Palo Alto Networks NG Firewalls Reviews

I have deployed it as my internal firewall in the cloud. I also have it on-premises as my perimeter firewall. I am also running Palo Alto in my DMZ. 

I'm using the PA-5532 Series. We have cloud and on-premises deployments. The cloud deployment is on the Azure public cloud.

We are using it on Azure Cloud as an internal firewall for filtering the east-west traffic. At the same time, we are using this firewall as a second-layer firewall in our perimeter for filtering the application URL and other things for the users. We are using another firewall as a perimeter for the DMZ. So, all internal applications that are connecting users are connecting through this firewall. We have other vendors as well, but the main applications are going through the Palo Alto firewall.

Its predictive analytics work very well for blocking DNS-related attacks. We are moving malicious URLs to the unknown IP in the network. They are reconfigured.

Its DNS security for protection against sneakier attack techniques, such as DNS tunneling, is good.

I'm using most of its features such as antivirus, anti-spam, and WAF. I'm also using its DNS Security and DNS sinkhole features, as well as the URL filtering and application security features.

In terms of application filtering and threat analysis, it's a little bit better as compared to the other UTM boxes, such as Sophos or other brands. It is secure and good in terms of application classification and signatures. It is a trustable solution.

In terms of the network performance, I am not very happy with Palo Alto. Other solutions, such as Fortinet, have better throughput and network performance.

I am in GCC in the Middle East. The support that we are getting from Palo Alto is disastrous. The problem is that the support ticket is opened through the distributor channel. Before opening a ticket, we already do a lot of troubleshooting, and when we open a ticket, it goes to a distributor channel. They end up wasting our time again doing what we have already done. They execute the same things and waste time. The distributor channel's engineer tries to troubleshoot, and after spending hours, they forward the ticket to Palo Alto. It is a very time-consuming process. The distributor channels also do not operate 24/7, and they are very lazy in responding to the calls.

It is expensive as compared to other brands. Its pricing can be improved.

I have been using this solution for more than four years.

Its stability is fine. I'm happy with it.

It is scalable. Its usage is extensive. We are using it daily. It is our core device.

Their support is very bad as compared to the other vendors. The support ticket is opened only through the distributor channel, and it takes a lot of time to get a solution for the issue. I'm not happy with their technical support. I would rate them a four out of ten.

Neutral

Palo Alto is the main core product in our case, but we also have Fortinet, Check Point, and Cisco ASA firewalls. Fortinet is one of the key products in our network.

The process of configuring Palo Alto devices is very easy. There is not much in it, but if we want to add or remove a device in Panorama, it is a very complicated setup. Adding, deleting, and updating a device from Panorama is very difficult. The interaction between Panorama and Palo Alto devices isn't good. They need to improve that. FortiManager works very well in terms of device interaction and other things.

The deployment duration depends on the customer infrastructure and where they want to deploy the box, such as in the data center or at the perimeter, but for me, generally, two days are enough for the setup. I provide customers the ways to design a secure network, and they can choose whatever is convenient for them based on their existing network.

In my environment, there are the four network security engineers who are the owners of these devices. We take care of the deployment and management of security devices.

Its price is higher than other vendors. They need to re-think its pricing. 

With Fortinet, the SD-WAN feature is totally free, whereas, with Palo Alto, I need to pay for this feature. With Fortinet, there is one licensing, and I can get many things, whereas, with Palo Alto, I need to go for individual licensing.

I'm working in a systems and data company, and I recommend Palo Alto and other firewalls to many people. The users can choose one based on their budgeting because Palo Alto is expensive as compared to other brands.

Palo Alto NGFW’s unified platform hasn't 100% helped to eliminate security holes. In some cases, we are using other products. I'm mainly using it for WAF and securing my DMZ infrastructure. It is working well in terms of the functionalities in layer 3 and layer 4.

I would rate this solution a seven out of ten.

Almost all of my deployments are regulated to each firewall perimeter or as a data center firewall. The perimeter firewalls are deployed to control the user traffic and establish IPv6 VPN connections between a company's headquarter and its branches. This solution comes with threat prevention and URL filtering licenses for perimeter deployment. For data center deployments, the solution is deployed as a second layer of protection for the network traffic, especially for VLANs. It also prevents lateral movement of network attacks.

Almost all of my deployments in the Middle East are deployed on-prem. There is no acceptance of cloud solutions, especially for government and banking rules.

Palo Alto Networks Next-Generation Firewall comes with full visibility into the network traffic. The administrator of this next-generation firewall can troubleshoot the traffic, network issues, or connectivity issues that busted through the Palo Alto Next-Generation Firewall, then detect whether the problem is from the client side or the server side. This solution helps the administrator to troubleshoot and have their network up and running all of the time.

A feature introduced by Palo Alto with the version 10-OS is embedded machine learning in the core of the firewall to provide inline, real-time attack prevention. Machine learning analyzes the network traffic and detects if there is any usual traffic coming from outside to inside. Because of Palo Alto, organizations detect around 91% of malicious attacks using machine learning. The machine learning helps customers by implementing firewalls in critical and air gap areas so there is no need to integrate with the cloud sandbox. 

I integrate Palo Alto with different Security Information and Event Management (SIEM) solutions as well as Active Directory to control the traffic based on users and integration with the email server to send notifications and look at domain recipients. I also integrate Palo Alto with Duo as a multi-factor authentication, which is easy to integrate. 

They have introduced more security components that can be integrated. We are talking about Cortex XDR and WildFire. These are natively integrated with Palo Alto Networks. These help to predict malicious attacks on the endpoint and network. WildFire is easy to deploy and integrate.

SP3 architecture helps distribute the bucket into different engines. Each engine has their own tasks: the networking engine, the management engine, and application and security. Each one of these tasks is done by a single task or dedicated CPUs and RAM for handling traffic.

I have been using this solution for about four or five years.

They have a stable solution, stable hardware, and stable software since they have released multiple OSs. If there are any issues, they release a new OS. Each month, you will see new batches with a new OS introduced to customers. You can update it easily. 

With Palo Alto Networks, you have a dedicated management plan. Therefore, if you face an issue regarding the management interface, e.g., the GUI and CLI of Palo Alto Networks, if you have any problem on that you can restart it without effects on the data streams.

The technical support team is great. We have no tickets open with Palo Alto. There are distributed tech centers worldwide that do not have Palo Alto employees, but have the capability to solve your problem in an easy way. They help you to close your gaps or pains.

Positive

I am expert with next-gen Firewalls, especially in Fortinet and Palo Alto. I am NSE 4, NSE 7, and PCSAE certified.

Palo Alto has introduced new features in their next-generation firewall, such as SD-WAN. However, the technique of SD-WAN implementation is not easy to understand. It is not easy to deploy at this moment. Maybe, in the future, they can improve the process and how the administrators, partners, or support team can easily deploy this SD-WAN solution on their next-generation firewall. The SD-WAN solution from Fortinet is easy to do. It does not take more than five or 10 minutes. When we talk about Palo Alto, it takes extra effort to implement SD-WAN.

If you are looking for a great firewall that helps you stop attacks as well as giving you visibility with the administration, this firewall is the best choice. You should not look at the price the first time. Instead, you should look into the solution's productivity and return on investment.

There are some differences in regards to the integrations between Palo Alto and other vendors. Palo Alto handles the traffic using Single Pass Parallel Processing (SP3) engines unlike other vendors, like Fortinet, who use ASIC processors to handle the traffic. The SP3 engine is a different, new architecture for next-generation firewalls. The SP3 engine curbs the traffic and makes the decision based on the buckets, then it evaluates the bucket and other features regarding routing. 

SP3 helps the customer when we talk about data sheets and the performance of the administration firewall. We introduce SP3 to show them real numbers. When we talk about Fortinet, they introduce a different performance number for networking and application throughputs. With Palo Alto Networks, the deduplication between the firewall throughput to the full inspection mode throughput is minimal. There is no big difference between the networking throughput and full inspection mode throughput.

I use DNS security from other vendors, not Palo Alto. I have tested Palo Alto with some scripts in regards to exfiltration and about 50% to 70% of exfiltration attacks could be stopped by Palo Alto. This year, Palo Alto has improved its DNS security against data exfiltration attacks. They enhanced the DNS security features with Palo Alto Networks Next-Generation Firewall by introducing a cloud solution. The solution now forwards these DNS requests to the cloud, which can analyze it using machine learning and artificial intelligence to decide if it is legitimate traffic or not.

The integration is based on the customer environment and what they need. Enterprise customers have some regulations and compliance so they need to send all their logs to the same solutions. We can integrate it using a syslog protocol over UDP. So, it is easy to integrate Palo Alto with some solutions. However, with other Palo Alto technologies or solutions, I integrate them just with WildFire. WildFire is a dedicated solution related to sandboxing and can be deployed on-prem or in the cloud.

The NSS Labs Test Report information has previously helped me to convince customers to buy Palo Alto Networks Next-Generation Firewalls. However, I am now not using the NSS Labs Test Report. Instead, I am using Gartner reports to offer customers Palo Alto Networks Next-Generation Firewalls.

Machine learning on the Palo Alto Networks Next-Generation Firewall was introduced on version 10.

I would rate this solution as nine out of 10.

We use Palo Alto Networks NG Firewalls as internet firewalls, LAN or WAN firewalls, as well as data center firewalls.

When you apply App-ID and User-ID and Content-ID, you will protect your environment more than with any other firewall. That's because Palo Alto is a leader in App-ID. They invented it. It knows the application and who's communicating with it, and how it is used inside a network. If you use Palo Alto as your internet firewall, for example, when your employee accesses the internet, you will determine which applications he's communicating with, including which ports and the behavior of the user. That helps protect your environment.

The Palo Alto NG Firewalls unified platform has helped to eliminate security holes in our customers' environments. When you have multiple firewalls from Palo Alto to protect more than one segment, such as the LAN, WAN, internet, and data center segments, you can manage all of these from a single point with Palo Alto Panorama. It makes it easy to configure and monitor all of these segments.

The most valuable features are the power of the threat prevention and the WildFire service. Its strength comes from the huge number of sensors all over the world. The firewalls have a rich library of signatures.

Also, the new generation of Palo Alto firewalls includes machine learning embedded in the hardware itself and that is effective in the new era of attacks. Nowadays, we don't know the behavior of the attacks, so we need a product to learn along with us: How an attack will affect us and how the attack will enter a corporate environment. That's why the machine learning aspect is important.

They also provide a unified platform that natively integrates all security capabilities. You can configure or change anything in the firewall itself from the management console, and there is a separate console for managing all the firewalls you have, called Panorama. It's a very good central manager. I like Panorama. It is the most powerful and capable central manager of firewalls. It gives you very rich information about your environment, and what is moving inside it. It helps you to configure it easily.

It's also important that the NSS Labs test report from July 2019 about Palo Alto's NG Firewalls showed that 100 percent of the evasions were blocked. NSS Labs is the most accurate public report that all my customers want to see. All my customers ask about NSS Labs and where Palo Alto is positioned in their reports. To position Palo Alto, I will show my customer the NSS Lab report. It's the most important report.

In addition, in the last two series, Palo Alto separated the engines. That means you will not face any issue with the performance or the firewalls. There is an engine for performance, an engine for the IPS, and another engine for other features. There isn't only a single engine responsible for all these features.

The IoT could be better. IoT environments will be part of IT and measuring these zones will make your IT environment more resistant to attacks. You need a powerful firewall to secure the IoT segment, the same way that Palo Alto Firewalls do for the IT segment.

Also, if you enable SSL you will face a problem. The throughput of the firewall will be degraded. SSL is a big issue on all firewalls. All products suffer from issues with SSL, but Palo Alto firewalls suffer more from it.

I have been using Palo Alto Networks NG Firewalls for at least four years, but for my company it has been almost 10 years.

I have worked with many Palo Alto models, including the PA-3000 Series, the new PA-3020 Series, and the new-generation PA-3400. I have worked with the PA-800 Series and the 5K as well.

Our company provides services for the whole cycle, from design and sizing to ordering and implementation. We provide all professional services. And we support systems after implementation.

It's a very stable firewall.

If you choose a model, from PA-3000 or PA-400, or the PA-5000 Series, you should size it correctly from the beginning, and you must consider expansion, otherwise you could face a big problem, as it's not scalable. But, if you have a big company, and you've chosen it as a data center firewall, you can choose a modular version, so that it is easily scalable.

There are two types of support. If you choose partner support, you will face a big problem because it will take more time to reach Palo Alto. But if you choose direct support from the vendor, they will support you very well.

Positive

It's very simple to deploy Palo Alto NG Firewalls into our clients' environments. One of my professional service team engineers was able to do an implementation on his own after shadowing just one implementation. He didn't take any courses or do any formal training. He was just a shadow on a single implementation. After that, he did an implementation. It's a very easy firewall.

The time it takes to deploy this firewall depends on the environment. If it's a complicated environment, a big corporate environment, the number of policies and rules and segments will be the determining factor. But it won't take that long. If you enable App-ID, you will need more time. App-ID is one of the most powerful tools inside NG Firewalls from Palo Alto, but it needs professional engineers to implement it. After that, you will have a very good security tool.

Our customers certainly see ROI from Palo Alto firewalls. For example, if a bank doesn't have Palo Alto firewalls, or any technology from Palo Alto, they will face many attacks, which would be resolved by Palo Alto. These attacks could compromise some of their customers and result in taking their money. What will the bank do then? The ROI comes from protecting customers.

Palo Alto is one of the most expensive firewalls in the world. Everyone knows that. But you need at least one layer from Palo Alto to protect your environment because it is the strongest company in the security field.

The licensing model for container security is complicated for me and for my customers.

I deal with Fortinet Fortigate firewalls, Forcepoint firewalls, and Cisco firewalls every day. We sell and implement them, like Palo Alto.

Palo Alto now has the IoT license on the firewall. They can protect you from DNS attacks. The WildFire license is a very rich license, and other vendors don't have that. And if your firewall is an internet edge firewall, Palo Alto GlobalProtect will give you a host compliance check without adding anything else. Also App-ID and Content-ID are very good and very mature, unlike with other vendors.

I have also used Palo Alto NGFW’s DNS Security for two of my customers. It's a good addition to the firewall, but it's not perfect. Palo Alto is not specialized in DNS attacks. There are a lot of companies that specialize in DNS attacks. They are more mature than Palo Alto in this area. Palo Alto is not like Akamai or Infoblox or EfficientIP, as those companies are specialized in DNS, DNS servers, and DNS attacks. Palo Alto is not only a DNS company.

Someone who says, "We are just looking for the cheapest and fastest firewall?" can get a free firewall, but they will not be protected. They will not be updated against the latest attacks all over the world.

There are tools on the Palo Alto portal that can be used to enhance the configuration of your Palo Alto product and they are free.

Overall, I love Palo Alto.

We have deployed Palo Alto Networks NG Firewalls and every web filter security available. So, we came to know each website user who got blocked and the "not required" categories. These categories are permanently blocked, and if any changes are required in these categories, we will first get approval from management. 

I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time.

The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall.

The most valuable solutions in this field are application-based firewalls. That is the main criteria of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well.

We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on clientside machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities.

Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well.

This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us.

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall.

We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more.

URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

I have been using Palo Alto Networks NG Firewalls for the last three or four years.

Stability in the sense of security and alerts, this solution is very good, and we have not had had any issues. However, web filtering and application-based approach are very poor.

Palo Alto Networks NG Firewalls is a scalable solution.

Palo Alto Networks support could be better. We bought this solution for security purposes, and we asked the support team to convert each and every entity. They have not been able to convert this New Generation Firewall to date. 

Their name suggests that the product will use every application and work as a New-Generation Firewall. Yet, it's not configured, and we can only configure 30% to 40% of the applications. That is also giving us some problems sometimes.

On a scale from one to ten, I would give Palo Alto Networks support a three.

We have a policy in our organization to change the firewall every five years. So, I have experience working on FortiGate, SonicWall, and WatchGuard over the last 20 years.

WatchGuard is very good at web filtering. FortiGate is also very good, and they have their own application to manage the firewall, and SonicWall is also very good. 

Palo Alto is a web-based firewall, and there are no applications to deploy and support. I mean, I take all the logs and all things from the client-side. As it's web-based, it's extremely slow. 

When you click on a particular log, it will take a lot of time because it generates lots of logs. That is a good thing, but performance is a little slow. Both WatchGuard and FortiGate are very good for this kind of thing. Also, WatchGuard is application-based, and I didn't have to deploy it. I came to know about Palo Alto from my friends who said it was very good for application-based security. 

The initial setup and deployment are straightforward. We did not have any issues at all. It took us about 15 to 20 days to implement this solution. 

The policies we have with Atelier and WatchGuard were exported, and we tried to deploy these policies on the new firewall. The reseller helped us configure it but without our concession or permission and could not deploy the firewall. We later had more problems, and the reseller helped us with that as well.

Video Import Solutions is our local reseller in Pune, India. In our experience, not every engineer knew the firewall concept. I mean, not at all. If we wanted something new or had to deal with this application-related issue, they always told us they would log a case and resolve it. But they did not support us at all and did not give us any reason why they could not do it.

I am a technical guy, and I would say that you will not get a return on your investment. Even FortiGate and WatchGuard will offer next-generation solutions that perform better than Palo Alto Networks.

The price could be better. Pricing is very different compared to WatchGuard, which costs around 60 lakhs, and FortiGate, which costs approximately 40 lakhs. Palo Alto Networks costs about a crore which is very high pricing.

We bought this firewall, and our organization did not want to pay so much. We spent around one crore rupees which is not within our budget at all, and we are unhappy with them.

This firewall provides a unified platform that natively integrates all security
capabilities. It will queue all functionalities like firewall protection and alerts and track all DDoS attacks. It shares all the information with us, and we can monitor and take immediate action on the other alerts we receive.

I would advise potential users to only go for this solution if they have the budget and don't require any support. Only buy this firewall if you can install, configure, and solve potential problems on your own. If not, FortiGate and WatchGuard are much better options.

On a scale from one to ten, I would give Palo Alto Networks NG Firewalls a five.

It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.

We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.

I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.

With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings.

It is fairly intuitive. 

The central management of Panorama actually works. It is what FortiManager aspires to be, but Panorama is usable. You can push config down, do backups, and use templates from other sites, copying them over. The reliability and throughput, plus Panorama's control features, are its main selling features.

It is a combined platform that has different features, like Internet security and the site-to-site VPN. Previously, there were different components that did this. If it was a remote access VPN client, then you would have to go onto one platform and troubleshoot. If it was a site-to-site, it was on a different platform so you would have to go onto that one. It would be different command sets and troubleshooting steps. From that perspective, having that combined and all visible through Panorama's centralized management is probably one of the better benefits.

We had a presentation on Palo Alto Networks NG Firewalls a few years ago. I know the number of CPU cores that they have inside the firewall is crazy, but it is because they have to pack all the performance and analysis in real-time. It is fast. I am always amazed at the small PA-220s and how much performance they have with their full antivirus on it. They can pass 300-megabits per second, and they are just about the size of a paperback book. As far as how that single-pass processing impacts it, I am always amazed at how fast and how much throughput it has.

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

I use it every other day.

It is pretty reliable. All the services pretty much work. It is not too buggy. With any hardware/software manager these days, when you get new features, they tend to not be too thoroughly tested and can be buggy. We have been noticing this. For example, they had zero-touch deployment and the first few iterations just didn't work. While we have encountered a few bugs, I don't think they are any worse than anything else we get. The underlying hardware seems to be pretty reliable. You can do configuration changes, reboot and reload them, and they just keep coming back and work.

Our cybersecurity guys tend to do the patching and upgrades when they come around. When one of these things had a hard disk failure, they got that restored or replaced. For day-to-day maintenance, other than typical operational changes and troubleshooting, I don't think there is that much maintenance to be done. Every few weeks, there is probably somebody who goes for a few hours and checks the various patch levels and possibly does upgrades.

The upgrades are fairly easy to do. You just download the software, the central management system, and tick off the devices that you want to deploy it to. It will automatically download it. Then, you just sort of schedule a reboot. I don't know how many hours per week or month people put into it, but it is pretty reasonable.

We have about half a dozen core firewalls and 30 to 40 remote firewalls. We haven't hit any scaling limitations yet. What we have is functioning well. At some point, our main firewall in our data center might be overwhelmed, but it has pretty high throughput numbers on it. So far, we haven't hit any sort of limitations. So far, so good.

The physical appliances are sort of tiered. You have your entry-level, which is good for 300-megabits of threat detection. The next ones have 800-megabits of threat detection. So, if you have a site with around 50 people, you can get the entry-level. However, there is always a point that if you have too many users doing too many things then the physical appliance just can't handle it. Then, you need to upgrade to a higher-level appliance. This is expected. When that happens, we will just sort of get the higher-level model or plan for two years of growth to get the right size. Therefore, as far as scalability, it just comes down to planning. 

As far as the management platform, that would be more of a case of just adding CPU cores into your virtual machine as well as more memory. So far, we haven't had any scalability limitations. It is possible that we will see it at some point, but we haven't so far.

This is not Palo Alto-specific. It seems to be across all the different vendors that there is a little bit of a hit-and-miss on whether you get a tech person who knows what they are doing and are interested in your problem. When you call frontline support, you can get somebody who doesn't know what they are doing and puts you off. Or the next time you call, you can get a tech who is on the ball and super helpful. This is sort of a smaller problem. It is a bit of a crapshoot on how good the support will be. I would rate the frontline technical support as five or six out of 10.

If it tends to be more of a critical problem, and you involve the sales team, then you are forwarded onto somebody who really knows what they are doing. However, the frontline support can be hit-and-miss. Their second-tier support is really good. 

The top-tier support is 10 out of 10. We did have some more serious problems, then they put one of their engineers on it who has been amazing.

Overall, I would rate the technical support as eight out of 10.

Positive

I did work with Cisco ASA, prior to FireEye, where they purchased and integrated it as sort of the next generation part of their ASA. 

One of our remote access solutions for remote access clients was Cisco ASA. That was just getting to its end-of-life. It actually worked quite well. It was pretty hands-off and reliable, but the hardware was getting to end-of-life. Because we had the Palo Alto capable of doing similar functions, we just migrated it over. 

It was similar for our site-to-site VPN, which was Cisco DMVPN that we are still using, but we are migrating off it since its hardware is reaching end-of-life. By combining it into the Palo Alto umbrella, it makes the configuration and troubleshooting a bit easier and more homogenous. 

Before, it was just different platforms doing sort of similar but different functions. Now, we are using similar platforms and devices rather than having three different solutions. This solution is sort of homogenized; it is sort of all in one place. I suspect that makes security a bit more thorough. Whereas, we had three different platforms before. Some of the delineation isn't clear, as they sort of overlap in some respects to what they do, but having it in one location and system makes gaps or overlaps or inconsistencies easier to spot.

I was gone for a few years when they brought this in.

Adding additional appliances is very straightforward. 

Having one manager/system with a common interface and commands, rather than three or four, is more efficient.

It is expensive compared to some of the other stuff. However, the value you get out of it is sort of the central control and the ability to reuse templates.

It is a good product, but you pay for it. I think it is one of the more expensive products. So, if you are looking for a cheaper product, there are probably other options available. However, if you are looking for high performance, reliable devices, then it has kind of everything. Basically, you get what you pay for. You can get other firewalls for cheaper and some of the performance would probably be just as good, but some of the application awareness and different threat detections are probably superior on the Palo Alto Networks.

As far as a firewall solution, it is one of the best ones that I have seen. It is fairly expensive compared to some of the other ones, but if you have the money and are looking for a solid, reliable system, then Palo Alto is the way to go.

For what we use it for, the solution is good.

I am part of the network team. There is a cybersecurity team who has control of its reins and does all the security configuration. I am not the administrator of it or a manager in charge of the group with this appliance.

I find the whole machine learning and AI capabilities a bit overhyped. Everybody throws it in there, but I'm actually a little bit suspicious of what it is actually doing.

I don't follow or monitor some of the day-to-day or zero-day threat prevention protection abilities that it has. 

I would rate the solution as nine out of 10, as I am always hesitant to give perfect scores.

We use it for security purposes.

Palo Alto Networks NG Firewalls enable efficient application search, viewing, and configuration access across various services for different user groups within our company.     

The only downside of Palo Alto Networks NG Firewalls, in my opinion, is the relatively higher price compared to Cisco FortiGate. This is especially noticeable when deploying basic configurations and considering the cost of licenses.

I have used the solution for the past few years.

In terms of stability, the user rates it a nine out of ten.

I would rate it 10 out of 10. The current user base for Palo Alto Networks NG Firewalls in the environment is one thousand users. Plans are in place to increase usage in the future, particularly with the intention to upgrade for higher speed.

The experience with tech support is positiveand they have found support helpful in addressing network issues.

Positive

Before adopting Palo Alto NG Firewalls, no other tools were used.

I cannot rate the ease of configuration on a scale from one to ten for Palo Alto Networks NG Firewalls. The configurations are diverse, and it's challenging to determine a specific rating, but I find them somewhat similar and not particularly helpful.So, the deployment process for Palo Alto NG Firewalls takes about one month. This duration is due to the various steps involved in the deployment, each of which can be completed within a business day. The complexity arises from the need to connect with numerous clients and services, considering the continuous operation of the business.

In terms of price, the user finds it expensive, rating it around nine.

The overall recommendation is positive, emphasizing ease of deployment, understanding features, and suitability for the company's needs. I give Palo Alto Networks NG Firewalls a perfect rating of ten.

Our primary use case is protecting our clients from remote threats on the internet. These firewalls are very powerful and important for our business.

With single-pass architecture, there isn't a trade-off between security and network performance. The device functions well in terms of both security and network performance together.

One of the most valuable features of Palo Alto Networks NG Firewalls is application symmetries. I like this feature.

Also, the embedded machine learning in the core of the firewall means the device learns about threat types. The machine learning also enables the solution to secure networks against threats that evolve rapidly.

The solution also provides a unified platform that integrates all security capabilities, which helps prevent external attacks, and eliminates the need for multiple network security tools and the effort needed to make them work together.

I have been using Palo Alto Networks NG Firewalls for about six years.

The stability is good. It's a very stable device. That is the biggest lesson I have learned from using them.

The scalability is very good. If our customer has distributed networks, Palo Alto is a good solution.

In general, the solution is good for midsize companies, between 100 and 2,000 users.

We plan to increase our usage of Palo Alto Networks NG Firewalls in the future.

I rate the technical support highly. Palo Alto's technical team is very helpful and provides fast solutions.

We previously used Palo Alto Cortex. We switched because the NG Firewalls are very stable, flexible, and more powerful.

The initial setup is easy. The initial config takes one or two hours. After that, the time needed depends on the customer's requirements.

For mid-sized networks, the solution requires two to three people for deployment and maintenance. But in our company, we manage with one person for everything.

My responsibilities are on the technical side, but the price is expensive, especially in Turkey, where I am located. The exchange rate of the dollar against the Turkish lira is very high, making Palo Alto very expensive in our country.

Palo Alto is very expensive compared to other vendors, like Fortinet.

In addition to the standard fees, there is an extra cost for a GlobalProtect License, and that is something we generally need.

If a colleague were to say they are just looking for the cheapest and fastest firewall, I don't know what I would say if they don't have the budget. But if they have a budget, I would recommend Palo Alto because, while another solution may be cheaper, it could be more expensive in total if you consider the potential loss of business continuity and reputation.

And while I don't use the PA-400 series, I know it sells well because the higher series are very expensive, and the 200 series is very slow and less powerful. The PA-400 series is good.

Our primary use case is to provide our clients with an internet gateway. 

The best feature is the packet inspection; compared to solutions like Cisco and FortiGate, Palo Alto's packet inspection is much less CPU intensive, allowing it to detect threats embedded within packages more quickly and efficiently. 

Palo Alto Networks NGFW provides a unified platform that natively integrates all security capabilities; it's easy to integrate with other platforms, and we never faced any issues doing so.  

Using Palo Alto Networks NGFW's unified platform, our clients have eliminated multiple network security tools and the effort needed to get them to work together.

The solution doesn't support routing in virtual firewall creation, and we want that to be enabled. 

We've been involved with Palo Alto Networks since 2008 and are a reseller, so we implement the solutions for our clients.

The solution is very stable; we don't have any problems with the stability. 

The product is very scalable. Most of our customers are enterprise-sized financial institutions with over 3,000 branches. 

Palo Alto Networks doesn't directly support Pakistan but rather through distributors. Out tickets go to the distributors, which are then forwarded to Palo Alto.

Neutral

The initial setup is very straightforward; we can complete it three to four hours after activating the licenses.

The product is expensive. With one being the cheapest and ten being the most expensive, I give it an eight.

I rate the solution nine out of ten. 

Palo Alto Networks NGFW is an excellent solution; 90% of the financial institutions in Pakistan use it as their ultimate gateway. 

People are just starting to get into machine learning in Pakistan, so we're not 100% sure of its capabilities and potential. I believe machine learning becomes more efficient in a cloud environment than a hybrid one, though I have yet to research this thoroughly.

To a colleague at another company who says they want the cheapest and fastest firewall, Palo Alto Networks provides an expensive solution, but you can't compromise on security. You can buy the most inexpensive firewall, but you'll have to purchase add-ons and subscriptions to enable a complete security infrastructure in your organization. One solution for every situation that doesn't require any additional services is a better choice. 

I advise those considering the solution to understand where they want to deploy it in the organization, as a broad installation is best for internet gateways. Next, the sensitivity of the data is important; for a financial institution like a bank, I recommend Palo Alto NGFWs because of the quality of the security and machine learning.