Palo Alto Networks NG Firewalls Reviews

We use this solution for Zero Trust Data Center Segmentation with layer 2 Palo Alto firewalls. Segmentation has allowed us to put servers into Zones based off VLAN tags applied at the Nutanix level and can change "personalities" with the change of a VLAN tag. Palo Alto calls the "Layer 2 rewrite". By default, all traffic runs through a pair of 5000 series PAs and nothing is trusted. All North and South, East and West traffic is untrusted. No traffic is passed unless it matched a rule in the firewalls. There is a lot of upfront work to get this solution to work but once implemented adds/moves/changes are easy.

This solution not only provides better security than flat VLAN segments but allows easy movement throughout the lifecycle of the server.

The most valuable feature is the ease of use of the central Panorama to control all firewalls as one unit for baseline rules and then treat each firewall separately when needed.

I wish that the Palos had better system logging for the hardware itself.

We have been using this solution for four years.

We use the firewall for securing the data center. We have designed it to be a two-stage firewall. We have a perimeter firewall which is not Palo Alto, and then the Palo Alto firewall which is acting as a data center firewall. We are securing our internal network, so we have created different security zones. And we assign each zone a particular task.

We have found the application control to be the most valuable feature. Also, Layer 7, because all other products are working up to the maximum capacity. But Palo Alto is benefiting us, especially in application control management. We are able to differentiate between Oracle traffic and SQL traffic.

The solution needs some management tool enhancements. It could also use more reporting tools. And if the solution could enhance the VPN capabilities, that would be good.

The solution is very stable, but I think the local providers have no sufficient products. We are looking for more support. 

The solution is very scalable. We are trying to increase usage. We are planning already to increase our internet center. We are planning to extend our users to around 1,500. Currently, we have about 700 users.

The local consultant support needs some improvement. External support is sufficient for us.

The initial setup was easy for us to implement.

We used a consultant for the deployment portion.

I would rate this solution 7 out of 10.

We have multiple IPS applications, and other multiple use cases.

We are using pretty much all of the features. This is deployed in our parameter and pretty much provides for different functionalities, for all incoming traffic and outgoing traffic.

The support could be improved.

The next release could use more configuration monitoring on this one, and additional features on auditing.

The solution is generally stable. There are no issues. We have forty-thousand users.

The solution is scalable, yes. We don't plan on increasing usage.

We are being provided with decent support but some of the RCS, some of the issues can be resolved much faster.

We were using Check Point. We switched because of certain features: entire equity, ideas, application visibility, single interfacing, etc.

The initial setup was complex. We're in the process of replacing it in seventy or so locations, and setup is still ongoing, but going well. It was complex because of the multiple zones that we had to create. We had multiple interfaces so there are multiple complexities that we had to address. We don't require extra staff to maintain the solution.

We implemented through a system integrator.

We have seen a return on investment. 

I don't have data points, but some of the use cases that we have already delivered to the organization have shown that a lot of threats have been identified and has been blocked. I don't know how you can quantify that. At the same time, the effort was significantly reduced on the deployment of new routes based on this.

I think, if you compare, they're a little costly next to Cisco of Check Point, but they offer a lot of other additional features to look at. The licensing is annual, and there aren't any additional fees on top of that.

We actually did not but we were using two or three other products already, so we had a good idea of what to expect.

I'd say the blueprint of the implementation needs to be ready before you start the implementation of the product. The product is generally stable and the team provides a good presence on it, but at the end, if you're putting it in the mission-critical data center, the planning needs to be extensive.

I would rate this solution an eight and a half out of ten.

Our solution is now based on clustering and load balancing. We can add more nodes to our environment to accommodate the new load within our company.

We have about 2,000 to 2,300 users on Palo Alto NG firewall support.

Palo Alto has a line of products for different customers. If you do the sizing it from the beginning, considering that you are a growing company, it is fine.

You need to plan for the future, which means that you have to pay in advance through investment. With Palo Alto NG Firewalls, the cost will be higher.

We would like to have the processing power to be enhanced with every new CPU so that we are getting more cores. Palo Alto is incorporating this. 

We are requesting now a new firewall that will come in with higher power, i.e. the 5220.

I found Palo Alto NG firewalls more intuitive compared to other products. I value the capability to identify a cloud solution.

Palo Alto has a good product and end-user experience. It's great. They can maybe add more processing power to their hardware. That's it. 

Sometimes it's stuck and you need to restart it. They have been adding a lot of things, so we need to upgrade for the new features.

Palo Alto NG is a stable product as long as it's working. It does what it expected to do. But sometimes for some reason the hardware resources spike, so it stops responding. 

The only fix is to restart the firewall,i.e. a  hardware restart. This is one of the issues. It's not related to the software because of the troubleshooting that we did. 

It's about resource consumption. Some hardware and software issues Palo Alto needs to work on. They released their Palo Alto Operating System which enhanced their product suite.

The scalability compared to other products is not good. You need to change the box whenever you want your number of connection sessions to increase. 

You can't just upgrade the parts with a software key or with adding additional hardware. You need to replace the entire box. It's not scalable. 

The solution's technical support is responsive. They are good.

We previously used a different solution that was Fortinet. I'm still using it. There's another area in the network where we use Fortinet.

We shifted from Fortinet to Palo Alto. It's just mapping the network from the available firewall to another firewall. It wasn't complex. 

Between deployment and stabilization, the product was completed in two weeks, i.e. 10 working days.

One of my team did the installation under my supervision.

You have to do proper network design from the beginning. You have to look into future expansion. Otherwise, after a year, you have to replace the entire box.

On a scale from 1 to 10, I would rate this product a seven because the point of scalability within their product is a big issue. 

If you have to put a huge investment in front to accommodate future expansion, it is fine. 

It requires forecasting. If your forecast is not correct and you are not growing to that point, then all your investments will be a waste. 

If you're adding a block so that it can accommodate your user traffic demand, then that would be perfect. 

I buy one block at a time now. I can't buy two blocks at the same time. That's a waste of money with Palo Alto NG firewalls.

I'm using many solutions. I'm working as a CTO for a big company here. I work with Palo Alto and Cisco.

I have to support many vendors. We are a system integrator.

Most features in Palo Alto are okay, but we have had some issues like publicity not working. Comments have some delay, but overall, it's a good product.

Palo Alto NG firewalls can be improved in support of finance and banking. We need better affiliations for profiling the user. 

The product has some delay in the maintenance. They have to find some solution to make updates quicker.

I would rate this product 8.5/10. It's very good.

We use this solution for WAN routing, NAT, VPN tunnels, granular security policies, URL filtering, antivirus, threat prevention, sandboxing, decryption, high availability, and reporting.

Palo Alto has improved traffic visibility, and the ability to manage it. With Palo Alto, we have more flexibility and our network is more secure. With our High availability pair, we have had no downtime for several years, since it was first put it in production. We have even changed boxes for new models during this time.

Palo Alto is easy to use, feature-rich, and it has good technical support. You can fetch users, so you have visibility by username, IP address, destination, application, and you can even define a custom application.

In the GUI, you can easily find blocked traffic and the reason for it.

The only thing that is a little strange is in Policy-Based Forwarding. When you delete and add a new rule, because of the one hundred rule limit, if the new rule has an ID that is greater than one hundred, even though you have fewer than that, it will not work. The same thing happens when you are renaming a rule. The new rule will have a new ID, so it is possible for it to be greater than one hundred. This can be easily fixed by using one command from CLI, but you have to be aware of it.

The technical support for this solution is good.

Our previous solution was open source, and not so easy to manage. We had a Linux Iptables firewall, Squid + DansGuardian proxy, and an OpenVPN server. We replaced all of these solutions with Palo Alto.

If you have some network experience then you can set it up on your own, with no setup costs. Don't buy a device with more power than you really need, because licensing depends on the cost of the box you have.

We evaluated Sophos, SonicWall, and Fortinet.

PA is a product that continuously improves, so, I have nothing to add in terms of features.

My advice is not to look for a cheaper solution, as the price/performance ratio on Palo Alto is great.

I primarily use this solution for the core banking network. It's for core security. So it's to protect against intrusion, to protect against any kind of cyber attack that can happen to it. It protects our core infrastructure.

Mostly it's improved the security side. There was no security before, and we were looking for a solution that could give us the exact capacity to do all the configurations that we need, while also providing a high level of security. 

The app ID is very good.

The support needs improvement. Also, better reporting of errors would be good.

The solution is very stable.

The scalability is not so good. Because if you want to upgrade, you have to change the service completely. We have about 2000 users.

It's a long wait time, although sometimes it's been quicker to get them. Occasionally, the type of answers provided are not so great.

We used to use Check Point, but we switched. It's because we found Palo Alto is better. Check Point is much slower, more expensive.

The initial setup was straightforward for us. We are technology oriented, so for us, it was straightforward. No complexities. For deployment, we needed about 5 people. Maintenance is only three people. Three engineers are looking after the books.

We did the implementation ourselves.

I would advise anyone to go ahead and understand exactly what they need. It's not because Palo Alto's cost is a little less. Depending on use, it's expensive. So they should understand the requirements first, before going with Palo Alto.

We previously had Check Point and eventually compared it with the Palo Alto screening, which proved that Palo Alto was the best. It was not a difficult choice.

I would rate this solution 8 out of 10. Generating reports is not so easy. I think with support, for everyone, and for all the bank company workers, they can do that a bit better. Then maybe I would rate them higher.

We're customer facing; each customer uses it for a different purpose. Some use NG Firewalls for IPS capability, some for application capabilities, these kinds of things.

The accessibility, antivirus, and stability features are the most valuable. It's so stable, the customer can use the decryption features without impacting performance.

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

It's a very stable solution.

I am the customer's technical support. If a customer has issues, they would call me.

The initial setup was basic. It was very simple. The basic configuration will only take 15 minutes. Anyone can set it up. If a person has worked with a firewall before, they can do it themselves. You only need one person for deployment.

Licensing is on a three year basis. Customers prefer one to three years. Licencing is pretty expensive. Check Point is cheaper than Palo Alto. There's also an international license. If a customer wants to control different things, they will need an extra license. 

I've helped customers using Fortinet and Check Point. They are compromised. Their firewall is not stable. But for some features, for example, encryption, they want to use this feature, but the firewall feature isn't great. With Palo Alto, there isn't any problem, you can open any feature - IPS feature, data encryption feature - there isn't an issue.

Implementation is simple, the product is stable, but I advise if people get the firewall I strongly recommend the use of the API features. They may not be accustomed to using a next-generation firewall. If they want to use NG Firewalls, they need to use and implement the API features. They need to create uses based on the application.

My understanding is Version 9 will introduce some logic features.

I would rate this solution 9 out of 10.