Cloud Infrastructure Engineer at an energy/utilities company with 10,001+ employees
Allowed for more flexibility in defining rules, as it was based on applications rather than strict port and protocol definitions
Pros and Cons
- "The key aspect of this solution that provides the most value is its next-gen capabilities, which represented a significant change for us."
- "It's too expensive."
What is our primary use case?
We deployed Palo Alto Networks NG Firewalls for inbound and outbound protection, as well as DMC protection, in our data center.
What is most valuable?
The key aspect of this solution that provides the most value is its next-gen capabilities, which represented a significant change for us. Previously, we had been using Check Point.
We switched to this solution due to its advanced next-gen capabilities, which allowed us to create rules based on applications rather than ports or protocols. As a result, the solution became much more relevant to our needs compared to our previous solution.
Palo Alto Networks NG Firewalls allowed for more flexibility in defining rules, as it was based on applications rather than strict port and protocol definitions. This made it easier to adapt to changing needs and configurations.
We were able to automate things using the API. Savings are minimal, but we save a significant amount of time when we deploy rules that we learn when we deploy the policy. Is the process still the same? Perhaps the implementation will take only a few hours or minutes.
We have been exclusively using it for the Next-Gen firewall, MDPN, and remote access for a while.
It integrates the core capabilities into one.
To make it more affordable, we had to separate the integrated features into individual components. The integrated solution was more expensive than when we broke it down into separate components.
For how long have I used the solution?
I have been using Palo Alto Networks NG Firewalls for over five years, and perhaps even as long as ten years.
What do I think about the stability of the solution?
The stability of Palo Alto Networks NG Firewalls is very good.
We have upgraded it several times for additional features, and we have never experienced any crashes or performance issues. Overall, it has been quite stable.
Buyer's Guide
Palo Alto Networks NG Firewalls
July 2025

Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
862,499 professionals have used our research since 2012.
What do I think about the scalability of the solution?
In terms of scalability, the cost is a limiting factor. We can buy a large number of them, but it would not make financial sense for us to do so due to the high cost.
In contrast to the cloud environment where you can scale incrementally and horizontally, in our case, we have to purchase the entire unit. As a result, scaling our responsibilities becomes challenging.
We have around 2,000 compute resources that need protection, so getting a large firewall is necessary to safeguard our environment.
How are customer service and support?
Technical support is very good.
I would rate the technical support an eight out of ten.
F5 and Cloudflare are types of support that were really good. There is no escalation whatsoever. The first person you get to already is the top-notch technical person.
With Palo Alto, you have to escalate, but eventually, you get to a good one.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment process was easy.
We used a migration tool to transfer from our previous firewall to Palo Alto, and it proved to be quick.
What about the implementation team?
We received support from a Palo Alto sales engineer.
What was our ROI?
While Palo Alto is expensive, it's still the better option compared to the other two vendors that were evaluated since they didn't provide the necessary performance and benefits.
Overall, the expenses for Palo Alto are manageable, and it's worth the investment.
What's my experience with pricing, setup cost, and licensing?
It's too expensive.
Although Palo Alto is a good and fast product, it is not the most affordable option out there, and it may not be the easiest to use.
Which other solutions did I evaluate?
We evaluated Cisco and Fortinet.
During our evaluation process for selecting a firewall vendor, we prioritize performance as the number one factor.
Price range is ranked second in importance.
Other important factors include ease of use, API support, and next-gen features, all of which are used as evaluation criteria. We have previously used Magic Quadrant, but it is important for us to carefully choose our firewall vendor.
What other advice do I have?
Integrating machine learning at the core of Palo Alto Networks NG Firewalls would be highly beneficial. The ability to automatically detect threats without the need to create rule sets manually would be a game changer.
Attending events like RSA is valuable to me because it allows me to explore different vendors and products. Sometimes, I come across new vendors that I haven't heard of before, which is good.
Attending events like RSA can have a significant impact on our company's cybersecurity purchases throughout the year. If we come across a new vendor with a fresh approach to protecting the company or identifying threats, we are definitely interested in exploring their offerings.
I would rate Palo Alto Networks NG Firewalls an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Manager, Global Security Operations at a non-tech company with 10,001+ employees
Is updated often with the latest threat signatures and secures data centers consistently across all workplaces
Pros and Cons
- "I like that Palo Alto does a good job of keeping the firewall updated with the latest threat signatures."
- "The performance of the Panorama interface needs to be improved. It tends to be very sluggish at times."
What is our primary use case?
As a Security Engineer, I use this solution for protection. I put in additional rules and also use the solution for forensic investigations and to look at traffic logs.
What is most valuable?
I like that Palo Alto Networks does a good job of keeping the firewall updated with the latest threat signatures.
We use Panorama, so we're able to manage an entire array of firewalls in one console. It's really useful because we can make one change and deploy it to all of our firewalls.
Palo Alto Networks NG Firewalls do a great job at providing a unified platform that natively integrates all security capabilities. For example, we can easily export our firewall logs into our SIEM. We have so many tools to manage that having a unified platform makes our job easier.
This firewall is great at securing data centers consistently across all workplaces.
We have high availability, and Palo Alto Networks NG Firewalls helped reduce downtime.
What needs improvement?
The performance of the Panorama interface needs to be improved. It tends to be very sluggish at times.
For how long have I used the solution?
I've been using Palo Alto Networks NG Firewalls for five years.
What do I think about the stability of the solution?
I have not heard of any complaints or issues regarding the stability of the firewalls.
What do I think about the scalability of the solution?
We can easily add nodes into Panorama with no problem. As such, scalability is not an issue. We have an enterprise environment with approximately 15,000 users in multiple countries.
How are customer service and support?
I haven't had to call technical support, but my colleagues have. They've always spoken positively about the experience and would probably rate the technical support an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
My organization used Cisco Secure Firewall ASA and switched to Palo Alto Networks NG Firewalls because Cisco was lagging behind in many features. For example, the management interface on the ASAs was awful compared to that in the NG Firewalls.
What was our ROI?
We have absolutely seen an ROI in the fact that we haven't ended up in the news. We can look at any time and see all the threats that have been stopped by Palo Alto Networks NG Firewalls.
What other advice do I have?
If you are looking for the cheapest and fastest firewall, I would say that it's a risky angle to take. Security costs money, and you'll get what you pay for.
The benefits I receive from attending an RSA conference are networking, meeting people and having conversations face-to-face, making contacts in the industry, getting suggestions about products, and attending briefings about specific products.
Also, attending RSAC can have an impact on your organization’s cybersecurity purchases because you may find out about products that you hadn't heard of before.
Overall, I would rate Palo Alto Networks NG Firewalls an eight on a scale from one to ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Infrastructure Solution Architect and Engineer at an aerospace/defense firm with 10,001+ employees
Helped us meet our security requirements but the technical support needs improvement
Pros and Cons
- "The fact that the Next-Gen firewalls are integrated with identity is the best. It gives us the ability to track what an individual is doing and helps us provide access to only what they need in order to do their job."
- "Palo Alto Networks NG Firewalls don't provide a unified platform that natively integrates all security capabilities. It's missing some features for geofencing and understanding locations."
What is our primary use case?
We mainly use the solution for traditional firewall boundaries.
How has it helped my organization?
The solution helped us meet our security requirements.
What is most valuable?
The fact that the Next-Gen firewalls are integrated with identity is the best. It gives us the ability to track what an individual is doing and helps us provide access to only what they need in order to do their job.
Because we want to free up our operators from the routine tasks of investigations, it's important to us that Palo Alto Networks NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention.
What needs improvement?
Technical support could be improved. Palo Alto's technical support used to be great. Whenever I had a problem, I could pick up the phone and call and get answers. That's not the case any longer.
Palo Alto Networks NG Firewalls don't provide a unified platform that natively integrates all security capabilities. It's missing some features for geofencing and understanding locations.
These firewalls are primarily used for edge defense. In terms of securing data centers consistently across all workplaces, that is, from the smallest office to the largest data centers, Palo Alto Networks NG Firewalls don't have a strong zero trust model.
NG Firewalls have not helped us reduce downtime in our organization. Because of technical support issues, we've taken some hits.
For how long have I used the solution?
I've been using Palo Alto Networks NG Firewalls for 20 years.
What do I think about the stability of the solution?
It's always been a stable product.
What do I think about the scalability of the solution?
This solution is a firewall that's a hardware appliance, and that's not the direction the industry is heading. Everybody is going toward a software-defined perimeter. Palo Alto doesn't have a strong say on it. They took what they had for their hardware and just put it in the cloud without understanding what being cloud-centric is all about.
How are customer service and support?
I would rate the technical support a three out of ten.
How would you rate customer service and support?
Negative
What was our ROI?
Our ROI is that the firewalls have been used quite a few times for investigations. We've gathered the evidence we needed to act upon an issue.
What's my experience with pricing, setup cost, and licensing?
These firewalls are not cheap, but they have a reasonable licensing model.
What other advice do I have?
If you are considering attending an RSA Conference, note that you won't gain enough information by attending one conference. However, when you attend year after year, go through the expo, and talk to vendors, you will begin to see trends. You'll see that what's hype one year is no longer a reality another year. Thus, the experience with RSA is a multiple-year experience.
Attending RSAC has made an impact on our organization’s cybersecurity purchases. We've brought products back into our infrastructure based on what we discovered from talking to vendors at the RSAC.
Overall, I would rate Palo Alto Networks NG Firewalls a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Consultant at PT. Mitra Integrasi Informatika
Provides a layer 7 firewall and allows us to make rules to filter the application layer of traffic
Pros and Cons
- "The most important feature is the firewall. We can make rules to filter the application layer of traffic. It's a very helpful feature."
- "I would like to see more integration."
What is our primary use case?
We are resellers. We're testing this solution in our network and learning about the scalability, how to set up the firewall, and the rules. It's a layer 7 firewall, so we want to know about the capabilities and detection.
The solution is deployed on-premises.
What is most valuable?
The most important feature is the firewall. We can make rules to filter the application layer of traffic. It's a very helpful feature.
The interface is user-friendly. It minimizes clicks and the need to type comments. With the GUI, we just have to drag and drop. It's quite helpful. For those who don't have a lot of experience with Palo Alto, there's a lot of good documentation.
The machine learning is very good. From our tests, the detection is quite good. I would rate the machine learning a nine out of ten.
What needs improvement?
I would like to see more integration.
For how long have I used the solution?
I have used this solution for about eight months.
I'm a consultant and appliance tester. My job is to test the network and know how it works.
What do I think about the stability of the solution?
The stability is good.
What do I think about the scalability of the solution?
I don't know about the scalability because we only have one appliance, which we haven't upgraded.
How are customer service and support?
I haven't contacted technical support, but all of the answers to my questions are available in the documentation.
Which solution did I use previously and why did I switch?
We previously used Fortinet.
How was the initial setup?
The installation is straightforward. It's just a simple button. The deployment took less than two hours.
We used four people for testing the capabilities and for the deployment. There were also three or four people outside my team who were involved.
What other advice do I have?
I would rate this solution a nine out of ten.
To those who are interested in using this solution, what I would first say is that Palo Alto is a leader in Gartner. I would give them recommendations about the technical side, what we have done in our testing, the protection rate, the benefits, and how quickly and accurately the firewall can detect threats.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Chief Data Center Operations at a government with 10,001+ employees
Video Review
Makes it easier for tier-two staff to get involved in deeper root cause analysis
Pros and Cons
- "Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there."
- "As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in."
How has it helped my organization?
This solution helps us standardize. We have a presence in the Americas, the Pacific, and Europe and have to manage three firewalls. The previous solution made it difficult to standardize, but with Palo Alto Networks NG Firewalls, it's a little simpler. It just makes it a pleasant experience overall.
What is most valuable?
Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there.
Our firewall engineers like the automations that are involved with the firewall rules. For example, we integrate with Azure, and Azure constantly updates the IP addresses for their whitelists. There are hundreds. With the previous solution that we had, our firewall administrators had to hand-jam a lot of their IP addresses, so it became more of a deterrent to manage the firewall because of the overhead involved. Now that it's automated with Palo Alto Networks NG Firewalls, they've been more apt to use the tool than they did previously.
It allows our firewall administrators to speak more confidently when we have an incident response. When they detail their root cause analysis and possibly what the problem is, the leadership receives that information with a little more confidence, and it's a little more palatable. This makes our lives easier when dealing with an incident response.
From a leadership perspective, the reports are genuine, palatable, and easy to understand. They allow me to make logical leaps.
There are servers that go along with Palo Alto, at least for the identity management part. We chose to use a Windows platform, so the only maintenance involved is the patching of the servers and then the occasional agent upgrade for the servers. Palo Alto versions would need to be upgraded as well, along with security patches.
For the most part, we don't see it as a lot of overhead in terms of maintenance. We try to have a maintenance weekend each month for our network team, in addition to a patch maintenance weekend for our system administrators. Overall, we really haven't had to patch.
What needs improvement?
As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in.
For how long have I used the solution?
We've been using it for roughly five years.
It's deployed on-premises, but we are presently moving into Azure, so we are looking at the Palo Alto appliances for that environment as well.
What do I think about the stability of the solution?
Stability-wise, we have three regions in which we use Palo Alto, and we are not pegging the resources for these boxes at all. They're meeting and exceeding our expectations in terms of stability, but we're definitely not pushing them to the limit.
What do I think about the scalability of the solution?
In terms of the scalability of the appliance itself, there are some licenses that you can upgrade where you don't have to bolt on any hardware. You may have to upgrade a module. The supporting appliances are VMs that we stand up in the data center, and those handle more of the identity management pieces of the Palo Alto solution.
How are customer service and support?
Palo Alto's technical support has been great. We recently had an issue with DNS where we were having difficulties tracking where an endpoint was making DNS requests. We got a little lost in some of the admin consoles for Palo Alto. We opened a service request, the call was returned within two hours, and an administrator from Palo Alto stayed on the phone with our engineers for about three hours and really helped us by generating some unique queries.
I would rate technical support an eight out of ten with respect to the engineers. They've been very responsive and quick. They have always followed up within the timeframe that Palo Alto said that they would.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We switched because of the end of life in a hardware's life cycle. With us moving into the cloud and having a much larger endpoint presence, we wanted something that was a little more robust. We also had fewer head counts for our firewall or network administrator staff. So, we wanted a tool that we could access easily and not have such a large training curve. We went with Palo Alto Networks NG Firewalls because it made a little more sense for us.
What was our ROI?
In terms of ROI, protecting our customers is obviously number one. The implementation of our previous solution required agents to be installed on all our endpoints. That was a little more difficult because we have a large number of endpoints globally. The administrative overhead to manage the updates for those agents was not favorable.
Palo Alto Networks NG Firewalls allowed us to rely more on the existing infrastructure, Active Directory, to help us with identity management and security groups. It has made it simpler to manage.
Which other solutions did I evaluate?
We evaluated two other options.
The sales team that assisted us with refining our requirements and explaining some of the new feature sets that are coming out helped us see that some of our requirements were no longer needed. It really helped us to learn more about the service that we were looking for, and Palo Alto just made it an easier discussion for us.
What other advice do I have?
I recommend fully engaging Palo Alto's sales team. They're very knowledgeable and very friendly. We have three regions, PAC, Europe, and the Americas, and time zones and the quality of support always come into question when you're spread out. We haven't seen any gaps no matter what time zone we had a problem with in terms of sales and post-support. It has been great all the way around.
Overall, I would give Palo Alto Networks NG Firewalls a rating of eight on a scale of one to ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Service Delivery Engineer at Netdata Innovation Center
Provides full visibility into the traffic, stops attacks in real-time, and comes with an easy-to-use interface
Pros and Cons
- "The first time I came across these firewalls, what surprised me the most was their web user interface. It is complete and gives you a lot of information. You can do 80% of the things related to your network and firewall through the web UI. In some of the other devices, the UI is not as complete. App-ID is also very valuable in customer networks. When you're seeing a lot of traffic in your network, you can see in your web UI which users have the applications that are consuming the most bandwidth. You have a broad context, which is very good."
- "Palo Alto can do a little bit better when it comes to the User-ID part. I've been facing problems related to double authentication. You have a computer user, but you also have a VPN user, and when you do a single sign-on to another page, these logs can sometimes generate a problem notification. It doesn't happen a lot, but in some networks, it could be a problem. It would be very helpful to have the ability to restrict the connections that you can have in your VPN. For example, if you have the credentials, you can connect with the same user account from different computers or devices. If you have the domain information, you can connect from different devices. That's a problem that they need to address and resolve. They should ensure that at any moment, only one person is connected through a specific user account."
What is our primary use case?
I'm working in a company that focuses on giving support to different enterprise companies. We help customers with a virtual environment as well as on-prem firewalls.
Before the COVID situation, most of the firewalls were on-prem firewalls, and during the pandemic, there were a lot of problems trying to deliver the firewalls and put them in place. It was taking a lot of time. So, most of the customers have taken a virtual approach for that. A lot of customers with on-prem firewalls are going for a virtual approach.
We are using the most recent version of it.
How has it helped my organization?
Palo Alto NG Firewalls help you a lot to have a context of everything. With traditional firewalls or Layer 3 firewalls, we're more focused on determining the source and destination IPs on a specific port. It could be USB or something else, but with next-generation firewalls, you can have more information, such as the user who used it, as well as the application consumed by this user. That's a genuine value that these next-generation firewalls bring in understanding that a user on the network is consuming Port 443 but using Facebook. It is determined by the payload. It can examine the packet, check the payload, and identify the applications. The next-generation firewalls are also more focused on protection.
There are new features that are based on machine learning to protect your network and identify any vulnerabilities. They are pretty good too. With the normal firewalls that we have, the policies are based on ports and IP source and destination. For example, as a part of my policy, I have allowed UDP ports 145 or 345, and for authentication, I have allowed LDAP and other protocols. However, there is a possibility of a breach. Even if I have determined that the traffic is from my Active Directory servers to the users, when I internally open ports 145 and 345 for all the protocols and all the applications, it creates a vulnerability in my network. If I create the specific rule where I establish that my application is going to be LDAP, and these ports will only be open for LDAP, I am closing the gap. I'm making my network safer, and I'm being more specific and more granular. That's the detail we need nowadays to prevent different types of attacks. The idea is to be more specific and only give the permissions that are needed. We should try to avoid giving more privileges because that creates a vulnerability gap. The customers appreciate being specific and having very descriptive rules for their use cases and blocking other types of communications, which is not that good with normal firewalls.
Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention, which is very important. Attackers are innovating every moment, and the attacks are becoming more sophisticated and unpredictable. They are not as predictable as they were in the past. Therefore, it is important to have something at the back in the form of machine learning to help you to interpret and analyze any kind of attack in real-time and protect you from a breach. Technology is very important because you can lose a lot of money or information if you don't have a good security posture and the right tools to prevent a breach or attack.
The machine learning in Palo Alto NG Firewalls is helpful for securing your networks against threats that are able to evolve and morph rapidly. They have advanced threat prevention and advanced URL filtering. WildFire is also useful. It gives you an analysis of malicious files. It detects the files in the sandbox and lets you know in minutes if a new file could be malware, which is helpful for advanced threat prevention. It can quickly give you a lot of context and protection.
DNS security is something that is the focus and a part of the threat prevention profile, and you get different types of options. They collect a lot of information from the experience of other users to determine different problems, such as a malicious page or domain, and use advanced predictive analysis and machine learning to instantly block DNS-related attacks. Their Unit 42 Threat Intelligence team helps the security teams a lot to determine and prevent threats. I haven't had any issue with DNS security. Generally, we recommend the step-by-step approach during the implementation. We recommend starting with a couple of users, analyzing the traffic, and ensuring that the signatures are accurate and policies are established. You have an option to put exceptions for DNS signatures, but in my experience, I didn't have to make many exceptions. You can definitely do it, but it is generally very accurate.
DNS Security provides protection against sneakier attack techniques like DNS tunneling. For DNS tunneling, my approach is to use an SSH proxy. There is a feature in Palo Alto to decrypt SSH traffic and block the application. For example, you see it as SSH, but after you decrypt that traffic, you can see it as SSH tunneling and you can actually block it. You can put things like a sinkhole in order to prevent this traffic.
Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities, which is very important. You get a lot of information. For example, in the monitor tab, you can review whether files are transmitted or not, received or not. You can also see the logs related to a threat or a URL that is malicious or is being blocked by your profiles. You have all that information in your hand, and you can review it in a very organized way, which has been very valuable for me. It helped me a lot to understand the problems that a customer can have in the field.
Palo Alto NG Firewalls allow you to enable all logical firewalling functions on a single platform. You can segment your network into Zones. With Zones, you can separate and allow the traffic in a more specific way. For example, you can separate your visitors or guests into different zones. It is helpful in terms of the cost. This is something that could help you to reduce the cost because you don't have to put in a lot of tools for doing the same thing, but it is something that I'm not an expert in.
What is most valuable?
The first time I came across these firewalls, what surprised me the most was their web user interface. It is complete and gives you a lot of information. You can do 80% of the things related to your network and firewall through the web UI. In some of the other devices, the UI is not as complete. App-ID is also very valuable in customer networks. When you're seeing a lot of traffic in your network, you can see in your web UI which users have the applications that are consuming the most bandwidth. You have a broad context, which is very good.
What needs improvement?
Palo Alto can do a little bit better when it comes to the User-ID part. I've been facing problems related to double authentication. You have a computer user, but you also have a VPN user, and when you do a single sign-on to another page, these logs can sometimes generate a problem notification. It doesn't happen a lot, but in some networks, it could be a problem. It would be very helpful to have the ability to restrict the connections that you can have in your VPN. For example, if you have the credentials, you can connect with the same user account from different computers or devices. If you have the domain information, you can connect from different devices. That's a problem that they need to address and resolve. They should ensure that at any moment, only one person is connected through a specific user account.
For how long have I used the solution?
I have been using this solution for almost five years.
What do I think about the stability of the solution?
There are no issues with stability. In most cases, they are very stable.
We recommend our customers to have an HA configuration with active/passive, which is very good in Palo Alto. It takes seconds to change from one firewall to another, which provides reliability and prevents loss of service because of a hardware problem or a network problem on a device. Having an HA environment makes your network resilient.
What do I think about the scalability of the solution?
It depends on the type. If you have a virtual firewall, it is easier to scale to meet your needs. It also depends on the work that you have done during the implementation. It depends on your design, which should be based on a customer's current needs and growth. There are Palo Alto firewalls with different throughput rates to support traffic and encryption. That's why you need to determine and talk about the expectation that a customer has for growth. We do a lot of that so that the customers can have a very robust tool that will help them to secure their network during the coming years without the need to change the device. We understand that it is a huge investment, and they want this product to be there for them for the maximum duration.
How are customer service and support?
For the firewall part, there are complete and very good resources out there to help you. Most of the time, I go through them, and someone has had the same issue in the past. There is a lot of information about the issues that have been solved in the past and how to troubleshoot them. They're very accurate with that. They're very good.
How would you rate customer service and support?
Positive
How was the initial setup?
It depends. If a customer has had another firewall, you need to go through an analysis of their network to understand the rules they have and then translate and introduce them to the Palo Alto methodology. Palo Alto helps us a lot with tools like Expedition, which is a migration tool. Expedition helps you to import the existing configuration from other brands. Overall, it is very straightforward if you have experience. Otherwise, there is a lot of documentation about how you can use the Expedition tool in order to have a successful migration.
If it is a greenfield deployment where the customer is going to have it for the first time, the configuration is very straightforward. If you don't have any other firewalls, the implementation duration depends on the granularity that a consumer wants and the complexity of their network. The main job is going to be related to the authentication of the users and User-ID. In general, if you have just ten rules, you can do it in three to four days.
In terms of maintenance, they are continuously checking and reviewing if there are some breaches or there are any exploits or new applications. It is continuously updating itself on a weekly or daily basis. They are continuously developing new versions. They have a lot of documentation that we share with the customers for information about the best-recommended version or the version with fewer issues. Their documentation is complete in that aspect, and it gives you a lot of information. You have access to the known issues of released versions. Palo Alto is continuously working on new versions and fixing the glitches of previous versions. You might have to upgrade to a new version because a particular problem is resolved in it.
What other advice do I have?
To someone who says that they are just looking for the cheapest and fastest firewall, I would say that I understand that businesses need to reduce the cost, but such a solution is an investment, and in the future, it's going to help you. If you go to the cheapest solution that could do most of the things, but not all, you could face problems. You could have a breach that would cost you a lot more money than having a good security posture. The number of attacks is going to increase more and more. We have to take them seriously and invest in new and powerful tools for protection. The investment that you make today can save your company tomorrow.
They are trying to come up with new things and innovate every year with new licenses. For example, a couple of years ago, they brought the IoT part, which is something that became popular. They try to innovate a lot and bring out new licenses, but you need to understand your needs to know which licenses are better for you. You should consult a good team and obtain a license that is good for you. That's because not all the licenses are important for your environment. For example, if you are not familiar, or you don't have any future plans for IoT, you don't require a license for that. You should focus on the licenses that you really need and are going to generate value for you. You should focus on your security needs and understand which firewall model can give you the protection and the ability to grow over time based on your projections. Your licensing should include good threat prevention, URL filtering, DNS security, and WildFire in order to have a very secure environment.
It is a complete solution, and it provides a lot of protection to the users and the network, but it is not something for device protection. For that, you would need something like Cortex, which can help you determine abnormal behavior in an endpoint.
Palo Alto is trying to combine different products to protect different areas. A next-gen firewall is very good for your network, but, for your endpoints, you can have Cortex. These two solutions can then work together. They speak the same language and have a full integration to protect all your environment. Nowadays, there are a lot of people working from their homes. They are exposed to different types of threats. They connect to your environment through a VPN, but when they disconnect, they do their daily tasks on the device, and while doing that, they may go through a bad page or execute a file that can corrupt the computer. You can determine this and stop attackers from connecting to and infiltrating your network. Palo Alto tries to separate the breaches or the attack areas, and they have a very good product in each area. You can make these products work together in order to have a very strong platform.
I would rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Network Security Engineer at Diyar United Company
Has good reliability and application filtering capabilities, but there should be better support and network performance
Pros and Cons
- "I'm using most of its features such as antivirus, anti-spam, and WAF. I'm also using its DNS Security and DNS sinkhole features, as well as the URL filtering and application security features."
- "I am in GCC in the Middle East. The support that we are getting from Palo Alto is disastrous. The problem is that the support ticket is opened through the distributor channel. Before opening a ticket, we already do a lot of troubleshooting, and when we open a ticket, it goes to a distributor channel. They end up wasting our time again doing what we have already done. They execute the same things and waste time. The distributor channel's engineer tries to troubleshoot, and after spending hours, they forward the ticket to Palo Alto. It is a very time-consuming process. The distributor channels also do not operate 24/7, and they are very lazy in responding to the calls."
What is our primary use case?
I have deployed it as my internal firewall in the cloud. I also have it on-premises as my perimeter firewall. I am also running Palo Alto in my DMZ.
I'm using the PA-5532 Series. We have cloud and on-premises deployments. The cloud deployment is on the Azure public cloud.
How has it helped my organization?
We are using it on Azure Cloud as an internal firewall for filtering the east-west traffic. At the same time, we are using this firewall as a second-layer firewall in our perimeter for filtering the application URL and other things for the users. We are using another firewall as a perimeter for the DMZ. So, all internal applications that are connecting users are connecting through this firewall. We have other vendors as well, but the main applications are going through the Palo Alto firewall.
Its predictive analytics work very well for blocking DNS-related attacks. We are moving malicious URLs to the unknown IP in the network. They are reconfigured.
Its DNS security for protection against sneakier attack techniques, such as DNS tunneling, is good.
What is most valuable?
I'm using most of its features such as antivirus, anti-spam, and WAF. I'm also using its DNS Security and DNS sinkhole features, as well as the URL filtering and application security features.
In terms of application filtering and threat analysis, it's a little bit better as compared to the other UTM boxes, such as Sophos or other brands. It is secure and good in terms of application classification and signatures. It is a trustable solution.
What needs improvement?
In terms of the network performance, I am not very happy with Palo Alto. Other solutions, such as Fortinet, have better throughput and network performance.
I am in GCC in the Middle East. The support that we are getting from Palo Alto is disastrous. The problem is that the support ticket is opened through the distributor channel. Before opening a ticket, we already do a lot of troubleshooting, and when we open a ticket, it goes to a distributor channel. They end up wasting our time again doing what we have already done. They execute the same things and waste time. The distributor channel's engineer tries to troubleshoot, and after spending hours, they forward the ticket to Palo Alto. It is a very time-consuming process. The distributor channels also do not operate 24/7, and they are very lazy in responding to the calls.
It is expensive as compared to other brands. Its pricing can be improved.
For how long have I used the solution?
I have been using this solution for more than four years.
What do I think about the stability of the solution?
Its stability is fine. I'm happy with it.
What do I think about the scalability of the solution?
It is scalable. Its usage is extensive. We are using it daily. It is our core device.
How are customer service and support?
Their support is very bad as compared to the other vendors. The support ticket is opened only through the distributor channel, and it takes a lot of time to get a solution for the issue. I'm not happy with their technical support. I would rate them a four out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Palo Alto is the main core product in our case, but we also have Fortinet, Check Point, and Cisco ASA firewalls. Fortinet is one of the key products in our network.
How was the initial setup?
The process of configuring Palo Alto devices is very easy. There is not much in it, but if we want to add or remove a device in Panorama, it is a very complicated setup. Adding, deleting, and updating a device from Panorama is very difficult. The interaction between Panorama and Palo Alto devices isn't good. They need to improve that. FortiManager works very well in terms of device interaction and other things.
The deployment duration depends on the customer infrastructure and where they want to deploy the box, such as in the data center or at the perimeter, but for me, generally, two days are enough for the setup. I provide customers the ways to design a secure network, and they can choose whatever is convenient for them based on their existing network.
What about the implementation team?
In my environment, there are four network security engineers who are the owners of these devices. We take care of the deployment and management of security devices.
What's my experience with pricing, setup cost, and licensing?
Its price is higher than other vendors. They need to re-think its pricing.
With Fortinet, the SD-WAN feature is totally free, whereas, with Palo Alto, I need to pay for this feature. With Fortinet, there is one licensing, and I can get many things, whereas, with Palo Alto, I need to go for individual licensing.
What other advice do I have?
I'm working in a systems and data company, and I recommend Palo Alto and other firewalls to many people. The users can choose one based on their budgeting because Palo Alto is expensive as compared to other brands.
Palo Alto NGFW’s unified platform hasn't 100% helped to eliminate security holes. In some cases, we are using other products. I'm mainly using it for WAF and securing my DMZ infrastructure. It is working well in terms of the functionalities in layer 3 and layer 4.
I would rate this solution a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. reseller
Security Presales Consultant at a tech services company with 501-1,000 employees
Offers full visibility into network traffic
Pros and Cons
- "A feature introduced by Palo Alto with the version 10-OS is embedded machine learning in the core of the firewall to provide inline, real-time attack prevention. Machine learning analyzes the network traffic and detects if there is any usual traffic coming from outside to inside. Because of Palo Alto, organizations detect around 91% of malicious attacks using machine learning. The machine learning helps customers by implementing firewalls in critical and air gap areas so there is no need to integrate with the cloud sandbox."
- "Palo Alto has introduced new features in their next-generation firewall, such as SD-WAN. However, the technique of SD-WAN implementation is not easy to understand. It is not easy to deploy at this moment. Maybe, in the future, they can improve the process and how the administrators, partners, or support team can easily deploy this SD-WAN solution on their next-generation firewall. The SD-WAN solution from Fortinet is easy to do. It does not take more than five or 10 minutes. When we talk about Palo Alto, it takes extra effort to implement SD-WAN."
What is our primary use case?
Almost all of my deployments are regulated to each firewall perimeter or as a data center firewall. The perimeter firewalls are deployed to control the user traffic and establish IPv6 VPN connections between a company's headquarters and its branches. This solution comes with threat prevention and URL filtering licenses for perimeter deployment. For data center deployments, the solution is deployed as a second layer of protection for the network traffic, especially for VLANs. It also prevents lateral movement of network attacks.
Almost all of my deployments in the Middle East are deployed on-prem. There is no acceptance of cloud solutions, especially for government and banking rules.
How has it helped my organization?
Palo Alto Networks Next-Generation Firewall comes with full visibility into the network traffic. The administrator of this next-generation firewall can troubleshoot the traffic, network issues, or connectivity issues that busted through the Palo Alto Next-Generation Firewall, then detect whether the problem is from the client side or the server side. This solution helps the administrator to troubleshoot and have their network up and running all of the time.
What is most valuable?
A feature introduced by Palo Alto with the version 10-OS is embedded machine learning in the core of the firewall to provide inline, real-time attack prevention. Machine learning analyzes the network traffic and detects if there is any usual traffic coming from outside to inside. Because of Palo Alto, organizations detect around 91% of malicious attacks using machine learning. The machine learning helps customers by implementing firewalls in critical and air gap areas so there is no need to integrate with the cloud sandbox.
I integrate Palo Alto with different Security Information and Event Management (SIEM) solutions as well as Active Directory to control the traffic based on users and integration with the email server to send notifications and look at domain recipients. I also integrate Palo Alto with Duo as a multi-factor authentication, which is easy to integrate.
They have introduced more security components that can be integrated. We are talking about Cortex XDR and WildFire. These are natively integrated with Palo Alto Networks. These help to predict malicious attacks on the endpoint and network. WildFire is easy to deploy and integrate.
SP3 architecture helps distribute the bucket into different engines. Each engine has their own tasks: the networking engine, the management engine, and application and security. Each one of these tasks is done by a single task or dedicated CPUs and RAM for handling traffic.
For how long have I used the solution?
I have been using this solution for about four or five years.
What do I think about the stability of the solution?
They have a stable solution, stable hardware, and stable software since they have released multiple OSs. If there are any issues, they release a new OS. Each month, you will see new batches with a new OS introduced to customers. You can update it easily.
With Palo Alto Networks, you have a dedicated management plane. Therefore, if you face an issue with the management interface, e.g., the GUI or CLI of Palo Alto Networks, you can restart it without affecting the data streams.
How are customer service and support?
The technical support team is great. We have no tickets open with Palo Alto. There are distributed tech centers worldwide that do not have Palo Alto employees, but have the capability to solve your problem in an easy way. They help you to close your gaps or pains.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I am an expert with next-gen firewalls, especially in Fortinet and Palo Alto. I am NSE 4, NSE 7, and PCSAE certified.
How was the initial setup?
Palo Alto has introduced new features in their next-generation firewall, such as SD-WAN. However, the technique of SD-WAN implementation is not easy to understand. It is not easy to deploy at this moment. Maybe, in the future, they can improve the process and how the administrators, partners, or support team can easily deploy this SD-WAN solution on their next-generation firewall. The SD-WAN solution from Fortinet is easy to do. It does not take more than five or 10 minutes. When we talk about Palo Alto, it takes extra effort to implement SD-WAN.
What was our ROI?
If you are looking for a great firewall that helps you stop attacks as well as giving you visibility with the administration, this firewall is the best choice. You should not look at the price the first time. Instead, you should look into the solution's productivity and return on investment.
Which other solutions did I evaluate?
There are some differences in regards to the integrations between Palo Alto and other vendors. Palo Alto handles the traffic using Single Pass Parallel Processing (SP3) engines unlike other vendors, like Fortinet, who use ASIC processors to handle the traffic. The SP3 engine is a different, new architecture for next-generation firewalls. The SP3 engine curbs the traffic and makes the decision based on the buckets, then it evaluates the bucket and other features regarding routing.
SP3 helps the customer when we talk about data sheets and the performance of the administration firewall. We introduce SP3 to show them real numbers. When we talk about Fortinet, they introduce a different performance number for networking and application throughputs. With Palo Alto Networks, the deduplication between the firewall throughput to the full inspection mode throughput is minimal. There is no big difference between the networking throughput and full inspection mode throughput.
I use DNS security from other vendors, not Palo Alto. I have tested Palo Alto with some scripts in regards to exfiltration and about 50% to 70% of exfiltration attacks could be stopped by Palo Alto. This year, Palo Alto has improved its DNS security against data exfiltration attacks. They enhanced the DNS security features with Palo Alto Networks Next-Generation Firewall by introducing a cloud solution. The solution now forwards these DNS requests to the cloud, which can analyze it using machine learning and artificial intelligence to decide if it is legitimate traffic or not.
What other advice do I have?
The integration is based on the customer environment and what they need. Enterprise customers have some regulations and compliance so they need to send all their logs to the same solutions. We can integrate it using a syslog protocol over UDP. So, it is easy to integrate Palo Alto with some solutions. However, with other Palo Alto technologies or solutions, I integrate them just with WildFire. WildFire is a dedicated solution related to sandboxing and can be deployed on-prem or in the cloud.
The NSS Labs Test Report information has previously helped me to convince customers to buy Palo Alto Networks Next-Generation Firewalls. However, I am now not using the NSS Labs Test Report. Instead, I am using Gartner reports to offer customers Palo Alto Networks Next-Generation Firewalls.
Machine learning on the Palo Alto Networks Next-Generation Firewall was introduced on version 10.
I would rate this solution as nine out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner

Updated: July 2025