Palo Alto Networks NG Firewalls Reviews

We are using this solution for IDS, IPS, and VPN services.

Also, we are using it for gateway purposes. The development team accesses the data center, and the file intrusion prevention policy.

The most valuable features are the content ID, IPs, and the URL filtering service to enable protection. 

The structure is much faster and more sophisticated than Cisco.

Their cloud support is smart.

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device.

The hardware is weak.

In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security.

I would like a collaboration system and reporting ASA policy needs to be smarter.

It's definitely a stable solution.

For LAN purposes, we have 700 plus users.

The technical support is good enough.

We are using Cisco support and they are very good. 

The Palo Alto support is faster and their support is also good.

The initial setup is straightforward.

It takes a maximum of two days to deploy.

Two or three guys are enough to deploy and maintain it.

We used vendor support for the deployment.

We plan to continue the usage of this solution in the future and I would recommend it to others. 

The product is very good, I would rate Palo Alto Networks NG Firewalls a nine out of ten.

I'm a network security engineer and we are platinum partners with Palo Alto. 

Initially, there were no application controls offered in the legacy firewall. Now you can log each and every application. It provides valuable control and is the main feature in addition to the security features they're currently offering. All the firewalls - Fortinet, Cisco, Palo Alto -  provide complete visibility and control over your network which you didn't previously have. Now you have user ID and you can implement URL filtering as well, there is control over your network. End user logging is far better with Palo Alto than Fortinet or Cisco, and it helps you to troubleshoot. I'd rate Palo Alto on top. It's comfortable and that's my experience. Cisco and Fortinet provide good services, but Palo Alto offers a very good product.

There will always be room for improvement. On a daily basis you get patches for everything. They build new features, apply new technologies and new applications which need to be integrated and with that you get bugs. There are always issues, whether it's hardware or software. 

I've been using this solution for five years. 

The product is generally stable but with each new update you need to get the OS bug fix. Any security device has a vulnerability which a hacker can exploit and you have to keep on patching.

I work on the system integrator side and work with multiple customers, and this is a scalable solution. 

The support level is good, but it depends on the region you're working from. In some countries, the support flexibility is very good. For others, you have different strategies. I'm in Pakistan and Palo Alto has a different strategy here in that they don't directly provide support. You have to add another vendor in between and open a case with them and if they can't resolve your query they activate to Palo Alto. In some countries, Palo Alto directly provides support and in others they can't be contacted directly. In a couple of scenarios, we got involved with an R&D team and told them there was a bug for our end users. Palo Alto escalated that case to an R&D team and they got it fixed in the following patches.

The initial setup is a very smooth process integrated with initial configuration. It's very easy. 

You could say that the cost is higher for Palo Alto, but they are a better product compared to the other principals. 

I work with Fortinet as well as Palo Alto. Palo Alto has very extensive logging that Fortinet doesn't offer. To get that with Fortinet you need to purchase FortiAnalyzer for reporting. The logging is so extensive in Palo Alto that you can generate a report and get an analysis on the same firewall. You don't need to procure anything else. The documentation of both Fortinet and Palo Alto is up to standard. They both have very extensive documentation for their products. Both of them offer the same level of knowledge base for their customers and are up to the mark. In terms of support, Fortinet and Cisco allow you to directly open a case and get an engineer on the line. Cisco follows the same model. I'm unable to do that with Palo Alto from Pakistan. 

I would rate this solution an eight out of 10.

We deploy and provide support for this solution to our customers. The use case depends on customer requirements because Palo Alto Next Generation Firewall can be used as a data center firewall, perimeter firewall or on the cloud for a perimeter firewall or used with communications. Some customers use it for global protect connectivity. I am a senior network engineer and we are partners with Palo Alto Networks. 

The best feature of this solution is the GlobalProtect, followed by the App-ID feature which is very good. I also like the VMS feature. 

They've improved a lot of things but we'd like to see more mobility between on-prem and cloud based. I'd also like to see security synchronization between the firewalls. Managing can be difficult. 

I've been providing this solution for over two years. 

There are occasionally issues with reporting, otherwise stability is fine. 

The scalability of this solution is fine. 

Technical support is fine, although sometimes there have been delays. From a technical perspective, they are knowledgeable. 

Now that I have some experience with it, the initial setup is simple. If it's being deployed on-prem, deployment takes a couple of days. But if it's a cloud deployment, we can complete deployment in a day. 

Palo Alto is more expensive in comparison to Fortinet and other firewalls. It's okay because they do provide quality. 

I would recommend this firewall still. Our system integrates well but it depends on customer requirements so we sometimes choose to go with an alternative firewall.

I would rate this solution an eight out of 10. 

We use both the NG and VM series of Palo Alto firewalls. We sell and install them for clients to provide the best security that money can buy. Additionally, adding SD WAN on the same edge device has made an all-in-one, security-edge-intelligent routing solution possible without sacrificing performance or a secure environment.

The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us. 

An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications. On one occasion, I was alerted by Palo Alto that something unusual was happening through a particular port at a client location. I blocked the port access because I didn't know what exactly was going on and alerted the client. Then the client called me up and said, "Hey, I need the port that was blocked because [of this]." We could then test what was going on in a secure environment where it couldn't affect anything else to be sure the behavior was not something to be concerned about. In this case, Palo Alto kept the client totally safe. That is a fantastic capability.

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

I have been using the solution with clients since at least 2008 when I became a solutions architect.

Palo Alto is the most stable firewall that I have experience with. Firepower is second to Palo Alto. Fortinet is third coming in just after Firepower. Meraki is in there around number 100. The stability of that solution is absolutely horrific. That it is a security device — a firewall — makes that relatively more frightening because it affects the stability of the entire infrastructure.

Palo Alto's stability means that it is always on the alert and it keeps infrastructure safe.

Palo Alto is quite scalable and versatile.

Easy to speak with, level of professionalism is high.

Anyone should tinker with hardware from different manufacturers, then see what fits with your application. 

The complexity of the setup is somewhere in the middle of the road. It certainly isn't the most difficult, nor is it the easiest. 

MSP

Palo Alto is a little expensive compared to every other solution, but you get what you pay for. The question I have been asking customers since I became a solutions architect is what the best in security is worth. The problem with people seeking security solutions is thinking that all solutions are the same, thinking the newest technology solutions are best and thinking cost-first. A better way to think about it would be how expensive a break-in is. 

If I am shopping around for a firewall solution and I see I have to pay a lot per year for Palo Alto and I see Meraki is a much lower price, I might be attracted by the less expensive product. When it is deployed, we get broken into and lose $10 million worth of design documents. It may be quite possible that break-in could have been avoided by paying more for a better security solution. Because I went the cheap route, I lost many times what I 'saved.' For possibilities like this alone, it is hard to put a price on security. 

Take a deeper look at what happens when you try to save money on security. Meraki does SD-WAN (Software-defined Wide Area Network). That is touted as fantastic because the client is going to save a whole lot of money because they don't need MPLS (Multi-Protocol Label Switching) anymore. But the reality behind it is, there is absolutely no application acceleration, no data deduplication, and no forward error correction. Forward error correction is extremely important when you're using a device between points. But Meraki sells its devices for nickels or pennies on the dollar in comparison to other security solutions. Only then you only learn the lesson of what happens when you go cheap. Your network gets broken into more easily because of the inherent exposure in SD-WAN and it goes down a lot. 

If you have sales offices and those sales offices have Meraki firewalls, the device may observe a problem out on the internet. When it does, the Meraki's failover results in an outage. With Meraki, failover to a better link takes 30-seconds. Whether it is a 30-minute failover or 30-second failover, you can drop a call. If you are cold calling and you dropped a call, you don't get a second chance. It is impossible to say how much money you might lose. For example, if my company sells microchips and that call was going to develop into a $40 million sale, that sale is gone. It is gone because of the small comparative cost savings in security and the instability of the solution you chose to use. But a 30-second outage every single time a route is withdrawn across the internet means your phone is going to ring if you are the IT Director, and you will eventually lose your job. 

The costs for Palo Alto are structured in a similar way to other products. With Palo Alto you can do one, two, three and five years contracts. It is the same thing with Fortinet and Meraki. Hardware cost is very different than the application license. The hardware maintenance agreement is separate. With all of the firewall solutions, you will pay for a hardware maintenance agreement. That protects the hardware itself. That is an annual billing and separate from the software in all cases. Nobody bills for firewalls on a monthly basis. Even the VM version of the Palo Alto is billed per year. Using that license, you can build up a VPN that forces all default traffic to a particular device before it goes out to the internet. It is comparatively pretty cheap in practice, and it works. It works well because you only need one piece of hardware. Build the server and start slicing out VMs. Then it becomes possible for everybody in a network to be protected by Palo Altos security at a lower cost. 

As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.

That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.

Cisco Firepower NGFW (Next-Generation Firewall)

I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.

Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.

I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product. 

Firepower is a capable solution but it is difficult to set up and manage.

Cisco Meraki NGFW (Next-Generation Firewall)

Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.

If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.

There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop. 

It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.

I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.

An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.

Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."

All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.

Fortinet FortiGate NGFW (Next-Generation Firewall)

I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.

Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
     

Comparing the Complexity of Setup

Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.

Rating the Products

On a scale from one to ten with ten being the best, I would rate each of these products like this:

• Meraki is a one out of ten (if I could give it a zero or negative number I would).
• Fortinet is seven out of ten because it is simple but not so secure.
• Firepower is seven out of ten because it is more secure, but not so simple.
• Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare.
  
  

An Aside About Cisco Products 

It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.

Palo Alto is my number one choice for firewalls. I support and utilize more Palo Alto firewalls throughout my company and with my customers than any other device. Number two would be Fortinet. I don't really like Fortinet that that much because it is not as secure as Palo Alto, but I have customers who want to use it because it is a lot less expensive. Number three is Cisco Meraki, which I obviously don't like, but people request that because the Cisco name is very popular and a lot of other people are using it. I couldn't recommend against choosing a device more than choosing it by name instead of functionality. 

Palo Alto invented the method of looking at the application identifier in each packet and making a decision. For instance, many companies may want to do something like prohibiting all chat applications with the exclusion of whatever application the company is choosing to use. Let's say the company is using IP Communicator for customers and for employees to chat with each other, but the company wants to block Skype. The reason why might be because they don't want anybody bringing up a Skype call, sharing information via that Skype call, or maybe turning on a Skype call and letting other people see inside the facility. Skype has a very interesting platform in which you block one IP address on the Skype server and it allows another one. You block Skype.com and it creates another URL. Skype loves to get in and around simple security steps. Palo Alto is phenomenal because it takes a look at the application identifier within each packet and will find that it is Skype and block it. If you want to block AOL Instant Messenger, you just block it. Anything out there you don't want employees to use can just be blocked by referencing the identifier.

Netflix is another one that seems to find it's way into corporate networks. It is normal not to want employees sitting around watching movies. The Palo Alto will find out that someone is trying to access a Netflix movie and block it. Then it can also send an email to alert different people of the activity. You could set it up so that when something like that happens, an email goes to the director of IT to say, "Hey, this person may be trying to access Netflix." You may want it to just block the access type and forgo the alert. Or you can block the activity and alert anyone you want that someone appears to have tried to subvert security. The idea of this type of security measure isn't just to lay blame and get people fired, it is to identify different types of breaches and why they occur. It could be that a potential breach requires a sit-down conversation with the persons involved. But the truth is that many malicious sites — like adult related websites, platforms like gambling sites, obviously hacking-related sites, violence or gore — are loaded with malware. You don't want that on your computer, and your employer doesn't want it on the network either. It is just as bad as bringing a device to work and allowing that device to be connected to the network without protection as that is just another potential malware exposure.

Another beautiful thing with Palo Alto is that they have Wildfire. Wildfire can prohibit malware in either direction. Malware is not going to get into the network via a customer or a user surfing and it is not going to get out and affect the network and spread around via a user's BYOD (Bring Your Own Device) that got infected while he was working at home.

We are a solution provider and this is one of the firewall solutions that we implement for our customers. We present this product to customers and also handle the onsite installation.

Our clients use it to secure their network infrastructure.

The most valuable feature is WildFire, which blocks sophisticated attacks and distinguishes it from other traditional firewall functions.

I would like to see better third-party orchestration so that it is easier for the team to work with different products. 

Improvements should be made in the Cortex module.

I worked with this next-generation firewall for about four months as I rotated between departments.

We have had no complaints about stability.

Scalability has not been a problem. Our customers for this firewall are large companies in industries such as banking.

I have not been in contact with technical support.

The initial setup is quite straightforward compared to other brands of firewalls. The deployment takes about one month.

Our in-house team handles the deployment and maintenance for our customers.

My advice for anybody who is considering this product is that it is a useful firewall and high-ranking compared to others.

I would rate this solution an eight out of ten.

We resell products by Palo Alto and Cisco, and this next-generation firewall by Palo Alto is one of the products that we are familiar with.

The most valuable features are web filtering and application filtering.

The IPS functionality is very good.

The performance is good.

The price is expensive and should be reduced to make it more competitive.

Information about Palo Alto products is more restricted than some other vendors, such as Cisco, which means that getting training is important.

The traps should be improved.

I would like to see better integration with IoT technologies. Having a unified firewall for OT and IT would be very good.

We have been working with Palo Alto for about one year.

This is a stable firewall and you don't have a lot of surprises. The performance, throughput, and decryption are all good. It is important to remember that at the end of the day, it depends on the configuration.

For special functionality, you are going to have some exceptions. However, for the well-known functionality, it is stable.

It is scalable in that the performance is good and you don't need a large cluster to operate it.

The technical support is good. The team is responsive and they gave us the right information at the right time to solve the difficulties and complexities that we were experiencing.

We also sell products by Cisco and there are some differences between them. Palo Alto is more expensive and the performance is better. With Cisco, the documentation is better and it is easier to install. There is a lot more information available for Cisco products.

This is an expensive product, which is why some of our customers don't adopt it.

My advice for anyone who is implementing the Palo Alto Next-Generation firewall is to take the training that is available. This will allow them to better work with the technology.

This is an ambitious company with a good security roadmap. The product is being continuously developed and they are professionals who are focused in this area of technology. It is the firewall that I personally recommend.

I would rate this solution a seven out of ten.

Our primary use case was for perimeter protection.

Innovative, advanced threat protection is the most valuable feature. 

I don't see any specific room for improvement.

The user interface is probably not as slick as it could be.

I have been using Palo Alto for three years. 

We're on-premises primarily at the moment, but also a cloud product. 

The stability is generally pretty good. I haven't heard any complaints from our customers around Palo Alto's stability. It's one of the reasons why they're the leaders in this space.

We've got our own team for maintenance. My company is a large multinational with 20,000 employees.

I have contacted their support once. It's very good support. They help me to fix our problem quickly.

The initial setup was complex. It's not very intuitive. You need to know what you're doing for the initial setup, you need to be a Palo Alto expert.

If you compare it to their competitor Fortinet, Fortinet's FortiGate product is a lot easier to install, if you're not an expert.

The time it takes to deploy depends on how complex the deployment needs to be for the client. If it's a basic deployment, is going to take around two days. 

My advice would be to make sure the firewall is configured properly.

I would rate it an eight out of ten. Not a ten because you have to be really excellent before you get a ten out of me.

In the next release, I would like to have the ability to auto-generate rule and policy, based on known traffic, based on the baseline. That is a feature that I think Palo Alto should be able to have in some form or fashion to auto-generate and propose a policy and rules set, after putting the file into a learning mode for some period.

Our primary use case was to configure our PSAs for our customized configuration. 

I like that it has high security. 

The whole performance takes a long time. It takes a long time to configure. 

I have been using Palo Alto for six years. 

I contact Palo Alto by email or by phone. Their support is good. 

I have previously worked with Cisco ASA. Palo Alto is a lot easier especially in regards to security. It is a well-integrated software.

The difficulty of the deployment depends on our clients' environment and their requests.

We require a two-member team for support. 

In terms of how long it takes to deploy, again, it depends on the customers' environment. If the request is easy, it can take around two weeks.

I would rate Palo Alto a nine out of ten. 

In the next release, they should simplify the deployment process.