, create tunnels, and GlobalProtect.

    There are people who utilize open source products also, and it works well for them. But if you're an enterprise that provides 24/7 services, it's better to go with a company that has the support and features that work. We don't have any challenges with it. 

    This is very important because maybe you can get a cheaper solution, but stability and functionality matter, especially when we talk about zero-day issues every single day. This is where Palo Alto would be best.

    Secondly, with new types of technologies, like with Kubernetes or microservices, it's better that you go with a company that's actually able to cope with all the technology changes that are happening in the background. If you have a multi-operating system, you'll notice that the signatures for the attack are different for different types of operating systems. 

    For instance, if you have Linux, Windows, and Unix, you need a product that understands all the different types of attacks on different systems. I think it's better to go with something that's well supported, works well, and is stable.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    John Sayer - PeerSpot reviewer
    President at JTS Network Consulting, LLC
    Real User
    Top 10
    Phenomenal reporting and it's easy to find which threats have been detected and what traffic is going through the box
    Pros and Cons
    • "One of the simple features I like about Palo Alto firewalls is that it's extremely easy to find out what's happening in the network. The reporting is phenomenal, and it's easy to find which threats have been detected and what traffic is going through the box. When a customer notices something is wrong, you can quickly check the amount of traffic going through the firewall around that time. If there is anything out of the ordinary, you can decide it needs to be investigated further."
    • "The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers."

    What is our primary use case?

    NG Firewalls form the edge between customers' networks and the internet. They often provide load balancing to multiple internet providers. In most cases, people use NG Firewalls for more than just a basic firewall function. 

    The intrusion detection and prevention feature is usually the most significant piece that people want because it provides layers of protection against malware, ransomware, and things of that nature.

    How has it helped my organization?

    My colleague likes to tell our clients that none of his customers who installed a Palo Alto have ever had a ransomware attack. I'm always nervous when he says that because things change so fast. However, it gives people peace of mind that they're protected at the network's edge. 

    The firewall is going to do everything possible to protect resources and data. We have customers with social security numbers, HIPAA data, and other sensitive customer information. Other products don't seem to provide the same level of protection and leave customers open to malware or ransomware attacks.

    Palo Alto has many features to protect against data leakage and unauthorized downloads, so it can do quite a lot to protect a network against any attack. The leadership at our client companies feel reassured that they've done what they can with the best solution out there to protect themselves.

    Smart people always do stupid things, like clicking on something they shouldn't. They often realize their mistake five minutes or five seconds after doing it. We've seen what these mistakes can quickly do to an organization. Palo Alto's features help you prevent those types of things from happening. You can immediately block suspicious file downloads and push those up to Palo Alto to investigate. You can get ahead of the problem and help other folks who might not have seen that attack.

    NG Firewalls provide a unified platform that natively integrates all security capabilities. Having all those features in one platform at the edge is essential. That's a massive component of the customers' overall security structure. It isn't everything, but it protects the edge of the network. 

    It does not prevent someone from getting their company laptop infected at home and infecting the network when they come to the office the next day. That's where other pieces come into play to make an overall security structure. The firewall is designed to protect everything at the edge and has everything you need to do that. It protects you at the edges and provides reports that give people information about what's happening on the network at a given time and date. 

    NG Firewalls take care of any holes in the client's network and reduce the number of security tools needed. A decade ago, deploying these types of tools required multiple devices, whether that was Barracuda email, firewall, and an intrusion detection platform. Generally, people had antivirus and anti-spyware systems running in their enterprises. All of that is now integrated into the Palo Alto Firewall platform.

    The antivirus and anti-spyware features are as good as anything out there. It's updated constantly, so any novel threats are automatically detected. On top of all these features, it provides a solid edge platform that incorporates all of the security features necessary in that edge component.

    What is most valuable?

    One of the simple features I like about Palo Alto firewalls is that it's extremely easy to find out what's happening in the network. The reporting is phenomenal, and it's easy to find which threats have been detected and what traffic is going through the box. When a customer notices something is wrong, you can quickly check the amount of traffic going through the firewall around that time. If there is anything out of the ordinary, you can decide it needs to be investigated further.

    I talk to customers a lot about simple aspects. Palo Alto firewalls have vast technical capabilities in the signature database, which is constantly updated. Palo Alto does a lot of work to find threats in the wild, which is rare among vendors. From a practical and operational standpoint, the ability to see what's happening at any time, live or historically, is a huge benefit compared to other firewalls that are out there.

    Machine learning is a massive part of it. Threats are always evolving, and they can constantly update the signatures they're hunting and the raw data streams they're looking for outside of something that's been defined as a true signature type of attack.

    Most of my customers use what Palo Alto refers to as the WildFire functionality. Their online analysis team checks every 15 minutes to find anything new that has been detected in the wild anywhere in the world. Once their team finds something, they immediately disseminate that information down to the firewalls so they can start looking for something new. That includes anything that has evolved from one version of an attack to another. So far, we have not run into any issues with changing attacks creating problems for customers with a Palo Alto firewall in place.

    It's rare for our customers to use the zero-day intelligence feature to upload information to Palo Alto. Still, receiving anything from Palo Alto that others have detected out in the wild is beneficial. Any zero-day signature people find in a data stream can be pushed down to the firewalls, and it's a huge benefit to know that the firewall can stay on top of the changes in the attack world.

    The PA 400 series is excellent. It's the product that they were missing. Years ago, there was a Palo Alto 200 and a Palo Alto 500. The 500 was a relatively low-cost platform that focused more on team-sized businesses. It reached the end of its life, and they replaced it with an 800, a similar form factor but quite a bit more expensive. The 200 was replaced with a 220, which was at the low end cost-wise in the product family, but they never had anything in the middle. 

    They didn't have something that offered high performance at a reasonable cost. The 400s provide that missing link inside their product family to cater to small and medium-sized businesses. Because more and more, even though companies are small, with 50 to 100 people in a company, internet bandwidth has gotten so cheap that they're typically running 1+ gigabit-per-second connections out to the internet.

    While they may not be using that much bandwidth today, that will change as they do more and more online. We saw during the pandemic how that could change quickly. Suddenly, everybody's working from home, and internet connectivity is the company's lifeblood. The 400 series gives customers decent performance at a lower price point in a small form factor. It's a product they can deploy, knowing it will protect them and provide the performance they need for years.

    What needs improvement?

    The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers. 

    Palo Alto is developing that, and I need to understand how they integrate with an Office 365-type mail environment. The next piece is figuring out how to get that information to the people who need it without somebody physically sitting in front of the screen or going to the firewall to have it delivered to them regularly. The capability is there, but it's primarily based on an older email architecture that customers rarely use anymore.

    For how long have I used the solution?

    I'm an integrator who has been doing professional services with Palo Alto installations for at least eight years.

    What do I think about the stability of the solution?

    Palo Alto firewalls are solid. I can recall that we haven't had platform failures or product issues with the Palo Alto Firewalls. Everything can have a power supply failure. We have seen that occasionally, but it's rare. In eight years, we've had to replace power supplies in two firewalls out of hundreds we've deployed. It's a physically stable platform, and the software is also solid. I typically avoid the most recent software versions until they reach what I consider mature and seasoned. 

    We've seldom had issues with performance. I always tell people that internet bandwidth will be bigger and cheaper in the future, so firewalls need to keep pace from a performance standpoint. Palo Alto has done a decent job of bringing out new models with higher throughput levels while maintaining all the threat-driven functions. But we constantly need to evaluate where we are with internet bandwidth and where we expect to be in the future. 

    We tell people that the physical hardware platform they choose will protect them today, no matter which one. However, the choice will determine how long that can stay in your network. It ultimately comes down to pure bandwidth. As we move towards the cloud, more and more internet bandwidth becomes critical. Multiple internet providers are now essential on most of our customers' networks. The raw bandwidth and performance through the box must keep up with that. Palo Alto's newer platforms have multiple-gigabit throughput, and I assume they'll continue with that as they evolve the product line further.

    What do I think about the scalability of the solution?

    Their product line includes sizeable chassis-based firewall systems that can do multiple virtual firewalls within a single platform. Even their middle-tier products have that capability. Some of our customers have numerous divisions that need separation between departments, so those scalable features come in handy. Most are organizations with one or two firewalls per site. Still, I've worked with large enterprises that had tens or hundreds of firewalls in their overall environment to maintain a separation between departments and to separate users from servers.

    Palo Alto also has a product called Panorama that lets you centralize the configurations of vast numbers of firewalls. It acts as a central point for changing firewall settings, and you can push the changes out to a subset of firewalls in your environment or all of them. The bottom line is that Palo Alto can scale up NG firewalls to massive numbers of platforms.

    How are customer service and support?

    I rate Palo Alto support eight out of 10. 

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    NG Firewalls are easy to set up. I've been doing it for a long time, so it's effortless for me to set them up. When registering a firewall with Palo Alto, you can download a Day 1 configuration into the box with many of the standard protection features activated. 

    I don't use that, but I periodically check it to see if there is something else Palo Alto has determined should be enabled or a feature that should be tuned differently than I typically do. They provide the initial configuration with the critical features activated.

    Deployment requires a small team. Sometimes, it's only a person from the customer side and me. Usually, it is me plus one other engineer working on deploying these where we've got changes on switches to support the firewall or adjustments to the DNS systems. A lot of different areas come into play when we change the edge. Frequently, our customers are transitioning from a rudimentary network design to a new design where we're implementing firewall and network segmentation within their environment. That's easy, but we use a team of two or three folks to finish the job as quickly as possible.

    What was our ROI?

    While all next-generation firewall platforms have some degree of these different components built into them, Palo Alto has rock-solid antivirus, anti-spyware, threat prevention, data leakage prevention, and file blocking, plus all of the typical functions that a firewall does. It does all of these functions exceptionally well in addition to regular firewall aspects like blocking DDoS attacks and generic types of attacks. It tends to be more expensive than most competing platforms, but the return on investment is huge. I'm almost to the point of saying that I won't support any other firewall platforms out there.

    There are several new firewall models that have come along, but I tell people that Palo Alto will provide all the protection you could need. There's no reason to look at anything else out there because most other platforms don't provide the same level of protection. The value proposition to customers is the peace of knowing they've got the best protection at the edge they can buy.

    What's my experience with pricing, setup cost, and licensing?

    The licensing model is becoming more and more typical of vendors. There are several different licenses that we usually provide with the firewalls. DNS security is a newer one, and we're considering the types of customers who might benefit from that. 

    The cost of the license is platform-dependent. It would be nice if they standardized that across the board to make the license a flat fee instead of based on scale and the platform you're using. Functionality shouldn't change based on the platform or the amount of data going through it. It's the same functionality on there. That's one aspect customers often raise. The platform's price is what it is, but the ongoing cost of the annual license is hard for some customers to wrap their heads around. 

    Which other solutions did I evaluate?

    Many people are just looking for the cheapest, fastest firewall, and my answer is always the same. It's a cliche to say you get what you pay for, but when you opt for the cheapest product, you have to understand that the costs of an attack are monumental. We had a customer who deployed SonicWall firewalls because they wanted something inexpensive that provides a basic level of functionality. They have spent three weeks trying to recover from a ransomware attack because the firewall didn't prevent them from downloading files into their environment, and it lacked some of the features a Palo Alto firewall has.

    I tend to use examples like that. It's like switches. When everything's working great, you can go to the local store and buy yourself a cheap and expensive switch, and it'll be fine. But when there are problems, how do you recover? And what can you do with the firewall that will protect you against attacks you don't anticipate? That's where Palo Alto shines. You know you are protected when you deploy it.

    Other products are less expensive because they don't provide the same level of functionality. They'll talk about threat prevention, anti-spyware, and malware functions, but they have not been updated automatically like Palo Alto and they lack zero-day functionality. Maybe they don't have some other components, like data leakage protection or file download protections to thwart a concerted attack against organizations.

    I always ask people what it would cost to shut down their business for several days. This customer had a solid backup strategy for their servers at least, enabling them to start using cloud-based versions of all their servers within three days. They still were out of business for three days. Now that we've put Palo Alto firewalls in place, they feel confident that's not going to happen again.

    I get nervous when people say it can't happen, but we haven't seen it happen with the Palo Alto firewall with the capabilities and features we enable on these boxes. When people say they don't want to spend that money, they need to consider it as something protecting their entire business. An internet connection isn't a nice-to-have; it's the lifeblood of their business, being protected by the firewalls.

    What other advice do I have?

    I rate Palo Alto NG Firewalls 10 out of 10. People who are only starting with these firewalls should rely on the technical notes and briefs Palo Alto provides on functionality. I started using Palo Alto firewalls years ago, and we deployed firewalls the way we knew how. Later, I worked with another integrator who had been doing it for about two or three years more than I had. He was configuring areas on the firewalls that I had never considered. That becomes the critical piece; turning a firewall up based on what another firewall vendor does is enough to get you the same level of functionality that the other vendors provide.

    But with the additional capabilities that Palo Alto includes in the firewalls, it's imperative to have all the different pieces activated as much as the customer can accommodate in their environment. That's a critical piece: Palo Alto provides a lot of online resources, and there are a lot of technical notes out there on what needs to be enabled in addition to that Day 1 configuration. That can give you a big head start on all the different areas that need to be enabled within the firewall.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    CyberSecurity Network Engineer at a university with 5,001-10,000 employees
    Real User
    Top 20
    Nice user interface, good support, stable, and has extensive logging capabilities
    Pros and Cons
    • "When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus."
    • "From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible."

    What is our primary use case?

    We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

    After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

    How has it helped my organization?

    Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

    I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

    The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

    The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

    This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

    As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

    I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

    What is most valuable?

    WildFire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

    We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

    From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

    This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

    The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

    What needs improvement?

    One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

    Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

    From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

    For how long have I used the solution?

    I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

    What do I think about the stability of the solution?

    The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

    I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

    What do I think about the scalability of the solution?

    The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

    Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

    The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

    The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

    We have deployments in other campuses, as well.

    As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

    How are customer service and support?

    The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

    Which solution did I use previously and why did I switch?

    Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

    We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

    One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

    Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

    We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

    How was the initial setup?

    The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

    Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

    In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

    What about the implementation team?

    When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

    One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

    Overall, our experience with ProSys was good. We like working with them.

    What's my experience with pricing, setup cost, and licensing?

    Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

    The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

    There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

    I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

    Which other solutions did I evaluate?

    We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

    I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

    What other advice do I have?

    I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

    When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do, but I just want to make sure that, from my university's perspective, we don't get stuck. If all of a sudden somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

    We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

    In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

    Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

    If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

    If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

    Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

    I would rate this solution a ten out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Simon Webster - PeerSpot reviewer
    Security Architect at University Corporation for Atmospheric Research
    Real User
    Top 10
    We get reports back from WildFire on a minute-by-minute basis
    Pros and Cons
    • "The WildFire reporting and Cortex XDR platform have huge infrastructures in the cloud that secure the network against threats. So, we have the potential on the system, specifically for users, where we take care of this since the user is the most dangerous. We get reports back from WildFire on a minute-by-minute basis, rather than a daily or weekly update like I used to with different AV vendors. These features can detect viruses and malware more quickly, which is super important."
    • "The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale."

    What is our primary use case?

    On certain levels, it protects our information. Luckily, I had switched to Palo Alto as our VPN solution for our users. We finished that in December of 2019, just in time for COVID to hit. We had a system that was able to support 650 to 700 users remoting into our campus through the VPN. This was a huge use case for us, as it was not intended to be the solution for COVID, but it turned out to be the solution for COVID. So, it was a great use case. Obviously, we want to protect our servers, virtual servers in the cloud, and on-prem. 

    We have the eighth fastest supercomputer in the world. Unfortunately, we don't get to protect that because it has so much data going through it, i.e., petabytes a day. There isn't a firewall that can keep up with it. We just created a science DMZ for that kind of stuff as well as large data movers since we do weather data for the world. We research the ocean, sky, and solar weather. We have 104 universities who work with us around the world. Therefore, we need to have data available for all of them. We need to be protected as much as we can.

    We started with Palo Alto 5060, then the 3060 came in, which was the next form. We have now switched to an HA system and have four firewalls as our base: a pair of 5220s and a pair of 5250s. We have been running the different OSs from PAN-OS 8.0, 8.1, 9.0, 9.1, and then 10.1. We are about to move to 10.2. We are in the process of doing that over the next week. We like to stay on the cutting edge because they are always adding more features and security.

    We have it deployed in a number of different ways. We have our four main firewalls, which have two high availability pairs. One is set primarily for users and outward-facing functions. Therefore, our DMZ servers, staff, and guest networks are on one pair of firewalls. Back behind the scenes, labs and our HR department are on a separate set of firewalls. We call them: untrust and trust. Then, we have another set of firewalls, both in our Wyoming supercomputing center and in our Boulder main campus, which runs a specific program that has a DOD contract that requires more security, so they have their own set of firewalls. We also have firewalls in Azure Cloud for our tests and production environments. I am in the process of purchasing another VM firewall to put on the AWS Cloud. The last set that we have is at our Mauna Loa Solar Observatory, where we have an HA pair of just 800s because we only have a one gig radio link down the side of the volcano to the University of Hawaii.

    We have between 1,200 and 1,400 staff at any given time. Essentially all of them use the solution one way or another, either to access systems or through the VPN. We also have remote users who aren't employees but instead collaborators, and they can be anywhere in the world and remote into our systems. We then have people who are doing PhD programs at universities around the world who need to get into our systems to download data sets as part of their PhD or Master's program. Thus, the solution is not limited to our employees.

    How has it helped my organization?

    We have been around since the late 50s to early 60s. We were one of the original people who helped set up the ARPANET, which was a precursor to the Internet. Historically, our science has been open science. We want everyone to have it. The mindset has been that our network is flat and open to everything, and we have slowly reeled that in. Now, more of our stuff is behind firewalls. We are now going through a project where we are doing some more segmentation within the protected part. Each lab is protected from each other, or at least can be. They still talk to each other all the time, so we have rules for that. If we need to, we can shut access down right away because of the firewalls.

    What is most valuable?

    One of the best features is that Palo Alto NGFW can embed machine learning in the core of the firewall to provide inline, real-time attack prevention. We aren't using the AWS-offered firewalls in the cloud or Azure. When I read over the specs on it, it is more like a traditional firewall where a port is open to an IP address, and that is all you know. Palo Alto can decide if traffic is of a certain kind, regardless of what port and protocol it is using. Then, it can figure that out and I can write my rules based on that. That is a huge functionality and super important to me. The machine learning as well as being able to send stuff to WildFire is pretty important too. We like to get those types of reports and know that we have more protection from zero days than most traditional companies would.

    The WildFire reporting and Cortex XDR platform have huge infrastructures in the cloud that secure the network against threats. So, we have the potential on the system, specifically for users, where we take care of this since the user is the most dangerous. We get reports back from WildFire on a minute-by-minute basis, rather than a daily or weekly update like I used to with different AV vendors. These features can detect viruses and malware more quickly, which is super important.

    We have some large data movers that we can't put behind the firewalls. We don't have the largest firewalls, we have the 5200 Series firewalls. Their throughput is about 20 gigs a second, and it is protecting networks that have 100 gig connections. So, we have to be kind of choosy as to what we put behind the firewalls, but for the stuff that we put behind it, the latency really isn't problematic at all. Even though the firewall location is just one aspect, we have three different areas that talk to each other over multiple 240 gig links or 200 gig lengths. The firewall is not hindering that at all.

    What needs improvement?

    The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale.

    I know this little section here about the firewall, but I know there is a huge amount that still could be done with it. I am not touching enough of it because I just don't know how. It seems like the more I learn about it, the more I learn that there is to learn.

    For how long have I used the solution?

    We have been using Palo Alto Firewalls for the past six years. We started with a single firewall, then built up from that.

    What do I think about the stability of the solution?

    It is very stable. A lot of times, it depends on what our network tweaks are, e.g., we monitor the link between the firewall and the router. If it misses some heartbeats on that, then it will switch over. That is part of how the HA process works. If it says I am not getting network connectivity, then it tells the other one to take over. We actually have an exciting way to do that because we have one data center at the top of the hill at the front-end of Boulder (or on the south-end.) We have another one in the HA link about 13 miles away at the north-end of Boulder. We actually do an HA pair across there using a 200-gig link with dark fiber between them. Most people, with their HA pairs, will be right next to each other, but ours are only that way on a globe.

    How are customer service and support?

    The firewall tech support team has been very good and responsive. Sometimes, they are too responsive. They call when I am in a different meeting, then I have to figure out with whom I am going to talk. The sales engineering team is also really good because they will monitor some of that, then call me about it separately to see if I need additional support.

    Which solution did I use previously and why did I switch?

    For the VPN only, we used Cisco's old ASA firewalls. That was set up before my time. We moved away from that when we went to GlobalProtect in December 2019.

    Primarily, I wanted a single platform. We had Palo Alto Firewalls doing firewalling things and Cisco firewalls doing the AnyConnect VPN solution. Paying maintenance of both sets didn't make a whole lot of sense to me. Also, ASAs didn't seem to be able to support as many users concurrently as the Palo Alto solution looked like it could support. So, I just got rid of the Ciscos and went to the Palo Alto NG Firewalls and GlobalProtect.

    How was the initial setup?

    I have actually done a lot of initial setups. They are fairly straightforward at this point. The hardest part was where I had to just send them out to Mauna Loa, and I wasn't allowed to go to Hawaii for that. I had to set them up in Boulder, then I would think how they should be used and ship them over. That was a little difficult, since once they were on the ground in Hawaii, the final steps were slightly difficult to handle. As soon as they unplugged from the switch that was currently handling traffic and plugged into the switch where the firewall was connected, the person at the other end's laptop no longer had a connection for all the stuff that had been having traffic. We had to do everything by the old phone method. It was challenging, but we got through it.

    Usually, I can get the initial deployment done in a few hours. However, going through and working with people to get what they need set up, as far as the rules and different areas behind the firewall, that takes a few weeks to a couple of months. A lot of that is based on people's time.

    The first thing is to get the basic things working: the networking, any routing that we need to do, and build communication to our RADIUS servers and Active Directory so we can log in and use our multi-factor authentication to manage the firewall. After that, I work with different groups who will be behind the firewall to find out what IP ranges they need supported, what kind of routing, who they want to talk to, and with whom they want talking to them. I have to know all that stuff. A lot of times, it is kind of teasing out information as far as what protocols they will be talking on or will they be using SSL or SNMP.

    A lot of times that is a do-it on-the-fly kind of thing. You sort of stand stuff up, and say, "Check it now," and then they say, "Well, this one is not working now." Or, we just added a new service and this needs to be turned on. So, there is a lot of movement back and forth.

    What about the implementation team?

    I have done all of it by myself, except for the very first installation of the firewall that was done in conjunction with a reseller. That was before my time.

    There are two of us on the firewall team. There are another three or four guys from the networking side team who also help out.

    What was our ROI?

    We had an external pen test a couple of years ago. They found a number of findings for the areas of our network that hadn't yet moved behind the firewall and no findings at all for the ones that had. This was just because of the way that we wrote the rules and because of the firewalls, which prevented an external source from being able to view and enumerate our systems. If something wasn't behind the firewall, they were able to get a response back in many cases, even when they weren't supposed to be outward-facing.

    I have information that Palo Alto NGFW has blocked malicious activity. We use the Palo Alto High Confidence block lists. 

    What's my experience with pricing, setup cost, and licensing?

    There is an advantage to going with the high availability pair licensing model versus the standalone. It gives you a high availability pair, but the pricing is only a slight increase over a single system. It makes sense to take a look at your add-on functionality, like the Applications and Threats subscription and URL protection subscription. On the user side, I might want everything. However, on the server side, I might not need very much. I might want the Applications and Threats subscription and not much else. So, you don't have to buy all the bells and whistles for every firewall. Depending on what the function is, there are ways around it.

    There are a lot of other subscriptions available, such as DNS Security and URL protection. I have heard there is an advanced URL protection going to be released soon. Also, there are a few others, like SD-WAN and GlobalProtect, which is one that we have because we have users who use Macs, Linux Boxes, and Windows systems. So, we need to support all of that.

    Which other solutions did I evaluate?

    Someone else made the decision to buy the initial Palo Alto gear. When they left, I had to learn the Palo Alto gear. At that point, I said, "I know Palo Alto. I like it. Why would I change away from it?" So, I have looked at different solutions throughout the years, but Palo Alto is one of the best out there.

    We use Cisco Umbrella for DNS. We have done this for 15 years since it was OpenDNS as part of an MSF stipulation.

    What other advice do I have?

    All data goes through the firewall, since our HR and finance departments are behind the firewall. A lot of our labs are behind the firewall. We have some plans to expand, as I am about to put a virtual firewall in AWS Cloud for a project. We have a C-130 hub that has been flying into hurricanes and tornadoes for years. I want to put a firewall on that to protect the instrumentation from outside sources.

    If you are just looking for the cheapest, fastest firewall out there, that is a foolish attitude. The point of a firewall is to increase your security, not to increase your throughput. You don't want it to degrade your throughput, but the cheapest solution and the solution that makes sense aren't necessarily the same thing.

    The main advice would be to plan on starting small, then build up. Don't try to do everything at once. Also, make sure you do the available training prior to use or at the same time, at least the basic one, because that is important. 

    Make sure you have a good networking background or a good network engineer standing next to you because talking to the routers is key.

    I would rate it at about eight and a half to nine out of 10. There is no perfect answer, but this is a pretty good one.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Gabriel Franco - PeerSpot reviewer
    Senior Service Delivery Engineer at Netdata Innovation Center
    Real User
    Top 5
    Provides full visibility into the traffic, stops attacks in real-time, and comes with an easy-to-use interface
    Pros and Cons
    • "The first time I came across these firewalls, what surprised me the most was their web user interface. It is complete and gives you a lot of information. You can do 80% of the things related to your network and firewall through the web UI. In some of the other devices, the UI is not as complete. App-ID is also very valuable in customer networks. When you're seeing a lot of traffic in your network, you can see in your web UI which users have the applications that are consuming the most bandwidth. You have a broad context, which is very good."
    • "Palo Alto can do a little bit better when it comes to the User-ID part. I've been facing problems related to double authentication. You have a computer user, but you also have a VPN user, and when you do a single sign-on to another page, these logs can sometimes generate a problem notification. It doesn't happen a lot, but in some networks, it could be a problem. It would be very helpful to have the ability to restrict the connections that you can have in your VPN. For example, if you have the credentials, you can connect with the same user account from different computers or devices. If you have the domain information, you can connect from different devices. That's a problem that they need to address and resolve. They should ensure that at any moment, only one person is connected through a specific user account."

    What is our primary use case?

    I'm working in a company that focuses on giving support to different enterprise companies. We help customers with a virtual environment as well as on-prem firewalls.

    Before the COVID situation, most of the firewalls were on-prem firewalls, and during the pandemic, there were a lot of problems trying to deliver the firewalls and put them in place. It was taking a lot of time. So, most of the customers have taken a virtual approach for that. A lot of customers with on-prem firewalls are going for a virtual approach.

    We are using the most recent version of it.

    How has it helped my organization?

    Palo Alto NG Firewalls help you a lot to have a context of everything. With traditional firewalls or Layer 3 firewalls, we're more focused to determine the source and destination IPs on a specific port. It could be USB or something else, but with next-generation firewalls, you can have more information, such as the user who used it, as well as the application consumed by this user. That's a genuine value that these next-generation firewalls bring in understanding that a user on the network is consuming Port 443 but using Facebook. It is determined by the payload. It can examine the packet, check the payload, and identify the applications. The next-generation firewalls are also more focused on protection.

    There are new features that are based on machine learning to protect your network and identify any vulnerabilities. They are pretty good too. With the normal firewalls that we have, the policies are based on ports and IP source and destination. For example, as a part of my policy, I have allowed UDP ports 145 or 345, and for authentication, I have allowed LDAP and other protocols. However, there is a possibility of a breach. Even if I have determined that the traffic is from my Active Directory servers to the users, when I internally open ports 145 and 345 for all the protocols and all the applications, it creates a vulnerability in my network. If I create the specific rule where I establish that my application is going to be LDAP, and these ports will only be open for LDAP, I am closing the gap. I'm making my network safer, and I'm being more specific and more granular. That's the detail we need nowadays to prevent different types of attacks. The idea is to be more specific and only give the permissions that are needed. We should try to avoid giving more privileges because that creates a vulnerability gap. The customers appreciate being specific and having very descriptive rules for their use cases and blocking other types of communications, which is not that good with normal firewalls.

    Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention, which is very important. Attackers are innovating every moment, and the attacks are becoming more sophisticated and unpredictable. They are not as predictable as they were in the past. Therefore, it is important to have something at the back in the form of machine learning to help you to interpret and analyze any kind of attack in real-time and protect you from a breach. Technology is very important because you can lose a lot of money or information if you don't have a good security posture and the right tools to prevent a breach or attack.

    The machine learning in Palo Alto NG Firewalls is helpful for securing your networks against threats that are able to evolve and morph rapidly. They have advanced threat prevention and advanced URL filtering. WildFire is also useful. It gives you an analysis of malicious files. It detects the files in the sandbox and lets you know in minutes if a new file could be malware, which is helpful for advanced threat prevention. It can quickly give you a lot of context and protection.

    DNS security is something that is the focus and a part of the threat prevention profile, and you get different types of options. They collect a lot of information from the experience of other users to determine different problems, such as a malicious page or domain, and use advanced predictive analysis and machine learning to instantly block DNS-related attacks. Their Unit 42 Threat Intelligence team helps the security teams a lot to determine and prevent threats. I haven't had any issue with DNS security. Generally, we recommend the step-by-step approach during the implementation. We recommend starting with a couple of users, analyzing the traffic, and ensuring that the signatures are accurate and policies are established. You have an option to put exceptions for DNS signatures, but in my experience, I didn't have to make many exceptions. You can definitely do it, but it is generally very accurate.

    DNS Security provides protection against sneakier attack techniques like DNS tunneling. For DNS tunneling, my approach is to use an SSH proxy. There is a feature in Palo Alto to decrypt SSH traffic and block the application. For example, you see it as SSH, but after you decrypt that traffic, you can see it as SSH tunneling and you can actually block it. You can put things like a sinkhole in order to prevent this traffic.

    Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities, which is very important. You get a lot of information. For example, in the monitor tab, you can review whether files are transmitted or not, received or not. You can also see the logs related to a threat or a URL that is malicious or is being blocked by your profiles. You have all that information in your hand, and you can review it in a very organized way, which has been very valuable for me. It helped me a lot to understand the problems that a customer can have in the field.

    Palo Alto NG Firewalls allow you to enable all logical firewalling functions on a single platform. You can segment your network into Zones. With Zones, you can separate and allow the traffic in a more specific way. For example, you can separate your visitors or guests into different zones. It is helpful in terms of the cost. This is something that could help you to reduce the cost because you don't have to put in a lot of tools for doing the same thing, but it is something that I'm not an expert in.

    What is most valuable?

    The first time I came across these firewalls, what surprised me the most was their web user interface. It is complete and gives you a lot of information. You can do 80% of the things related to your network and firewall through the web UI. In some of the other devices, the UI is not as complete. App-ID is also very valuable in customer networks. When you're seeing a lot of traffic in your network, you can see in your web UI which users have the applications that are consuming the most bandwidth. You have a broad context, which is very good.

    What needs improvement?

    Palo Alto can do a little bit better when it comes to the User-ID part. I've been facing problems related to double authentication. You have a computer user, but you also have a VPN user, and when you do a single sign-on to another page, these logs can sometimes generate a problem notification. It doesn't happen a lot, but in some networks, it could be a problem. It would be very helpful to have the ability to restrict the connections that you can have in your VPN. For example, if you have the credentials, you can connect with the same user account from different computers or devices. If you have the domain information, you can connect from different devices. That's a problem that they need to address and resolve. They should ensure that at any moment, only one person is connected through a specific user account.

    For how long have I used the solution?

    I have been using this solution for almost five years.

    What do I think about the stability of the solution?

    There are no issues with stability. In most cases, they are very stable. 

    We recommend our customers to have an HA configuration with active/passive, which is very good in Palo Alto. It takes seconds to change from one firewall to another, which provides reliability and prevents loss of service because of a hardware problem or a network problem on a device. Having an HA environment makes your network resilient.

    What do I think about the scalability of the solution?

    It depends on the type. If you have a virtual firewall, it is easier to scale to meet your needs. It also depends on the work that you have done during the implementation. It depends on your design, which should be based on a customer's current needs and growth. There are Palo Alto firewalls with different throughput rates to support traffic and encryption. That's why you need to determine and talk about the expectation that a customer has for growth. We do a lot of that so that the customers can have a very robust tool that will help them to secure their network during the coming years without the need to change the device. We understand that it is a huge investment, and they want this product to be there for them for the maximum duration.

    How are customer service and support?

    For the firewall part, there are complete and very good resources out there to help you. Most of the time, I go through them, and someone has had the same issue in the past. There is a lot of information about the issues that have been solved in the past and how to troubleshoot them. They're very accurate with that. They're very good.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    It depends. If a customer has had another firewall, you need to go through an analysis of their network to understand the rules they have and then translate and introduce them to the Palo Alto methodology. Palo Alto helps us a lot with tools like Expedition, which is a migration tool. Expedition helps you to import the existing configuration from other brands. Overall, it is very straightforward if you have experience. Otherwise, there is a lot of documentation about how you can use the Expedition tool in order to have a successful migration. 

    If it is a greenfield deployment where the customer is going to have it for the first time, the configuration is very straightforward. If you don't have any other firewalls, the implementation duration depends on the granularity that a consumer wants and the complexity of their network. The main job is going to be related to the authentication of the users and User-ID. In general, if you have just ten rules, you can do it in three to four days.

    In terms of maintenance, they are continuously checking and reviewing if there are some breaches or there are any exploits or new applications. It is continuously updating itself on a weekly or daily basis. They are continuously developing new versions. They have a lot of documentation that we share with the customers for information about the best-recommended version or the version with fewer issues. Their documentation is complete in that aspect, and it gives you a lot of information. You have access to the known issues of released versions. Palo Alto is continuously working on new versions and fixing the glitches of previous versions. You might have to upgrade to a new version because a particular problem is resolved in it.

    What other advice do I have?

    To someone who says that they are just looking for the cheapest and fastest firewall, I would say that I understand that businesses need to reduce the cost, but such a solution is an investment, and in the future, it's going to help you. If you go to the cheapest solution that could do most of the things, but not all, you could face problems. You could have a breach that would cost you a lot more money than having a good security posture. The number of attacks is going to increase more and more. We have to take them seriously and invest in new and powerful tools for protection. The investment that you make today can save your company tomorrow.

    They are trying to come up with new things and innovate every year with new licenses. For example, a couple of years ago, they brought the IoT part, which is something that became popular. They try to innovate a lot and bring out new licenses, but you need to understand your needs to know which licenses are better for you. You should consult a good team and obtain a license that is good for you. That's because not all the licenses are important for your environment. For example, if you are not familiar, or you don't have any future plans for IoT, you don't require a license for that. You should focus on the licenses that you really need and are going to generate value for you. You should focus on your security needs and understand which firewall model can give you the protection and the ability to grow over time based on your projections. Your licensing should include good threat prevention, URL filtering, DNS security, and WildFire in order to have a very secure environment. 

    It is a complete solution, and it provides a lot of protection to the users and the network, but it is not something for device protection. For that, you would need something like Cortex, which can help you determine abnormal behavior in an endpoint. 

    Palo Alto is trying to combine different products to protect different areas. A next-gen firewall is very good for your network, but, for your endpoints, you can have Cortex. These two solutions can then work together. They speak the same language and have a full integration to protect all your environment. Nowadays, there are a lot of people working from their homes. They are exposed to different types of threats. They connect to your environment through a VPN, but when they disconnect, they do their daily tasks on the device, and while doing that, they may go through a bad page or execute a file that can corrupt the computer. You can determine this and stop attackers from connecting to and infiltrating your network. Palo Alto tries to separate the breaches or the attack areas, and they have a very good product in each area. You can make these products work together in order to have a very strong platform.

    I would rate this solution a nine out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Senior Network Administrator at a financial services firm with 11-50 employees
    Real User
    An all-in-one solution for application layer security, VPN access, and ease of management
    Pros and Cons
    • "Application layer firewalling has been the most valuable feature because it gives thousands of application IDs that we can use to control traffic into and out of our environment. The second most important feature has been the GlobalProtect VPN feature."
    • "The only problem that I see with the Palo Alto NGFW being an all-in-one appliance is that because of the different features that are being put into a single appliance, the OS tends to be beefier. Over the eight years, we have seen that the number of features or analyses being put into the appliance itself has a tendency to slow down the appliance, especially at the time of bootup. So, any time we are doing maintenance work, the time required for the appliance to boot up and be fully functional again is significantly longer than eight years ago. They could find a way to make this all-in-one appliance faster."

    What is our primary use case?

    We use it for perimeter security because it gives application layer security and we also use it for VPN access.

    We use the PA-3200 and PA-200 models. In terms of the version, we are one version behind the latest one. The latest version is 11, and we are still on version 10.

    How has it helped my organization?

    The biggest benefit we have seen from it is the ability to identify the traffic of our networks based on the application ID that Palo Alto can provide. Palo Alto firewalls have the most extensive App-ID library, so we are able to identify which applications are necessary for business and which ones are not. We can then block those that are not crucial for business at the firewall itself, so App-ID in the firewall was the biggest benefit to us.

    Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is important and very helpful. I wouldn't be able to compare it to any other product because we have used Palo Alto for eight years, but the machine learning that they have embedded into their OS has been very helpful. Based on the learning that they have done, they have been able to analyze the traffic and coordinate traffic patterns to alert us about possible malware and even block it.

    It provides a unified platform that natively integrates all security capabilities. Palo Alto NGFW has been able to give us all that we need from one particular appliance itself. If we wanted, we could have also used the DNS feature, and in that case, one device could have met all our needs.

    Because it's a unified platform, management is easy. You have to learn only one particular management interface. Once our IT team gets familiar with the management interface, it's easier for them to apply security policies, monitor the traffic, and manage the plans using the same GUI. There are no learning curves for different products.

    We try to keep our security fairly tight. The policies that we have created on the Palo Alto NGFW have been based on security requirements. As of now, we haven't detected anything that would point to a hole in our environment, so it is very hard to say whether Palo Alto NGFW’s unified platform helped to eliminate any security holes.

    It has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. It has helped us consolidate into one vendor. Earlier, we used to have an appliance for the firewall, and then we had an appliance for VPN. We had a separate appliance for the collection and correlation of data. We have eliminated all of those. They are now in one box. The same firewall gives us security policies and lets us collect all the data about the traffic flowing in and out of the network and correlate events. It has helped us eliminate the VPN appliances that we were using in the past. It has helped us to eliminate two other vendors and bring all the services into one.

    The single-pass architecture is good. Everything is analyzed just once, so it improves the performance. 

    What is most valuable?

    Application layer firewalling has been the most valuable feature because it gives thousands of application IDs that we can use to control traffic into and out of our environment. The second most important feature has been the GlobalProtect VPN feature.

    What needs improvement?

    The only problem that I see with the Palo Alto NGFW being an all-in-one appliance is that because of the different features that are being put into a single appliance, the OS tends to be beefier. Over the eight years, we have seen that the number of features or analyses being put into the appliance itself has a tendency to slow down the appliance, especially at the time of bootup. So, any time we are doing maintenance work, the time required for the appliance to boot up and be fully functional again is significantly longer than eight years ago. They could find a way to make this all-in-one appliance faster.

    They should also make the documentation much easier to understand. Given all the features that they have built into the firewalls, it should be easier for the end users to understand the product and all the features available on the product. They should be able to utilize the product to the maximum capabilities. The documentation and the tech support available need to improve. The tech support of Palo Alto has deteriorated over the past few years, especially after our pandemic. Getting tech support on our issues is very difficult. They could definitely improve on that.

    For how long have I used the solution?

    I've been using it for about eight years.

    What do I think about the stability of the solution?

    It's very stable. We have had no issues. There are only two issues that I recall ever happening on our firewalls. The first one was when they released an application ID that caused a problem on the network, but they were able to resolve it quickly within a matter of hours. The second issue was also because of the change in the OS. In both cases, the resolution was quick.

    What do I think about the scalability of the solution?

    In terms of scalability, they have a huge range of models, so depending on what your requirements are, you can scale up from the very base model that goes from 100 megabits per second to the largest one that goes to 10 gigs per second. They have a wide range of appliances that you can upgrade to based on your needs.

    In terms of the traffic that can pass through the firewall, it has been fairly good for us. We have not had to upgrade our network. Being a small company, we don't have too many users. In the past eight years, we have not had to change our bandwidth for the increase in traffic. Whatever we selected four years ago, they remain the same. We have not had to upgrade the hardware capabilities just because our traffic is increasing, but in terms of feature sets, we have added more and more features to the appliances. When we started off with Palo Alto, we were only using the firewall features, and then slowly, we added a VPN for mobile users. We added a VPN for site-to-site connectivity, and the scalability has been good. We have not had to upgrade the hardware. We have just been adding features to the existing hardware, and it has not caused any deterioration in the performance.

    We have about fifty users that are split between the East Coast and the West Coast. Each coast has only about twenty-five users. All in all, we have about fifty users using these products.

    How are customer service and support?

    It used to be good in the past, but over the last few years, it has been very bad. You open a case, and you expect somebody to get back to you and help you out with the issue. They say that based on the SLAs, somebody will get back to you within a certain number of hours for the priority ticket that you created, but that getting back actually includes the initial response where somebody is just acknowledging that they have the ticket. That does not mean that somebody provides me with the solution or takes action on it. If I open a priority one case, which means my network is down, somebody will get back to me within two hours based on the SLA, but that response only includes the acknowledgment mentioning that your case has been received. That's it. It's a different question whether someone is going to get on the phone with you or give you an email about how to troubleshoot the issue and fix that issue.

    I'd rate them a six out of ten based on the response time and the quality of the responses received over the last three or four years.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We were using Cisco's router-based firewalls. They had some advantages, but they did not have a graphical interface for configuration, which was the weakest point. Getting team members on the team who were not familiar with the command line configurations for our Cisco firewalls made us select a product that provides a graphical interface for configuration, and that was a reason for moving to Palo Alto.

    How was the initial setup?

    It has been fairly easy to set up. The initial setup is good. The migration to a new box can also be pretty straightforward.

    I have had experience with setting it up from scratch, and it has been good. It's more on the simpler side. The initial setup to get the firewall in place with basic security principles is straightforward. When you go to the advanced features, it gets trickier.

    The deployment duration depends on the complexity of the network and the kind of rules that you want to implement. The physical appliances are relatively straightforward to set up. For the base security, it doesn't take more than a couple of hours to set it up, but it can take a relatively long time to set up and configure the firewalls that sit in the cloud.

    We use physical appliances and virtual appliances. The physical appliances are in our on-prem environment, and the virtual appliances are in our cloud environment. It took about four hours to set up the physical appliances from scratch, whereas the virtual or VMCD ones took a lot longer. It took two to three days to set them up.

    What about the implementation team?

    For the VMCD ones, we had to get help from their pre-sales support team, but for the on-prem physical appliances, we did the implementation ourselves.

    What's my experience with pricing, setup cost, and licensing?

    It isn't cheap. It's cheaper to replace the equipment every three years than to upgrade. We have done two refreshes of their appliances. What I have seen is that the initial hardware cost is low, but you need a subscription and you need maintenance plans. After every three years, if you're trying to renew your maintenance or subscription, that can be very costly. It's cheaper to just get a newer solution with a three-year subscription and maintenance. It's cheaper to replace your hardware completely with a new subscription plan and a new maintenance plan than to renew the maintenance subscription on existing hardware. That's the reality of the Palo Alto pricing that gets to us.

    You pay for the initial hardware, and then you have to pay the subscription cost for the features that you want to use. Every feature has an extra price. Your firewall features are included with the appliance, but the antivirus feature, DNS security feature, VPN feature, URL filtering, and file monitoring features are additional features that you need to pay for. So, you pay extra for every feature that you add, and then based on the features you purchase, you have to pay the maintenance plan pricing too.

    Which other solutions did I evaluate?

    Before moving to Palo Alto, we did evaluate other options. In those days, we tried out the Check Point firewall. We tried out Fortinet, but Palo Alto was the one that met our needs in terms of the features available and the ease of learning its features and configuration. We went for it also because of the price comparisons.

    What other advice do I have?

    Try to get hold of a presales engineer and do a PoC with all the features that you're looking at before you make a purchase decision.

    It isn't cheap. It's definitely the faster one. It meets all the needs. If you're looking for an all-in-one solution, Palo Alto NGFW would definitely meet your needs, but it isn't the cheapest one.

    We have not used their DNS security feature because we use a competitor's product. We use Cisco Umbrella for that. The reason is that for the DNS security to work, the traffic from those endpoints needs to flow through the firewalls, but we have a lot of mobile user devices whose traffic does not flow through the firewall and we'd like them to have DNS security. We use Cisco Umbrella because that's an endpoint application that protects the endpoints from vulnerabilities based on the DNS reputation, and all the traffic from those endpoints does not necessarily need to go through a central endpoint, like a firewall.

    Overall, I would rate Palo Alto NGFW an eight out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Donald Keeber - PeerSpot reviewer
    President at Margate Net
    Real User
    Top 5
    Ensures a company has a better security posture
    Pros and Cons
    • "It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine if you have DNS Security in place. You will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance."
    • "The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better."

    What is our primary use case?

    In most cases, our use cases were for migration and conversions. People were coming off of dated Cisco platforms and other types of firewall technologies that might not have met next-generation standards, like App-ID. Then, Palo Alto Unit 42 had to go out there and investigate with threat hunters, etc., which was not that well-known or used. Then, Palo Alto sort of showed everybody that world back in 2007 or 2008.

    Mostly, I was dealing with people migrating off of their platforms onto Palo Alto. Unfortunately, in most cases, they wound up just converting them into service-based firewalls, like what they were already using, because they weren't ready to accept the requirements behind actually creating an effective App-ID policy yet for their company.

    It wasn't well adopted at first. Even though everybody wanted it, people were putting it in and not really fully deploying it. Once I started working for Palo Alto, we had a whole lot more control over getting people to actually utilize the technology, like it was meant to be used. Mostly, it was going in as a service-based firewall with some App-ID. However, people weren't really taking advantage of the SSL decryption and other things necessary to truly utilize the firewall effectively.

    I have an active customer who has 600 users using Palo Alto. I have another active customer with 300 users using Palo Alto.

    How has it helped my organization?

    It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine if you have DNS Security in place. You will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance.

    What is most valuable?

    Machine learning is definitely here to stay. Machine learning has to be a part of everybody's solution now, especially going out into the cloud where we don't have as much hardware control. We don't control our perimeters as much anymore. We need to have machine learning. So, machine learning has been a critical point in the evolution of this product.

    DNS Security incorporates Unit 42, WildFire, and all the rest of their antivirus and threat features. It can be very effective because it will know about these bad actor zones and DNS hacks before it gets to your network, which is important. Everybody should be using it, but I haven't found as many people adopting it as they should.

    For anything manipulating TCP 453 or any type of DNS-type application, you will want to be all over that. It is definitely a big problem.

    What needs improvement?

    It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management,

    For how long have I used the solution?

    I worked for Palo Alto for about three and a half to four years. I retired from them last year. Before that, I was with Juniper firewalls. So, I have about 10 years' experience, on and off, with Palo Alto in various, different scenarios.

    What do I think about the stability of the solution?

    They push stuff out that is not quite ready. If you use the product one version back, then you are pretty good. However, if you try to stay cutting edge, you are going to run into stuff that doesn't work. They are forever releasing stuff that doesn't work right or as designed. Every company does that though, so it is just a question of who is worse. You need to be careful with some of the newer stuff that they release. You need to bake it very well before you put it into production.

    What do I think about the scalability of the solution?

    I am not absolutely certain they have done a good job in scaling out. They may start to suffer now and going forward because there are other, more cloud-ready platforms out there starting to shine over Palo Alto. They are not the prodigal son anymore.

    It has limited scalability since it is still very hardware-centric. They have a cloud VM model, but I haven't had too much experience with it.

    How are customer service and support?

    The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better.

    Several years ago, I would put technical support at eight or nine out of 10. Now, they are down around two or three, which is really low. I have had very bad luck with their support lately.

    How would you rate customer service and support?

    Negative

    How was the initial setup?

    It depends on whether you are coming in from a migration, which means that you expect everything that you will be doing to be out-of-the-box. It has to be if you are putting it in place. You can then evolve it from there to make it more capable. 

    I find the technology pretty easy to work with. Some people don't find it as straightforward. That probably leaves some areas for improvement, where people almost have to do a boot camp to fully take advantage of the product. That shouldn't be the case for a new customer. It should be a little bit more seamless than it is, but it's not bad. I can't really knock it. It is fairly simple to employ, if you know what you are doing.

    Most migrations take anywhere from two to six weeks.

    What about the implementation team?

    I did the deployment. I was using it while I was at Palo Alto. I am still managing them, even outside of Palo Alto. It has been a consistent experience.

    What was our ROI?

    The return on investment doesn't necessarily show right away. However, if a company gets hacked and taken down, they are out of business. So, was your return on investment strong if you put these firewalls in and it prevented that? Absolutely. However, if you put them in and you never get attacked, then you might ask, "Would you have gotten attacked before?"

    What's my experience with pricing, setup cost, and licensing?

    There is a license for DNS Security, which I have never actually licensed, but it is a very powerful tool. DNS security is important, and I think that Palo Alto's capabilities are effective and strong there. However, I don't find a lot of companies taking advantage of it.

    This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify. However, my customers will do that if I tell them, "You still need to do that," then they will do it since it is still an entry point into the network. 

    You really need Premium Support, Applications and Threats, DNS Security, and antivirus. The extra bolt-ons, such as Advanced URL Filtering, you need to determine by use case where you are going to use those licenses, then see if you really need them. You might be adding a bunch of licenses that you will never actually get to effectively use. Their licensing model has gotten a bit exorbitant and a la carte. You will wind up spending quite a bit of money on licenses and renewals.

    Which other solutions did I evaluate?

    There is another company out there that I like quite a bit in the firewall space who does a really good job and has a very fast, inexpensive firewall. That is Fortinet. My two favorite firewall companies are Fortinet and Palo Alto. I recommend Fortinet in cases where people don't have the money, as you can get a very nice solution from Fortinet for a lot less money. Fortinet is a good player. I like Fortinet. 

    Palo Alto's interface is a little nicer to work with, e.g., a little easier and more intuitive than Fortinet. This makes Palo Alto a little nicer for the end user, but Fortinet is a kick-ass solution. I would never downplay it. It is definitely really strong. For $600, you can get a fully functional next-generation firewall on Fortinet, and you can't do that with Palo Alto. That is a world of difference in pricing.

    What other advice do I have?

    Machine learning is taking logs and feeding them back through. Everybody is doing machine learning now. You need to have some type of machine learning in order to understand what is going through your environment since you can't be predictive anymore, like you used to be able to be. There is no way of knowing what things are going to do. Therefore, machine learning helps the firewall become smarter. However, machine learning is only as good as how it is utilized and how effectively it is deployed, and it is not always obvious. With Palo Alto, it was difficult to get the API keys and whatnot to work correctly, getting real, effective, actual, usable machine language stuff to use in the policies. It was a lot more hype than reality.

    Their zero-pass architecture is not really zero-pass, but it is better than others. It still has to run the traffic through again, once it is recognized at the port, service, and route level, to be acceptable. Then, it has to bring it back through to try to recognize the application. So, it is not necessarily a 100% zero-pass, but the way it works. 

    It is like in the Indianapolis 500 when a car pulls into a pit stop. Instead of having one place in the pit stop where the tires are changed, another place in the pit stop that does the windows, and another place that does the gas, they have all the guys come around the car and do their work on the car at the same exact time. That is what is happening with Palo Alto. The packet gets there and the services attack the packet versus having to run the packet through the mill. That is what makes it faster, but it still has to do it more than once before it really knows. It is definitely better than what anybody else has done up to this point. 

    With a single-pass cloud, we are not concerned with hardware as much anymore. Now, we are concerned with technology, implementation, and how controls are deployed. That is more important now than where the hardware is, e.g., if the hardware is integrated or deintegrated. I don't know if that is even that important anymore, but it was at one time.

    As long as you are comfortable with the price point, you are not going to make a mistake going this way. It is definitely best-in-class and a first-class firewall. I would never be ashamed of putting Palo Alto Networks NGFWs into my network. It's a very good product. As much as I might complain about this and that, there isn't any product that you would put in the network where you are going to have 100% confidence in it. There will always be something. Palo Alto NGFWs are the best way to go.

    I would rate this solution as nine out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Analyst at a recreational facilities/services company with 1,001-5,000 employees
    Real User
    Top 20
    Its single pane of glass makes monitoring and troubleshooting more homogeneous
    Pros and Cons
    • "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."
    • "Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it."

    What is our primary use case?

    It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.

    We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.

    I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.

    How has it helped my organization?

    With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings.

    What is most valuable?

    It is fairly intuitive. 

    The central management of Panorama actually works. It is what FortiManager aspires to be, but Panorama is usable. You can push config down, do backups, and use templates from other sites, copying them over. The reliability and throughput, plus Panorama's control features, are its main selling features.

    It is a combined platform that has different features, like Internet security and the site-to-site VPN. Previously, there were different components that did this. If it was a remote access VPN client, then you would have to go onto one platform and troubleshoot. If it was a site-to-site, it was on a different platform so you would have to go onto that one. It would be different command sets and troubleshooting steps. From that perspective, having that combined and all visible through Panorama's centralized management is probably one of the better benefits.

    We had a presentation on Palo Alto Networks NG Firewalls a few years ago. I know the number of CPU cores that they have inside the firewall is crazy, but it is because they have to pack all the performance and analysis in real-time. It is fast. I am always amazed at the small PA-220s and how much performance they have with their full antivirus on it. They can pass 300-megabits per second, and they are just about the size of a paperback book. As far as how that single-pass processing impacts it, I am always amazed at how fast and how much throughput it has.

    What needs improvement?

    Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

    It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

    For how long have I used the solution?

    I use it every other day.

    What do I think about the stability of the solution?

    It is pretty reliable. All the services pretty much work. It is not too buggy. With any hardware/software manager these days, when you get new features, they tend to not be too thoroughly tested and can be buggy. We have been noticing this. For example, they had zero-touch deployment and the first few iterations just didn't work. While we have encountered a few bugs, I don't think they are any worse than anything else we get. The underlying hardware seems to be pretty reliable. You can do configuration changes, reboot and reload them, and they just keep coming back and work.

    Our cybersecurity guys tend to do the patching and upgrades when they come around. When one of these things had a hard disk failure, they got that restored or replaced. For day-to-day maintenance, other than typical operational changes and troubleshooting, I don't think there is that much maintenance to be done. Every few weeks, there is probably somebody who goes for a few hours and checks the various patch levels and possibly does upgrades.

    The upgrades are fairly easy to do. You just download the software, the central management system, and tick off the devices that you want to deploy it to. It will automatically download it. Then, you just sort of schedule a reboot. I don't know how many hours per week or month people put into it, but it is pretty reasonable.

    What do I think about the scalability of the solution?

    We have about half a dozen core firewalls and 30 to 40 remote firewalls. We haven't hit any scaling limitations yet. What we have is functioning well. At some point, our main firewall in our data center might be overwhelmed, but it has pretty high throughput numbers on it. So far, we haven't hit any sort of limitations. So far, so good.

    The physical appliances are sort of tiered. You have your entry-level, which is good for 300-megabits of threat detection. The next ones have 800-megabits of threat detection. So, if you have a site with around 50 people, you can get the entry-level. However, there is always a point that if you have too many users doing too many things then the physical appliance just can't handle it. Then, you need to upgrade to a higher-level appliance. This is expected. When that happens, we will just sort of get the higher-level model or plan for two years of growth to get the right size. Therefore, as far as scalability, it just comes down to planning. 

    As far as the management platform, that would be more of a case of just adding CPU cores into your virtual machine as well as more memory. So far, we haven't had any scalability limitations. It is possible that we will see it at some point, but we haven't so far.

    How are customer service and support?

    This is not Palo Alto-specific. It seems to be across all the different vendors that there is a little bit of a hit-and-miss on whether you get a tech person who knows what they are doing and is interested in your problem. When you call frontline support, you can get somebody who doesn't know what they are doing and puts you off. Or the next time you call, you can get a tech who is on the ball and super helpful. This is sort of a smaller problem. It is a bit of a crapshoot on how good the support will be. I would rate the frontline technical support as five or six out of 10.

    If it tends to be more of a critical problem, and you involve the sales team, then you are forwarded onto somebody who really knows what they are doing. However, the frontline support can be hit-and-miss. Their second-tier support is really good. 

    The top-tier support is 10 out of 10. We did have some more serious problems, then they put one of their engineers on it who has been amazing.

    Overall, I would rate the technical support as eight out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I did work with Cisco ASA, prior to FireEye, where they purchased and integrated it as sort of the next generation part of their ASA. 

    One of our remote access solutions for remote access clients was Cisco ASA. That was just getting to its end-of-life. It actually worked quite well. It was pretty hands-off and reliable, but the hardware was getting to end-of-life. Because we had the Palo Alto capable of doing similar functions, we just migrated it over. 

    It was similar for our site-to-site VPN, which was Cisco DMVPN that we are still using, but we are migrating off it since its hardware is reaching end-of-life. By combining it into the Palo Alto umbrella, it makes the configuration and troubleshooting a bit easier and more homogenous. 

    Before, it was just different platforms doing sort of similar but different functions. Now, we are using similar platforms and devices rather than having three different solutions. This solution is sort of homogenized; it is sort of all in one place. I suspect that makes security a bit more thorough. Whereas, we had three different platforms before. Some of the delineation isn't clear, as they sort of overlap in some respects to what they do, but having it in one location and system makes gaps or overlaps or inconsistencies easier to spot.

    How was the initial setup?

    I was gone for a few years when they brought this in.

    Adding additional appliances is very straightforward. 

    What was our ROI?

    Having one manager/system with a common interface and commands, rather than three or four, is more efficient.

    What's my experience with pricing, setup cost, and licensing?

    It is expensive compared to some of the other stuff. However, the value you get out of it is sort of the central control and the ability to reuse templates.

    It is a good product, but you pay for it. I think it is one of the more expensive products. So, if you are looking for a cheaper product, there are probably other options available. However, if you are looking for high-performance, reliable devices, then it has kind of everything. Basically, you get what you pay for. You can get other firewalls for cheaper and some of the performance would probably be just as good, but some of the application awareness and different threat detections are probably superior on the Palo Alto Networks.

    What other advice do I have?

    As far as a firewall solution, it is one of the best ones that I have seen. It is fairly expensive compared to some of the other ones, but if you have the money and are looking for a solid, reliable system, then Palo Alto is the way to go.

    For what we use it for, the solution is good.

    I am part of the network team. There is a cybersecurity team who has control of its reins and does all the security configuration. I am not the administrator of it or a manager in charge of the group with this appliance.

    I find the whole machine learning and AI capabilities a bit overhyped. Everybody throws it in there, but I'm actually a little bit suspicious of what it is actually doing.

    I don't follow or monitor some of the day-to-day or zero-day threat prevention protection abilities that it has. 

    I would rate the solution as nine out of 10, as I am always hesitant to give perfect scores.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.