Palo Alto Networks NG Firewalls Reviews

Our use cases include combining multiple next-gen firewalls and bringing them into the Panorama centralized platform.

In general, it's one of the better firewall brands out there. It definitely has the investment and the dedication of the Palo Alto team to constantly improve their product and move forward. They're not a static company, like some of the other companies out there, and that's why I like them.

From a firewall perspective, there is a unified platform that natively integrates all security capabilities, which is good because there is a single pane of glass. I don't have to go to every single firewall to look at certain things. I don't have to go to every single firewall to deploy rules. I can use Panorama to deploy the rules, so it's a one-stop job type of thing.

For securing data centers consistently across all workplaces, all next-gen firewalls pipe into the same Panorama centralized management solution. We can manage everything from a single pane of glass, deploy all that out, and make sure it goes through each firewall and updates correctly. That's huge. If you had to do it manually and you had thirty locations, that'd be like a day's job versus thirty minutes.

Having a centralized platform where they all feed into the Panorama solution significantly drops firewall-by-firewall management. We can use the Panorama solution to communicate with all of them.

I like the navigation of the general Panorama solution. I can easily navigate around and get to the thing I need. I'm not wasting time trying to find something.

Personally, I feel that their dashboards for reporting and things like that need some improvement.

We've been using Palo Alto for one to two years.

It has been very stable so far.

So far, it has been scalable enough to hit multiple divisions.

I have not personally contacted their support. That just dictates that they have a good product.

We also use Cisco firewalls.

I am not directly involved in its deployment, but I do help manage it. To my knowledge, the deployment was straightforward. It was easy to connect them into the Panorama platform.

There was a consultant. They knew their stuff.

There is typically no return on investment for firewalls because it's an IT cost, and we don't make money because we don't resell them.

It's pretty good.

We evaluated Fortinet and Check Point.

The value I receive from attending an RSA Conference is huge because I visit all my vendor partners to understand their roadmaps for the future. Attending an RSA Conference has had an impact on our organization’s cybersecurity purchases made throughout the year afterward because it brings out new features and subsets of the vendor partners. Also, if there is a deficiency in any of the current ones we currently use, we'll go engage other providers in order to find out if they can reach that gap or not, and then it'll dictate future proof of concepts and decisions.

Palo Alto embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, but I personally haven't experienced that. It's a good thing that there hasn't been an attack where that became useful, but that's great to know.

As a result of our experience with Palo Alto NGFW, to a colleague at another company who says, “We are just looking for the cheapest and fastest Firewall,” I would say, "Go with Palo Alto."

Overall, I would rate Palo Alto NGFW an eight out of ten.

We chose Palo Alto Networks NG Firewalls to replace our outdated firewalls.

The overall security of the organization has been improved.

The most valuable aspect of this solution is pre-sales and post-sales because of the support and relationship building.

Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. 

The integration of all security capabilities in Palo Alto NG Firewalls provides a unified platform, which is crucial as it reduces complexity.

Having machine learning embedded in the core of the solution for in-line, real-time attack prevention is of great importance to us, it is a top priority. 

This is significant because it enables automation, reducing the number of man-hours needed.

When evaluating the ability of Palo Alto Networks NG Firewalls to secure data centers consistently across all workplaces, I would give it a rating of eight out of ten.

By using Palo Alto Networks NG Firewalls, we have been able to decrease our downtime by several hours per month.

The solution could be more cost-effective.

I have been using Palo Alto Networks NG Firewalls for two years.

Palo Alto Networks NG Firewalls is a very stable solution.

Palo Alto Networks NG Firewalls are easily scalable.

We previously used Barracuda Networks.

We switched to Palo Alto Networks NG Firewalls after having a bad experience with our previous vendor for firewall solutions.

Palo Alto is more forward-thinking when compared to Barracuda.

I was involved in the initial setup. It was complex in multiple ways.

The solution itself is not a simple solution.

An integrator assisted us with the deployment.

They were helpful and knowledgeable.

I have experienced a return on investment with Palo Alto Networks NG Firewalls. One benefit is that there are fewer man-hours required for deployment and maintenance.

That solution's pricing and/or licensing are very convoluted.

Based on my experience with Palo Alto Networks NG Firewalls, if a colleague at another company said they were only looking for the cheapest and fastest firewall, I would not recommend Palo Alto.

I would rate Palo Alto Networks NG Firewalls a nine out of ten.

Attending an RSA conference provides high value and helps us to see the impact of our organization's cybersecurity purchases annually.

I use NG Firewalls for perimeter defense. 

We've seen better throughput compared to our previous firewall. End-users are happier with their connections through Palo Alto. 

Palo Alto offers better Layer 7 protection than competing solutions by Cisco and Fortinet. I also like the VPN client more. The interface is simple, so administrators can deploy and configure it much faster than other firewalls. The interoperability with other vendors is excellent. We can connect Palo Alto firewalls to all our other solutions. 

I would like to see more artificial intelligence. However, that is going beyond firewalls to products like Prisma. Palo Alto has those features in an entirely different ecosystem. It isn't a problem. Machine learning is valuable, but I rely more on threat intel. 

I have been using Palo Alto's solutions since 2014.

I rate Palo Alto NG Firewalls a nine out of ten for stability. We have had zero downtime except for scheduled maintenance. The firewalls are in a cluster that never goes down.

The scalability is excellent because you can always purchase a bigger firewall as you grow. 

I rate Palo Alto's support a seven out of ten. It is good overall but worse in some regions. The first level of support will usually do nothing for you. If you're an IT company, you're not looking for level-one support. You need to escalate. Other vendors have a direct support line for enterprise clients, but not Palo Alto.

Neutral

Palo Alto has a better interface and integration with other solutions than competing vendors. The only drawback is the price. Go with FortiGate if you're looking for a firewall that is cheap and decent. If you can't afford Palo Alto, FortiGate is the next cheapest. 

We can deploy Palo Alto firewalls faster and easier than most other solutions. We assess the traffic, buy the appropriate size, and implement it. 

Palo Alto firewalls are expensive, but they're worth what we pay. 

I rate Palo Alto NG Firewalls a nine out of ten. Technical support has some room for improvement, and there are several minor issues that aren't worth mentioning. 

We used the solution as an edge or internet firewall where we were running IPS/IDS and doing filtering on it, apart from the other security features. We are still using it for our users' VPN activity and to manage site-to-site VPN tunnels with other clouds, like AWS and Azure, so that there is connectivity back and forth between those cloud providers and our on-prem data center.

The features I like are the debugging and troubleshooting through package capture. It's easy to capture from the CLI and it's also easy to get logs from the CLI.

It's very important that Palo Alto NG Firewalls embed machine learning into the core of the firewall to provide inline, real-time attack prevention. That increases our security posture. It gives us real-time anti-cyber activity and enables us to look at it. The firewall is able to capture it and flag it and it is easy to mitigate as soon as we see something like that happening, to secure the environment more, in real time.

These firewalls have the zero-delay signatures feature, which is really important because you don't want to be lagging behind with any kind of security updates. It doesn't affect our security a lot, but without it, we could be compromised a little bit. If updates are delayed by a couple of hours, there's an opportunity for the bad actors to execute something in that time frame. It gives us a little bit more security, but it's not like it's a high-severity situation.

Overall, they're doing great with the features. They're improving them day by day and year by year, which is really good. They're making new products that are compact inside, which is also really good. Instead of a full rack, they have tiny devices that have the same or even better performance compared to the bigger ones. They are doing well in improving the units, features, and security.

I've been using Palo Alto Networks NG Firewalls for eight years.

They're very reliable and stable. Compared to some of the competitors, they're more reliable.

The scalability is also good. They provide good options for scaling. The only thing that I would think about is that, in the newer firewalls, they have increased the performance but decreased the number of concurrent VPN connections or users. The new, compact devices have better performance, but they have reduced the number of users that can connect. Maybe that's a marketing strategy to sell higher-end models.

In my organization, everybody is using the Palo Alto firewalls because they're connected to the VPN, but the management and operations aspects are limited to the folks in IT.

These firewalls used to bring a lot of value to us, but in my practical experience, in the last three years at least, they have been lagging behind their competitors. The main issue is the support that we can get.

For example, in the past, if something happened, we could just give them a call and open a ticket, and we would have technical support right away to help us. Whether it was a severity-one, critical incident, where we had no connectivity, or just a minor or medium-severity issue, we used to get support right away. But in the last three years, it has been really hard to get hold of an engineer. I have reached out a couple of times to give them a heads-up, "This is a ticket I opened three days ago. I'm trying to get a hold of anybody."

It's okay that they force us to open a ticket on the portal, but after opening a ticket, it's really hard to get support when you need it. You have to wait for them to get back to you and sometimes it's random. And the biggest problem I have is that you have to wait hours on the line when you're calling them to get a hold of the next available engineer.

They should make it easier to get in touch with their TAC. This is what they have called transforming the customer experience, but I believe it's getting worse. That's the only thing they have to improve. When you do get someone, the support from their end stands out, it's a nine out of 10. But getting a hold of an engineer is a two out of 10.

Neutral

The initial setup is very straightforward. You need to connect through the portal manager and to the IP that you want to access remotely. And pushing the configuration from other devices is very easy. They provide tools so that you can get the configuration from competitors' devices and convert that into the Palo Alto version. It's very easy to configure initially and to manage as well.

On the maintenance side, it's really good. We don't have to put a lot of effort into that.

The security and performance of the PA-400 series of Palo Alto NGFWs, versus its price, is really good. It's very inexpensive and has good performance compared to the previous higher-end 3000 models.

Palo Alto provides Panorama where you can manage a bunch of firewalls from a single pane of glass or just one device. It allows you to manage all of the firewalls in one, integrated location. You don't have to make a chain of 50 different firewalls. It will push what you need to be changed to all the other firewalls. We used to use it, but we got rid of it because we replaced all our Palo Altos with competitors' firewalls and we don't use Palo Alto anymore, other than for VPN. We have six firewalls in our organization right now, although we used to have 35 to 40. Because we no longer have a lot of firewalls, we got rid of Panorama. We don't want to pay for it to just manage six firewalls where we are not making any changes frequently. If we had 35 or 40 still, I would definitely recommend having Panorama.

Panorama is for managing the rules. It saves time on configuration, but it doesn't affect your security posture. Whether you're managing each firewall or using Panorama, it's exactly the same thing. But it helps you to execute changes in a very short period of time. It's a way of pushing the config to all your devices.

We use this solution for perimeter security and security profile purposes.  This covers anti-virus and anti-spyware, as well as cyber security vulnerabilities through URL and file blocking.

We like the fact that this product can provide multiple layers of protection depending on our clients requirements, and can be configured to whatever level of protection and the specific protocols that they want.

We also like the fact that this solution has a wide range of features covering all types of system security, not focusing on just one area. Everything is geared into a single module, which means we no longer need several different devices.

As well as the single module functionality, this solution allows us to easily see the active sessions and how many users we have connected. Complete information, on one screen.

We would like to see the external dynamic list for this solution improved. The current version does not automatically block malicious IP addresses, which would be very useful.

We have been using this solution for the last seven years.

We have experienced 100% stability with this solution.

The scalability of this solution depends on the management CPU that is being utilized. To manage high level traffic, it requires high-specification hardware to be used, or performance can be affected.

This vendor not only provides a lot of very clear documentation, but also has a community center to allow for self-diagnosis and fixes.

However, if this does not resolve the issue, the technical support team are very responsive and quick to fix any problems we take to them.

Positive

The initial setup of this solution is straightforward, particularly when migrating from a different product and using their centralized management tool. This provides a configuration file that completes the majority of the setup automatically. All traffic is then automatically diverted through this firewall

The firewall is then registered in the providers portal, which allows for updates to be applied when they are released without the need for manual intervention.

We implemented this using one member of our in-house team, and the deployment took three days to complete.

However, there was some pre-implementation work to be done registering firewall serial numbers, connecting console cables etc, but this is all straightforward.

This solution is quite expensive because along with the license there is premium partner support that has to be purchased as a default addition. 

There is also a specific Threat Prevention License that has to be requested and purchased separately. However, licenses can be purchased for specific periods as opposed to just an annual offering.

We actually tested multiple solutions, and choose this one because it gave us the most benefits in one product.

We would advise organizations who are migrating from a different provider to inquire about the centralized management console, and to understand the full costs involved up front.

Also, despite the fact that this solution provides a lot of features, there will still be areas that aren't covered as this only works on perimeter level security.

I would rate this solution a 10 out of 10.

I design networks for our customers; I always use a high-speed packet filter upfront because I work for a Juniper partner company. This is usually a Juniper SRX series firewall and it does most of the easy work. Behind that, I add a more intelligent firewall, Palo Alto NGFW. We are partnered with Palo Alto, but that's not the main reason we use their solution. I worked with Check Point products for four years, and the Palo Alto alternative seriously impressed me. Here in Hungary, Palo Alto is considered the de facto intelligent firewall, for good reason.

I work for an integrator and support company, and I support our customer's security platforms; we have many customers with Palo Alto Networks NG Firewalls.

The firewalls improved our organization. Creating firewall rules is much simpler. The solution is so straightforward that customers can configure it themselves, and they rarely call us for that, which is great for us as a support company. It makes our job much easier as Palo Alto NGFWs don't require a security specialist to configure; it can be done by systems engineers or IT support staff. 

All the features are valuable, but my main one is the straightforward and well-designed GUI. I'm over 50 and have been in this business since the internet started. I'm not a GUI guy; I prefer using the command line. The product's GUI is excellent, and so is the threat intelligence. It's also straightforward to configure and flexible. The solution even has good networking, such as VLAN and subinterfaces, which is great because, in my experience, if the firewall is good, then the router usually isn't and vice-versa, but Palo Alto has both.

We use the on-premises solution, and it's very impressive; both flexible and intelligent. The machine learning functionality is excellent, and I love the product as a support guy because it makes my job much easier. I have very little troubleshooting, and our customers haven't had a single security incident since implementing Palo Alto. I'm deeply impressed with this solution.

The machine learning against evolving threats works well. The best thing I can say is that none of our customers have had any security issues; I can't find any problems with the solution.

The support is outstanding; we are always alerted about potential issues such as bugs in advance, so we have time to adapt and prepare. Palo Alto has grown more effective; most importantly, there haven't been any security issues. I would give the product a 10 out of 10 for flexibility and at least a seven for security. I can't say precisely what security threats our customers face, but nothing has gotten through.

The solution provides a unified platform, which is essential because there is a significant shortage of experienced IT specialists in Hungary and elsewhere. Their effectiveness is amplified by the quality and straightforward nature of the solution, and the result is more robust security.

I don't have a direct view of our customer's security threats as it is privileged information, but I can say that there have been no security breaches. I would say the solution does eliminate security holes. 

Our Palo Alto firewalls have the zero-delay signature feature implemented, and it works fine. There haven't been any issues with us or any of our customers. This feature makes the whole security system more efficient. 

The network performance is top-notch; I would give it a 10 out of 10. Intelligent firewalls tend to be slower, but this solution is fast. Previously, I used a simple packet filter or zone-based packet filter in conjunction with an intelligent firewall, but Palo Alto is fast and secure enough for standalone use. I've been familiar with the solution's architecture from the beginning, and it's a very nice platform.

I recommend this solution to any engineer; technically speaking, it's the best product on the market. I know it isn't the cheapest, and decisions are often made on a financial level, but Palo Alto in Hungary always gives us a good deal. 

The solution's VPN, called GlobalProtect, could be improved as I've had a few issues with that. 

It can be challenging to migrate configurations between Palo Alto firewalls or restart with a backup configuration using the CLI. That could be improved. I think I'm one of the only people still using the CLI over the GUI, so that's just a personal issue.

I have been working with the solution for four years.

The solution is incredibly stable.

We work with hardware platforms, and they are usually slightly over designed to be on the safe side. The virtual firewall is highly customizable, but I have experience with the hardware platforms, and there is an upper limit on those, but I haven't had any scaling issues thus far.

In Hungary, where I live, the population is 10 million, similar to London. When I say we have 1000 end-users, it may seem like a small number, but that's relatively high for Hungary. Other vendors also supply the solution here, so 1000 is just our customers.

I mostly do deployments and maintenance alone. There are three systems engineers at our company.

The customer service and support are good. I have full support when I have a problem, and they can even do remote assistance. We had a big power failure, and the firewall didn't restart; they provided a hardware expert over the phone to solve the problem. They are very impressive. I would say Juniper offers the best support, but Palo Alto is almost as good, if not just as good for me.

Positive

I have been in this business from the beginning, so I used most firewall solutions. I focused on Cisco for 15 years, but that changed due to license-based selling in a very price-sensitive market. Cisco is not as viable an option as it used to be as customers consider it too expensive. I also used a Check Point solution, which was regarded as the go-to intelligent firewall five years ago, but now Palo Alto has taken that top spot. 

We are partners with several providers, including Juniper, Palo Alto, and a few others, but I always go with Palo Alto because it's a straightforward solution with easy installation.

The setup is easy; it's straightforward for anyone with basic networking and security knowledge. It's comparable to setting up a firewall at home, which is very impressive. It's still easy with very complex network setups, only the VPN concentrator, GlobalProtect, is more challenging, as it requires two-factor authentication, but it's still straightforward.

Initial setup time depends on the specific implementation, but we can do a new deployment in one or two days. It is more complicated when migrating from other platforms because the customer expects the same logic and features in the new platform. Palo Alto has an excellent marketing strategy, so their customers know their product uses a unique logic. This helps keep the implementation straightforward and shorter compared to other solutions. 

My implementation strategy begins with a plan for the customer's network based on their needs. Then I set up all the networking parameters and configure the solution in my lab device, so I can export it and import it on-site. Every setup begins in our lab, as it's more impressive to go to the customer and import the configuration right away. 

I don't know about the price of the platform or the license fees, as the finance department deals with that. I only bill for the materials involved in the design.

I don't know about the price. When there's a new project, I go to the meeting, but after a point, all the engineers leave when it comes to money because it's not our business. I know Palo Alto offers good discounts for the partners, and the solutions are good. They offer free trials and win many customers because it allows them to test products and see how well they perform.

The only thing I can say is it's a top technology. 

I would rate this solution a nine out of ten.

Cloud-based solutions are very unpopular in Eastern Europe, only private clouds are used, but on-premises is the favored deployment method. We use cloud solutions at home and for small companies or companies with particular use cases. I implemented the solution for a customer, and my first task was to disable all cloud-related features. It's exceedingly difficult to find a financial or government institution using a cloud-based platform; this market segment tends to have a more conservative mentality.

I don't use the solution personally, but I'm the first-level troubleshooter. If I can't solve a problem, I open a ticket to Palo Alto's customer support.

I have clients who used separate firewalls and VPN concentrators, but after switching to this solution, they now use the Palo Alto firewall and its VPN, GlobalProtect. I don't think it's the best VPN concentrator, it's an excellent firewall, but the weak point is the VPN.

I advise reading the documentation before configuring, which goes for any platform.

We use it to see and detect malware. It is also used for antivirus, anti-spyware, anti-malware, vulnerability, and Wildfire analysis. We support different kinds of authentication as well: Kerberos, LDAP, TACACS, and SAML. All in all, it is a security device that you can have anywhere on your network, as per the design considerations.

It is deployed in two different ways, either on-premises or on the cloud, which may require a different hypervisor. 

Nowadays, because of the pandemic, everyone is working from home or users are not sitting in the office to work. So, security has become a challenge. For that, we provide GlobalProtect, which is a VPN solution. This will connect to your organization's network, and then you can access anything that is required. This is the most widely used tool that we provide, and it is used worldwide. During the pandemic, it was a massive success for us.

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities which is really important from the end customer point of view. If I have to set up an organization, I will go ahead and buy different devices or platforms. However, if I go ahead and buy Next-Generation Firewalls and put them on the edge of the network where I connect with ISPs, my Next-Generation Firewalls will take care of the security parameters. I don't need to worry about it that much anymore.

Its security profiles are a valuable feature. 

All the logs can be stored in a single place.

Panorama lets all the devices be managed centrally in a single place. This provides the best view for admins into any particular firewall, which decreases those admins' tasks because they can view everything in a single place. 

The machine learning tracks how many packets per second are coming into the firewall.

Any request coming in will go into the DNS sinkhole first, not to the user. We protect our users that way.

Within this one platform, you are getting everything that you want. This single device can provide you with antivirus, anti-spyware, volumetric protection, URL filtering where decryption is required, and file blocking with Wildfire analysis.

Palo Alto Networks NG Firewalls have a Single Pass Parallel Processing (SP3) Architecture, which has a different kind of code doing the work. It increases the packet processing rate. Whereas, without the SP3 Architecture, you are waiting for each job to complete, even if you have 100 jobs assigned.

There is always scope for improvement on any particular device in any particular organization. For example, when there was change from IPv4 to IPv6, some of the firewalls still didn't support IPv6. In North America, we have seen most customers are using IPv6, as they are getting the IPv6 IPs from their ISPs. Sometimes, when they go through the firewall, it denies the traffic.

It has been almost three years.

From a stability point of view, the firewall is very stable because the PAN-OS version doesn't change very often. If a new PAN-OS version is out in the market, our engineering team checks it multiple times.

The network performance is never compromised.

It is scalable. We have small and big clients.

For small clients, there is the PA-220 device, which is very small but still very productive and secure. 

I have worked with one of the TACs, where there are almost 500 TAC engineers present. They have different rules for case priority when a customer opens something. If a customer is paying more to get support, then we have a dedicated engineer assigned to that particular customer. This is much easier for the customer, as they are getting one of the best engineers out there to troubleshoot their network. They never compromise on that.

Sometimes, due to some issues, tickets don't get assigned. Or, they assign the tickets manually if something goes wrong, which is a very odd case. Customers don't understand that. So, we always apologize to customers, and say, "How can we help you out?"

Support is 10 out of 10. 

Positive

We ask the end customer, whosoever has the legacy network in their organization, if they don't need all their extra devices in order to cut down on costs. We then do an IPSec tunnel on the cloud as a gateway. From there, they can route the traffic to the Internet or wherever they would like.

Palo Alto is a unified device with a very streamlined voice. I have worked on Cisco routers and ASA as well, where you have to do a lot of stuff through the CLI and Linux shell scripting. With Palo Alto, those things are streamlined and engineering takes care of everything.

The initial setup is pretty straightforward. It is very user-friendly. Everyone in an organization can learn the platform quickly. When we give training to our new candidates, they learn it very quickly. So, it is a streamlined device.

There is an interface type called V-Wire. You just connect it to your network. It will not disturb anything. You don't need to provide IPs. It doesn't need a separate Mac address. It just connects to a particular interface as a bump in the wire. It inspects your traffic, giving you an overall idea of what applications your organization is using and what user is doing what. If needed, you can deploy it in your network later on. This makes it very easy for our customer to deploy the product in their network before they buy it.

When it comes to installing a new PAN-OS version, it doesn't require you to go to Linux and write tons of commands in order to download and activate the latest PAN-OS version. You just have to download it, click the download tab, click the install tab, and then you are done. Therefore, it is hassle-free and super easy like Windows.

We have a very large team for deployment.

If you buy Palo Alto Next-Generation Firewalls, everything is in a single platform. You don't need to go and buy the Wildfire analysis to track zero-day attacks and lots of other things. Therefore, cost is cut down by 50% to 60% if you go for Palo Alto Next-Generation Firewalls.

If someone doesn't have a security platform in their network, then the following licenses will be required: antivirus, anti-spyware, vulnerability, and Wildfire analysis. There are also licenses for GlobalProtect and support.

Overall, Palo Alto Networks NG Firewalls is a market leader.

With other devices, you need a controller and console to manage them. That is not the case with Palo Alto Networks NG Firewalls, where most of the work is done through the GUI. If you want to deep dive, then you go to the CLI. 

Cisco ASAs give some information on the Nexus Firewall, but they are not streamlined. Whereas, Palo Alto Networks NG Firewalls is a streamlined device and easy to use.

If someone is in a routing and switching domain and wants to come up to a security domain, they should choose Palo Alto Network NG Firewalls.

We are happy to assist customers whenever support is missing. Over a period of time, we see customers raise tickets because they are looking for a particular feature that is not available on the platform. We don't say to our customers, "We don't support this." Instead, we take it as an opportunity, giving that information to our engineering team.

I would rate the solution as nine out of 10. I am leaving room for improvement.

I use Palo Alto Networks NG Firewalls to handle my perimeter security, which is the most critical point of my network.

Layer 3 and Layer 4 are part of the core functionality of any firewall, but this firewall brings more information into the inspection via Layer 7. Thus, the entire threat landscape has changed for us as a company.

We can integrate all the Palo Alto firewalls to have a single insight experience across all firewalls.

On a major scale, Palo Alto NGFW can be helpful in eliminating some security tools. It doesn't eliminate all of our other security tools, but it does bring down the dependency on some tools.

Security and network performance are of equal importance to us. This solution doesn't compromise your network's performance for security, which is a good trade-off.

The most valuable features are application inspection and sandboxing. Application inspection decides where traffic is transmitted. If I have a perimeter report for a particular service, then other services or malicious services cannot use an open port. In this way, application inspection is doing a fantastic job. We also have a very good sandbox with almost no rate limit. It will inspect any file that comes in and goes out in a dedicated patch to identify malware. Therefore, these two things help me to protect our organization from any bad actors.

It is extremely important for me that Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention. The way that they handle the traffic is very useful for us. The firewall creates a benchmark of known traffic patterns that every endpoint would have using machine learning. Machine learning creates a baseline of how the traffic goes in and out. When there is a deviation in the normal behavior, it gives me a threat indication via a reporting feature that shows us how the current traffic has deviated from the usual traffic. This is a very good feature, which is important for my organization to have on a daily basis.

It gives me a better experience when handling security holes. 

Our upgrades brought some rule reviewing features by default, without having to depend on third-party tools to perform the rule reviewing. That has been a good feature.

I would like them to bring in some features that would encourage traffic shaping or bandwidth routing, like other UTM firewalls, because the solution should be capable of limiting the bandwidth for rules.

If Palo Alto Networks could bring in session tracking, like FortiGate, then we can remove another cybersecurity tool. If they could say "This is user-based, not IP-based," using user attribute-based rules, then that would be helpful for a small- or medium-scale company because they could use a single device instead of two or three devices.

I have been using it for four years.

The stability is very good. After the upgrade, every other process was smoother. We haven't often seen bugs or operational hazards in terms of the device. 

Scalability is always available. If you are ready to invest the money, then you can add another box. Every device has its limitations though. NGFW has its own limitations, where it cannot scale beyond a certain point. Those limitations have already been published and users need to be aware of them when they are planning to buy a firewall.

The size of my environment is 3,000 to 4,000 users. We are a larger organization with 60 to 80 VLANs. There are approximately 3,600 endpoints accessing them. Day in, day out, we have a lot of network access change requests coming in that need to be performed. 

In terms of maintaining the firewalls for our space and cost, there are about 15 team members. It is a huge environment with 10 different clusters of Palo Altos. From our operational perspective, we need 15 team members.

On a practical scale, it depends on the size of your organization. If it is a small organization, I think two to three members should be sufficient enough to handle the solution. When you have a smaller organization with a maximum of 20 different VLANs, where there is a size limit of 50 to 100 users/employees, then two or three members would be sufficient enough to handle it. However, it all depends upon the number of endpoints that are the nodes and how many nodes the firewall is protecting.

The technical support is good. I would rate them as 10 out of 10. 

They are able to support me and the issues that have arisen, which have been very minimal. For cases where we break something in the configuration or any bug that is out of control, they are good in understanding and analyzing our issues as well as providing a solution for them. That is why I rated them as 10.

Positive

The initial setup was straightforward, not complex. We migrated from a different vendor to this platform. We had our goals and objectives in front of us. So, we had a good project plan before migrating everything.

I have multiple clusters. For the largest cluster, the migration took three to four weeks.

We used an integrator for the deployment.

We are monitoring the metrics. We have certain metrics to find ROI, e.g., it could be zero-days, the number of inclusions that this solution has blocked successfully, or the amount of malware that it has stopped. We identify this information via the sandboxing feature, which determines what other normal firewalls would have let in. We consider the amount of data that we process and the regulatory fines that would have arisen, if not for this solution. That is how our return of investment is calculated.

If the cost is your main priority, Palo Alto would be a bit high. However, if you are ready to hear about return of investment, then I would convince you to go for Palo Alto.

I am using three or four firewalls from different vendors. I know their capabilities as well as the strengths and weaknesses of each vendor. 

We have evaluated different firewalls and found Palo Alto best suited for boundary networks. Fortinet handles our user-facing firewalls. Between FortiGate and Palo Alto, there is Cisco.

We did a SWOT analysis on all the firewalls. We determined the best firewalls based on their throughput and protection suites. For example, a user-facing firewall doesn't need to be jam-packed with security features. However, a perimeter firewall is between the trusted and untrusted networks, so more security features are needed.

We are using a different DNS Security solution, so we haven't used Palo Alto NGFW’s DNS Security.

Explore the features that the solution offers. There are a lot. If you can use the features to their fullest potential, that would be best. 

If you are just doing an L3 and L4 inspection, then Palo Alto Networks might not be best suited for that environment. If you are going to use the features of an NGFW, then I would tell you about the solution's features and return of investment based on what you are protecting.