Palo Alto Networks NG Firewalls Reviews

These firewalls are only used for perimeter purposes, in gateway mode.

In addition to our environment being secure, we can monitor compliance of VPN users. Security and monitoring are the two big benefits.

It's also very critical for us that it provides a unified platform that natively integrates all security capabilities. We have multiple vendors and multiple solutions. Palo Alto has to work with them. For example, when it comes to authentication, we can integrate LDAP and RADIUS, among others. And in one of our customer's environments, we have integrated a new, passwordless authentication.

Apart from the security, Palo Alto NG Firewalls have nice features like App-ID and User-ID. These are the two most useful features.

With App-ID, we can identify exact traffic. Even if someone tries to fool the firewall with a different port number, or with the correct port number, Palo Alto is able to identify what kind of traffic it is.

With User-ID, we can configure single sign-on, which makes things easy for users. There is no need for additional authentication for a user. And for documentation and reporting purposes, we can fetch user-based details, based on User-ID, and can generate new reports.

Another good feature is the DNS Security. With the help of DNS security, we can block the initial level of an attack, and we can block malicious things from a DNS perspective.

The GlobalProtect VPN is also very useful.

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

We have been using Palo Alto Networks NG Firewalls for two years. I've worked on the 800 Series and the 3000 Series.

It's quite stable. They are launching a new firmware version, but compared to other products, Palo Alto is quite stable.

I have worked with Palo Alto's support many times and it is quite good. Whenever we create a support ticket, they are on time and they update us in a timely manner. In terms of technical expertise, they have good people who are experts in it. They are very supportive of customers.

Positive

The initial deployment is straightforward; very simple. The primary access for these firewalls is quite simple. We can directly access them, after a few basic steps, and start the configuration. Even the hardware registration process and licensing are quite simple.

The time it takes to deploy a firewall depends upon hardware and upon the customer's environment. But a basic to intermediate deployment takes two to three months.

Our customers definitely see ROI with Palo Alto NG Firewalls, although I don't have metrics.

I am not involved in the commercial side, but I believe that Palo Alto is quite expensive compared to others.

One of the pros of Palo Alto is the GlobalProtect, which is a VPN solution. GlobalProtect has broader compliance checks. I have worked on Check Point and FortiGate, but they don't have this kind of feature in their firewalls. Also, Check Point does not have DNS Security, which Palo Alto has.

If you're going with Palo Alto, you have to use all its features, including the DNS Security, App-ID, and SSL decryption. Otherwise, there is no point in buying Palo Alto.

We use them to do quite a bit of URL filtering, threat prevention, and we also use GlobalProtect. And application visibility is huge for us. Rather than having to do port-based firewalling, we're able to take it to an application level.

We have quite a number of security pieces that are implemented for our network, such as a DNS piece, although we're not using Palo Alto for that purpose. But with that, in line with our seam, we're able to better distinguish what normal traffic looks like versus what a potential threat would look like. That's how we're leveraging the NG Firewalls. Also, we have separated the network for our databases and we only allow specific users or specific applications to communicate with them. They're not using the traditional port base, they're using application-aware ports to make sure that the traffic that has come in is what it says it is.

Machine learning in Palo Alto's firewalls, for securing networks against threats that are able to evolve and morph rapidly, has helped us out significantly, in implementation with different security software and processes. The combination allows our security analysts to determine the type of traffic that is flowing through our network and to our devices. We're able to collect the logs that Palo Alto generates to determine if there's any type of intrusion in our network.

The machine learning in the core of the firewalls, for inline, real-time attack prevention, is very important to us. With the malware and ransomware threats that are out there, to keep abreast of and ahead of those types of attacks, it's important for our devices to be able to use AI to distinguish when there is malicious traffic or abnormal traffic within our environment, and then notify us.

The fact that in the NSS Labs Test Report from July 2019 about Palo Alto NG Firewalls, 100 percent of the evasions were blocked, is very important to us. 

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

I've been using Palo Alto NG Firewalls for about five years.

The firewalls are very stable. We've had no issues with downtime.

They're very scalable. Because we use Panorama, we're able to have global firewall rules for areas that we want to block, across the network, for security reasons. We just push those down to all the devices in one shot.

Our corporate site has about 500 users, and our 14 remote sites, because they're retail, usually have anywhere from five to 10 users each.

Their support is generally very knowledgeable. Sometimes it depends though on who you get, but they've always addressed our issues in a timely manner.

We were using older versions of Palo Alto's firewalls and we also had Cisco firewalls in our environment.

For our remote stores we're able to use Panorama, along with Palo Alto's Zero Touch Provisioning hardware. Once a device is connected to the internet and can communicate back to our Panorama, it just pulls the configurations. That means it's very easy to deploy.

It took about two to three months to deploy about 14 sites. That wasn't because we were having issues, it was just the way we scheduled the deployment, because we had to bring down different entities and had to schedule them accordingly with a maintenance window. But if it wasn't for that scheduling, within a week we could have deployed all of the remote sites.

For our implementation strategy, at our corporate site we had both old and new firewalls sitting side by side on the network. As we went to a remote site we would take them from their legacy Cisco and cut them over to the new firewall. Once that was done, we moved all of the firewall rules that were on the old firewall over to the new one.

When it comes to maintenance and administration of the firewalls, my team of five people is responsible. We have a network architect, a network specialist, two senior network specialists, and a security manager.

We did it by ourselves. We have a certified Palo Alto engineer on staff and he did all the installation.

Definitely look into a multi-year license, as opposed to a single-year. That will definitely be more beneficial in terms of cost. We went with five-year licenses. After looking at the overall costs, we calculate that we're only paying for four years, because it works out such that the last year is negligible. If we were to be billed yearly, the last year's costs would be a lot more. With the five-year plan we're saving about a year's worth of licenses.

Based on the quantity of devices we purchased, we found that the hardware price was actually cheaper than most of the other vendors out there.

If a colleague at another company were to say, "We are just looking for the cheapest and fastest firewall," given my experience with Palo Alto's NG Firewalls, my answer would depend on the size of the company and how much traffic they're going to be generating. Palo Alto is definitely not the cheapest, but if you scale it the right way it will be very comparable to what's out there.

One of the things we like about Palo Alto is the fact that the hardware appliances we have are not impacted in terms of resources. The CPU and memory stay low, so we don't have a bottleneck where it's trying to process a whole bunch of traffic and things are slow. We were looking at various brands because we were going from older hardware to newer, and we wanted to evaluate what the other vendors were doing. After that evaluation, we were comfortable that Palo Alto would be able to handle all of our network traffic without impacting performance.

We looked at Fortinet and Cisco. Cisco is a bit pricey when compared to our Palo Altos. Fortinet was definitely cheaper, but we were skeptical about their performance when we bundled all of the features that we wanted. We didn't think it was going to be fast enough to handle the network traffic that we were generating across the board. We believe Cisco would have handled our traffic, but their next-gen platform, along with SD-WAN, required us to have two separate devices. It wasn't something that would have been on one platform. That's probably why we didn't go down that road.

Part of what we considered when we were looking around was how familiar we were with the technology. That was also a big area for us. Most of the guys on our team were pretty familiar with Cisco and Palo Alto devices. They weren't too familiar with Fortinet or Check Point. We narrowed it down based on if we had a security breach, how easy would it be for us to start gathering information, remediating and troubleshooting, and looking at the origin of the threat. We looked at that versus having to call support because we weren't too familiar with a particular product. That was huge for us when we were doing the evaluation of these products.

Other than the SD-WAN, everything else has been functioning like our previous setup because it's a pretty similar license. The way that the new hardware handles URL filtering, threat protection, and GlobalProtect has been pretty solid. I don't have any issues with those.

Overall, I would rate Palo Alto NG Firewalls at nine out of 10. It's definitely not the cheapest product out there. Cost is the main reason I wouldn't put it at a 10.

We use Palo Alto Networks NG Firewalls to manage the villains. Basically, to protect the environment. 

I like that they are more stable than the previous ones, and they allow a lot of other features.

It would be better to have more tools to control Palo Alto Networks NG Firewalls. We don't have too many tools to access Palo Alto. For example, the IT team doesn't have access to it. We can see it physically and see if it's running or not. We need to contact a special team to receive that information. I would also like to see more reporting in the next release.

I have been using Palo Alto Networks NG Firewalls for two years.

Palo Alto Networks NG Firewalls is stable.

Palo Alto Networks NG Firewalls is scalable. We have about 250 people using it at our hotel.

We use Trustwave, a company that provides the devices. We have an agreement with them, and we're satisfied with the support.

We used to use Juniper and Fortinet.

The initial setup is pretty much straightforward. It takes us about two hours to set up and deploy this solution. It takes a team of two guys to deploy and maintain this solution.

I would recommend this solution to new users.

On a scale from one to ten, I would give Palo Alto Networks NG Firewalls a nine.

We use this solution as our central firewall, but not as a perimeter firewall. For our perimeter, we use another solution. 

Our organization consists of roughly 2,000 to 3,000 employees. 

Identifying applications is very easy with this solution.

I don't like the reporting. The reports it provides are not helpful. They should include more executive summaries and other important information — they're too technical.

I have been using this solution for three years. 

The stability is excellent. 

The technical support is good, but not excellent. Their responses can be quite vague and unhelpful at times. 

We used to use Checkpoint. We stopped using it because the price was too high. 

Considering our limited amount of experience, the initial setup was easy. Deployment took one month. 

A local reseller team of roughly three to five people implemented it for us — it was a great experience. 

We evaluated Palo Alto, Checkpoint, Fortinet, and Cisco Firepower. Overall, it came down to the price — that's why we went with Palo Alto Networks NG Firewalls.

This solution is very particular; it's only suited to specific companies — it's a commercial opportunity. 

Overall, on a scale from one to ten, I would give this solution a rating of eight. 

Basically, it is for protection and security. We are using it to make sure that our network is as secure as possible. We are able to evaluate each stack in each pocket and take certain actions as needed when we look into some of the content of the payload. 

We have on-prem deployments, and we also have SaaS-based services.

Mechanically, all firewalls work in a similar fashion, but what makes Palo Alto different is that it also has some of the threat hunt capabilities. It is a little bit better than other vendors.

As things are evolving, we want to make sure that Palo Alto is able to keep up with what is going on outside. They should continue to do more intelligence-related enhancements and integrate with some of the other security tools. We want to have a more intelligent toolset down the road.

We implemented this solution last year.

We currently have 25,000 users. Its usage won't increase a lot, but IT is changing very rapidly, and it would depend on the security model towards which we are moving. 

Palo Alto provides pretty good support.

It is straightforward. The deployment duration varies because there are different modules and components, but it doesn't mean that we have to complete everything to make it work. For the core piece of it, it would probably take a couple of months to install, configure, and test.

We have a vendor to help us. We have two or three people for its deployment.

It has a yearly subscription.

I would recommend this solution. I would rate Palo Alto Networks NG Firewalls an eight out of ten.

We have two 3000 Series Firewalls placed in our primary location. We have two sites and the secondary site uses the primary site for internet access. All traffic to the secondary location goes through a VPN tunnel. I'm a network administrator. 

The value of this solution for me is the protection from a single packet and ease of making security rules. It also doesn't require a special dedicated network team, I'm able to do it myself. It's a time saver for me and now in this pandemic period, users have access from home.  

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem. 

I've been using this solution for 10 years. 

It's been 10 years and I don't remember any outages because of a hardware failure or a logical error in configuration. We had problems with servers or switches initially but it works like a charm now. 

Scalability is the main disadvantage of Palo Alto. They call themselves a firewall with router capabilities but it's not a router and it requires a good bandwidth in VPN which could become a problem because you have to scale to really big hardware. We can solve the issue with other solutions, but for me the idea is to have less devices in your environment.
It's all about the hardware.  

The support is quite good. A couple of months ago, I sent an email with an issue and we got an answer in 15-20 minutes. In my experience, Palo Alto support is one of the best, maybe the best support available.

We previously used Juniper which is currently called Net Screen. I also looked at Sonic Wall. We carried out a proof of concept five years ago and they had to decide whether to go with Palo Alto or another vendor. 

For me, the initial setup is very easy. To get the device running with some capabilities but maybe not all security rules takes about an hour and it's the same for any upgrades. We have around 900 users and one admin person from our organization who deals with any issues. 

Palo Alto is an expensive solution, we currently have a three year contract. I'm not sure what our terms are. People always want cheaper, nobody wants to pay more. In our region, I think if Palo Alto was cheaper, more companies would buy the solution. 

I would absolutely recommend this product, it's expensive but I trust it. There is always room for improvement such as with scalability capabilities in Palo Alto. I know I'm not the only one who thinks this is an issue. It's possible that next time we will try virtualized firewalls, it may be a little cheaper for us. We would consider switching to something else but it would be a big move and quite complicated. Moving to a different vendor is a whole other story.

I rate this solution a nine out of 10. 

We are working on creating security policies on the firewall. We have just put GlobalProtect VPN in our company. We also have Prisma Access.

We have on-prem and hybrid cloud deployments.

It has strengthened our security policies and made our environment more secure. It has provided us more security features. Due to the rules that we have created on Palo Alto Firewall, all the malicious things have been stopped from coming into our environment.

The App-ID feature is the coolest feature because you don't need to open a new port. Apps are directly linked to the port. It provides one of the best ways to lock down the additional port switch.

Its software updates can be improved. It sometimes becomes very slow with the software updates for different features.

It should have an External Dynamic List of data. The malicious IP is not frequently getting updated in Palo Alto, and this should be done.

I have been using this solution for six years.

Its stability is good.

Its scalability is also good.

We were using Cisco ASA previously. Palo Alto has strengthened our security policies. It has also made our environment more secure than Cisco ASA.

Its initial setup is straightforward.

I would rate Palo Alto Networks NG Firewall an eight out of ten. It has been working very well.

We plan to continue using this solution. Within our organization, there are roughly 1,000 employees using this solution.

We chose Palo Alto for its security features. It's quite nice. It's very user-friendly, powerful, and there are barely any bugs. 

We have been using this solution for roughly two years.

This solution is very stable.

The scalability of the firewalls could be improved. You can't scale the physical firewalls because Palo Alto doesn't support clustering. 

The support could be improved. They could be faster.

They have a multi-layer model of support. If we're experiencing any issues, we have to go to our local partner. If our local partner can't help, then we have to go through a distribution layer that's certified from Palo Alto. If our issues can't be fixed, they will escalate them to the vendor. This can be quite annoying, to be honest.

With Cisco, for example, you can open a ticket directly with the vendors themselves, and they can escalate it internally, which is much faster.

We used to use Juniper Firewalls.

The initial setup is quite straightforward. 

We deployed this solution with some help from our local partners. Overall, deployment took a couple of days. A team of three deployed this solution.

This solution is quite expensive.

I would absolutely recommend this solution to others. Overall, on a scale from one to ten, I would give this solution a rating of nine.