IT Central Station is now PeerSpot: Here's why

Palo Alto Networks NG Firewalls OverviewUNIXBusinessApplication

Palo Alto Networks NG Firewalls is #7 ranked solution in best firewalls. PeerSpot users give Palo Alto Networks NG Firewalls an average rating of 8 out of 10. Palo Alto Networks NG Firewalls is most commonly compared to Azure Firewall: Palo Alto Networks NG Firewalls vs Azure Firewall. Palo Alto Networks NG Firewalls is popular among the large enterprise segment, accounting for 57% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 24% of all views.
Palo Alto Networks NG Firewalls Buyer's Guide

Download the Palo Alto Networks NG Firewalls Buyer's Guide including reviews and more. Updated: June 2022

What is Palo Alto Networks NG Firewalls?

Palo Alto Networks NG Firewalls is a firewall solution designed for security teams that provides them with full visibility and control over all networks via powerful traffic identification, malware prevention, and threat intelligence technologies. In order to determine which applications, users, and content traversing the network are safe, the solution offers companies a variety of advanced security tools and strategies.

Palo Alto Networks NG Firewalls Features

Palo Alto Networks NG Firewalls has many valuable key features. Some of the most useful ones include:

  • Secure Application Enablement (App-ID, User-ID, Content-ID)
  • Malware Detection and Prevention (threat prevention service, buffer overflows and port scans, anti-malware capabilities, command-and-control protection, and WildFire)
  • DNS Security (URL filtering, predict and block malicious domains, signature-based protection, extensible cloud-based architecture)
  • Panorama Security Management (including graphical views and analytics, manage rules and dynamic updates, customizable application command center (ACC), log collection mode, physical or virtual appliance)
  • Threat Intelligence (high-fidelity threat intelligence, priority alerts, automatic extraction and sharing of prevention indicators, native integration with Palo Alto Networks products)

Palo Alto Networks NG Firewalls Benefits

There are several benefits to implementing Palo Alto Networks NG Firewalls. Some of the biggest advantages the solution offers include:

  • Dedicated management interface for managing and initial configuration of the device
  • Regular threat signatures and updates
  • Import addresses and URL objects from the external server
  • Configure and manage with REST API integration
  • Great throughput and connection speed is fair even in high traffic load
  • Deep visibility into the network activity through Application and Command Control
  • Easy to manage and very user friendly

Reviews from Real Users

Below are some reviews and helpful feedback written by Palo Alto Networks NG Firewalls users.

A Solutions Architect at a communications service provider says, “The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us. An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications.”

PeerSpot user Gerry H., CyberSecurity Network Engineer at a university, mentions that the solution has a “Nice user interface, good support, is stable, and has extensive logging capabilities.” He also adds, “Wildfire has been a very good feature. This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.”

Eric S., Network Analyst at a recreational facilities/services company, states, "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."

Palo Alto Networks NG Firewalls was previously known as Palo Alto NGFW, Palo Alto Networks Next-Generation Firewall, Palo Alto Networks PA-Series.

Palo Alto Networks NG Firewalls Customers

SkiStar AB, Ada County, Global IT Services PSF, Southern Cross Hospitals, Verge Health, University of Portsmouth, Austrian Airlines, The Heinz Endowments

Palo Alto Networks NG Firewalls Video

Palo Alto Networks NG Firewalls Pricing Advice

What users are saying about Palo Alto Networks NG Firewalls pricing:
  • "The product is expensive compared to competing products but uses a similar type of pricing model based on hardware, software and maintenance."
  • "Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions."
  • "We were very happy when they released the PA-440s. Previously, we had been looking at the PA-820s, which were a bit of overkill for us. Price-wise and capability-wise, the PA-820s hit the nail on the head for us."
  • "The Palo Alto solution is actually not expensive. It was comparable to the old firewall manufacturers that we were using. From the benefits that we have gotten out of the Palo Alto products, it is well worth the difference in cost, even though the difference in cost is not much at all."
  • "Definitely look into a multi-year license, as opposed to a single-year. That will definitely be more beneficial in terms of cost... Palo Alto is definitely not the cheapest, but if you scale it the right way it will be very comparable to what's out there."
  • "Palo Alto is one of the most expensive firewalls in the world. Everyone knows that. But you need at least one layer from Palo Alto to protect your environment because it is the strongest company in the security field."
  • "Palo Alto is like Mercedes-Benz. It is quite expensive, but the price is definitely justified."
  • Palo Alto Networks NG Firewalls Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Solutions Architect at a computer software company with 10,001+ employees
    MSP
    Top 5
    The product stability and level of security are second to none in the industry
    Pros and Cons
    • "This is arguably the best security protection that you can buy."
    • "The only real drawback to this product is that it is expensive. But you get what you pay for and there is no way to put a price on top-notch security."

    What is our primary use case?

    We use both the NG and VM series of Palo Alto firewalls. We sell and install them for clients to provide the best security that money can buy. Additionally, adding SD WAN on the same edge device has made an all-in-one, security-edge-intelligent routing solution possible without sacrificing performance or a secure environment.

    What is most valuable?

    The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us.  An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications. On one occasion, I was alerted by Palo Alto that something unusual was happening through a particular port at a client location. I blocked the port access because I didn't know what exactly was going on and alerted the client. Then the client called me up and said, "Hey, I need the port that was blocked because [of this]." We could then test what was going on in a secure environment where it couldn't affect anything else to be sure the behavior was not something to be concerned about. In this case, Palo Alto kept the client totally safe. That is a fantastic capability.

    What needs improvement?

    Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

    For how long have I used the solution?

    I have been using the solution with clients since at least 2008 when I became a solutions architect.
    Buyer's Guide
    Palo Alto Networks NG Firewalls
    June 2022
    Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
    607,127 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    Palo Alto is the most stable firewall that I have experience with. Firepower is second to Palo Alto. Fortinet is third coming in just after Firepower. Meraki is in there around number 100. The stability of that solution is absolutely horrific. That it is a security device — a firewall — makes that relatively more frightening because it affects the stability of the entire infrastructure.Palo Alto's stability means that it is always on the alert and it keeps infrastructure safe.

    What do I think about the scalability of the solution?

    Palo Alto is quite scalable and versatile.

    How are customer service and support?

    Easy to speak with, level of professionalism is high.

    Which solution did I use previously and why did I switch?

    Anyone should tinker with hardware from different manufacturers, then see what fits with your application. 

    How was the initial setup?

    The complexity of the setup is somewhere in the middle of the road. It certainly isn't the most difficult, nor is it the easiest. 

    What about the implementation team?

    MSP

    What's my experience with pricing, setup cost, and licensing?

    Palo Alto is a little expensive compared to every other solution, but you get what you pay for. The question I have been asking customers since I became a solutions architect is what the best in security is worth. The problem with people seeking security solutions is thinking that all solutions are the same, thinking the newest technology solutions are best and thinking cost-first. A better way to think about it would be how expensive a break-in is.  If I am shopping around for a firewall solution and I see I have to pay a lot per year for Palo Alto and I see Meraki is a much lower price, I might be attracted by the less expensive product. When it is deployed, we get broken into and lose $10 million worth of design documents. It may be quite possible that break-in could have been avoided by paying more for a better security solution. Because I went the cheap route, I lost many times what I 'saved.' For possibilities like this alone, it is hard to put a price on security.  Take a deeper look at what happens when you try to save money on security. Meraki does SD-WAN (Software-defined Wide Area Network). That is touted as fantastic because the client is going to save a whole lot of money because they don't need MPLS (Multi-Protocol Label Switching) anymore. But the reality behind it is, there is absolutely no application acceleration, no data deduplication, and no forward error correction. Forward error correction is extremely important when you're using a device between points. But Meraki sells its devices for nickels or pennies on the dollar in comparison to other security solutions. Only then you only learn the lesson of what happens when you go cheap. Your network gets broken into more easily because of the inherent exposure in SD-WAN and it goes down a lot.  If you have sales offices and those sales offices have Meraki firewalls, the device may observe a problem out on the internet. When it does, the Meraki's failover results in an outage. With Meraki, failover to a better link takes 30-seconds. Whether it is a 30-minute failover or 30-second failover, you can drop a call. If you are cold calling and you dropped a call, you don't get a second chance. It is impossible to say how much money you might lose. For example, if my company sells microchips and that call was going to develop into a $40 million sale, that sale is gone. It is gone because of the small comparative cost savings in security and the instability of the solution you chose to use. But a 30-second outage every single time a route is withdrawn across the internet means your phone is going to ring if you are the IT Director, and you will eventually lose your job.  The costs for Palo Alto are structured in a similar way to other products. With Palo Alto you can do one, two, three and five years contracts. It is the same thing with Fortinet and Meraki. Hardware cost is very different than the application license. The hardware maintenance agreement is separate. With all of the firewall solutions, you will pay for a hardware maintenance agreement. That protects the hardware itself. That is an annual billing and separate from the software in all cases. Nobody bills for firewalls on a monthly basis. Even the VM version of the Palo Alto is billed per year. Using that license, you can build up a VPN that forces all default traffic to a particular device before it goes out to the internet. It is comparatively pretty cheap in practice, and it works. It works well because you only need one piece of hardware. Build the server and start slicing out VMs. Then it becomes possible for everybody in a network to be protected by Palo Altos security at a lower cost. 

    Which other solutions did I evaluate?

    As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours. That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages. Cisco Firepower NGFW (Next-Generation Firewall) I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool. Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products. I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product.  Firepower is a capable solution but it is difficult to set up and manage. Cisco Meraki NGFW (Next-Generation Firewall) Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company. If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there. There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop.  It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work. I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that. An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it. Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings." All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution. Fortinet FortiGate NGFW (Next-Generation Firewall) I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night. Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.      Comparing the Complexity of Setup Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest. Rating the Products On a scale from one to ten with ten being the best, I would rate each of these products like this: Meraki is a one out of ten (if I could give it a zero or negative number I would). Fortinet is seven out of ten because it is simple but not so secure. Firepower is seven out of ten because it is more secure, but not so simple. Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare. An Aside About Cisco Products  It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.

    What other advice do I have?

    Palo Alto is my number one choice for firewalls. I support and utilize more Palo Alto firewalls throughout my company and with my customers than any other device. Number two would be Fortinet. I don't really like Fortinet that that much because it is not as secure as Palo Alto, but I have customers who want to use it because it is a lot less expensive. Number three is Cisco Meraki, which I obviously don't like, but people request that because the Cisco name is very popular and a lot of other people are using it. I couldn't recommend against choosing a device more than choosing it by name instead of functionality.  Palo Alto invented the method of looking at the application identifier in each packet and making a decision. For instance, many companies may want to do something like prohibiting all chat applications with the exclusion of whatever application the company is choosing to use. Let's say the company is using IP Communicator for customers and for employees to chat with each other, but the company wants to block Skype. The reason why might be because they don't want anybody bringing up a Skype call, sharing information via that Skype call, or maybe turning on a Skype call and letting other people see inside the facility. Skype has a very interesting platform in which you block one IP address on the Skype server and it allows another one. You block Skype.com and it creates another URL. Skype loves to get in and around simple security steps. Palo Alto is phenomenal because it takes a look at the application identifier within each packet and will find that it is Skype and block it. If you want to block AOL Instant Messenger, you just block it. Anything out there you don't want employees to use can just be blocked by referencing the identifier. Netflix is another one that seems to find it's way into corporate networks. It is normal not to want employees sitting around watching movies. The Palo Alto will find out that someone is trying to access a Netflix movie and block it. Then it can also send an email to alert different people of the activity. You could set it up so that when something like that happens, an email goes to the director of IT to say, "Hey, this person may be trying to access Netflix." You may want it to just block the access type and forgo the alert. Or you can block the activity and alert anyone you want that someone appears to have tried to subvert security. The idea of this type of security measure isn't just to lay blame and get people fired, it is to identify different types of breaches and why they occur. It could be that a potential breach requires a sit-down conversation with the persons involved. But the truth is that many malicious sites — like adult related websites, platforms like gambling sites, obviously hacking-related sites, violence or gore — are loaded with malware. You don't want that on your computer, and your employer doesn't want it on the network either. It is just as bad as bringing a device to work and allowing that device to be connected to the network without protection as that is just another potential malware exposure. Another beautiful thing with Palo Alto is that they have Wildfire. Wildfire can prohibit malware in either direction. Malware is not going to get into the network via a customer or a user surfing and it is not going to get out and affect the network and spread around via a user's BYOD (Bring Your Own Device) that got infected while he was working at home.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    CyberSecurity Network Engineer at a university with 5,001-10,000 employees
    Real User
    Top 20
    Nice user interface, good support, stable, and has extensive logging capabilities
    Pros and Cons
    • "When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus."
    • "From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible."

    What is our primary use case?

    We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

    After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

    How has it helped my organization?

    Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

    I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

    The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

    The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

    This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

    As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

    I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

    What is most valuable?

    Wildfire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

    We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

    From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

    This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

    The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

    What needs improvement?

    One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

    Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

    From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

    For how long have I used the solution?

    I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

    What do I think about the stability of the solution?

    The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

    I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

    What do I think about the scalability of the solution?

    The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

    Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

    The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

    The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

    We have deployments in other campuses, as well.

    As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

    How are customer service and support?

    The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

    Which solution did I use previously and why did I switch?

    Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

    We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

    One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

    Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

    We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

    How was the initial setup?

    The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

    Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

    In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

    What about the implementation team?

    When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

    One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

    Overall, our experience with ProSys was good. We like working with them.

    What's my experience with pricing, setup cost, and licensing?

    Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

    The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

    There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

    I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

    Which other solutions did I evaluate?

    We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

    I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

    What other advice do I have?

    I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

    When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do but, I just want to make sure that from my university's perspective, we don't get stuck. If all of a sudden, somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

    We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

    In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

    Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

    If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

    If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

    Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

    I would rate this solution a ten out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    Buyer's Guide
    Palo Alto Networks NG Firewalls
    June 2022
    Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
    607,127 professionals have used our research since 2012.
    Network Analyst at a recreational facilities/services company with 1,001-5,000 employees
    Real User
    Top 20
    Its single pane of glass makes monitoring and troubleshooting more homogeneous
    Pros and Cons
    • "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."
    • "Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it."

    What is our primary use case?

    It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.

    We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.

    I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.

    How has it helped my organization?

    With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings.

    What is most valuable?

    It is fairly intuitive. 

    The central management of Panorama actually works. It is what FortiManager aspires to be, but Panorama is usable. You can push config down, do backups, and use templates from other sites, copying them over. The reliability and throughput, plus Panorama's control features, are its main selling features.

    It is a combined platform that has different features, like Internet security and the site-to-site VPN. Previously, there were different components that did this. If it was a remote access VPN client, then you would have to go onto one platform and troubleshoot. If it was a site-to-site, it was on a different platform so you would have to go onto that one. It would be different command sets and troubleshooting steps. From that perspective, having that combined and all visible through Panorama's centralized management is probably one of the better benefits.

    We had a presentation on Palo Alto Networks NG Firewalls a few years ago. I know the number of CPU cores that they have inside the firewall is crazy, but it is because they have to pack all the performance and analysis in real-time. It is fast. I am always amazed at the small PA-220s and how much performance they have with their full antivirus on it. They can pass 300-megabits per second, and they are just about the size of a paperback book. As far as how that single-pass processing impacts it, I am always amazed at how fast and how much throughput it has.

    What needs improvement?

    Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

    It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

    For how long have I used the solution?

    I use it every other day.

    What do I think about the stability of the solution?

    It is pretty reliable. All the services pretty much work. It is not too buggy. With any hardware/software manager these days, when you get new features, they tend to not be too thoroughly tested and can be buggy. We have been noticing this. For example, they had zero-touch deployment and the first few iterations just didn't work. While we have encountered a few bugs, I don't think they are any worse than anything else we get. The underlying hardware seems to be pretty reliable. You can do configuration changes, reboot and reload them, and they just keep coming back and work.

    Our cybersecurity guys tend to do the patching and upgrades when they come around. When one of these things had a hard disk failure, they got that restored or replaced. For day-to-day maintenance, other than typical operational changes and troubleshooting, I don't think there is that much maintenance to be done. Every few weeks, there is probably somebody who goes for a few hours and checks the various patch levels and possibly does upgrades.

    The upgrades are fairly easy to do. You just download the software, the central management system, and tick off the devices that you want to deploy it to. It will automatically download it. Then, you just sort of schedule a reboot. I don't know how many hours per week or month people put into it, but it is pretty reasonable.

    What do I think about the scalability of the solution?

    We have about half a dozen core firewalls and 30 to 40 remote firewalls. We haven't hit any scaling limitations yet. What we have is functioning well. At some point, our main firewall in our data center might be overwhelmed, but it has pretty high throughput numbers on it. So far, we haven't hit any sort of limitations. So far, so good.

    The physical appliances are sort of tiered. You have your entry-level, which is good for 300-megabits of threat detection. The next ones have 800-megabits of threat detection. So, if you have a site with around 50 people, you can get the entry-level. However, there is always a point that if you have too many users doing too many things then the physical appliance just can't handle it. Then, you need to upgrade to a higher-level appliance. This is expected. When that happens, we will just sort of get the higher-level model or plan for two years of growth to get the right size. Therefore, as far as scalability, it just comes down to planning. 

    As far as the management platform, that would be more of a case of just adding CPU cores into your virtual machine as well as more memory. So far, we haven't had any scalability limitations. It is possible that we will see it at some point, but we haven't so far.

    How are customer service and support?

    This is not Palo Alto-specific. It seems to be across all the different vendors that there is a little bit of a hit-and-miss on whether you get a tech person who knows what they are doing and are interested in your problem. When you call frontline support, you can get somebody who doesn't know what they are doing and puts you off. Or the next time you call, you can get a tech who is on the ball and super helpful. This is sort of a smaller problem. It is a bit of a crapshoot on how good the support will be. I would rate the frontline technical support as five or six out of 10.

    If it tends to be more of a critical problem, and you involve the sales team, then you are forwarded onto somebody who really knows what they are doing. However, the frontline support can be hit-and-miss. Their second-tier support is really good. 

    The top-tier support is 10 out of 10. We did have some more serious problems, then they put one of their engineers on it who has been amazing.

    Overall, I would rate the technical support as eight out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I did work with Cisco ASA, prior to FireEye, where they purchased and integrated it as sort of the next generation part of their ASA. 

    One of our remote access solutions for remote access clients was Cisco ASA. That was just getting to its end-of-life. It actually worked quite well. It was pretty hands-off and reliable, but the hardware was getting to end-of-life. Because we had the Palo Alto capable of doing similar functions, we just migrated it over. 

    It was similar for our site-to-site VPN, which was Cisco DMVPN that we are still using, but we are migrating off it since its hardware is reaching end-of-life. By combining it into the Palo Alto umbrella, it makes the configuration and troubleshooting a bit easier and more homogenous. 

    Before, it was just different platforms doing sort of similar but different functions. Now, we are using similar platforms and devices rather than having three different solutions. This solution is sort of homogenized; it is sort of all in one place. I suspect that makes security a bit more thorough. Whereas, we had three different platforms before. Some of the delineation isn't clear, as they sort of overlap in some respects to what they do, but having it in one location and system makes gaps or overlaps or inconsistencies easier to spot.

    How was the initial setup?

    I was gone for a few years when they brought this in.

    Adding additional appliances is very straightforward. 

    What was our ROI?

    Having one manager/system with a common interface and commands, rather than three or four, is more efficient.

    What's my experience with pricing, setup cost, and licensing?

    It is expensive compared to some of the other stuff. However, the value you get out of it is sort of the central control and the ability to reuse templates.

    It is a good product, but you pay for it. I think it is one of the more expensive products. So, if you are looking for a cheaper product, there are probably other options available. However, if you are looking for high performance, reliable devices, then it has kind of everything. Basically, you get what you pay for. You can get other firewalls for cheaper and some of the performance would probably be just as good, but some of the application awareness and different threat detections are probably superior on the Palo Alto Networks.

    What other advice do I have?

    As far as a firewall solution, it is one of the best ones that I have seen. It is fairly expensive compared to some of the other ones, but if you have the money and are looking for a solid, reliable system, then Palo Alto is the way to go.

    For what we use it for, the solution is good.

    I am part of the network team. There is a cybersecurity team who has control of its reins and does all the security configuration. I am not the administrator of it or a manager in charge of the group with this appliance.

    I find the whole machine learning and AI capabilities a bit overhyped. Everybody throws it in there, but I'm actually a little bit suspicious of what it is actually doing.

    I don't follow or monitor some of the day-to-day or zero-day threat prevention protection abilities that it has. 

    I would rate the solution as nine out of 10, as I am always hesitant to give perfect scores.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Chief Architect at a recruiting/HR firm with 1,001-5,000 employees
    Real User
    Top 20
    Provides centralized visibility and control for security through a unified platform
    Pros and Cons
    • "Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is very useful. This prevents us from having to go to a lot of different systems, and in some cases, many different systems in many different regions, because we are a global company with 60 remote offices around the world in 30 different countries. Its centralized platform is really what we look for in all services, whether it be security or otherwise."
    • "When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint."

    What is our primary use case?

    It is a data center firewall solution and a centralized management for remote office firewall solutions. We have 30-odd remote offices where we are putting firewalls in to replace the standard routers that we used to have. This solution will give us a little bit of routing and firewall capabilities.

    We are deploying the PA-440 Series in our remote offices.

    How has it helped my organization?

    Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration. 

    The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.

    What is most valuable?

    The firewall feature is great because we didn't have specific firewall capabilities beforehand. The anti-malware features and the ability to plug into our mail scanning are valuable as well, so we can share data between our email antivirus scanning solutions. That integration has been quite useful.

    Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is another string to the bow of our layered security approach. So, it is important. It is not the big reason we bought it, but it is a useful component to our layered security approach. Security best practices push for a layered approach because there are so many different factors that you need to cover: 

    • Email threats
    • Malware
    • Viruses
    • Accidental human mistakes made internally to your network.
    • Malicious humans in your network and outside your network. 

    Therefore, a multi-layered approach really is a security best practice way of attacking security. You can't just worry about the parameter; you need to worry about what's inside your network and how things come in.

    The key thing is that we don't have to try and play Whac-A-Mole. The machine learning-powered firewalls do that for us. As a recruitment company, we can never have the necessary technologies available to us to try and do this ourselves, so leveraging the machine learning power from Palo Alto reduces the risk for us.

    Palo Alto NGFW provides a unified platform that natively integrates all security capabilities, which is very useful. This prevents us from having to go to a lot of different systems, and in some cases, many different systems in many different regions, because we are a global company with 60 remote offices around the world in 30 different countries. Its centralized platform is really what we look for in all services, whether it be security or otherwise.

    What needs improvement?

    When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

    For how long have I used the solution?

    We started with a couple of firewalls about 18 months ago. We started them in our data centers and are just about to deploy them in our remote offices.

    What do I think about the stability of the solution?

    It has been very stable.

    On the maintenance side, we haven't increased our team at all. One of the great things that we have been able to improve is the capability of our team without increasing the number of heads who are using Palo Alto.

    What do I think about the scalability of the solution?

    It is scalable with what we need. I am not looking at thousands and thousands of devices, so it is well within what we need for our few hundred devices.

    We often didn't deploy tools because it was too hard to try and manage them with our small team. This solution has enabled our small team to be way more effective than they were before. It gives us the visibility and control that we need.

    We have a senior network administrator and about five operational guys. There are also some service desk-level guys and about 12 of them have visibility into activities, but they don't actually change things. Change control is quite closely guarded.

    We have deployed the solution in a couple of data centers. We are deploying it across 30 offices this year and plan to do the next 30 to 30-ish offices in the next 12 to 18 months, as some of their hardware retires or has expired. We are not pushing it out too fast. We are going with the cadence of the business.

    How are customer service and support?

    The technical support is very good. We had some nasty questions, but they were sorted out quite quickly. The problem that we had, because it was live, was it took us a little bit of time to deploy stuff. We also have a good relationship with their pre-sales engineers who offered advice and guidance, specifically as part of the deployment.

    Which solution did I use previously and why did I switch?

    We previously had Cisco ASA Firewalls in some locations and Cisco Security PAK Routers in other locations that gave us a base level of firewall. So, we didn't previously have any next-generation firewalls. These are our first real next-gen firewalls.

    We switched solutions because we didn't have enough of the network security covered. Also, we wanted centralized visibility and control, which was key for us.

    When we did some red team testing, we found that there was a way to get some data out through our existing DNS environment. We knew we had to fix the centralized DNS management, visibility, knowledge of the DNS queries, and the visibility of the DNS queries as a result of some testing that we did. Whereas, before they were all geographically disparate, having a centralized place to look at to be able to do some analysis and visibility really are the key things for us.

    How was the initial setup?

    The initial setup was not simple, but it is simplified. What was really good was the free training beforehand. As an architect, I don't get my hands that dirty, but I was able to go through a number of the free courses beforehand, or workshops, that were done online. Their training platform was very useful in helping me get an understanding of the product and how we would deploy it in our own environment. The actual deployment, as with anything network-related, is fairly complex because we have a very connected network with a lot of different entry points. While it takes time, it was very useful to get the training beforehand.

    The deployment took about three months, but it was in the midst of a data center migration. It probably only took us a month to deploy it properly, but then we had to migrate services over, which took another six months. Again, this was part of our data center migration project. To actually get the solution installed was very quick, it took only a couple of days to get it up and running. However, to move services onto it, you need to be a bit careful when you start to move the live services onto it.

    Our implementation strategy was really focused around our data center migrations and moving stuff out of one data center into another. As we moved services from one data center to the other, we brought them onto Palo Alto's in the new data center rather than onto the existing old routers and firewalls. So, it was really governed by the business, applications, and what we could move when.

    What about the implementation team?

    We used Palo Alto directly for the deployment. Our experience with them was great.

    To deploy it, we didn't employ any more staff. We did send a few people out remotely. With COVID, travel is a little bit tricky. So, we have some remote agreements with some suppliers who will go out for a day, plug a device in, and help us with the initial out-of-the-box config. That is normally two to three hours per site that we have to do, which is what I would expect from this kind of device.

    What's my experience with pricing, setup cost, and licensing?

    Look at Palo Alto because it is a bit modular, so you can take the components that you need when you need them. You need something that will do the job. It doesn't matter if it's cheap and fast, if it quickly lets through vulnerabilities. You need something that will be reliable.

    We were very happy when they released the PA-440s. Previously, we had been looking at the PA-820s, which were a bit of overkill for us. Price-wise and capability-wise, the PA-820s hit the nail on the head for us.

    Go for a three-year deal, then Palo Alto will bring in some discounts. We also deployed them as HA Pairs to make sure we had resiliency.

    Which other solutions did I evaluate?

    We looked at Cisco and Fortinet. The reason that we went with Palo Alto was they were fairly cost-effective. They were also a bit easier to manage. The central management and control of Palo Alto was a little bit nicer than the Cisco side of things. I think everyone achieves the same things in slightly different ways. The way Palo Alto achieves their centralized management and control resonated a bit better with us and our requirements.

    What other advice do I have?

    We haven't actually deployed Palo Alto NGFW’s DNS Security yet, but we will be doing that.

    It is great that 100% of the tested attacks were blocked in the NSS Labs Test Report from July 2019 about Palo Alto NGFW. It is a great story, but I never trust 100% because that's why we have layered security. However, it definitely provides a great level of comfort in our security structure.

    I never give anyone a 10, so I will give the solution a nine (out of 10).

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Matt Gahafer - PeerSpot reviewer
    Network Engineer at Samtec, Inc.
    Real User
    We have been able to cut down on some of our other hardware
    Pros and Cons
    • "We have not had to replace hardware routers nor purchase additional hardware. So, that has provided a little bit of an ROI."
    • "We have a lot of the older firewall models, i.e., the PA-220. It seems that with newer operating systems the PA-220 is becoming slower than when I first bought it. It is not really an issue for users who are passing traffic through the firewall, but more from the management access of it."

    What is our primary use case?

    These are gateway firewalls to the Internet for every site. At a majority of the sites, we use the firewall as our gateway for the network below.

    Previously, we used them just for the Internet firewall and Internet security side. However, in the last year or two, we have started to migrate them as the gateway routers, e.g., as gateways for the networks below. They are doing Internet firewalling as well as firewalling for the networks below.

    We are using the PA-220s, PA-440s, PA-820s, PA-3250s, and PA-5250s. We are using all of those hardware models. Then, we are running the PAN-OS 10.1.3 on those.

    We have around 40 locations worldwide. At minimum, we have one Palo Alto Networks NG Firewall at each location. At some of the larger sites, we have two Palo Alto Networks NG Firewalls in HA configuration. Then, at our headquarters and disaster recovery site, we have two at each site.

    What is most valuable?

    The WildFire feature that they offer is very nice to have. The URL filtering that they offer has been a great help to us as well. We have found with the URL filtering that they offer that we are able to categorize what traffic can go outbound to the Internet from our internal network. By doing the URL filtering, we are able to say that we are not allowing gambling, adult content, or certain URL categories that we just don't want to allow. Then, with WildFire, that helps detect any viruses coming inbound or on east-west traffic inside of our network.

    Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is very important. I got an email saying that there was going to be a new 400 series firewall, and it was talking about the ML and AI features that it is offering. That is very exciting to see coming for all our firewalls.

    We have the Palo Alto Next-Gen firewalls as well as Cortex XDR for the antivirus side. We are making use of Cortex XDR and Data Lake to correlate the data. We definitely see the benefits of having all that in one unified platform. Some of my colleagues are able to see how certain malware security incidents can correlate to how the virus or malware came into the network, then how it traversed our network based on the XDR information.

    I can manage 1,000 firewalls from a single pane of glass.

    What needs improvement?

    I am looking to have the machine learning see how a virus or malware will morph, then prevent that from happening. That seems invaluable at this point.

    We have a lot of the older firewall models, i.e., the PA-220. It seems that with newer operating systems the PA-220 is becoming slower than when I first bought it. It is not really an issue for users who are passing traffic through the firewall, but more from the management access of it.

    For how long have I used the solution?

    We have had them for about three years.

    What do I think about the stability of the solution?

    I have had some issues here recently, but it has been more operating system issues. As far as the hardware goes, they have been very solid. Out of the last three or four years that we have utilized Palo Alto Network NG Firewalls. I have only had one time where I had a hardware failure on it that had to get a replacement.

    What do I think about the scalability of the solution?

    It is very scalable. The Panorama management tool makes it very easy to add a new firewall. You can add one, 10, or 100 firewalls, deploying them quickly and keeping the same security posture that you had in place previously with other devices.

    I have not noticed any trade-offs from security versus network performance at all. I think they are both running very well. We haven't lost network performance with an increase in security or vice versa.

    The entire company is using the solution. We are a manufacturing company who manufactures electronic interconnects. We have our own marketing department, engineering, learning development, HR, accounting, and IT. Thus, we have a broad spectrum of users who are using the solution.

    We actually have a very small staff. There are only five of us who are actively administering the Palo Alto environment. We have around 40 locations worldwide with just over 8,000 users globally.

    We are using it at every facility. We are using it as a gateway router as well as our next-gen firewall. We have no plans to change all that. We are pretty happy with how we are configured. So, I think we will keep that trajectory.

    How are customer service and support?

    The technical support is very good. I am very happy with the tech engineers. They have always been quick to respond and very knowledgeable about the issues that I have had. They help me get those issues resolved quickly. I would give them 10 out of 10.                                

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    It gives us added security compared to our previous firewalls. They were very cumbersome to manage, and they had no central management. By switching to Palo Alto Networks NG Firewalls, we made use of the Panorama management tool to manage all our firewalls. The management side is much easier. Also, it provides visibility from their monitoring to be able to see the traffic. Whereas, I was not able to see that before with our previous firewall manufacturer.

    With our previous firewall vendor, the maintenance was running to the end of its contracts. Therefore, we were looking to switch anyway because we just weren't happy with that hardware. Our implementation strategy was basically to replace all the old firewall hardware with something new. At the time, we were pretty happy with what Palo Alto Networks was offering.

    How was the initial setup?

    The setup is very straightforward. I am familiar with other firewalls and the configurations for them. Switching to the Palo Alto Networks NG Firewalls was pretty seamless.

    The initial deployment of the first site, switching from the old firewalls to the Palo Alto Network NG Firewalls, took about two to three days configuration-wise. Actually switching over from the old firewall to the new firewall was pretty seamless because we can preconfigure the firewall and then replace the old firewall with it. There were no issues.

    What about the implementation team?

    Our VAR helped us do some research on what firewalls would be the best for us. We did our own testing, and we liked this solution. That is why we ended up going with it.

    What was our ROI?

    We do have other tools that we are phasing into the Palo Alto unified platform environment, bringing in Cortex XDR as well as looking at SIEM products. So, we definitely see the benefit of the unified platform. We have been able to cut down on some of our other hardware. So, it is definitely saving us costs as far as combining different hardware into one hardware device.

    We have not had to replace hardware routers nor purchase additional hardware. So, that has provided a little bit of an ROI.

    What's my experience with pricing, setup cost, and licensing?

    The Palo Alto solution is actually not expensive. It was comparable to the old firewall manufacturers that we were using. From the benefits that we have gotten out of the Palo Alto products, it is well worth the difference in cost, even though the difference in cost is not much at all. I would highly recommend Palo Alto products to anyone.

    I just started getting in some of the PA-400 series a couple weeks ago. As far as pricing goes, it was not that much more than the existing hardware platform or the existing firewall that we had in there, i.e., the PA-220. It was not much more expensive and the performance was way better, as far as the management of the firewall itself. The management of those firewalls has greatly been increased.

    Which other solutions did I evaluate?

    When we were looking to switch, we narrowed it down to two or three. Then, we obviously decided to go with the Palo Alto product. Palo Alto had better specifications for their hardware.

    What other advice do I have?

    I would highly recommend the solution as well as looking at the new PA-400 series product line with the machine learning and AI. That is a very good feature that is now available.

    The biggest lesson for me was to not skimp out on hardware based on pricing.

    I would give this solution 10 out of 10. I am very happy with the product.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    Network Administrator at a real estate/law firm with 201-500 employees
    Real User
    Top 20
    Handles all of our network traffic without impacting performance
    Pros and Cons
    • "The machine learning in the core of the firewalls, for inline, real-time attack prevention, is very important to us. With the malware and ransomware threats that are out there, to keep abreast of and ahead of those types of attacks, it's important for our devices to be able to use AI to distinguish when there is malicious traffic or abnormal traffic within our environment, and then notify us."
    • "The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier."

    What is our primary use case?

    We use them to do quite a bit of URL filtering, threat prevention, and we also use GlobalProtect. And application visibility is huge for us. Rather than having to do port-based firewalling, we're able to take it to an application level.

    How has it helped my organization?

    We have quite a number of security pieces that are implemented for our network, such as a DNS piece, although we're not using Palo Alto for that purpose. But with that, in line with our seam, we're able to better distinguish what normal traffic looks like versus what a potential threat would look like. That's how we're leveraging the NG Firewalls. Also, we have separated the network for our databases and we only allow specific users or specific applications to communicate with them. They're not using the traditional port base, they're using application-aware ports to make sure that the traffic that has come in is what it says it is.

    Machine learning in Palo Alto's firewalls, for securing networks against threats that are able to evolve and morph rapidly, has helped us out significantly, in implementation with different security software and processes. The combination allows our security analysts to determine the type of traffic that is flowing through our network and to our devices. We're able to collect the logs that Palo Alto generates to determine if there's any type of intrusion in our network.

    What is most valuable?

    The machine learning in the core of the firewalls, for inline, real-time attack prevention, is very important to us. With the malware and ransomware threats that are out there, to keep abreast of and ahead of those types of attacks, it's important for our devices to be able to use AI to distinguish when there is malicious traffic or abnormal traffic within our environment, and then notify us.

    The fact that in the NSS Labs Test Report from July 2019 about Palo Alto NG Firewalls, 100 percent of the evasions were blocked, is very important to us. 

    What needs improvement?

    The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

    For how long have I used the solution?

    I've been using Palo Alto NG Firewalls for about five years.

    What do I think about the stability of the solution?

    The firewalls are very stable. We've had no issues with downtime.

    What do I think about the scalability of the solution?

    They're very scalable. Because we use Panorama, we're able to have global firewall rules for areas that we want to block, across the network, for security reasons. We just push those down to all the devices in one shot.

    Our corporate site has about 500 users, and our 14 remote sites, because they're retail, usually have anywhere from five to 10 users each.

    How are customer service and technical support?

    Their support is generally very knowledgeable. Sometimes it depends though on who you get, but they've always addressed our issues in a timely manner.

    Which solution did I use previously and why did I switch?

    We were using older versions of Palo Alto's firewalls and we also had Cisco firewalls in our environment.

    How was the initial setup?

    For our remote stores we're able to use Panorama, along with Palo Alto's Zero Touch Provisioning hardware. Once a device is connected to the internet and can communicate back to our Panorama, it just pulls the configurations. That means it's very easy to deploy.

    It took about two to three months to deploy about 14 sites. That wasn't because we were having issues, it was just the way we scheduled the deployment, because we had to bring down different entities and had to schedule them accordingly with a maintenance window. But if it wasn't for that scheduling, within a week we could have deployed all of the remote sites.

    For our implementation strategy, at our corporate site we had both old and new firewalls sitting side by side on the network. As we went to a remote site we would take them from their legacy Cisco and cut them over to the new firewall. Once that was done, we moved all of the firewall rules that were on the old firewall over to the new one.

    When it comes to maintenance and administration of the firewalls, my team of five people is responsible. We have a network architect, a network specialist, two senior network specialists, and a security manager.

    What about the implementation team?

    We did it by ourselves. We have a certified Palo Alto engineer on staff and he did all the installation.

    What's my experience with pricing, setup cost, and licensing?

    Definitely look into a multi-year license, as opposed to a single-year. That will definitely be more beneficial in terms of cost. We went with five-year licenses. After looking at the overall costs, we calculate that we're only paying for four years, because it works out such that the last year is negligible. If we were to be billed yearly, the last year's costs would be a lot more. With the five-year plan we're saving about a year's worth of licenses.

    Based on the quantity of devices we purchased, we found that the hardware price was actually cheaper than most of the other vendors out there.

    If a colleague at another company were to say, "We are just looking for the cheapest and fastest firewall," given my experience with Palo Alto's NG Firewalls, my answer would depend on the size of the company and how much traffic they're going to be generating. Palo Alto is definitely not the cheapest, but if you scale it the right way it will be very comparable to what's out there.

    Which other solutions did I evaluate?

    One of the things we like about Palo Alto is the fact that the hardware appliances we have are not impacted in terms of resources. The CPU and memory stay low, so we don't have a bottleneck where it's trying to process a whole bunch of traffic and things are slow. We were looking at various brands because we were going from older hardware to newer, and we wanted to evaluate what the other vendors were doing. After that evaluation, we were comfortable that Palo Alto would be able to handle all of our network traffic without impacting performance.

    We looked at Fortinet and Cisco. Cisco is a bit pricey when compared to our Palo Altos. Fortinet was definitely cheaper, but we were skeptical about their performance when we bundled all of the features that we wanted. We didn't think it was going to be fast enough to handle the network traffic that we were generating across the board. We believe Cisco would have handled our traffic, but their next-gen platform, along with SD-WAN, required us to have two separate devices. It wasn't something that would have been on one platform. That's probably why we didn't go down that road.

    Part of what we considered when we were looking around was how familiar we were with the technology. That was also a big area for us. Most of the guys on our team were pretty familiar with Cisco and Palo Alto devices. They weren't too familiar with Fortinet or Check Point. We narrowed it down based on if we had a security breach, how easy would it be for us to start gathering information, remediating and troubleshooting, and looking at the origin of the threat. We looked at that versus having to call support because we weren't too familiar with a particular product. That was huge for us when we were doing the evaluation of these products.

    What other advice do I have?

    Other than the SD-WAN, everything else has been functioning like our previous setup because it's a pretty similar license. The way that the new hardware handles URL filtering, threat protection, and GlobalProtect has been pretty solid. I don't have any issues with those.

    Overall, I would rate Palo Alto NG Firewalls at nine out of 10. It's definitely not the cheapest product out there. Cost is the main reason I wouldn't put it at a 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Hamada Elewa - PeerSpot reviewer
    System Engineer - Security Presales at Raya Integration
    Real User
    Top 5
    App-ID, invented by Palo Alto, knows an application, who's communicating with it, and how it is used inside a network
    Pros and Cons
    • "The most valuable features are the power of the threat prevention and the WildFire service. Its strength comes from the huge number of sensors all over the world. The firewalls have a rich library of signatures."
    • "If you enable SSL you will face a problem. The throughput of the firewall will be degraded. SSL is a big issue on all firewalls. All products suffer from issues with SSL, but Palo Alto firewalls suffer more from it."

    What is our primary use case?

    We use Palo Alto Networks NG Firewalls as internet firewalls, LAN or WAN firewalls, as well as data center firewalls.

    How has it helped my organization?

    When you apply App-ID and User-ID and Content-ID, you will protect your environment more than with any other firewall. That's because Palo Alto is a leader in App-ID. They invented it. It knows the application and who's communicating with it, and how it is used inside a network. If you use Palo Alto as your internet firewall, for example, when your employee accesses the internet, you will determine which applications he's communicating with, including which ports and the behavior of the user. That helps protect your environment.

    The Palo Alto NG Firewalls unified platform has helped to eliminate security holes in our customers' environments. When you have multiple firewalls from Palo Alto to protect more than one segment, such as the LAN, WAN, internet, and data center segments, you can manage all of these from a single point with Palo Alto Panorama. It makes it easy to configure and monitor all of these segments.

    What is most valuable?

    The most valuable features are the power of the threat prevention and the WildFire service. Its strength comes from the huge number of sensors all over the world. The firewalls have a rich library of signatures.

    Also, the new generation of Palo Alto firewalls includes machine learning embedded in the hardware itself and that is effective in the new era of attacks. Nowadays, we don't know the behavior of the attacks, so we need a product to learn along with us: How an attack will affect us and how the attack will enter a corporate environment. That's why the machine learning aspect is important.

    They also provide a unified platform that natively integrates all security capabilities. You can configure or change anything in the firewall itself from the management console, and there is a separate console for managing all the firewalls you have, called Panorama. It's a very good central manager. I like Panorama. It is the most powerful and capable central manager of firewalls. It gives you very rich information about your environment, and what is moving inside it. It helps you to configure it easily.

    It's also important that the NSS Labs test report from July 2019 about Palo Alto's NG Firewalls showed that 100 percent of the evasions were blocked. NSS Labs is the most accurate public report that all my customers want to see. All my customers ask about NSS Labs and where Palo Alto is positioned in their reports. To position Palo Alto, I will show my customer the NSS Lab report. It's the most important report.

    In addition, in the last two series, Palo Alto separated the engines. That means you will not face any issue with the performance or the firewalls. There is an engine for performance, an engine for the IPS, and another engine for other features. There isn't only a single engine responsible for all these features.

    What needs improvement?

    The IoT could be better. IoT environments will be part of IT and measuring these zones will make your IT environment more resistant to attacks. You need a powerful firewall to secure the IoT segment, the same way that Palo Alto Firewalls do for the IT segment.

    Also, if you enable SSL you will face a problem. The throughput of the firewall will be degraded. SSL is a big issue on all firewalls. All products suffer from issues with SSL, but Palo Alto firewalls suffer more from it.

    For how long have I used the solution?

    I have been using Palo Alto Networks NG Firewalls for at least four years, but for my company it has been almost 10 years.

    I have worked with many Palo Alto models, including the PA-3000 Series, the new PA-3020 Series, and the new-generation PA-3400. I have worked with the PA-800 Series and the 5K as well.

    Our company provides services for the whole cycle, from design and sizing to ordering and implementation. We provide all professional services. And we support systems after implementation.

    What do I think about the stability of the solution?

    It's a very stable firewall.

    What do I think about the scalability of the solution?

    If you choose a model, from PA-3000 or PA-400, or the PA-5000 Series, you should size it correctly from the beginning, and you must consider expansion, otherwise you could face a big problem, as it's not scalable. But, if you have a big company, and you've chosen it as a data center firewall, you can choose a modular version, so that it is easily scalable.

    How are customer service and support?

    There are two types of support. If you choose partner support, you will face a big problem because it will take more time to reach Palo Alto. But if you choose direct support from the vendor, they will support you very well.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    It's very simple to deploy Palo Alto NG Firewalls into our clients' environments. One of my professional service team engineers was able to do an implementation on his own after shadowing just one implementation. He didn't take any courses or do any formal training. He was just a shadow on a single implementation. After that, he did an implementation. It's a very easy firewall.

    The time it takes to deploy this firewall depends on the environment. If it's a complicated environment, a big corporate environment, the number of policies and rules and segments will be the determining factor. But it won't take that long. If you enable App-ID, you will need more time. App-ID is one of the most powerful tools inside NG Firewalls from Palo Alto, but it needs professional engineers to implement it. After that, you will have a very good security tool.

    What was our ROI?

    Our customers certainly see ROI from Palo Alto firewalls. For example, If a bank doesn't have Palo Alto firewalls, or any technology from Palo Alto, they will face many attacks, which would be resolved by Palo Alto. These attacks could compromise some of their customers and result in taking their money. What will the bank do then? The ROI comes from protecting customers.

    What's my experience with pricing, setup cost, and licensing?

    Palo Alto is one of the most expensive firewalls in the world. Everyone knows that. But you need at least one layer from Palo Alto to protect your environment because it is the strongest company in the security field.

    The licensing model for container security is complicated for me and for my customers.

    Which other solutions did I evaluate?

    I deal with Fortinet Fortigate firewalls, Forcepoint firewalls, and Cisco firewalls every day. We sell and implement them, like Palo Alto.

    Palo Alto now has the IoT license on the firewall. They can protect you from DNS attacks. The WildFire license is a very rich license, and other vendors don't have that. And if your firewall is an internet edge firewall, Palo Alto GlobalProtect will give you a host compliance check without adding anything else. Also App-ID and Content-ID are very good and very mature, unlike with other vendors.

    I have also used Palo Alto NGFW’s DNS Security for two of my customers. It's a good addition to the firewall, but it's not perfect. Palo Alto is not specialized in DNS attacks. There are a lot of companies that specialize in DNS attacks. They are more mature than Palo Alto in this area. Palo Alto is not like Akamai or Infoblox or EfficientIP, as those companies are specialized in DNS, DNS servers, and DNS attacks. Palo Alto is not only a DNS company.

    What other advice do I have?

    Someone who says, "We are just looking for the cheapest and fastest firewall?" can get a free firewall, but they will not be protected. They will not be updated against the latest attacks all over the world.

    There are tools on the Palo Alto portal that can be used to enhance the configuration of your Palo Alto product and they are free.

    Overall, I love Palo Alto.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Diamond Partner
    Flag as inappropriate
    Yannick Nganyade - PeerSpot reviewer
    Network Solutions Architect at Ecobank Transnational Incorporated
    Real User
    Top 20
    Gives you a lot of information when you are monitoring traffic
    Pros and Cons
    • "It is critical that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. In my environments, we have an integration with a third-party vendor. As soon as there is new information about new threats and the destination that they are trying to reach on any of our network devices, that traffic will be stopped."
    • "There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better."

    What is our primary use case?

    We use it as an Internet-facing parameter firewall. In my environment, it has security and routing. It is on a critical path in terms of routing, where it does a deep inspection, etc.

    How has it helped my organization?

    There have been a lot of improvements from security to service.

    It is critical that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. In my environments, we have an integration with a third-party vendor. As soon as there is new information about new threats and the destination that they are trying to reach on any of our network devices, that traffic will be stopped.

    What is most valuable?

    Setting up a VPN is quite easy. 

    It gives you a lot of information when you are monitoring traffic. 

    In terms of user experience, Palo Alto has very good user administration.

    Machine learning is important. Although we have not exhausted the full capabilities of the firewall using machine learning, the few things that we are able to do are already very good because we have an integration with a third-party. We are leveraging that third-party to get threat intelligence for some destinations that are dangerous, as an example. Any traffic that tries to go to those destinations is blocked automatically. There is a script that was written, then embedded, that we worked on with the third-party. So, machine learning is actually critical for our business.

    What needs improvement?

    There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better.

    I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

    For how long have I used the solution?

    I started using Palo Alto in 2015.

    What do I think about the stability of the solution?

    It is very stable. We had two outages this year that were not good. They were related to OSPF bugs. Those bugs affected our service availability. 

    What do I think about the scalability of the solution?

    It is quite scalable. I have been able to create a lot of zones to subinterfaces for a number of environments. I don't really have any issues regarding scalability. It meets my expectations.

    How are customer service and support?

    Palo Alto Networks NG Firewalls technical support is very poor. Three or four months ago, I had a bug where the database of the firewall was locked. You cannot do anything with it. We looked for documentation, giving us a procedure to follow, but the procedure didn't work. We logged a complaint with Palo Alto Networks, and they gave us an engineer. The engineer relied on documentation that doesn't work, and we had already tested. In the end, the engineer gave us an excuse, "No, we need this account to be able to unlock it." This happened twice. The way out of it was just to restart the firewall. You can restart the firewall and everything goes back to normal. Therefore, I think the support that we got was very poor.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I have used Check Point and Cisco ASA.

    Initially, when I started with Palo Alto, we had Cisco ASA, but Palo Alto Networks beat ASA hands down.

    We have a multi-vendor environment with different providers. Our standard is that we can't have the same firewall for each parameter, so there is some kind of diversity. 

    We had ASA looking at one side of the network and Palo Alto Networks looking at the other side of the network. We also had Juniper looking at another side of the network. At the end of the day, ASA was very good, I don't dispute that. However, in terms of functionality and user experience, Palo Alto Networks was better. 

    Palo Alto Networks beat ASA because it was a next-generation firewall (NGFW), while ASA was not.

    How was the initial setup?

    When we bought Palo Alto, we had Juniper devices in our environment. We were told that it was a bit like Juniper, so we were happy. However, some people were a bit skeptical and scared of Juniper firewalls. Because of that, it took us a very long time to put them on the network. However, as soon as we did the implementation, we realized that we were just thinking too much. It was not that difficult. 

    We deployed Palo Alto Networks as part of a project for data center implementation. The implementation of the firewall didn't take long.

    What about the implementation team?

    We buy through a third-party. Our account is managed by IBM.

    What was our ROI?

    We have seen ROI. There is more visibility in the environment in terms of security. There was a time when we suspected a security breach, and this firewall was able to give us all the logs that we expected. 

    What's my experience with pricing, setup cost, and licensing?

    Palo Alto is like Mercedes-Benz. It is quite expensive, but the price is definitely justified.

    Which other solutions did I evaluate?

    One thing is system administration. In our opinion, Palo Alto administration is easier compared to other vendors. I know other vendors who have Check Point. You have to manage Check Point, and it is a bit cumbersome. It is a very nice, powerful firewall, but you need more knowledge to be able to manage Check Point compared to Palo Alto. Palo Alto is very straightforward and nice to use.

    In our environment, troubleshooting has been easy. Anybody can leverage the Palo Alto traffic monitoring. In Cisco ASA and Check Point, you also have these capabilities, but capturing the traffic to see is one thing, while doing the interpretation is another thing. Palo Alto is more user-friendly and gives us a clearer interpretation of what is happening.

    One thing that I don't like with Palo Alto is the command line. There isn't a lot of documentation for things like the command line. Most documents have a graphic user interface. Cisco has a lot of documents regarding command lines and how to maneuver their command line, as there are some things that we like to do with the command line instead of doing them with the graphic interface. Some things are easy to do on a graphic interface, but not in the command line. I should have the option to choose what I want to do and where, whether it is in the command line or a graphic interface. I think Palo Alto should try to make an effort in that aspect, as their documentation is quite poor.

    We would rather use Cisco Umbrella for DNS security.

    I compared the price of Palo Alto Networks with Juniper Networks firewall. The Juniper firewall is quite cheap. Also, Palo Alto Networks is a bit expensive compared to Cisco Firepower. Palo Alto Networks is in the same class of Check Point NGFW. Those two firewalls are a bit expensive.

    It gives us visibility. In my opinion, the first firewall that I would put on our network is Palo Alto Network and the second would be Check Point.

    What other advice do I have?

    Palo Alto Networks NG Firewalls is a very good firewall. It is one of the best firewalls that I have used.

    I would rate Palo Alto Networks as nine out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Buyer's Guide
    Download our free Palo Alto Networks NG Firewalls Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2022
    Product Categories
    Firewalls
    Buyer's Guide
    Download our free Palo Alto Networks NG Firewalls Report and get advice and tips from experienced pros sharing their opinions.