Palo Alto Networks NG Firewalls Reviews

This solution helps us standardize. We have a presence in the Americas, the Pacific, and Europe and have to manage three firewalls. The previous solution made it difficult to standardize, but with Palo Alto Networks NG Firewalls, it's a little simpler. It just makes it a pleasant experience overall.

Security is the biggest thing nowadays, including threat response, incident response, and root cause. We found that a lot of the logging and dashboard capabilities offered by Palo Alto fill the missing skill gap that you run up against. It makes it easier for our tier-two staff to get involved in some of the deeper root cause analysis. The dashboards, logs, and reports make it easier for our staff to dive right in and not get lost in what tools they should use. It's easy because they're all right there.

Our firewall engineers like the automations that are involved with the firewall rules. For example, we integrate with Azure, and Azure constantly updates the IP addresses for their whitelists. There are hundreds. With the previous solution that we had, our firewall administrators had to hand-jam a lot of their IP addresses, so it became more of a deterrent to manage the firewall because of the overhead involved. Now that it's automated with Palo Alto Networks NG Firewalls, they've been more apt to use the tool than they did previously.

It allows our firewall administrators to speak more confidently when we have an incident response. When they detail their root cause analysis and possibly what the problem is, the leadership receives that information with a little more confidence, and it's a little more palatable. This makes our lives easier when dealing with an incident response.

From a leadership perspective, the reports are genuine, palatable, and easy to understand. They allow me to make logical leaps.

There are servers that go along with Palo Alto, at least for the identity management part. We chose to use a Windows platform, so the only maintenance involved is the patching of the servers and then the occasional agent upgrade for the servers. Palo Alto versions would need to be upgraded as well, along with security patches.

For the most part, we don't see it as a lot of overhead in terms of maintenance. We try to have a maintenance weekend each month for our network team, in addition to a patch maintenance weekend for our system administrators. Overall, we really haven't had to patch.

As part of our internet filtering, we integrate heavily with Active Directory, and we use security groups to separate staff into two groups: those who should have full access to the internet and those who should have limited access. It may be just the way the topology is for our domain controllers and that infrastructure, but at peak usage, there seems to be a delay in reading back against the security group to find out what group the user is in.

We've been using it for roughly five years.

It's deployed on-premises, but we are presently moving into Azure, so we are looking at the Palo Alto appliances for that environment as well.

Stability-wise, we have three regions in which we use Palo Alto, and we are not pegging the resources for these boxes at all. They're meeting and exceeding our expectations in terms of stability, but we're definitely not pushing them to the limit.

In terms of the scalability of the appliance itself, there are some licenses that you can upgrade where you don't have to bolt on any hardware. You may have to upgrade a module. The supporting appliances are VMs that we stand up in the data center, and those handle more of the identity management pieces of the Palo Alto solution.

Palo Alto's technical support has been great. We recently had an issue with DNS where we were having difficulties tracking where an endpoint was making DNS requests. We got a little lost in some of the admin consoles for Palo Alto. We opened a service request, the call was returned within two hours, and an administrator from Palo Alto stayed on the phone with our engineers for about three hours and really helped us by generating some unique queries.

I would rate technical support an eight out of ten with respect to the engineers. They've been very responsive and quick. They have always followed up within the timeframe that Palo Alto said that they would.

Positive

We switched because of the end of life in a hardware's life cycle. With us moving into the cloud and having a much larger endpoint presence, we wanted something that was a little more robust. We also had fewer head counts for our firewall or network administrator staff. So, we wanted a tool that we could access easily and not have such a large training curve. We went with Palo Alto Networks NG Firewalls because it made a little more sense for us.

In terms of ROI, protecting our customers is obviously number one. The implementation of our previous solution required agents to be installed on all our endpoints. That was a little more difficult because we have a large number of endpoints globally. The administrative overhead to manage the updates for those agents was not favorable.

Palo Alto Networks NG Firewalls allowed us to rely more on the existing infrastructure, Active Directory, to help us with identity management and security groups. It has made it simpler to manage.

We evaluated two other options. 

The sales team that assisted us with refining our requirements and explaining some of the new feature sets that are coming out helped us see that some of our requirements were no longer needed. It really helped us to learn more about the service that we were looking for, and Palo Alto just made it an easier discussion for us.

I recommend fully engaging Palo Alto's sales team. They're very knowledgeable and very friendly. We have three regions, PAC, Europe, and the Americas, and time zones and the quality of support always come into question when you're spread out. We haven't seen any gaps no matter what time zone we had a problem with in terms of sales and post-support. It has been great all the way around.

Overall, I would give Palo Alto Networks NG Firewalls a rating of eight on a scale of one to ten.

We basically use it to protect our network from various malicious activities out there. We have two subscriptions. We have the WildFire subscription, which is similar to DNS filtering. We also have Threat Protection, which allows the firewall to inspect traffic up to Layer 7. It inspects applications as well as unknown applications, quarantining and stopping things. So, you are not always chasing, "What applications should I be running on this device?" It does a good job of all of that. The management of it is a little tricky, but that is how it goes.

We are running the PA-3250s. We have two of them. They operate in Active/Passive mode. Therefore, if one fails, then the other one takes over. 

It is pretty important to have embedded machine learning in the core of the firewall to provide inline, real-time attack prevention, because all these different attacks and threats are constantly evolving. So, you want to have something beyond just hard pass rules. You want it to learn as it is going along. Its machine learning seems pretty good. It seems like it is catching quite a few things.

There is a web-based GUI to do management, but you need to know how the machine or firewall operates. There are hundreds of different menus and options. I have used other firewalls before. Just implementing or designing a policy with Palo Alto, if you want a certain port to be open to different IP addresses, then that could take 20 to 25 clicks. That is just testing it out. It is quite complex to do. Whereas, with other places, you tell it, "Okay, I want this specific port open and this IP address to have access to it." That was it. However, not with Palo Alto, which is definitely more complex.

The VPN is only available for Windows and Mac iOS environments. We have a variety of iPads, iPhones, and Android stuff that wouldn't be able to utilize the built-in VPN services.

I would like easier management and logging. They can set up some profiles instead of having you create these reports yourself. However, you should be able to set it up to give you alerts on important things faster.

We have had this in place for four years. I have been at the school for almost a year and a half. So, this is my second year here at the school, so my experience with it has probably been a year and change. I use other firewall solutions, but I have gotten pretty comfortable with the Palo Alto solution.

It is very stable. We have never had any issues with any failures on it.

I haven't felt any performance lags on it. It has been handling everything just fine.

We purchased it a few years ago. Since then, we have had a lot more clients on our network, and it has handled all that fine. You go into it and just have to scale it higher. Palo Alto doesn't give you too many choices. There is not a medium; it is either very small or very big. So, you don't have a choice in that.

We have never had to call Palo Alto. Secure Works does all our support maintenance on it.

I have been here for a year and a half. Before, the firewall that they were using (Barracuda) was barely adequate for what we were doing. We got new ones simply, not because we had a software/hardware-type attack, but because we had a social engineering attack where one of the folks who used to work for us went on to do some crazy things. As a result, the reaction was like, "Oh, let's get a new firewall. That should stop these things in the future."

The initial setup was pretty complex because they did not do it themselves. They actually hired some folks who put it in. 

We use Secureworks, which is a big security company. They actually send an alert when there are problems with the firewall or if there are security issues. They handled the deployment. 

We also use another company called Logically to monitor the firewall in addition to all our other devices.

Active/Passive mode is very redundant, but they require you to buy all the associated licensing for both firewalls, which is kind of a waste of money because you are really only using the services on one firewall at a time.

I would suggest looking at your needs, because this solution's pricing is very closely tied to that. If you decide that you are going to need support for 1,000 connections, then make sure you have the budget for it. Plan for it, because everything will cost you.

If another school would call and ask me, I would say, "It's not the cheapest. It's very fast, but it's not the cheapest firewall out there."

I have been looking at different firewalls because our service and maintenance contracts are up on it. We have two different outsourced folks who look at the firewall and help us do any configurations. My staff and I lack the knowledge to operate it. For any change that we need to make, we have to call these other folks, and that is just not sustainable.

We are moving away from this solution because of the pricing and costs. Everything costs a lot. We are moving to Meraki MS250s because of their simplicity. They match the industry better. I have called the bigger companies, and Meraki matches the size, then the type of institution that we are.

If someone was looking for the cheapest and fastest firewall product, I would suggest looking at the Meraki products in the educational space. I think that is a better fit.

Its predictive analytics and machine learning for instantly blocking DNS-related attacks is doing a good job. I can't be certain because we also have a content filter on a separate device. Together, they kind of work out how they do DNS filtering. I know that we haven't had any problems with ransomware or software getting installed by forging DNS.

DNS Security for protection against sneakier attack techniques, like DNS tunneling, is good. I haven't had a chance to read the logs on those, but it does pretty well. It speaks to the complexity of the firewall. It is hard to assess information on it because there is just a lot of data. You need to be really good at keeping up with the logs and turning on all the alerts. Then, you need to have the time to dig through those because it could be blocking something, which it will tell you.

I haven't read the NSS Labs Test Report from July 2019 about Palo Alto NGFW, but it sounds interesting. Though it is a little bit of snake oil, because the worst attacks that we had last year were purely done through social engineering and email. I feel like this is an attack vector that the firewall can't totally block. So, before you put something in, like Palo Alto Firewalls, you need to have your security policy in place first.

I would rate this solution as eight out of 10. Technically, it is a good solution, but for usability and practicality, I would take points off for that.

The solution is more towards the front of the security stack.

We use both AWS and Alibaba Cloud.

The single pass architecture has helped a lot in the implementation and maintenance of Palo Alto Networks. It changed the customer's opinion on UTM platforms. In the past, when customers used UTM platforms, they feared the security features would impact the performance and slow down the network, causing some instability. However, with the single pass architecture, Palo Alto has demonstrated that you can use a lot of the security features without having an impact on the security and network performance. Therefore, most of our customers will dare to use most of Palo Alto Networks' security features.

• Application identification
• Antivirus
• Vulnerability protection
• URL filtering
• SSL VPN
• IPsec VPN

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities. Most of our customers are busy. They cannot afford the time to learn very complicated user interfaces and configuration procedures. With Palo Alto Networks, they offered a unified user interface for all its NG Firewall products and Panorama. I think it reduces some of our customers' maintenance time. 

Palo Alto NGFW’s unified platform has helped our customers eliminate security holes. With a unified platform, customers can deploy the NG Firewall both in the data center edge, inside the data center, and in the product/public cloud environments. They have the same user interfaces and platform, so they can be maintained by a single unified platform called Panorama. Customers can use Palo Alto Network NG Firewalls in all the places where they need to protect their environments. This helps to decrease security holes.

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

I have been using it for eight years, though my company does not use it.

Compared to its competitors, the stability of NG Firewalls is very good. We have faced some strange problems with the hardware platform or operating system. Most of these customer cases come from complicated configs and bugs. However, stability is very good overall.

Scalability is not that good. Palo Alto Networks NG Firewalls product is for middle-sized and small businesses. It has fixed parts and capacities for processing. Some of their higher-end products have the scalability to expand capacities, but only a few customers can afford their larger product.

I would rate it as eight to nine out of 10. Most of the technical engineers, who provide support for our customers, are efficient. There are one or two Tier 1 tech support engineers who often don't have answers.

Palo Alto NGFW’s unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. Before using Palo Alto Networks NG Firewalls, customers might need to implement Layer 4 firewalls, IPS and possibly an antivirus, gateways, and maybe web proxies for all their devices. With Palo Alto NGFW’s unified platform, if a customer can do all the config and security policies on one platform, then this will merge all their security things onto a single platform.

The initial setup is not complex; it is straightforward. Our users only need a cable and some basic steps to configure the management interface. Then, it can set up the NG Firewall and ensure that the network and routing are working as expected in the environment. I think its steps are easier than most of its competitors. The initial setup takes one or two hours.

The full setup time depends on the features, then whether the environment or customer needs are complicated or not.

For our implementation strategy, we talk to our customers and work out documents for all their configs, which includes basic information that we need to know for implementing the firewall. Then, we follow the documents and do the implementation. We also may modify some content of the documents as the project processes.

It needs one or two employees with enough skills to manage and maintain it. They may need to modify firewalls, firewalls security rules, and possibly inspect alerts that are generated from firewalls.

By having a customer operate on a unified platform, they can do the application control, traffic control, threat protection, and URL filtering on a single platform. This effectively reduces the workload on all their networks and security tools.

Cheap and faster are the opposite sides of security. Security inspections have some technical and money costs. If you just purchase some cheap, fast firewalls, then you will lose a lot of the security features and fraud protection capabilities.

My company uses Cisco Firepower NGFW Firewall, not Palo Alto Networks NG Firewalls. We started our cooperation with Cisco a lot longer than with Palo Alto Networks. We have been working with Cisco to expand their business in China for more than 20 years, which is why the leaders in our company might be choosing Cisco products.  

Most of our customers have been using Palo Alto Networks for a long time and do not want to change to another vendor. The unified user interface is a big benefit for them.

Palo Alto NGFW’s DNS Security is an effective way to detect and block DNS tunneling attacks, because most competitors do not have these techniques to detect the DNS tunneling on a single device. They require maybe a SIM or some analysts. So, this is something quite creative for Palo Alto Networks.

For our customers, I would tell them that Palo Alto Networks NG Firewalls is easy to use, but probably difficult to master. It has a very easy to use interface and configuration utility, but it has a lot of advanced features that need some deep knowledge of the product.

No product can guarantee 100% evasions being blocked, but I think Palo Alto is among the top of the threat inspection vendors. From the NSS Labs Test Report, we can see that Palo Alto Networks always has a top score.

Machine learning in a single firewall is not that accurate or important for our customers. Since it will only see some network traffic, it cannot connect everything together, like endpoints and servers. Therefore, our customers do not value the machine learning techniques on a single firewall very much.

We may review the alerts generated by machine learning modules, then we can see if the alerts are real alerts, not false positives. This may tell us how efficient machine learning is.

Very few customers in China have used the Palo Alto NGFW’s DNS Security module. It is a new feature that was introduced only two years ago. Customers already know what the product can provide in terms of protection. Its DNS Security provides something that is not really easy to understand. Also, it increases the cost of the firewall because it requires another license to be implemented, and the cost is not low.

DNS Security is very impressive, and I think it will be an efficient way to block the rapidly changing threat landscape and maybe Zero-day attack methods.

Biggest lesson learnt: If you want to protect something, you need to gain visibility of the entire network. NG Firewalls provides a deep visibility into network traffic.

I would rate Palo Alto Networks NG Firewalls as nine out of 10.

We use it to segregate traffic between different tenant instances and to manage secure access to environments, DMZ zones, and to communicate what the firewall is doing.

With Palo Alto NG Firewalls, we can pass all compliance requirements. We trust it and we are building the security of our environment based on it. We feel that we are secure in our network.

It also provides a unified platform that natively integrates all security capabilities. It's very important because it gives us one solution that covers all aspects of security. The unified platform helps to eliminate security holes by enabling detection. It helps us to manage edge access to our network from outside sources on the internet and we can do so per application. It also provides URL filtering. The unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. In one appliance it combines URL filtering, intrusion prevention and detection, general firewall rules, and reporting. It combines all of those tools in one appliance. As a result, our network operations are better because we have a single point of view for our firewall and all related security issues. It's definitely a benefit that we don't need different appliances, different interfaces, and different configurations. Everything is managed from one place.

The most valuable features include the different security zones and the ability to identify applications not only by port numbers but by the applications themselves.

The DNS Security with predictive analytics and machine learning for instantly blocking DNS-related attacks works fine. We are happy with it.

And with the single-pass architecture, it provides a good trade-off between security and network performance. It provides good security and good network throughput.

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good.

In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

I have been using Palo Alto Networks NG Firewalls for about three years.

The solution is pretty stable.

The scalability is good.

In terms of the extensiveness of use, it depends on business needs. Every communication from the company is going through this solution, so it's highly used and we are highly dependent on the solution. 

In terms of increasing our use of the solution, it all comes down to business needs. If the business needs it, and we get to the limit of the current appliance, we will consider updating it or adding more appliances. At this point, we're good.

We previously used Cisco. The switch was a business decision and may have had to do with cost savings, but I'm not sure what the driver was.

The initial setup was a little bit complex, but not terrible. The complexity was not related to the product. It was more to do with needing to prepare and plan things properly so that in the future the solution will be scalable. If there were some predefined templates for different use cases, that would help. Maybe it has that feature, but I'm not familiar with it.

The time needed for deployment depends on the requirements. We also continuously optimized it, so we didn't just deploy it and forget it.

Our implementation strategy was to start with allowing less access and then allowing more and more as needed. We made the first configuration more restrictive to collect data on denied traffic, and then we analyzed the traffic and allowed it as needed.

We have less than 10 users and their roles are security engineers and network engineers. We have three to four people for deployment and maintenance and for coordinating with the business, including things such as downtime and a cut-over. The network and security engineers work to confirm that the configuration of the solution is meeting our requirements.

We did it ourselves.

I'm not sure about pricing. I don't know if Palo Alto NG Firewalls are cheaper or not, but I would definitely recommend Palo Alto as an option.

If you need additional features, you need additional licenses, but I'm not aware of the cost details.

We evaluated Cisco, Sophos, Dell EMC SonicWall, and FortiGate. Cost and reputation were some of the key factors we looked at, as well as the flexibility of configuration. Another factor was how many users could comfortably work on the solution when publicly deployed.

The fact that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention is important, but I still don't completely trust it. I haven't really seen this feature. Maybe it's somewhere in the background, but I haven't gotten any notifications that something was found or prevented. At this point, we still use traditional approaches with human interaction.

Overall, what I have learned from using Palo Alto is that you need to be very detailed in  your requirements.

We deployed the Palo Alto Next Generation Firewall on the perimeter of the network, so all traffic that flows to the company from the internet and from the company to the internet scanned by the Palo Alto Networks Firewall. In addition, all of the internal traffic from LAN users to services that are on the DMZ zone traverse the Palo Alto Firewall.

The strengths of Palo Alto Networks NG Firewalls are application visibility and application awareness. Their strong point is identifying applications for traffic. So all of the policies that are configured are related to the application and not to a port.

For example, let's say you want to allow HTTP traffic and the server is not listening on the standard http port which port 80 but listens on port 25 which Is the standard port for SMTP, this is not an obstacle has the firewall is focusing on the application, it identify the HTTP application and allow the HTTP application and block any other application on port 25. So we don't care on which port the app traverses.

It is easy to install and is stable too.

There is another solution from Palo Alto for endpoints - XDR  that integrates with the firewall  thus providing protection at the network level and also at the end point but the XDR solution is only a cloud based solution. I would really like it if would be possible to implement this solution on-premises this is something that I would love to see with Palo Alto Networks NG Firewalls.

The price could be lower.

I've worked with Palo Alto Networks NG Firewalls within the last 12 months.

So far, it's stable. I haven't had any problem with it. I'm always authorizing to have the minor version aligned with the latest version. There haven't been any published vulnerabilities with the product so far.

I'm using the cluster, and that's a great long term solution. So I haven't needed to expand.

There are more than 10,000 employees in the company. We hope to migrate the other branches that have a different vendor to Palo Alto.

The initial setup was straightforward from my point of view.

From a financial perspective, this solution is quite expensive.

The licensing is on a yearly basis even though we close the deal for three years upfront.

I would advise that those thinking about Palo Alto Networks NG Firewalls need to switch how they think about a policy on the firewall. They should not to look at it from the point of view of the service and what port that policy is related to. Instead, they should look at it from the application side. Don't pay too much attention to the port. Just look at the application. For example, the NGFW doesn't care if SMTP traverses on port 25 or 65. It just enforces the protocol.

From a technical point of view, I don't think that there's something that's missing from the Palo Alto Networks NG Firewalls. So, I would rate it at nine on a scale from one to ten.

The product’s most valuable feature is security.

Palo Alto Networks NG Firewalls work slowly for vulnerability management. Its performance could be faster.

We have been using Palo Alto Networks NG Firewalls for five years.

The product is stable. I rate its stability a ten out of ten.

I rate the product’s scalability a nine out of ten.

The technical support services are good. They respond immediately.

Positive

We used FortiGate earlier. We plan to switch again to FortiGate as per our vendor’s preference.

The initial setup process is quite easy. It took less than a month to complete.

I rate the product’s pricing an eight out of ten.

We evaluated Check Point. We decided to go to Palo Alto for better pricing.

I rate Palo Alto Networks NG Firewalls a nine out of ten.

It is used for protection against attacks and it is very fast and reliable. We have a lot of use cases for it.

We are an implementation partner for Palo Alto. One of the companies we implemented its Next-Generation Firewalls for was previously using Barracuda. A ransomware attack happened and they lost all their backup data, and their configuration. Once we implemented Palo Alto for them, there were similar attacks but they were blocked.

Along with Prisma, it helps in preventing a lot of attacks, especially Zero-day attacks.

The sandboxing is valuable and they are frequently updating their signature database. We get new updates every five minutes. That makes it easy to detect new and unknown attacks.

The configuration part could be improved. It's very difficult to configure. It doesn't have a user-friendly interface. You have to know Palo Alto deeply to use it.

Also, it doesn't support open-source protocols like EIGRP. We had to find another solution for that.

I've been using Palo Alto Networks NG Firewalls for the last six years.

Palo Alto suggests version 9.1.7 for stability. When new features come out, things are not as stable.

It's scalable. I recommend it for its scalability.

We generally deploy these firewalls into larger environments, but the PA-400 series is affordable.

There are problems with the technical support. When we are facing an attack, it's very difficult to get a hold of people from the TAC. It's not like Cisco, especially in India. There are very few members of Palo Alto TAC in India. Sometimes we get support from people in other countries.

Neutral

The initial deployment of these firewalls is very complex. The registration is a very difficult task. You have to go to the partner portal to register and it's not user-friendly. All the other solutions are not like that. With Juniper, for example, it's very easy to handle their portal.

The deployment time depends on the customer environment but it normally takes around three weeks. Our implementation strategy is to first understand the network we are dealing with and how we can deploy Palo Alto.

The pricing for Palo Alto is very high. The price difference with other vendors is huge because Palo Alto has been the market leader for the last five or six years, and they have a reliable product. Everybody knows Palo Alto, like Cisco routing and switching. It's likely that only enterprise-level customers can afford this kind of firewall.

Palos Alto's firewalls have machine learning software and sandboxing. Everything is one step ahead of all the competitors.

Still, almost all vendors provide the same things. They call their technologies by different names, but that's the only big difference in features.

According to the industry reviews Palo Alto has been the market leader for the last five or six years. They have better technology and the hardware is also good. It's the pricing and user interface where there are issues. Apart from them, everything is fine.

We have had a couple of big projects with government companies here in Ukraine. One of those projects involved three data centers with a lot of security and network requirements, and we implemented Palo Alto as part of this project.

The use case was to build the new data centers with a firewall that would not only work on the perimeter but also for internal traffic. We deployed eight PA-5200 Series firewalls and integrated them with VMware NSX, and they're working together.

One of the points that helped us win the tender is that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention. The customer's security team was asking for this feature from the firewalls because machine learning makes things much easier than manually sitting there with some kind of SIEM and searching for all kinds of attacks and critical issues. The machine learning is really helpful because it's doing the work automatically.

We had a small project with the PA-800 Series appliance where we implemented DNS Security. DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network.

In general, Palo Alto NG Firewalls are 

• easy to manage
• good, reliable appliances
• easy to configure.
  

They also have a good balance between security and traffic. They have good hardware and, for management, they have their own data plane. If traffic is really overloading the data plane, you still have the ability to get into the management tools to see what's going on. You can reset or block some traffic. Not all firewalls have that feature.

They have really good clients, such as a VPN client. You can also enforce security standards on workers in the field. It's a really good product. And now, for endpoint security, they have Cortex XDR. You use the same client, but with additional licenses that enable more features.

The only area I can see for improvement is that Palo Alto should do more marketing.

We work with customers, but we are not using the solution ourselves.

The scalability is really good because they have a chassis version of appliances. They plan to build new chassis. But for the really big projects here in Ukraine, we can easily cover what we need with the PA-8000 Series with Palo Alto chassis appliances.

In our project with the three data centers, each data center was able to process 40 gigs.

First-level support is provided by our distributor Bakotech. They are technical guys and they really know the product. Unlike some support providers who just send you manuals to ready, they're really helpful. You can call them at any time and they get back to you shortly and help.

The initial setup is really easy. If you're working with Palo Alto Panorama, which is their management server, it's very easy to deploy a lot of appliances in a couple of days, because you're just sending out the configuration and templates on a blind device. In a couple of hours that device is working like the rest.

Another valuable aspect of Palo Alto NG Firewalls is that the appliances and software are really reliable in terms of stability and performance. Some firewall vendors don't write real information on their datasheets and, after implementing them, you see that the reality is not the way it was described. For example, when it comes to threat prevention and how much traffic appliances can handle, there was a project where we beat another vendor's firewall because Palo Alto has the real information on its datasheets.

I have some experience with Cisco, on a small project but there was a somewhat older software version, and there was a lot of lag. When changing something in the configuration, once you pushed "commit" you could go have a coffee or do other stuff for 20 minutes or more, because it took a really long time to push that configuration to the device.

If a colleague at another company said to me, "We're just looking for the cheapest and fastest firewall," I would tell them that the cheapest is not the best. If you need really reliable hardware and software, and don't want headaches after the implementation, just buy Palo Alto.

The PA-400 is really strong and not only for SOHO or SMB companies. They have a really big throughput with Threat Prevention and DNS Security enabled. It's a really good appliance in a small size. But it's not only for small companies. The PA-460 can easily handle the traffic of a midsize company, one with 100 or 200 employees, and maybe even a little more. The PA-460 can handle about 5 gigs of traffic. With Threat Prevention, they can handle 2.5 gigabytes of traffic. For a regular office, that's good. It might be a little small for big companies.

Regarding DS tunneling, it is mostly peer-type attacks. With tunneling, it depends on what type of tunneling is used. You need to look at the specific case, at things like whether it was an internal DNS tunnel or one from the outside to the inside between branches. Most of the time, you can see that kind of traffic with a firewall if you have enabled full logging and you drop the logs into a good SIEM, like ArcSight or others. You will see the anomaly traffic via tunnels. You can also switch on decryption so you can decrypt a tunnel and see what is going on inside.

We have had no issues from our customers who are working with Palo Alto NG Firewalls. They fully cover all our customers' needs.