We changed our name from IT Central Station: Here's why
Presales Specialist at a tech services company with 1-10 employees
Real User
Embedded machine learning reduces manual work of having to search for attacks in a SIEM
Pros and Cons
  • "DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network."
  • "The only area I can see for improvement is that Palo Alto should do more marketing."

What is our primary use case?

We have had a couple of big projects with government companies here in Ukraine. One of those projects involved three data centers with a lot of security and network requirements, and we implemented Palo Alto as part of this project.

The use case was to build the new data centers with a firewall that would not only work on the perimeter but also for internal traffic. We deployed eight PA-5200 Series firewalls and integrated them with VMware NSX, and they're working together.

How has it helped my organization?

One of the points that helped us win the tender is that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention. The customer's security team was asking for this feature from the firewalls because machine learning makes things much easier than manually sitting there with some kind of SIEM and searching for all kinds of attacks and critical issues. The machine learning is really helpful because it's doing the work automatically.

What is most valuable?

We had a small project with the PA-800 Series appliance where we implemented DNS Security. DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network.

In general, Palo Alto NG Firewalls are 

  • easy to manage
  • good, reliable appliances
  • easy to configure.

They also have a good balance between security and traffic. They have good hardware and, for management, they have their own data plane. If traffic is really overloading the data plane, you still have the ability to get into the management tools to see what's going on. You can reset or block some traffic. Not all firewalls have that feature.

They have really good clients, such as a VPN client. You can also enforce security standards on workers in the field. It's a really good product. And now, for endpoint security, they have Cortex XDR. You use the same client, but with additional licenses that enable more features.

What needs improvement?

The only area I can see for improvement is that Palo Alto should do more marketing.

For how long have I used the solution?

We work with customers, but we are not using the solution ourselves.

What do I think about the scalability of the solution?

The scalability is really good because they have a chassis version of appliances. They plan to build new chassis. But for the really big projects here in Ukraine, we can easily cover what we need with the PA-8000 Series with Palo Alto chassis appliances.

In our project with the three data centers, each data center was able to process 40 gigs.

How are customer service and support?

First-level support is provided by our distributor Bakotech. They are technical guys and they really know the product. Unlike some support providers who just send you manuals to ready, they're really helpful. You can call them at any time and they get back to you shortly and help.

How was the initial setup?

The initial setup is really easy. If you're working with Palo Alto Panorama, which is their management server, it's very easy to deploy a lot of appliances in a couple of days, because you're just sending out the configuration and templates on a blind device. In a couple of hours that device is working like the rest.

Which other solutions did I evaluate?

Another valuable aspect of Palo Alto NG Firewalls is that the appliances and software are really reliable in terms of stability and performance. Some firewall vendors don't write real information on their datasheets and, after implementing them, you see that the reality is not the way it was described. For example, when it comes to threat prevention and how much traffic appliances can handle, there was a project where we beat another vendor's firewall because Palo Alto has the real information on its datasheets.

I have some experience with Cisco, on a small project but there was a somewhat older software version, and there was a lot of lag. When changing something in the configuration, once you pushed "commit" you could go have a coffee or do other stuff for 20 minutes or more, because it took a really long time to push that configuration to the device.

What other advice do I have?

If a colleague at another company said to me, "We're just looking for the cheapest and fastest firewall," I would tell them that the cheapest is not the best. If you need really reliable hardware and software, and don't want headaches after the implementation, just buy Palo Alto.

The PA-400 is really strong and not only for SOHO or SMB companies. They have a really big throughput with Threat Prevention and DNS Security enabled. It's a really good appliance in a small size. But it's not only for small companies. The PA-460 can easily handle the traffic of a midsize company, one with 100 or 200 employees, and maybe even a little more. The PA-460 can handle about 5 gigs of traffic. With Threat Prevention, they can handle 2.5 gigabytes of traffic. For a regular office, that's good. It might be a little small for big companies.

Regarding DS tunneling, it is mostly peer-type attacks. With tunneling, it depends on what type of tunneling is used. You need to look at the specific case, at things like whether it was an internal DNS tunnel or one from the outside to the inside between branches. Most of the time, you can see that kind of traffic with a firewall if you have enabled full logging and you drop the logs into a good SIEM, like ArcSight or others. You will see the anomaly traffic via tunnels. You can also switch on decryption so you can decrypt a tunnel and see what is going on inside.

We have had no issues from our customers who are working with Palo Alto NG Firewalls. They fully cover all our customers' needs.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Flag as inappropriate
Senior Network Engineer at a tech services company with 201-500 employees
MSP
Top 10
Combines many tools in one appliance, giving us a single point of view for our firewall and all related security issues
Pros and Cons
  • "The most valuable features include the different security zones and the ability to identify applications not only by port numbers but by the applications themselves... And with the single-pass architecture, it provides a good trade-off between security and network performance. It provides good security and good network throughput."
  • "The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good."

What is our primary use case?

We use it to segregate traffic between different tenant instances and to manage secure access to environments, DMZ zones, and to communicate what the firewall is doing.

How has it helped my organization?

With Palo Alto NG Firewalls, we can pass all compliance requirements. We trust it and we are building the security of our environment based on it. We feel that we are secure in our network.

It also provides a unified platform that natively integrates all security capabilities. It's very important because it gives us one solution that covers all aspects of security. The unified platform helps to eliminate security holes by enabling detection. It helps us to manage edge access to our network from outside sources on the internet and we can do so per application. It also provides URL filtering. The unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. In one appliance it combines URL filtering, intrusion prevention and detection, general firewall rules, and reporting. It combines all of those tools in one appliance. As a result, our network operations are better because we have a single point of view for our firewall and all related security issues. It's definitely a benefit that we don't need different appliances, different interfaces, and different configurations. Everything is managed from one place.

What is most valuable?

The most valuable features include the different security zones and the ability to identify applications not only by port numbers but by the applications themselves.

The DNS Security with predictive analytics and machine learning for instantly blocking DNS-related attacks works fine. We are happy with it.

And with the single-pass architecture, it provides a good trade-off between security and network performance. It provides good security and good network throughput.

What needs improvement?

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good.

In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for about three years.

What do I think about the stability of the solution?

The solution is pretty stable.

What do I think about the scalability of the solution?

The scalability is good.

In terms of the extensiveness of use, it depends on business needs. Every communication from the company is going through this solution, so it's highly used and we are highly dependent on the solution. 

In terms of increasing our use of the solution, it all comes down to business needs. If the business needs it, and we get to the limit of the current appliance, we will consider updating it or adding more appliances. At this point, we're good.

Which solution did I use previously and why did I switch?

We previously used Cisco. The switch was a business decision and may have had to do with cost savings, but I'm not sure what the driver was.

How was the initial setup?

The initial setup was a little bit complex, but not terrible. The complexity was not related to the product. It was more to do with needing to prepare and plan things properly so that in the future the solution will be scalable. If there were some predefined templates for different use cases, that would help. Maybe it has that feature, but I'm not familiar with it.

The time needed for deployment depends on the requirements. We also continuously optimized it, so we didn't just deploy it and forget it.

Our implementation strategy was to start with allowing less access and then allowing more and more as needed. We made the first configuration more restrictive to collect data on denied traffic, and then we analyzed the traffic and allowed it as needed.

We have less than 10 users and their roles are security engineers and network engineers. We have three to four people for deployment and maintenance and for coordinating with the business, including things such as downtime and a cut-over. The network and security engineers work to confirm that the configuration of the solution is meeting our requirements.

What about the implementation team?

We did it ourselves.

What's my experience with pricing, setup cost, and licensing?

I'm not sure about pricing. I don't know if Palo Alto NG Firewalls are cheaper or not, but I would definitely recommend Palo Alto as an option.

If you need additional features, you need additional licenses, but I'm not aware of the cost details.

Which other solutions did I evaluate?

We evaluated Cisco, Sophos, Dell EMC SonicWall, and FortiGate. Cost and reputation were some of the key factors we looked at, as well as the flexibility of configuration. Another factor was how many users could comfortably work on the solution when publicly deployed.

What other advice do I have?

The fact that Palo Alto NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention is important, but I still don't completely trust it. I haven't really seen this feature. Maybe it's somewhere in the background, but I haven't gotten any notifications that something was found or prevented. At this point, we still use traditional approaches with human interaction.

Overall, what I have learned from using Palo Alto is that you need to be very detailed in  your requirements.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
564,322 professionals have used our research since 2012.
Georges Samaha
Security Consultant at a tech services company with 501-1,000 employees
Reseller
Top 5Leaderboard
Good application detection, strong antivirus capabilities and built-in machine learning
Pros and Cons
  • "From my experience, comparing it to other products, the granularity you can have in the application is very good. The application detection is excellent. It's certainly one of the best."
  • "The solution would benefit from having a dashboard."

What is our primary use case?

We primarily use the solution as a firewall.

What is most valuable?

From my experience, comparing it to other products, the granularity you can have in the application is very good. The application detection is excellent. It's certainly one of the best. 

The engine detector application is usually one of the best compared to any other firewall on the market, in my opinion.  With it, I can do a lot of rules based on the application. If you have multiple internet links, you can have an application export from one link, and an application wire from another link. You can have security on the application. The security, for example, can have different functionalities. Basically, the granularity of rules is amazing in Palo Alto.

They have a good reputation for their antivirus capabilities.

The solution offers a strong URL based system or detection for malicious URL or malicious files. 

They even have a machine learning algorithm. They do a lot of very advanced detection for files and URLs. 

Once you deploy the product, you can basically forget about it. It has high customer satisfaction because it's always just working.

What needs improvement?

The solution would benefit from having a dashboard.

From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

For how long have I used the solution?

We've been working with Palo Alto for about six years now.

What do I think about the stability of the solution?

From my experience, it's the best hardware compared to other NG firewalls from the perspective of performance stability. While the other firewalls lose 50 or 60% of performance when enabling all policies, Palo Alto loses 10 to 20% maximum, even with enabled IPS and fire detection and all. From our experience performance-wise, it's one of the best hardware solutions for firewalls. 

We haven't lost performance really, so I would describe it as very stable. There are not any issues.

What do I think about the scalability of the solution?

Since the solution is hardware, there are some limitations in terms of scalability.

Usually, in hardware, you can't say it's scalable or not due to the fact that you have the limitations built-in related to the size of the box. The box has a maximum number that it can reach. You can add more hardware, however, the hardware itself is finite.

We usually do a POC first so we can get the figures for performance and we can put in a box that can support 20 or 30 people extra for future expansion.

How are customer service and technical support?

In general technical support is very good. That said, usually, when we face an issue, we try to solve it ourselves internally before going to level one support. 

In general, we never have had a big issue with support. I don't have much experience with the support team to tell you if they're really good or not. Usually 80% of the cases we open, we talk with the distributor and finish the operation case directly with Palo Alto. It's more like a backend request and therefore I don't have much input that would be objective.

Which solution did I use previously and why did I switch?

As resellers, we also work with Cisco and some Forcepoint solutions.

I like that in Cisco there's more security parts, like IPS, and a Demandware engine.

I like Cisco, in general, more than Palo Alto if I'm comparing the two. However, from an application perspective, our application's usability and detection and firewall control using an application, it's Palo Alto that's the best on the market. That's, of course, purely from a  firewall point of view. Even in terms of detection of the applications, it has the best system.

How was the initial setup?

The deployment depends on the client's environment as well as how they are using it. For example, an internet NG firewall on the internet, it takes, on average, a week between installation, integration, and tuning. Usually we don't do all the policies because we are system integrator. We do the main policies and we teach the customer and then do a handover to the user for tuning and all the installation extras.

If it's a data center project, it takes more time and effort. It takes a month sometimes due to the fact that we'll be dealing with a lot of traffic. The application and server are usually harder to control than internet applications like Facebook and other standard applications, and easier on the internet. Then there's also internal applications, custom applications, migrating applications, finance education applications, etc., which are not always direct from the customer or directly known.

In short, the implementation isn't always straightforward. There can be quite a bit of complexity, depending on the company.

What other advice do I have?

In general, I prefer hardware, and Palo Alto's is quite good. However, we have a couple of virtual deployments for cases as well.

I would definitely recommend the solution. It's one of the best firewalls on the market. I've worked with four different vendors in the past, and some of the most mature NG firewalls are Palo Alto's. It's their main business, so they are able to really focus on the tech. They spend a lot of time on R&D. They're always leading the way with new technologies. 

While Cisco has more main products, Palo Alto really does focus in on NG firewalls. That's why I always see them as a leader in the space.

I'd rate the solution nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
President at MT-Data
Real User
Top 20
Awesome stability, great firewall capabilities, and a rather straightforward initial setup
Pros and Cons
  • "The solution allows us to set parameters on where our users can go. We can block certain sites or ads if we want to."
  • "We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved."

What is our primary use case?

We primarily use the solution for the firewalls. We're also using the next-gen features to shape what's going on. For example, to figure out what is allowed out and what isn't allowed out on a layer-7 application-aware firewall. We can block based on the application, as opposed to port access.

How has it helped my organization?

The solution helped us stop being policemen to our users. We don't have to run around telling people they can't do certain things. We can just not allow it and walk away from it. We're not out there seeing who is doing what, we just don't allow the what.

What is most valuable?

The solution allows us to set parameters on where our users can go. We can block certain sites or ads if we want to.

The firewall capabilities are very good.

What needs improvement?

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. 

The appliances I'm working on are relatively old now. We're talking five-year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes.

Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly.

The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam. 

For how long have I used the solution?

I've been using the solution for five years.

What do I think about the stability of the solution?

The stability is awesome. I haven't had any issues with the solution stability-wise. I've got the same firewalls that have been out there for five years and they work great.

What do I think about the scalability of the solution?

I don't work with enterprise-class products. I'm not in that environment. However, so as far as I know, Palo Alto has products that will go that large. Panorama may be able to scale quite well. You can manage all your appliances out of it. They are a very popular license.

Their GlobalProtect license is very much like Cisco's AnyConnect. It does the endpoint security checks. It makes sure they've got the latest patches on and the antivirus running and they've got the latest antivirus definitions and whatnot installed before they allow the VPN connection to happen. It's quite nice.

How are customer service and technical support?

Their support is very good. I've never had any issues with their support. I would say that we've been satisfied with their level of service. 

Occasionally there may be a bit of a language issue based on where their support is located.

How was the initial setup?

The initial setup is pretty typical. It's like any firewall. As long as you've worked with next-gen firewalls, it's just a matter of getting your head around the interface. It's the same sort of thing from one firewall to the other. It's just a matter of learning how Palo Alto does stuff. Palo Alto as a system, for me, makes a whole lot of sense in the way that they treat things. It makes sense and is easy to figure out. That's unlike, for example, the Cisco firewalls that seem to do everything backwards and in a complicated way to me. 

I haven't worked with enough Cisco due to the fact I don't really like the way they work. That isn't to say that Cisco firewalls are bad or anything. It's just that they don't operate the way I think. That might have changed since they acquired FireEye which they bought a couple of years back.

What's my experience with pricing, setup cost, and licensing?

I know the solution is not inexpensive. It depends on what you ultimately sign up for or whether you just want the warranty on the hardware. 

What other advice do I have?

I'm not really a customer. I'm like a consultant. I'm an introduction expert. If I think a client needs a certain technology I point them in the direction of whoever sells it. I do go in and configure it, so I do have experience actually using the product.

When I'm looking for something, I just find someone that sells Palo Alto and I redirect the client towards them. I'm not interested in being in a hardware vendor. There's no money in it. There's so much competition out there with people selling hardware. It doesn't matter where the client gets it from.

We tend to use the 200-series models of the solution.

I'd rate the solution eight out of ten. They do a very good job. The product works well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Engineer at a comms service provider with 51-200 employees
Real User
Top 20
Reliable with a straightforward setup and good security features
Pros and Cons
  • "It's one of the best products I've worked with. It's typically a market leader on Gartner. It's a very respected brand."
  • "The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market."

What is our primary use case?

The solution is typically used for antivirus and antimalware purposes, to help protect an organization against attacks.

What is most valuable?

The solution offers many different capabilities.

It's one of the best products I've worked with. It's typically a market leader on Gartner. It's a very respected brand.

The solution offers very good security, especially in relation to antivirus activities.

The initial setup is pretty straightforward.

The product is extremely reliable.

What needs improvement?

The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market.

Clients are typically looking for a solution that's more aggressive in the market.

For example, with Fortinet, they have an SD-WAN that really has many capabilities. For example, it can inject a GSL SIM card along with the MPLS connection. It connects the system within one product. Palo Alto doesn't offer this. This is one area that will need to improve. In Indonesia, the market is growing strategically. Palo Alto has this one product, however, with the limitation of the GSM sim card they are getting left behind. 

For how long have I used the solution?

I started using the solution around 2012 or 2013. It may have been eight years or so. Sometimes I am doing a POC or implementing the solution, so it has been on and off.

What do I think about the stability of the solution?

While the solution itself is okay in terms of stability, there could be issues if the hardware is affected. We have hardware that gets affected by humidity, for example, which can end up affecting a wide range of infrastructure. If the environment is good, the solution will be okay. If we talking about Palo Alto's series starting from the 3,000 to 5,000 or 7,000, Palo Alto has a really stable product.

What do I think about the scalability of the solution?

We set up this solution for companies of all sizes, from small to large enterprises. One of our clients is a telecom, which is quite sizable. They have the most complex configuration. The solution, however, is able to work for any company, no matter what the size. In that sense, it's a scalable option.

That said, the NG firewall is not a typical product that we can scale up on a whim. If we want to scale up in this product, we need to buy a higher series. We have to replace it. If we want to scale out this product, we can do a roll out in another location. Therefore, you can expand it out, however, you do need to change the sizing, which means getting a size or two up.

How are customer service and technical support?

I haven't contacted technical support recently. The last time I spoke to the tech support team was five years ago or maybe as an Operation Engineer three or five years ago. Generally, I found that they were really good at understanding the product. In my experience, they were really helpful. I'd say I was satisfied with their support.

Which solution did I use previously and why did I switch?

I've also used Juniper, however, that may have been three or four years ago or so.

How was the initial setup?

In my case, I have a lot of experience with Palo Alto and the implementation process. Therefore, I don't find it too complex. It's rather straightforward for me. However, I have a long history with the solution. I find the hierarchy of the configuration fairly easy to understand, especially if you compare it to a solution such as Juniper. Juniper is a bit more complex to set up. Whereas, Palo Alto is a bit more straightforward.

How long deployment takes can vary. It really depends on the complexity of the configuration and the environment.

If a client only buys the implementation, they will have to handle the maintenance of the product. It's a good idea to have that type of person in-house.

What's my experience with pricing, setup cost, and licensing?

We find the cost of the solution to be very high. It's quite expensive, and one of the most expensive on the market.

The pricing is related to the complexity of the environment. The more complex the company's requirements, the more it will cost.

What other advice do I have?

We have a partnership with Palo Alto.

I am in pre-sales and often do POCs or do some aspect of evaluating the solution for clients to help them understand the usefulness.

Overall, I really do prefer Palo Alto to other options. I'm the most comfortable with it and I understand it the best out of other solutions such as Juniper or Fortinet.

I'd suggest organizations consider the solution. Yes, it is quite expensive. However, it is also very reliable and is always marked highly in Gartner due to its feature set and usability. It's easy to configure and it's very easy to add more features into your roadmap if you need to. It can easily integrate into a larger holistic security system to help keep a company safe.

In general, I would rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Tirut Hawoldar
Manager IT Security & Infrastructure at a consumer goods company with 1,001-5,000 employees
Real User
Top 20
Gives us visibility and reporting that we didn't have, improving our ability to monitor and secure our network
Pros and Cons
  • "You can easily integrate it with Active Directory, and you can use the GlobalProtect VPN for internal and external purposes. The URL Filtering is also clear and the application filtering is a plus. The application filtering is much better when you compare it to FortiGate or other firewall vendors."
  • "There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI."

What is our primary use case?

We have implemented our own private cloud where we host different services for a number of internal companies that are part of a group. We have financial companies, hospitality, and construction companies; a large variety. We use Palo Alto to provide security protection for all these companies.

How has it helped my organization?

Previously, with our old firewalls, we did not have any visibility. The application layer was zero. We didn't have any visibility there. And we also didn't have any reports. Now, we have good visibility and we are able to get reports and we can monitor the network much better. That's a big change for us and a big help.

What is most valuable?

There are a lot of helpful features

  • monitoring
  • reporting
  • WiFi.

You can easily integrate it with Active Directory, and you can use the GlobalProtect VPN for internal and external purposes. The URL Filtering is also clear and the application filtering is a plus. The application filtering is much better when you compare it to FortiGate or other firewall vendors.

Also, the fact that Next-Gen Firewalls from Palo Alto embed machine learning in the core of the firewall to provide inline and real-time attack prevention is very important. Nowadays, all the modern attacks, hackers, and bad people are becoming more intelligent and automating attacks. Embedding AI is a good idea.

We have complete visibility through the logs and the alerting. It depends on how you configure the firewall. You can configure it to get alerts whenever there's an attack or whenever something is happening. That's how we can assess if the firewall is doing the job correctly or not. We are happy with the way the firewall does its job.

What needs improvement?

There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI.

For how long have I used the solution?

We have been using Palo Alto Networks NG Firewalls since 2012.

What do I think about the stability of the solution?

The big firewalls, like the PA-300 and the PA-3020, are very good, stable, and performant. They are very reliable. The smaller models are reliable, but the performance on their management plane is a bit slow. Even the management plane of the PA-850 is a bit slow when you compare it to some of the bigger models.

What do I think about the scalability of the solution?

Scaling is easy. We currently have about 1,000 endpoints.

How are customer service and support?

We haven't worked with their technical support.

Which solution did I use previously and why did I switch?

We replaced a Cisco ASA Firewall with Palo Alto, and then we started replacing all our other firewalls with Palo Alto. Cisco ASA was not a next-generation firewall at that time. And no firewall could beat the traffic monitoring and the visibility that we had on Palo Alto.

We did a PoC before going to Palo Alto. We placed the Palo Alto in virtual wire mode, meaning a transparent mode. Without changing our existing network infrastructure, we were able to plug the Palo Alto into our network where we could see all the incoming and all the outgoing traffic. Without creating any policies or any blocking, we were able to see all the traffic and we were impressed with that part and we decided to switch to Palo Alto.

How was the initial setup?

The first deployment was very complex. I was not the one who implemented it, it was an integrator, but it was a headache due to some difficulties. After that, things became easy. We have implemented six or seven Palo Altos, and things are easy because of our familiarity with the whole deployment process. The first time we were using this firewall we were not at ease with the product. After that, we got used to it and it became easier.

Because of the issues with the first one, it took one week for the deployment, for the complete transition from Cisco ASA to Palo Alto. Since then, all the deployments have been done in one day.

What was our ROI?

We have seen ROI as a result of the visibility and reporting. These are two things we didn't have, and now that we have the visibility, we can ensure  that our network is secure.

What's my experience with pricing, setup cost, and licensing?

If you compare Palo Alto with other firewalls, it's a bit expensive.

Which other solutions did I evaluate?

At that time, Palo Alto was the leader and I think it was the only next-gen firewall.

We have looked into other firewalls since then. In 2017 or 2018, we decided to replace one Palo Alto with a Forcepoint Next-Gen Firewall. We placed that in the network but, after six months, we replaced it with Palo Alto.

What other advice do I have?

If someone is looking for the cheapest and fastest firewall, I would say the fastest is good, but not cheapest. Palo Alto Firewalls are not cheap.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Team Lead Network Infrastructure at a tech services company with 1-10 employees
Real User
Top 5Leaderboard
Stable with good performance and a fairly straightforward setup
Pros and Cons
  • "It's a next-generation firewall and it's pretty stable. You don't have to worry about if you restart it for some maintenance. It will just come back."
  • "Sometimes some of the applications the customer has do not respond as they normally should."

What is our primary use case?

The solution can be used in the data center it can be used as perimeter firewalls and gateways as well. It can be used anywhere. From the systems side, the data center side, or I typically recommend that it be deployed in a VM, as it may be able to see the internet traffic and specifically it would basically look into the details of a virtualized environment as well.

What is most valuable?

It's a next-generation firewall and it's pretty stable. You don't have to worry about if you restart it for some maintenance. It will just come back. Basically, it would come back in a straightforward manner. There are no stability issues.

The one thing that I like about Palo Alto is it's throughput is pretty straightforward. It supports bandwidth and offers throughput for the firewall.  The throughput basically decreases.

Palo Alto actually provides two throughput values. One is for firewall throughput and other is with all features. Whether you use one or all features, its throughput will be the same.

It's performance is better than other firewalls. That is due to the fact that it is based on SPD architecture, not FX. It basically provides you with the SB3 technology, a single path parallel processing. What other brands do is they have multiple engines, like an application engine and IPS engine and other even outside management engines. This isn't like that.

With other solutions, the traffic basically passes from those firewalls one after the other engine. In Palo Alto networks, the traffic basically passes simultaneously on all the engines. It basically improves the throughput and performance of the firewall. There's no reconfiguration required.

What needs improvement?

Palo Alto has all the features that any firewall should have. Other firewalls should actually copy Palo Alto so that they can provide better stability, performance, and protection - at levels that are at least at Palo-Alto's.

This isn't necessarily an issue with the product per se, however, sometimes basically there are some features, depending on the customer environment, do not work as well. Sometimes some of the applications the customer has do not respond as they normally should. Palo Alto support needs to understand the customer requirements and details so that they can resolve customer queries more effectively.

For how long have I used the solution?

I've been using the solution for the past six years at this point.

What do I think about the stability of the solution?

The solution offers very good stability. I don't have issues with bugs or glitches. It's reliable.

What do I think about the scalability of the solution?

We have a variety of customers ad they all have a different amount of users. Some have 50 users. Some have 100 users. Some have 1,000 users as well. It varies quite a bit. In that sense, it scales to meet the customer's needs.

How are customer service and technical support?

I've dealt with technical support in the past. Sometimes it is good and sometimes it's not as good. It depends on the complexity of the deployment. Overall, however, I would say that I have been satisfied with the level of service provided.

Which solution did I use previously and why did I switch?

There are multiple products from different vendors, and I basically deploy different firewalls from different vendors for the customers based on their needs. The solutions I work with include Cisco, Fortinet, and WatchGuard. There are a few others as well.

How was the initial setup?

The initial setup isn't too complex. It's pretty straightforward.

The deployment time basically depends on the deployment model. If it's a VMware model, it's pretty straightforward and you can basically deploy it in half an hour to one hour.

If it is in another deployment model, for example, if it's in Layer 3, it depends on the subnet environment, how many subnets they have, or how the traffic is routing from one end to the other end, etc. 

What about the implementation team?

I'm involved in system integration, so I basically deploy and manage the solution for the other customers.

What other advice do I have?

I'm an integrator. I work with many clients. My clients use both the cloud and on-premises deployment models.

I would recommend the solution to other organizations.

Overall, I would rate it at a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Solutions Architect at a comms service provider with 51-200 employees
Reseller
Top 5
A good solution with great stability and very good Policy Optimizer feature
Pros and Cons
  • "I love the Policy Optimizer feature. I am also completely happy with its stability."
  • "Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete. Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet. We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks."

What is our primary use case?

We mainly use it for perimeter protection between the internet and the local network. We are using it for application control. We exploit the applications with some policies about how the network traffic is going to be from the local LAN to the external network and vice versa. We are protecting our network from outsiders and stopping them from getting into the network.

What is most valuable?

I love the Policy Optimizer feature. I am also completely happy with its stability.

What needs improvement?

Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete.

Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet.

We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks.

For how long have I used the solution?

I have been using this solution for about three years.

What do I think about the stability of the solution?

I am completely happy with its stability. I have no issues with its stability.

What do I think about the scalability of the solution?

I don't need more scalability. I can use the new features without changing the hardware. The features are completely inside the hardware, so I have no issue with the scalability. Most of our customers are big businesses.

How are customer service and technical support?

I didn't have a very complex call with their technical support.

How was the initial setup?

It depends. It can be complex when we are replacing a solution with Palo Alto Networks and the customer doesn't know how the policy is going to be implemented in the solution. If that is not the case and it is a clean installation, it is very straightforward. It is not at all complex.

The deployment generally takes a whole week. This includes the planning stage and doing the initial setup. It takes about two days to set up a device, power it on, and turn on the policies.

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution.

Which other solutions did I evaluate?

Our clients compare it with Check Point. Palo Alto Network has the application granularity. It enables you to handle the applications, policies, and Policy Optimizer. There is no need for splitting the management plane and the processing plane. In Check Point, you need two devices. You need one device for the management and one for the gateway. Palo Alto has both in one, which is a good feature.

Check Point is a kind of cheaper solution, and we can deploy that application on open servers. The open servers option in Check Point has a huge cost-saving. In terms of performance, I will always choose Palo Alto Network because its IPS feature is superior to Check Point. It is much better than Check Point.

What other advice do I have?

First of all, I would say that the engineer who is going to deploy the solution has to know how the network policy is going to be introduced into the firewall. It is very important for deployment because it is a new concept that Palo Alto introduced in the market. The second thing is to know the policies, not on the layer-4 basis, but in terms of policies, such as SMB, DSTP, and other such things.

I would rate Palo Alto Networks NG Firewalls a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Product Categories
Firewalls
Buyer's Guide
Download our free Palo Alto Networks NG Firewalls Report and get advice and tips from experienced pros sharing their opinions.