reviewer2171685 - PeerSpot reviewer
M&B at a computer software company with 11-50 employees
Real User
May 1, 2023
Good protection, easy to install, and reliable
Pros and Cons
  • "The most valuable feature of the solution is the network protection."
  • "The support could be improved. Palo Alto does not have a support team located in Bangladesh, and their support team operates from another location. Therefore, when we raise a ticket, it takes some time for them to respond, which can be problematic for us."

What is our primary use case?

I am a customer of Palo Alto Networks. If any issue arises, I raise a ticket with Palo Alto.

How has it helped my organization?

We are currently using Palo Alto in our national data center, which is a large Tier Three data center. As all communication is now going through APIs, it would be beneficial to improve Palo Alto by adding an API scanner in the future.

What is most valuable?

The most valuable feature of the solution is the network protection.

We decided to use Palo Alto because they are the leader in the market.

Palo Alto does provide a unified platform that natively integrates all security capabilities.

These days, DDoS attacks are becoming more frequent, especially in external data centers. Therefore, we need to enhance the DDoS attack block list and update patches in our national data center.

What needs improvement?

The API scanner could be improved.

The support could be improved. 

Palo Alto does not have a support team located in Bangladesh, and their support team operates from another location. Therefore, when we raise a ticket, it takes some time for them to respond, which can be problematic for us.

Buyer's Guide
Palo Alto Networks NG Firewalls
March 2026
Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
885,286 professionals have used our research since 2012.

For how long have I used the solution?

I have been working with Palo Alto Networks NG Firewalls for seven years.

What do I think about the stability of the solution?

Since we have definitely used Palo Alto Networks NG Firewalls, it's not possible to compare them with any other product.

The stability of Palo Alto Networks NG Firewalls is good.

What do I think about the scalability of the solution?

The current solution is satisfactory, but we require more scalability from Palo Alto.

How are customer service and support?

Technical support is good.

I would rate the technical support a nine out of ten.

Which solution did I use previously and why did I switch?

Previously, we did not use another solution.

How was the initial setup?

The initial setup was straightforward, as we prioritize quality over price for our federal work. Our main concern is protection, as we need to safeguard national assets.

What about the implementation team?

I am the consultant.

What was our ROI?

We have observed a positive return on investment because if a DDoS attack were to occur, it would result in a loss of business and other adverse effects.

By using Palo Alto to protect our data, we can prevent such attacks and ensure that our business runs smoothly.

What's my experience with pricing, setup cost, and licensing?

We always aim to reduce the pricing, as it is currently a bit high and needs to be lowered.

Before my organization purchases any product, they must obtain my permission and also conduct an evaluation.

Which other solutions did I evaluate?

From the very beginning, we have been using Palo Alto Networks NG Firewalls, so I cannot make a comparison with other firewall solutions.

What other advice do I have?

Palo Alto is the market leader in firewall technology, and we also use their firewall. However, we have been experiencing DDoS attacks and are using Palo Alto to protect against them. 

In some cases, we may need to increase the DDoS block list and update patches through Palo Alto.

As someone who works in the national data center, we always strive to use the very best, not the cheapest.

I would rate Palo Alto Networks NG Firewalls a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2171667 - PeerSpot reviewer
Security Engineer at a non-tech company with 10,001+ employees
Real User
May 1, 2023
Effectively protects environment from threats, but the technical support is lacking
Pros and Cons
  • "In general, I appreciate the regular firewall function of Palo Alto Networks NG Firewalls."
  • "There is room for improvement in the area of customer service."

What is our primary use case?

We use Palo Alto Networks NG Firewalls with Prisma and cloud environments.

How has it helped my organization?

As a firewall, it effectively protects our environment from threats.

What is most valuable?

In general, I appreciate the regular firewall function of the Palo Alto Networks NG Firewall.

Overall, it is a good networking device product.

From my perspective, having machine learning integrated into the core of the Palo Alto NG Firewalls is very important for enabling real-time attack prevention.

As far as I know, the use of Palo Alto Networks NG Firewalls has resulted in reduced downtime, but I am not directly involved with that department.

What needs improvement?

One main issue I've encountered is customer service. Occasionally, when I open a request, it gets closed automatically, without any explanation, leaving me unsure of what happened to it. However, overall, the product itself works well. As for Prisma Cloud, it could benefit from some additional functionality, but the main issue is the lack of communication regarding closed requests.

There is room for improvement in the area of customer service.

For how long have I used the solution?

I have had experience working with Palo Alto Networks NG Firewalls for three or more years.

What do I think about the stability of the solution?

The stability of Palo Alto Networks NG Firewalls is good.

How are customer service and support?

Technical support is lacking. I would rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Previously, we worked with Cisco Secure Firewall.

We switched to Palo Alto Networks NG Firewalls because it was a good deal for the company.

How was the initial setup?

I was not involved in the deployment.

Which other solutions did I evaluate?

Another team was responsible for running the proof of concept.

What other advice do I have?

I don't have any knowledge or experience regarding the unified platform and native integration of all security capabilities provided by Palo Alto Networks NG Firewalls.

Based on my experience, evaluating the security solution for all workplaces from the smallest office to the largest data centers cannot be assessed by a single path. However, in general, the solution is performing its intended job well.

I would rate Palo Alto Networks NG Firewalls an eight out of ten.

Attending the RSA conference provided me with an enormous amount of knowledge on various topics, such as new technologies and threats in different environments, including cloud and on-premises, which impacts my purchase throughout the year afterward.

One of our objectives is to search for new solutions, whether to replace current ones with more modern options or to explore new sandboxes, technologies, and vulnerabilities.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2171622 - PeerSpot reviewer
Information Security Specialist at a government with 501-1,000 employees
Real User
May 1, 2023
Easy to configure, reliable, with an appealing syntax
Pros and Cons
  • "The most important part of this solution is its reliability, as it just works without any fancy features."
  • "Enhancements could potentially be made to the firmware to improve its inspectability."

What is our primary use case?

We primarily use Palo Alto Networks NG Firewalls as Foundry Network devices, but we also use them to filter internal network traffic.

How has it helped my organization?

I don't believe there is a significant difference. It is similar to any Google firewall product in that it works as long as they are reliable.

What is most valuable?

The most important part of this solution is its reliability, as it just works without any fancy features. Users are mainly concerned about their ability to function consistently and dependably.

I believe that companies could potentially gain an advantage by leveraging their engineers' familiarity with certain interfaces. Typically, the familiarity factor plays a significant role in product selection, and if they have experience using certain interfaces, they are more likely to opt for those products.

In terms of the interface, I don't feel there is any distinction between this vendor and others. I believe that familiarity with the products itself is an important consideration.

What needs improvement?

With the use cases that I am familiar with, I don't believe that additional features would be of any benefit. 

Adding more features generally causes more issues. I would prefer they focus on improving reliability rather than adding new features.

My preference would be to exclude machine learning since it must be capable of explanation. This is really important to us, and the performance must also be highly predictable. If it is implemented, at the very least, the option to disable it completely must be available.

In my view, machine learning is often a bothersome addition that can potentially compromise security by allowing unauthorized traffic to pass through undetected. 

From my experience, this tends to occur in networks where all the traffic is clearly defined.

Enhancements could potentially be made to the firmware to improve its inspectability.

For how long have I used the solution?

In my current job, I have been using Palo Alto Networks NG Firewalls for three years.

What do I think about the stability of the solution?

In my experience, Palo Alto Networks NG Firewalls have been a stable solution.

What do I think about the scalability of the solution?

It has been as scalable as you would expect.

I have experience working on both small office networks as well as larger ones spanning multiple locations, typically around three to five locations.

I have worked with a range from small office setups with around fifty devices to larger ones with a scale of maybe a thousand, two thousand, or even five thousand devices.

Which solution did I use previously and why did I switch?

I have experience with quite a lot of other vendors.

In my opinion, I find the configuration of this product more appealing than that of Cisco, but ultimately, it comes down to the preference of the organization's administrators. In terms of features, I don't see a significant difference between them; they all seem pretty standard to me.

I find their syntax more appealing, especially for the command line.

How was the initial setup?

I am rarely involved in the deployment.

Which other solutions did I evaluate?

When assessing firewalls for securing data centers consistently and across all workspaces or places, Palo Alto Networks NG Firewalls are suitable products. 

From my experience, they have demonstrated excellent performance.

While it may not necessarily decrease downtime, it also doesn't cause any increase in downtime.

What other advice do I have?

Attending events like RSA has proven to be quite beneficial for me in terms of meeting new people and discovering interesting products. These events generated new contacts and partnerships for my organization.

I believe that we will likely evaluate and purchase at least one of the products in the near future.

It's a decent product. I would rate Palo Alto Networks NG Firewalls an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Satria Ady Pradana - PeerSpot reviewer
Consultant at PT. Mitra Integrasi Informatika
Reseller
Dec 4, 2022
Provides a layer 7 firewall and allows us to make rules to filter the application layer of traffic
Pros and Cons
  • "The most important feature is the firewall. We can make rules to filter the application layer of traffic. It's a very helpful feature."
  • "I would like to see more integration."

What is our primary use case?

We are resellers. We're testing this solution in our network and learning about the scalability, how to set up the firewall, and the rules. It's a layer 7 firewall, so we want to know about the capabilities and detection.

The solution is deployed on-premises.

What is most valuable?

The most important feature is the firewall. We can make rules to filter the application layer of traffic. It's a very helpful feature.

The interface is user-friendly. It minimizes clicks and the need to type comments. With the GUI, we just have to drag and drop. It's quite helpful. For those who don't have a lot of experience with Palo Alto, there's a lot of good documentation.

The machine learning is very good. From our tests, the detection is quite good. I would rate the machine learning a nine out of ten.

What needs improvement?

I would like to see more integration.

For how long have I used the solution?

I have used this solution for about eight months.

I'm a consultant and appliance tester. My job is to test the network and know how it works.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

I don't know about the scalability because we only have one appliance, which we haven't upgraded.

How are customer service and support?

I haven't contacted technical support, but all of the answers to my questions are available in the documentation.

Which solution did I use previously and why did I switch?

We previously used Fortinet.

How was the initial setup?

The installation is straightforward. It's just a simple button. The deployment took less than two hours.

We used four people for testing the capabilities and for the deployment. There were also three or four people outside my team who were involved.

What other advice do I have?

I would rate this solution a nine out of ten. 

To those who are interested in using this solution, what I would first say is that Palo Alto is a leader in Gartner. I would give them recommendations about the technical side, what we have done in our testing, the protection rate, the benefits, and how quickly and accurately the firewall can detect threats.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Chief Data Center Operations at a government with 10,001+ employees
Video Review
Real User
Oct 30, 2022
Makes it easier for tier-two staff to get involved in deeper root cause analysis
Pros and Cons
  • "Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there."
  • "Security is the biggest thing nowadays, including threat response, incident response, and root cause, and we found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against."
  • "As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in."

How has it helped my organization?

This solution helps us standardize. We have a presence in the Americas, the Pacific, and Europe and have to manage three firewalls. The previous solution made it difficult to standardize, but with Palo Alto Networks NG Firewalls, it's a little simpler. It just makes it a pleasant experience overall.

What is most valuable?

Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there.

Our firewall engineers like the automations that are involved with the firewall rules. For example, we integrate with Azure, and Azure constantly updates the IP addresses for their whitelists. There are hundreds. With the previous solution that we had, our firewall administrators had to hand-jam a lot of their IP addresses, so it became more of a deterrent to manage the firewall because of the overhead involved. Now that it's automated with Palo Alto Networks NG Firewalls, they've been more apt to use the tool than they did previously.

It allows our firewall administrators to speak more confidently when we have an incident response. When they detail their root cause analysis and possibly what the problem is, the leadership receives that information with a little more confidence, and it's a little more palatable. This makes our lives easier when dealing with an incident response.

From a leadership perspective, the reports are genuine, palatable, and easy to understand. They allow me to make logical leaps.

There are servers that go along with Palo Alto, at least for the identity management part. We chose to use a Windows platform, so the only maintenance involved is the patching of the servers and then the occasional agent upgrade for the servers. Palo Alto versions would need to be upgraded as well, along with security patches.

For the most part, we don't see it as a lot of overhead in terms of maintenance. We try to have a maintenance weekend each month for our network team, in addition to a patch maintenance weekend for our system administrators. Overall, we really haven't had to patch.

What needs improvement?

As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in.

For how long have I used the solution?

We've been using it for roughly five years.

It's deployed on-premises, but we are presently moving into Azure, so we are looking at the Palo Alto appliances for that environment as well.

What do I think about the stability of the solution?

Stability-wise, we have three regions in which we use Palo Alto, and we are not pegging the resources for these boxes at all. They're meeting and exceeding our expectations in terms of stability, but we're definitely not pushing them to the limit.

What do I think about the scalability of the solution?

In terms of the scalability of the appliance itself, there are some licenses that you can upgrade where you don't have to bolt on any hardware. You may have to upgrade a module. The supporting appliances are VMs that we stand up in the data center, and those handle more of the identity management pieces of the Palo Alto solution.

How are customer service and support?

Palo Alto's technical support has been great. We recently had an issue with DNS where we were having difficulties tracking where an endpoint was making DNS requests. We got a little lost in some of the admin consoles for Palo Alto. We opened a service request, the call was returned within two hours, and an administrator from Palo Alto stayed on the phone with our engineers for about three hours and really helped us by generating some unique queries.

I would rate technical support an eight out of ten with respect to the engineers. They've been very responsive and quick. They have always followed up within the timeframe that Palo Alto said that they would.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We switched because of the end of life in a hardware's life cycle. With us moving into the cloud and having a much larger endpoint presence, we wanted something that was a little more robust. We also had fewer head counts for our firewall or network administrator staff. So, we wanted a tool that we could access easily and not have such a large training curve. We went with Palo Alto Networks NG Firewalls because it made a little more sense for us.

What was our ROI?

In terms of ROI, protecting our customers is obviously number one. The implementation of our previous solution required agents to be installed on all our endpoints. That was a little more difficult because we have a large number of endpoints globally. The administrative overhead to manage the updates for those agents was not favorable.

Palo Alto Networks NG Firewalls allowed us to rely more on the existing infrastructure, Active Directory, to help us with identity management and security groups. It has made it simpler to manage.

Which other solutions did I evaluate?

We evaluated two other options. 

The sales team that assisted us with refining our requirements and explaining some of the new feature sets that are coming out helped us see that some of our requirements were no longer needed. It really helped us to learn more about the service that we were looking for, and Palo Alto just made it an easier discussion for us.

What other advice do I have?

I recommend fully engaging Palo Alto's sales team. They're very knowledgeable and very friendly. We have three regions, PAC, Europe, and the Americas, and time zones and the quality of support always come into question when you're spread out. We haven't seen any gaps no matter what time zone we had a problem with in terms of sales and post-support. It has been great all the way around.

Overall, I would give Palo Alto Networks NG Firewalls a rating of eight on a scale of one to ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Hamada Elewa - PeerSpot reviewer
System Engineer - Security Presales at Raya Integration
Real User
Top 5 Leaderboard
Feb 22, 2022
App-ID, invented by Palo Alto, knows an application, who's communicating with it, and how it is used inside a network
Pros and Cons
  • "The most valuable features are the power of the threat prevention and the WildFire service. Its strength comes from the huge number of sensors all over the world. The firewalls have a rich library of signatures."
  • "When you apply App-ID and User-ID and Content-ID, you will protect your environment more than with any other firewall."
  • "If you enable SSL you will face a problem. The throughput of the firewall will be degraded. SSL is a big issue on all firewalls. All products suffer from issues with SSL, but Palo Alto firewalls suffer more from it."
  • "If you enable SSL you will face a problem. The throughput of the firewall will be degraded."

What is our primary use case?

We use Palo Alto Networks NG Firewalls as internet firewalls, LAN or WAN firewalls, as well as data center firewalls.

How has it helped my organization?

When you apply App-ID and User-ID and Content-ID, you will protect your environment more than with any other firewall. That's because Palo Alto is a leader in App-ID. They invented it. It knows the application and who's communicating with it, and how it is used inside a network. If you use Palo Alto as your internet firewall, for example, when your employee accesses the internet, you will determine which applications he's communicating with, including which ports and the behavior of the user. That helps protect your environment.

The Palo Alto NG Firewalls unified platform has helped to eliminate security holes in our customers' environments. When you have multiple firewalls from Palo Alto to protect more than one segment, such as the LAN, WAN, internet, and data center segments, you can manage all of these from a single point with Palo Alto Panorama. It makes it easy to configure and monitor all of these segments.

What is most valuable?

The most valuable features are the power of the threat prevention and the WildFire service. Its strength comes from the huge number of sensors all over the world. The firewalls have a rich library of signatures.

Also, the new generation of Palo Alto firewalls includes machine learning embedded in the hardware itself and that is effective in the new era of attacks. Nowadays, we don't know the behavior of the attacks, so we need a product to learn along with us: How an attack will affect us and how the attack will enter a corporate environment. That's why the machine learning aspect is important.

They also provide a unified platform that natively integrates all security capabilities. You can configure or change anything in the firewall itself from the management console, and there is a separate console for managing all the firewalls you have, called Panorama. It's a very good central manager. I like Panorama. It is the most powerful and capable central manager of firewalls. It gives you very rich information about your environment, and what is moving inside it. It helps you to configure it easily.

It's also important that the NSS Labs test report from July 2019 about Palo Alto's NG Firewalls showed that 100 percent of the evasions were blocked. NSS Labs is the most accurate public report that all my customers want to see. All my customers ask about NSS Labs and where Palo Alto is positioned in their reports. To position Palo Alto, I will show my customer the NSS Lab report. It's the most important report.

In addition, in the last two series, Palo Alto separated the engines. That means you will not face any issue with the performance or the firewalls. There is an engine for performance, an engine for the IPS, and another engine for other features. There isn't only a single engine responsible for all these features.

What needs improvement?

The IoT could be better. IoT environments will be part of IT and measuring these zones will make your IT environment more resistant to attacks. You need a powerful firewall to secure the IoT segment, the same way that Palo Alto Firewalls do for the IT segment.

Also, if you enable SSL you will face a problem. The throughput of the firewall will be degraded. SSL is a big issue on all firewalls. All products suffer from issues with SSL, but Palo Alto firewalls suffer more from it.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for at least four years, but for my company it has been almost 10 years.

I have worked with many Palo Alto models, including the PA-3000 Series, the new PA-3020 Series, and the new-generation PA-3400. I have worked with the PA-800 Series and the 5K as well.

Our company provides services for the whole cycle, from design and sizing to ordering and implementation. We provide all professional services. And we support systems after implementation.

What do I think about the stability of the solution?

It's a very stable firewall.

What do I think about the scalability of the solution?

If you choose a model, from PA-3000 or PA-400, or the PA-5000 Series, you should size it correctly from the beginning, and you must consider expansion, otherwise you could face a big problem, as it's not scalable. But, if you have a big company, and you've chosen it as a data center firewall, you can choose a modular version, so that it is easily scalable.

How are customer service and support?

There are two types of support. If you choose partner support, you will face a big problem because it will take more time to reach Palo Alto. But if you choose direct support from the vendor, they will support you very well.

How would you rate customer service and support?

Positive

How was the initial setup?

It's very simple to deploy Palo Alto NG Firewalls into our clients' environments. One of my professional service team engineers was able to do an implementation on his own after shadowing just one implementation. He didn't take any courses or do any formal training. He was just a shadow on a single implementation. After that, he did an implementation. It's a very easy firewall.

The time it takes to deploy this firewall depends on the environment. If it's a complicated environment, a big corporate environment, the number of policies and rules and segments will be the determining factor. But it won't take that long. If you enable App-ID, you will need more time. App-ID is one of the most powerful tools inside NG Firewalls from Palo Alto, but it needs professional engineers to implement it. After that, you will have a very good security tool.

What was our ROI?

Our customers certainly see ROI from Palo Alto firewalls. For example, if a bank doesn't have Palo Alto firewalls, or any technology from Palo Alto, they will face many attacks, which would be resolved by Palo Alto. These attacks could compromise some of their customers and result in taking their money. What will the bank do then? The ROI comes from protecting customers.

What's my experience with pricing, setup cost, and licensing?

Palo Alto is one of the most expensive firewalls in the world. Everyone knows that. But you need at least one layer from Palo Alto to protect your environment because it is the strongest company in the security field.

The licensing model for container security is complicated for me and for my customers.

Which other solutions did I evaluate?

I deal with Fortinet Fortigate firewalls, Forcepoint firewalls, and Cisco firewalls every day. We sell and implement them, like Palo Alto.

Palo Alto now has the IoT license on the firewall. They can protect you from DNS attacks. The WildFire license is a very rich license, and other vendors don't have that. And if your firewall is an internet edge firewall, Palo Alto GlobalProtect will give you a host compliance check without adding anything else. Also App-ID and Content-ID are very good and very mature, unlike with other vendors.

I have also used Palo Alto NGFW’s DNS Security for two of my customers. It's a good addition to the firewall, but it's not perfect. Palo Alto is not specialized in DNS attacks. There are a lot of companies that specialize in DNS attacks. They are more mature than Palo Alto in this area. Palo Alto is not like Akamai or Infoblox or EfficientIP, as those companies are specialized in DNS, DNS servers, and DNS attacks. Palo Alto is not only a DNS company.

What other advice do I have?

Someone who says, "We are just looking for the cheapest and fastest firewall," can get a free firewall, but they will not be protected. They will not be updated against the latest attacks all over the world.

There are tools on the Palo Alto portal that can be used to enhance the configuration of your Palo Alto product and they are free.

Overall, I love Palo Alto.

Disclosure: My company has a business relationship with this vendor other than being a customer. Diamond Partner
Amol Kurane - PeerSpot reviewer
Deputy General Manager IT at ARAI
Real User
Feb 17, 2022
A next generation firewall solution with a useful sandbox feature, but performance could be better
Pros and Cons
  • "I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time. The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall. The most valuable solutions in this field are application-based firewalls. That is the main criterion of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well. We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on client-side machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities. Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well. This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us."
  • "Palo Alto Networks NG Firewalls is an all-in-one solution; it provides every entity log, which is a very good functionality of this firewall, giving every packet and aspect that the firewall is performing through its logs, and it does it very well."
  • "We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall. We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more. URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team."
  • "We are not happy with Palo Alto at all."

What is our primary use case?

We have deployed Palo Alto Networks NG Firewalls and every web filter security available. So, we came to know each website user who got blocked and the "not required" categories. These categories are permanently blocked, and if any changes are required in these categories, we will first get approval from management. 

What is most valuable?

I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time.

The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall.

The most valuable solutions in this field are application-based firewalls. That is the main criterion of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well.

We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on client-side machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities.

Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well.

This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us.

What needs improvement?

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall.

We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more.

URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for the last three or four years.

What do I think about the stability of the solution?

In terms of stability, in the sense of security and alerts, this solution is very good, and we have not had any issues. However, web filtering and the application-based approach are very poor.

What do I think about the scalability of the solution?

Palo Alto Networks NG Firewalls is a scalable solution.

How are customer service and support?

Palo Alto Networks support could be better. We bought this solution for security purposes, and we asked the support team to convert each and every entity. They have not been able to convert this New Generation Firewall to date. 

Their name suggests that the product will use every application and work as a New-Generation Firewall. Yet, it's not configured, and we can only configure 30% to 40% of the applications. That is also giving us some problems sometimes.

On a scale from one to ten, I would give Palo Alto Networks support a three.

Which solution did I use previously and why did I switch?

We have a policy in our organization to change the firewall every five years. So, I have experience working on FortiGate, SonicWall, and WatchGuard over the last 20 years.

WatchGuard is very good at web filtering. FortiGate is also very good, and they have their own application to manage the firewall, and SonicWall is also very good. 

Palo Alto is a web-based firewall, and there are no applications to deploy and support. I mean, I take all the logs and all things from the client-side. As it's web-based, it's extremely slow. 

When you click on a particular log, it will take a lot of time because it generates lots of logs. That is a good thing, but performance is a little slow. Both WatchGuard and FortiGate are very good for this kind of thing. Also, WatchGuard is application-based, and I didn't have to deploy it. I came to know about Palo Alto from my friends who said it was very good for application-based security. 

How was the initial setup?

The initial setup and deployment are straightforward. We did not have any issues at all. It took us about 15 to 20 days to implement this solution. 

What about the implementation team?

The policies we have with Atelier and WatchGuard were exported, and we tried to deploy these policies on the new firewall. The reseller helped us configure it but without our concession or permission and could not deploy the firewall. We later had more problems, and the reseller helped us with that as well.

Video Import Solutions is our local reseller in Pune, India. In our experience, not every engineer knew the firewall concept. I mean, not at all. If we wanted something new or had to deal with this application-related issue, they always told us they would log a case and resolve it. But they did not support us at all and did not give us any reason why they could not do it.

What was our ROI?

I am a technical guy, and I would say that you will not get a return on your investment. Even FortiGate and WatchGuard will offer next-generation solutions that perform better than Palo Alto Networks.

What's my experience with pricing, setup cost, and licensing?

The price could be better. Pricing is very different compared to WatchGuard, which costs around 60 lakhs, and FortiGate, which costs approximately 40 lakhs. Palo Alto Networks costs about a crore which is very high pricing.

We bought this firewall, and our organization did not want to pay so much. We spent around one crore rupees which is not within our budget at all, and we are unhappy with them.

What other advice do I have?

This firewall provides a unified platform that natively integrates all security capabilities. It will queue all functionalities like firewall protection and alerts and track all DDoS attacks. It shares all the information with us, and we can monitor and take immediate action on the other alerts we receive.

I would advise potential users to only go for this solution if they have the budget and don't require any support. Only buy this firewall if you can install, configure, and solve potential problems on your own. If not, FortiGate and WatchGuard are much better options.

On a scale from one to ten, I would give Palo Alto Networks NG Firewalls a five.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Analyst at a recreational facilities/services company with 1,001-5,000 employees
Real User
Jan 4, 2022
Its single pane of glass makes monitoring and troubleshooting more homogeneous
Pros and Cons
  • "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."
  • "As far as a firewall solution, it is one of the best ones that I have seen."
  • "Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it."
  • "Once in a while, they have new features being released that can be buggy."

What is our primary use case?

It is our main Internet firewall. It is used a lot for remote access users. We also use the site-to-site VPN instance of it, i.e., LSVPN. It is pretty much running everything. We have WildFire in the cloud, content filtering, and antivirus. It has pretty much all the features enabled.

We have a couple of virtual instances running in Azure to firewall our data center. Predominantly, it is all physical hardware.

I am part of the network team who does some work on Palo Alto Networks. There is actually a cybersecurity team who kind of controls the reins of it and does all the security configuration. I am not the administrator/manager in charge of the group that has the appliance.

How has it helped my organization?

With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings.

What is most valuable?

It is fairly intuitive. 

The central management of Panorama actually works. It is what FortiManager aspires to be, but Panorama is usable. You can push config down, do backups, and use templates from other sites, copying them over. The reliability and throughput, plus Panorama's control features, are its main selling features.

It is a combined platform that has different features, like Internet security and the site-to-site VPN. Previously, there were different components that did this. If it was a remote access VPN client, then you would have to go onto one platform and troubleshoot. If it was a site-to-site, it was on a different platform so you would have to go onto that one. It would be different command sets and troubleshooting steps. From that perspective, having that combined and all visible through Panorama's centralized management is probably one of the better benefits.

We had a presentation on Palo Alto Networks NG Firewalls a few years ago. I know the number of CPU cores that they have inside the firewall is crazy, but it is because they have to pack all the performance and analysis in real-time. It is fast. I am always amazed at the small PA-220s and how much performance they have with their full antivirus on it. They can pass 300 megabits per second, and they are just about the size of a paperback book. As far as how that single-pass processing impacts it, I am always amazed at how fast and how much throughput it has.

What needs improvement?

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

For how long have I used the solution?

I use it every other day.

What do I think about the stability of the solution?

It is pretty reliable. All the services pretty much work. It is not too buggy. With any hardware/software manager these days, when you get new features, they tend to not be too thoroughly tested and can be buggy. We have been noticing this. For example, they had zero-touch deployment and the first few iterations just didn't work. While we have encountered a few bugs, I don't think they are any worse than anything else we get. The underlying hardware seems to be pretty reliable. You can do configuration changes, reboot and reload them, and they just keep coming back and work.

Our cybersecurity guys tend to do the patching and upgrades when they come around. When one of these things had a hard disk failure, they got that restored or replaced. For day-to-day maintenance, other than typical operational changes and troubleshooting, I don't think there is that much maintenance to be done. Every few weeks, there is probably somebody who goes for a few hours and checks the various patch levels and possibly does upgrades.

The upgrades are fairly easy to do. You just download the software, the central management system, and tick off the devices that you want to deploy it to. It will automatically download it. Then, you just sort of schedule a reboot. I don't know how many hours per week or month people put into it, but it is pretty reasonable.

What do I think about the scalability of the solution?

We have about half a dozen core firewalls and 30 to 40 remote firewalls. We haven't hit any scaling limitations yet. What we have is functioning well. At some point, our main firewall in our data center might be overwhelmed, but it has pretty high throughput numbers on it. So far, we haven't hit any sort of limitations. So far, so good.

The physical appliances are sort of tiered. You have your entry-level, which is good for 300 megabits of threat detection. The next ones have 800 megabits of threat detection. So, if you have a site with around 50 people, you can get the entry-level. However, there is always a point that if you have too many users doing too many things then the physical appliance just can't handle it. Then, you need to upgrade to a higher-level appliance. This is expected. When that happens, we will just sort of get the higher-level model or plan for two years of growth to get the right size. Therefore, as far as scalability, it just comes down to planning.

As far as the management platform, that would be more of a case of just adding CPU cores into your virtual machine as well as more memory. So far, we haven't had any scalability limitations. It is possible that we will see it at some point, but we haven't so far.

How are customer service and support?

This is not Palo Alto-specific. It seems to be across all the different vendors that there is a little bit of a hit-and-miss on whether you get a tech person who knows what they are doing and is interested in your problem. When you call frontline support, you can get somebody who doesn't know what they are doing and puts you off. Or the next time you call, you can get a tech who is on the ball and super helpful. This is sort of a smaller problem. It is a bit of a crapshoot on how good the support will be. I would rate the frontline technical support as five or six out of 10.

If it tends to be more of a critical problem, and you involve the sales team, then you are forwarded onto somebody who really knows what they are doing. However, the frontline support can be hit-and-miss. Their second-tier support is really good. 

The top-tier support is 10 out of 10. We did have some more serious problems, then they put one of their engineers on it who has been amazing.

Overall, I would rate the technical support as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I did work with Cisco ASA, prior to FireEye, where they purchased and integrated it as sort of the next generation part of their ASA. 

One of our remote access solutions for remote access clients was Cisco ASA. That was just getting to its end-of-life. It actually worked quite well. It was pretty hands-off and reliable, but the hardware was getting to end-of-life. Because we had the Palo Alto capable of doing similar functions, we just migrated it over. 

It was similar for our site-to-site VPN, which was Cisco DMVPN that we are still using, but we are migrating off it since its hardware is reaching end-of-life. By combining it into the Palo Alto umbrella, it makes the configuration and troubleshooting a bit easier and more homogeneous.

Before, it was just different platforms doing sort of similar but different functions. Now, we are using similar platforms and devices rather than having three different solutions. This solution is sort of homogenized; it is sort of all in one place. I suspect that makes security a bit more thorough. Whereas, we had three different platforms before. Some of the delineation isn't clear, as they sort of overlap in some respects to what they do, but having it in one location and system makes gaps or overlaps or inconsistencies easier to spot.

How was the initial setup?

I was gone for a few years when they brought this in.

Adding additional appliances is very straightforward. 

What was our ROI?

Having one manager/system with a common interface and commands, rather than three or four, is more efficient.

What's my experience with pricing, setup cost, and licensing?

It is expensive compared to some of the other stuff. However, the value you get out of it is sort of the central control and the ability to reuse templates.

It is a good product, but you pay for it. I think it is one of the more expensive products. So, if you are looking for a cheaper product, there are probably other options available. However, if you are looking for high performance, reliable devices, then it has kind of everything. Basically, you get what you pay for. You can get other firewalls for cheaper and some of the performance would probably be just as good, but some of the application awareness and different threat detections are probably superior on the Palo Alto Networks.

What other advice do I have?

As far as a firewall solution, it is one of the best ones that I have seen. It is fairly expensive compared to some of the other ones, but if you have the money and are looking for a solid, reliable system, then Palo Alto is the way to go.

For what we use it for, the solution is good.

I am part of the network team. There is a cybersecurity team who has control of its reins and does all the security configuration. I am not the administrator of it or a manager in charge of the group with this appliance.

I find the whole machine learning and AI capabilities a bit overhyped. Everybody throws it in there, but I'm actually a little bit suspicious of what it is actually doing.

I don't follow or monitor some of the day-to-day or zero-day threat prevention protection abilities that it has. 

I would rate the solution as nine out of 10, as I am always hesitant to give perfect scores.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.