Berry Wilson - PeerSpot reviewer
DevOps Security at a tech vendor with 10,001+ employees
MSP
Top 20 Leaderboard
Secures data centers consistently across all workplaces
Pros and Cons
  • "The ease of updating the platform was valuable. We could easily update the OS and different modules within the platform. It was a fairly user-friendly and easy-to-use platform."
  • "It is probably as good as it can be in terms of being highly sophisticated but having a very small leap to learn the platform and deploy it. I do not have many complaints about the platform."

What is our primary use case?

I have used it in a couple of different ways. One way was to use it as a perimeter device and to act like a traditional firewall for controlling the traffic in and out of the network and doing intrusion detection. It was more of a filtering-type device for remote access and VPNs. 

At another job, we used it as a site-to-site VPN. We scanned customer applications and code over a site-to-site VPN. These were the two main use cases that I have done over the last eight years with Palo Alto.

How has it helped my organization?

It integrates very well with AWS Cloud. We use the VM-Series of Palo Alto firewalls. It is good.

It is very important that Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities. That is because it is a very sophisticated environment when you start talking about the cloud and software-defined networking. When you think about that level of complexity, to have somebody like Palo Alto and AWS work together to make the deployment of those devices seamless is an incredible benefit to users.

There are different types of modules to provide defense for customers. It is pretty amazing.

It can secure data centers consistently across all workplaces. It is no secret that Palo Alto has made a large footprint in the industry when it comes to those types of security services. When you talk about the data centers and things like that, Palo Alto scales well. They are doing a great job.

In terms of downtime reduction, downtime is relative. There are many different types of elements that can cause downtime. It could be some type of attack or just a configuration change. However, things like Panorama and high availability embedded in the platform allow for high availability.

What is most valuable?

The ease of updating the platform was valuable. We could easily update the OS and different modules within the platform. It was a fairly user-friendly and easy-to-use platform. 

We found it to be fairly stable as well. It was largely stable.

What needs improvement?

Overall, when you consider how sophisticated the appliance or the platform is, they have done a remarkable job. It is probably as good as it can be in terms of being highly sophisticated but having a very small leap to learn the platform and deploy it. I do not have many complaints about the platform.

Buyer's Guide
Palo Alto Networks NG Firewalls
October 2025
Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,655 professionals have used our research since 2012.

For how long have I used the solution?

I have worked with this solution for about eight years.

How are customer service and support?

Palo Alto has a great support ecosystem. I only had one issue with somebody, but we got that addressed. It was just like any industry or business. You are going to have some people who do not want to act right, but overall, they have high-quality support.

I would rate them an eight out of ten. I am a customer, and I am involved in high-pressure situations. I am always going to say that I want a quicker response, but when I am being flat-out honest and reasonable, they are as good as they could possibly be without overstepping.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Check Point. I did not like Check Point at all. It is very cumbersome, so I definitely would not recommend it. 

I found the Cisco ASA line to be overly complicated for what it needs to be, but that is the history of Cisco. They have very capable devices, but they are definitely not as friendly, in my opinion. I would give a nod to Palo Alto. Palo Alto GUI seems to be a little bit easier to navigate. Cisco devices have always been very capable, but they have a steeper learning curve.

How was the initial setup?

It is fairly simple. It is as simple as it can be to get started.

The number of people required depends on the environment and the type of project that you are doing. If you are designated to deploy it as a perimeter device, you do not need that many people. If you have a situation where it is in the cloud and you have to do a lot of other things to get traffic to the device, configure the interfaces in the cloud, and later create policies and bring everything into Palo Alto, it is a more sophisticated process. You need somebody very knowledgeable about that, or you need multiple people to work that out.

What about the implementation team?

We have had some complex scenarios, but I was fairly knowledgeable about AWS and the firewalls, so I was able to put everything together myself. I did not require any third-party help.

What was our ROI?

It is a pretty significant return on investment if a device does what it says it will do, and it has a small learning curve and good stability.

What's my experience with pricing, setup cost, and licensing?

I do not have much opinion on that because I have not been involved in the procurement process of the Palo Alto devices with the exception of pay-as-you-go through AWS, but all of this stuff is very expensive, in my opinion.

What other advice do I have?

I will be a little bit pessimistic and rate it a nine out of ten, but I feel that it is a ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2533908 - PeerSpot reviewer
Senior Network and Security Engineer at a computer software company with 501-1,000 employees
Real User
Top 20
It's a complete solution that's reliable, consistent, easy to manage, and full of rich security features
Pros and Cons
  • "Palo Alto solutions are scalable and highly capable. NG firewalls offer a complete solution that's reliable, consistent, easy to manage, and full of rich security features. They're easier than other firewalls and certainly more effective."
  • "Palo Alto could improve its machine-learning capabilities. That's all new. They integrate the telemetry data and analytics up to the cloud, where they can analyze for security policies and best practices like DNS Security. It uses AI tools to sort through all the massive logs and highlight where you can take action or be aware of what's happening. If you don't have many tools in your organization, it's nice to have one tool that does an excellent job across the board."

What is our primary use case?

We use Palo Alto firewalls to secure the enterprise network and connect our branch offices with our data centers.

How has it helped my organization?

A lot of Palo Alto's attack mitigation is automatic. It's nice that you can define security policies and profiles, and the firewall can automatically take action to mitigate attacks as they occur.

We can avoid downtime because Palo Alto supports high-availability firewalls, which usually enable us to do maintenance without interruption to the enterprise. We also have redundancy in our wide area, so we are not dependent on one internet provider. If it fails, we can route across an alternate provider through our VPN tunnels. 

What is most valuable?

Palo Alto solutions are scalable and highly capable. NG firewalls offer a complete solution that's reliable, consistent, easy to manage, and full of rich security features. They're easier than other firewalls and certainly more effective.

NG Firewalls provide a unified platform that natively integrates all security capabilities. It's critical to have a cohesive system that works across the entire organization. Palo Alto embeds machine learning into the firewall's core, which is necessary to keep up with the threat landscape. 

What needs improvement?

Palo Alto could improve its machine-learning capabilities. That's all new. They integrate the telemetry data and analytics up to the cloud, where they can analyze security policies and best practices like DNS Security. It uses AI tools to sort through all the massive logs and highlight where you can take action or be aware of what's happening. If you don't have many tools in your organization, it's nice to have one tool that does an excellent job across the board. 

For how long have I used the solution?

I have used Palo Alto NG Firewalls for five and a half years. 

What do I think about the scalability of the solution?

Palo Alto firewalls have excellent scalability. The same techniques and configuration scale from a small branch office to larger data centers. They're consistent in terms of configuration. You have centralized administration through Panorama to manage all of them easily and have global visibility with both configuration and logging.

How are customer service and support?

I rate Palo Alto support seven out of 10. Palo Alto has some excellent engineers, but recently, I've had difficulty finding a technician who can solve the problem quickly. They're easy to reach, but it's sometimes harder to communicate with the support engineers. Some are more effective, but other engineers take a couple of days to analyze the issue. The support is not as good as it used to be.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used other brands of firewalls in another company, and this company has used some older firewalls. I have used Juniper SRX and NetScreen firewalls. I've also worked with Cisco ASA and SonicWall firewalls.

Palo Alto firewalls provide better visibility into the data and excellent logging that enables you to track all threats and activity. They seem to be more resilient to attacks. Other brands get overwhelmed by DDoS attacks, whereas Palo Alto has multiple levels of security that can head off some of those floods. They act almost like an intrusion detection system and some form of DDoS protection. They do a good job if you can't afford a separate product.

How was the initial setup?

I rate Palo Alto NG firewalls nine out of 10 for ease of setup. They're easier to set up than Juniper SRX or NetScreen. When I arrived, they had already installed a few firewalls, but they weren't working well. The failover and high availability were not set up properly. 

They were new to Palo Alto. They started deploying a few in their branch offices and configuring them with Panorama, so they're all registered and centrally administered. There are consistent policies and shared objects across your organization for filtering geographic regions and things like that. 

The IT VP administered some of the network after their other engineer left. They had previously used Fortinet and only recently purchased Palo Altos, but they were trying to get them deployed. As a senior network engineer, I deployed it with the IT VP, and the IT manager made some operational changes. I and a member of my team maintain the firewalls. 

What was our ROI?

Palo Alto enables you to support an extensive, busy network with fewer people. You can centrally administer the solution and apply automated content updates for virus and threat prevention. Once you get these things set up, they do a lot of it independently. You only need to keep a close watch on them. 

What's my experience with pricing, setup cost, and licensing?

Palo Alto can be priced higher than some less capable firewalls. However, they are exceptional when you consider the completeness of the solution and its ability to handle threats. Palo Alto is better than other solutions, which justifies a slightly higher price point. You have other tools that are easier to deploy, reducing your total cost of ownership. The newer models are faster, making the pricing more attractive.

A cheaper solution might be better if you have a small or home business that doesn't have many security requirements. Palo Alto scales down to small offices and larger data centers and enterprises. Their product scales to a wide range of use cases. 

What other advice do I have?

I rate Palo Alto NG Firewalls 10 out of 10. I recommend spending time with Palo Alto and other support partners planning and understanding your network before you deploy. You can simplify many capabilities into common rules that you can apply consistently across the organization to save time. Planning can help you build consistency in naming address objects, VLANs, and network resources.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chan Lung - PeerSpot reviewer
Presale Consultant at a tech vendor with 1,001-5,000 employees
Real User
Top 5
Provides strong protection through network segmentation and XDR
Pros and Cons
  • "Palo Alto NG Firewalls offer an efficient interface that simplifies log checking, troubleshooting connection issues, and firewall policy configuration."
  • "Enhancing support teams' capability to handle cases without much delay would be beneficial."

What is our primary use case?

I primarily help users migrate from traditional firewalls to Palo Alto NG Firewalls. This involves troubleshooting, assisting with application control and backup configuration, and teaching users how to optimize the firewall for their needs. Additionally, I guide users through the process of redesigning their firewalls and migrating their servers, which often includes helping them understand and manage the vast number of applications they have. Sometimes, the firewall cannot identify specific applications, requiring customization to ensure accurate recognition and security. Currently, I am working on a management query language, which involves collaborating with other teams to assess the necessity of specific applications and connections between the firewall and various assets. This ensures optimal security and network efficiency.

How has it helped my organization?

Although Palo Alto Networks NG Firewalls now utilize machine learning, its significance wasn't initially apparent to me. My first experience with Palo Alto revealed the power of their machine learning through features like WildFire, which uses real-time analysis to understand and combat hacker attacks. While early versions had tools like Power Tool that hinted at machine learning capabilities, Palo Alto didn't explicitly promote this functionality until version 10, likely in response to increasing market competition and the growing prominence of machine learning in firewalls. The embedded machine learning is helpful.

Palo Alto NG Firewalls have improved our organization's security by providing strong protection through network segmentation and XDR. The firewall has proven effective in reducing security risks and monitoring endpoint activity. It offers excellent application recognition and thorough threat analysis, boosting overall network security.

Palo Alto NG Firewalls have reduced over 90 percent of our network downtime.

What is most valuable?

Palo Alto NG Firewalls offer an efficient interface that simplifies log checking, troubleshooting connection issues, and firewall policy configuration. The process is user-friendly, guiding users through network infrastructure setup, interface creation, settings application, and policy configuration in a clear and intuitive manner.

What needs improvement?

Palo Alto Firewalls can improve their support structure, especially concerning longer working hours for engineers. Enhancing support teams' capability to handle cases without much delay would be beneficial. Additionally, the high cost of the product could be re-evaluated.

For how long have I used the solution?

I have been using Palo Alto Next Generation Firewalls for over ten years.

What do I think about the stability of the solution?

Palo Alto NG Firewalls are stable. On a scale of one to ten, I would rate them around seven or eight for stability.

What do I think about the scalability of the solution?

I find Palo Alto NG Firewalls to be highly scalable, and would rate their scalability as eight out of ten.

How are customer service and support?

Customer support's effectiveness depends on the clarity and completeness of information provided by users.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used Check Point and Fortinet in addition to Palo Alto, but I prefer Palo Alto's interface and performance.

How was the initial setup?

The initial setup for Palo Alto NG Firewalls is clear and instructive, detailing network infrastructure setup before advancing to policy configuration.

A fresh deployment of Palo Alto NG Firewalls can be completed in three days, followed by a two-day handover session to train users. This totals five days for deployment and training. However, migrations for companies with over 10,000 users and 20 subnets can take up to a month, potentially involving additional user requests or a phased approach.

What about the implementation team?

I have vast experience deploying these firewalls on-premises within our team, making use of the intuitive interface provided by Palo Alto for implementation.

What's my experience with pricing, setup cost, and licensing?

Although Palo Alto is expensive, its superior security functions, application identification, and overall performance justify the cost and make it stand out from the competition.

What other advice do I have?

I would rate Palo Alto NG Firewalls nine out of ten. The Palo Alto NG Firewalls are great, but they are expensive.

I'm most interested in Palo Alto NG Firewalls, specifically how to improve their efficiency and application identification capabilities. Sometimes applications have unique requirements or behave differently, making accurate identification crucial. Palo Alto NG Firewalls excel at application-level security because they can block traffic, prevent attacks, and identify potentially compromised applications. Unlike traditional firewalls, Palo Alto NG Firewalls go beyond basic policy enforcement and traffic filtering by incorporating intrusion prevention systems and antivirus functionality. This allows them to analyze internal traffic for risks, similar to how antivirus software protects endpoints.

Future users need to appreciate the costs involved in using Palo Alto, and the manual configuration required is beneficial because it ensures clarity and control over what is being configured. To enhance your organization's security posture and management, I recommend implementing Palo Alto Networks NG Firewalls.

Three people in our organization are directly using the Palo Alto NG Firewalls.

Upgrading Palo Alto Next-Generation Firewalls requires some maintenance.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Mohamed Kishk - PeerSpot reviewer
Network and Information Security Manager at a pharma/biotech company with 1,001-5,000 employees
Real User
Top 10
Helps us secure our network against suspicious activity but the reporting needs improvement
Pros and Cons
  • "The most valuable feature of Palo Alto Networks NG Firewalls is its application visibility, which allows us to see all users and their accessed resources."
  • "The SD-WAN feature needs improvement."

What is our primary use case?

We primarily use Palo Alto Networks NG Firewalls for a DMZ firewall. Its primary function is to separate our network into four layers: a DMZ zone for all publishing services, an internal zone for internal user access to publishing services, a zone for terminating connections between VPN consultants and internal services, and a zone for Internet access.

We implemented Palo Alto Networks NG Firewalls to secure our network and control access using filtering and application control. We also use Palo Alto WildFire for vulnerability scanning.

We have Palo Alto Networks NG Firewalls deployed on the cloud and on-prem.

How has it helped my organization?

Palo Alto helps us secure our network against suspicious activity from both internal and external sources. Its integration with our SIEM aids our SOC team in blocking malicious activity.

Palo Alto Networks NG Firewalls do a good job securing our environment. To assess any solution, the first step is to calculate the required throughput. Because we are working with a small network or environment, we need a specific amount of throughput from a firewall model. I chose this particular model based on my throughput requirements. The second consideration is the level of security achievable by the solution. We are using additional methods, such as performing a gap analysis and assessing the solution, to determine this. This involves simulating attacks passing through the firewalls to observe how the solution detects or blocks them.

What is most valuable?

The most valuable feature of Palo Alto Networks NG Firewalls is its application visibility, which allows us to see all users and their accessed resources. Additionally, its user-friendliness and customization options contribute to its overall value.

What needs improvement?

The reporting feature needs significant improvement. Generating reports in Palo Alto is challenging because it relies on specific attributes and source IDs. We want to create reports to view the number of users and consumption, but customization is difficult. The interface for generating reports is user-unfriendly, making it difficult to find information. Overall, the reporting capabilities are weak compared to other firewall solutions.

The SD-WAN feature needs improvement. It currently relies on the physical interface instead of the sub-interface, requiring Panorama rather than a local firewall. Furthermore, the configuration customization for SD-WAN application source and subnetting is significantly limited compared to other firewalls.

The technical support is slow and needs improvement.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for five years.

What do I think about the stability of the solution?

I would rate the stability of Palo Alto Networks NG Firewalls ten out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Palo Alto Networks NG Firewalls ten out of ten.

How are customer service and support?

Palo Alto does not provide direct support to customers. Each region has support partners, so to get direct support from Palo Alto, you need to be a very large customer. This is why resolving issues with Palo Alto takes a long time. We go through our partner, and they take some time to investigate and try to solve the problem. If they can't, they escalate the case to Palo Alto, which takes additional time to investigate and try solutions. This is why our cases may take days or weeks to resolve.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I work with numerous firewall solutions, including FortiGate, Cisco Firepower, Cisco Sourcefire, and Forcepoint Firewalls. I've found that each firewall excels in specific areas. For instance, I recommend Cisco Firepower for central firewall management. However, for DMZ and application control, I suggest Palo Alto. Finally, I recommend FortiGate for perimeter firewall deployment based on its extensive features and overall stability.

How was the initial setup?

The initial deployment is straightforward and can be completed in a few hours for small environments. However, larger environments with multiple policies will require additional deployment time.

What was our ROI?

We have seen a return on investment of 30 percent from Palo Alto Networks NG Firewalls. 

What's my experience with pricing, setup cost, and licensing?

Palo Alto is a more expensive firewall solution than others. However, it is the top choice for a DMZ and a valuable investment overall. We still need to invest in an additional firewall with more advanced features to enhance perimeter security.

What other advice do I have?

I would rate Palo Alto Networks NG Firewalls seven out of ten.

Those looking for the cheapest and fastest firewall won't find that combination. They must invest money to get a fast firewall suitable for their environment. Gather their requirements before choosing a firewall that fits their budget and features. They can opt for the quickest or cheapest option or select a device compatible with their needs.

We have Palo Alto Networks NG Firewalls deployed in multiple locations, serving both on-premises and cloud departments. There are three people in our organization that work with the NG Firewalls. Our clients are enterprises.

Palo Alto Networks NG Firewalls require maintenance for software upgrades, and after several years, the hardware will also need upgrades.

I recommend Palo Alto Networks NG Firewalls for their stability and high level of security. If the security of your infrastructure is critical, Palo Alto is a strong choice, though it comes with a higher price tag. If budget is a concern or security isn't a top priority, then Palo Alto may not be the best fit.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
HenryHo - PeerSpot reviewer
System Support Assistant at CITIC TELECOM CPC
Real User
Top 20
It provides a unified platform, is stable, and reduces downtime
Pros and Cons
  • "Palo Alto Networks NG Firewalls' single-path architecture offers a valuable feature, ensuring stable performance for our customers."
  • "I would like Palo Alto Networks to provide a free virtual firewall."

What is our primary use case?

As a reseller, our primary customers utilizing Palo Alto Networks NG Firewalls are in the financial services, government, and manufacturing sectors. They select Palo Alto Networks NG Firewalls due to their superior performance and security capabilities compared to alternative firewall solutions.

How has it helped my organization?

Palo Alto Networks NG Firewalls provide a unified platform that natively integrates all security capabilities for our customers.

Palo Alto Firewalls integrate machine learning into their core functionality to offer real-time, inline attack prevention that our customers rely on.

Palo Alto Networks NG Firewalls offer a variety of models designed to protect data centers in all work environments. These models share standard features.

Palo Alto Networks NG Firewalls can significantly reduce downtime, and replacing a firewall typically takes only one to two minutes.

What is most valuable?

Palo Alto Networks NG Firewalls' single-path architecture offers a valuable feature, ensuring stable performance for our customers.

What needs improvement?

Palo Alto Networks NG Firewalls pricing has room for improvement.

I would like Palo Alto Networks to provide a free virtual firewall.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for three years.

What do I think about the stability of the solution?

I have not encountered any stability issues using Palo Alto Networks NG Firewalls.

What do I think about the scalability of the solution?

The scalability of Palo Alto Networks NG Firewalls is limited because of the lack of a virtual firewall.

How are customer service and support?

The local support is better than the corporate support.

How would you rate customer service and support?

Neutral

What's my experience with pricing, setup cost, and licensing?

Palo Alto Networks NG Firewalls are expensive compared to other solutions.

I would rate the price eight out of ten, with ten being the most costly.

What other advice do I have?

I would rate Palo Alto Networks NG Firewalls eight out of ten.

Although Palo Alto Networks NG Firewalls are more expensive than other firewalls, they provide better protection and are a better value for your money.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. reseller
Simon Webster - PeerSpot reviewer
Security Architect at University Corporation for Atmospheric Research
Real User
We get reports back from WildFire on a minute-by-minute basis
Pros and Cons
  • "The WildFire reporting and Cortex XDR platform have huge infrastructures in the cloud that secure the network against threats. So, we have the potential on the system, specifically for users, where we take care of this since the user is the most dangerous. We get reports back from WildFire on a minute-by-minute basis, rather than a daily or weekly update like I used to with different AV vendors. These features can detect viruses and malware more quickly, which is super important."
  • "The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale."

What is our primary use case?

On certain levels, it protects our information. Luckily, I had switched to Palo Alto as our VPN solution for our users. We finished that in December of 2019, just in time for COVID to hit. We had a system that was able to support 650 to 700 users remoting into our campus through the VPN. This was a huge use case for us, as it was not intended to be the solution for COVID, but it turned out to be the solution for COVID. So, it was a great use case. Obviously, we want to protect our servers, virtual servers in the cloud, and on-prem. 

We have the eighth fastest supercomputer in the world. Unfortunately, we don't get to protect that because it has so much data going through it, i.e., petabytes a day. There isn't a firewall that can keep up with it. We just created a science DMZ for that kind of stuff as well as large data movers since we do weather data for the world. We research the ocean, sky, and solar weather. We have 104 universities who work with us around the world. Therefore, we need to have data available for all of them. We need to be protected as much as we can.

We started with Palo Alto 5060, then the 3060 came in, which was the next form. We have now switched to an HA system and have four firewalls as our base: a pair of 5220s and a pair of 5250s. We have been running the different OSs from PAN-OS 8.0, 8.1, 9.0, 9.1, and then 10.1. We are about to move to 10.2. We are in the process of doing that over the next week. We like to stay on the cutting edge because they are always adding more features and security.

We have it deployed in a number of different ways. We have our four main firewalls, which have two high availability pairs. One is set primarily for users and outward-facing functions. Therefore, our DMZ servers, staff, and guest networks are on one pair of firewalls. Back behind the scenes, labs and our HR department are on a separate set of firewalls. We call them: untrust and trust. Then, we have another set of firewalls, both in our Wyoming supercomputing center and in our Boulder main campus, which runs a specific program that has a DOD contract that requires more security, so they have their own set of firewalls. We also have firewalls in Azure Cloud for our tests and production environments. I am in the process of purchasing another VM firewall to put on the AWS Cloud. The last set that we have is at our Mauna Loa Solar Observatory, where we have an HA pair of just 800s because we only have a one gig radio link down the side of the volcano to the University of Hawaii.

We have between 1,200 and 1,400 staff at any given time. Essentially all of them use the solution one way or another, either to access systems or through the VPN. We also have remote users who aren't employees but instead collaborators, and they can be anywhere in the world and remote into our systems. We then have people who are doing PhD programs at universities around the world who need to get into our systems to download data sets as part of their PhD or Master's program. Thus, the solution is not limited to our employees.

How has it helped my organization?

We have been around since the late 50s to early 60s. We were one of the original people who helped set up the ARPANET, which was a precursor to the Internet. Historically, our science has been open science. We want everyone to have it. The mindset has been that our network is flat and open to everything, and we have slowly reeled that in. Now, more of our stuff is behind firewalls. We are now going through a project where we are doing some more segmentation within the protected part. Each lab is protected from each other, or at least can be. They still talk to each other all the time, so we have rules for that. If we need to, we can shut access down right away because of the firewalls.

What is most valuable?

One of the best features is that Palo Alto NGFW can embed machine learning in the core of the firewall to provide inline, real-time attack prevention. We aren't using the AWS-offered firewalls in the cloud or Azure. When I read over the specs on it, it is more like a traditional firewall where a port is open to an IP address, and that is all you know. Palo Alto can decide if traffic is of a certain kind, regardless of what port and protocol it is using. Then, it can figure that out and I can write my rules based on that. That is a huge functionality and super important to me. The machine learning as well as being able to send stuff to WildFire is pretty important too. We like to get those types of reports and know that we have more protection from zero days than most traditional companies would.

The WildFire reporting and Cortex XDR platform have huge infrastructures in the cloud that secure the network against threats. So, we have the potential on the system, specifically for users, where we take care of this since the user is the most dangerous. We get reports back from WildFire on a minute-by-minute basis, rather than a daily or weekly update like I used to with different AV vendors. These features can detect viruses and malware more quickly, which is super important.

We have some large data movers that we can't put behind the firewalls. We don't have the largest firewalls, we have the 5200 Series firewalls. Their throughput is about 20 gigs a second, and it is protecting networks that have 100 gig connections. So, we have to be kind of choosy as to what we put behind the firewalls, but for the stuff that we put behind it, the latency really isn't problematic at all. Even though the firewall location is just one aspect, we have three different areas that talk to each other over multiple 240 gig links or 200 gig lengths. The firewall is not hindering that at all.

What needs improvement?

The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale.

I know this little section here about the firewall, but I know there is a huge amount that still could be done with it. I am not touching enough of it because I just don't know how. It seems like the more I learn about it, the more I learn that there is to learn.

For how long have I used the solution?

We have been using Palo Alto Firewalls for the past six years. We started with a single firewall, then built up from that.

What do I think about the stability of the solution?

It is very stable. A lot of times, it depends on what our network tweaks are, e.g., we monitor the link between the firewall and the router. If it misses some heartbeats on that, then it will switch over. That is part of how the HA process works. If it says I am not getting network connectivity, then it tells the other one to take over. We actually have an exciting way to do that because we have one data center at the top of the hill at the front end of Boulder (or on the south end). We have another one in the HA link about 13 miles away at the north end of Boulder. We actually do an HA pair across there using a 200-gig link with dark fiber between them. Most people, with their HA pairs, will be right next to each other, but ours are only that way on a globe.

How are customer service and support?

The firewall tech support team has been very good and responsive. Sometimes, they are too responsive. They call when I am in a different meeting, then I have to figure out with whom I am going to talk. The sales engineering team is also really good because they will monitor some of that, then call me about it separately to see if I need additional support.

Which solution did I use previously and why did I switch?

For the VPN only, we used Cisco's old ASA firewalls. That was set up before my time. We moved away from that when we went to GlobalProtect in December 2019.

Primarily, I wanted a single platform. We had Palo Alto Firewalls doing firewalling things and Cisco firewalls doing the AnyConnect VPN solution. Paying maintenance of both sets didn't make a whole lot of sense to me. Also, ASAs didn't seem to be able to support as many users concurrently as the Palo Alto solution looked like it could support. So, I just got rid of the Ciscos and went to the Palo Alto NG Firewalls and GlobalProtect.

How was the initial setup?

I have actually done a lot of initial setups. They are fairly straightforward at this point. The hardest part was where I had to just send them out to Mauna Loa, and I wasn't allowed to go to Hawaii for that. I had to set them up in Boulder, then I would think how they should be used and ship them over. That was a little difficult, since once they were on the ground in Hawaii, the final steps were slightly difficult to handle. As soon as they unplugged from the switch that was currently handling traffic and plugged into the switch where the firewall was connected, the person at the other end's laptop no longer had a connection for all the stuff that had been having traffic. We had to do everything by the old phone method. It was challenging, but we got through it.

Usually, I can get the initial deployment done in a few hours. However, going through and working with people to get what they need set up, as far as the rules and different areas behind the firewall, that takes a few weeks to a couple of months. A lot of that is based on people's time.

The first thing is to get the basic things working: the networking, any routing that we need to do, and build communication to our RADIUS servers and Active Directory so we can log in and use our multi-factor authentication to manage the firewall. After that, I work with different groups who will be behind the firewall to find out what IP ranges they need supported, what kind of routing, who they want to talk to, and with whom they want talking to them. I have to know all that stuff. A lot of times, it is kind of teasing out information as far as what protocols they will be talking on or will they be using SSL or SNMP.

A lot of times that is a do-it-on-the-fly kind of thing. You sort of stand stuff up, and say, "Check it now," and then they say, "Well, this one is not working now." Or, we just added a new service and this needs to be turned on. So, there is a lot of movement back and forth.

What about the implementation team?

I have done all of it by myself, except for the very first installation of the firewall that was done in conjunction with a reseller. That was before my time.

There are two of us on the firewall team. There are another three or four guys from the networking side team who also help out.

What was our ROI?

We had an external pen test a couple of years ago. They found a number of findings for the areas of our network that hadn't yet moved behind the firewall and no findings at all for the ones that had. This was just because of the way that we wrote the rules and because of the firewalls, which prevented an external source from being able to view and enumerate our systems. If something wasn't behind the firewall, they were able to get a response back in many cases, even when they weren't supposed to be outward-facing.

I have information that Palo Alto NGFW has blocked malicious activity. We use the Palo Alto High Confidence block lists. 

What's my experience with pricing, setup cost, and licensing?

There is an advantage to going with the high availability pair licensing model versus the standalone. It gives you a high availability pair, but the pricing is only a slight increase over a single system. It makes sense to take a look at your add-on functionality, like the Applications and Threats subscription and URL protection subscription. On the user side, I might want everything. However, on the server side, I might not need very much. I might want the Applications and Threats subscription and not much else. So, you don't have to buy all the bells and whistles for every firewall. Depending on what the function is, there are ways around it.

There are a lot of other subscriptions available, such as DNS Security and URL protection. I have heard there is an advanced URL protection going to be released soon. Also, there are a few others, like SD-WAN and GlobalProtect, which is one that we have because we have users who use Macs, Linux Boxes, and Windows systems. So, we need to support all of that.

Which other solutions did I evaluate?

Someone else made the decision to buy the initial Palo Alto gear. When they left, I had to learn the Palo Alto gear. At that point, I said, "I know Palo Alto. I like it. Why would I change away from it?" So, I have looked at different solutions throughout the years, but Palo Alto is one of the best out there.

We use Cisco Umbrella for DNS. We have done this for 15 years since it was OpenDNS as part of an MSF stipulation.

What other advice do I have?

All data goes through the firewall, since our HR and finance departments are behind the firewall. A lot of our labs are behind the firewall. We have some plans to expand, as I am about to put a virtual firewall in AWS Cloud for a project. We have a C-130 hub that has been flying into hurricanes and tornadoes for years. I want to put a firewall on that to protect the instrumentation from outside sources.

If you are just looking for the cheapest, fastest firewall out there, that is a foolish attitude. The point of a firewall is to increase your security, not to increase your throughput. You don't want it to degrade your throughput, but the cheapest solution and the solution that makes sense aren't necessarily the same thing.

The main advice would be to plan on starting small, then build up. Don't try to do everything at once. Also, make sure you do the available training prior to use or at the same time, at least the basic one, because that is important. 

Make sure you have a good networking background or a good network engineer standing next to you because talking to the routers is key.

I would rate it at about eight and a half to nine out of 10. There is no perfect answer, but this is a pretty good one.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Igor Lima - PeerSpot reviewer
Network administrator at a comms service provider with 201-500 employees
Real User
Top 5
The unified platform helps centralize management and reduce downtime
Pros and Cons
  • "Palo Alto Networks NG Firewalls offer a comprehensive suite of security features, with Intrusion Prevention System and certificate inspection being among the most valuable."
  • "The machine learning feature, with its continuous potential for improvement, directly enhances the security of Palo Alto Networks NG Firewalls."

What is our primary use case?

We provide localization services and use Palo Alto Networks NG Firewalls to protect our environment.

We have two on-premises Palo Alto Networks NG Firewalls that are managed in the cloud.

How has it helped my organization?

Palo Alto Networks NG Firewalls provide a unified platform for centralized management. This is one of the most critical features of the NG Firewalls.

Palo Alto Networks NG Firewalls utilize embedded machine learning to combat the evolving landscape of cyber threats. This is crucial because traditional security methods often fall short against modern malware and sophisticated attacks. By employing machine learning, these firewalls proactively identify and mitigate risks in a way that static rules-based systems cannot, effectively countering the advanced techniques increasingly used by malicious actors.

It helps reduce downtime in our organization by 98 percent.

What is most valuable?

Palo Alto Networks NG Firewalls offer a comprehensive suite of security features, with Intrusion Prevention System and certificate inspection being among the most valuable.

What needs improvement?

The machine learning feature, with its continuous potential for improvement, directly enhances the security of Palo Alto Networks NG Firewalls.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for almost 12 years.

How are customer service and support?

The technical support is good, and Palo Alto has excellent documentation.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We also use FortiGate Firewalls in addition to Palo Alto Networks NG Firewalls. Both offer similar features and prices and are considered top competitors in the market.

What was our ROI?

The return on investment from Palo Alto Networks Next-Generation Firewalls has been significant, as the enhanced security they provide to the enterprise effectively offsets their cost.

What's my experience with pricing, setup cost, and licensing?

Palo Alto Networks NG Firewalls are affordable, and we get what we pay for.

What other advice do I have?

I would rate Palo Alto Networks NG Firewalls ten out of ten.

We have over 10,000 end users.

When choosing a firewall, cost often reflects capability. While budget-friendly options exist, their security levels may not match those of higher-end providers like Palo Alto or Fortinet. Investing in a robust firewall often provides enhanced protection and advanced features, justifying the higher cost.

We have three employees and one consultant who are responsible for the maintenance of our NG Firewalls.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
John Sayer - PeerSpot reviewer
President at JTS Network Consulting, LLC
Real User
Phenomenal reporting and it's easy to find which threats have been detected and what traffic is going through the box
Pros and Cons
  • "One of the simple features I like about Palo Alto firewalls is that it's extremely easy to find out what's happening in the network. The reporting is phenomenal, and it's easy to find which threats have been detected and what traffic is going through the box. When a customer notices something is wrong, you can quickly check the amount of traffic going through the firewall around that time. If there is anything out of the ordinary, you can decide it needs to be investigated further."
  • "The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers."

What is our primary use case?

NG Firewalls form the edge between customers' networks and the internet. They often provide load balancing to multiple internet providers. In most cases, people use NG Firewalls for more than just a basic firewall function. 

The intrusion detection and prevention feature is usually the most significant piece that people want because it provides layers of protection against malware, ransomware, and things of that nature.

How has it helped my organization?

My colleague likes to tell our clients that none of his customers who installed a Palo Alto have ever had a ransomware attack. I'm always nervous when he says that because things change so fast. However, it gives people peace of mind that they're protected at the network's edge. 

The firewall is going to do everything possible to protect resources and data. We have customers with social security numbers, HIPAA data, and other sensitive customer information. Other products don't seem to provide the same level of protection and leave customers open to malware or ransomware attacks.

Palo Alto has many features to protect against data leakage and unauthorized downloads, so it can do quite a lot to protect a network against any attack. The leadership at our client companies feel reassured that they've done what they can with the best solution out there to protect themselves.

Smart people always do stupid things, like clicking on something they shouldn't. They often realize their mistake five minutes or five seconds after doing it. We've seen what these mistakes can quickly do to an organization. Palo Alto's features help you prevent those types of things from happening. You can immediately block suspicious file downloads and push those up to Palo Alto to investigate. You can get ahead of the problem and help other folks who might not have seen that attack.

NG Firewalls provide a unified platform that natively integrates all security capabilities. Having all those features in one platform at the edge is essential. That's a massive component of the customers' overall security structure. It isn't everything, but it protects the edge of the network. 

It does not prevent someone from getting their company laptop infected at home and infecting the network when they come to the office the next day. That's where other pieces come into play to make an overall security structure. The firewall is designed to protect everything at the edge and has everything you need to do that. It protects you at the edges and provides reports that give people information about what's happening on the network at a given time and date. 

NG Firewalls take care of any holes in the client's network and reduce the number of security tools needed. A decade ago, deploying these types of tools required multiple devices, whether that was Barracuda email, firewall, and an intrusion detection platform. Generally, people had antivirus and anti-spyware systems running in their enterprises. All of that is now integrated into the Palo Alto Firewall platform. 

The antivirus and anti-spyware features are as good as anything out there. It's updated constantly, so any novel threats are automatically detected. On top of all these features, it provides a solid edge platform that incorporates all of the security features necessary in that edge component.

What is most valuable?

One of the simple features I like about Palo Alto firewalls is that it's extremely easy to find out what's happening in the network. The reporting is phenomenal, and it's easy to find which threats have been detected and what traffic is going through the box. When a customer notices something is wrong, you can quickly check the amount of traffic going through the firewall around that time. If there is anything out of the ordinary, you can decide it needs to be investigated further.

I talk to customers a lot about simple aspects. Palo Alto firewalls have vast technical capabilities in the signature database, which is constantly updated. Palo Alto does a lot of work to find threats in the wild, which is rare among vendors. From a practical and operational standpoint, the ability to see what's happening at any time, live or historically, is a huge benefit compared to other firewalls that are out there.

Machine learning is a massive part of it. Threats are always evolving, and they can constantly update the signatures they're hunting and the raw data streams they're looking for outside of something that's been defined as a true signature type of attack.

Most of my customers use what Palo Alto refers to as the WildFire functionality. Their online analysis team checks every 15 minutes to find anything new that has been detected in the wild anywhere in the world. Once their team finds something, they immediately disseminate that information down to the firewalls so they can start looking for something new. That includes anything that has evolved from one version of an attack to another. So far, we have not run into any issues with changing attacks creating problems for customers with a Palo Alto firewall in place.

It's rare for our customers to use the zero-day intelligence feature to upload information to Palo Alto. Still, receiving anything from Palo Alto that others have detected out in the wild is beneficial. Any zero-day signature people find in a data stream can be pushed down to the firewalls, and it's a huge benefit to know that the firewall can stay on top of the changes in the attack world.

The PA 400 series is excellent. It's the product that they were missing. Years ago, there was a Palo Alto 200 and a Palo Alto 500. The 500 was a relatively low-cost platform that focused more on team-sized businesses. It reached the end of its life, and they replaced it with an 800, a similar form factor but quite a bit more expensive. The 200 was replaced with a 220, which was at the low end cost-wise in the product family, but they never had anything in the middle. 

They didn't have something that offered high performance at a reasonable cost. The 400s provide that missing link inside their product family to cater to small and medium-sized businesses. Because more and more, even though companies are small, with 50 to 100 people in a company, internet bandwidth has gotten so cheap that they're typically running 1+ gigabit-per-second connections out to the internet.

While they may not be using that much bandwidth today, that will change as they do more and more online. We saw during the pandemic how that could change quickly. Suddenly, everybody's working from home, and internet connectivity is the company's lifeblood. The 400 series gives customers decent performance at a lower price point in a small form factor. It's a product they can deploy, knowing it will protect them and provide the performance they need for years.

What needs improvement?

The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers. 

Palo Alto is developing that, and I need to understand how they integrate with an Office 365-type mail environment. The next piece is figuring out how to get that information to the people who need it without somebody physically sitting in front of the screen or going to the firewall to have it delivered to them regularly. The capability is there, but it's primarily based on an older email architecture that customers rarely use anymore.

For how long have I used the solution?

I'm an integrator who has been doing professional services with Palo Alto installations for at least eight years.

What do I think about the stability of the solution?

Palo Alto firewalls are solid. I can recall that we haven't had platform failures or product issues with the Palo Alto Firewalls. Everything can have a power supply failure. We have seen that occasionally, but it's rare. In eight years, we've had to replace power supplies in two firewalls out of hundreds we've deployed. It's a physically stable platform, and the software is also solid. I typically avoid the most recent software versions until they reach what I consider mature and seasoned. 

We've seldom had issues with performance. I always tell people that internet bandwidth will be bigger and cheaper in the future, so firewalls need to keep pace from a performance standpoint. Palo Alto has done a decent job of bringing out new models with higher throughput levels while maintaining all the threat-driven functions. But we constantly need to evaluate where we are with internet bandwidth and where we expect to be in the future. 

We tell people that the physical hardware platform they choose will protect them today, no matter which one. However, the choice will determine how long that can stay in your network. It ultimately comes down to pure bandwidth. As we move towards the cloud, more and more internet bandwidth becomes critical. Multiple internet providers are now essential on most of our customers' networks. The raw bandwidth and performance through the box must keep up with that. Palo Alto's newer platforms have multiple-gigabit throughput, and I assume they'll continue with that as they evolve the product line further.

What do I think about the scalability of the solution?

Their product line includes sizeable chassis-based firewall systems that can do multiple virtual firewalls within a single platform. Even their middle-tier products have that capability. Some of our customers have numerous divisions that need separation between departments, so those scalable features come in handy. Most are organizations with one or two firewalls per site. Still, I've worked with large enterprises that had tens or hundreds of firewalls in their overall environment to maintain a separation between departments and to separate users from servers.

Palo Alto also has a product called Panorama that lets you centralize the configurations of vast numbers of firewalls. It acts as a central point for changing firewall settings, and you can push the changes out to a subset of firewalls in your environment or all of them. The bottom line is that Palo Alto can scale up NG firewalls to massive numbers of platforms.

How are customer service and support?

I rate Palo Alto support eight out of 10. 

How would you rate customer service and support?

Positive

How was the initial setup?

NG Firewalls are easy to set up. I've been doing it for a long time, so it's effortless for me to set them up. When registering a firewall with Palo Alto, you can download a Day 1 configuration into the box with many of the standard protection features activated. 

I don't use that, but I periodically check it to see if there is something else Palo Alto has determined should be enabled or a feature that should be tuned differently than I typically do. They provide the initial configuration with the critical features activated.

Deployment requires a small team. Sometimes, it's only a person from the customer side and me. Usually, it is me plus one other engineer working on deploying these where we've got changes on switches to support the firewall or adjustments to the DNS systems. A lot of different areas come into play when we change the edge. Frequently, our customers are transitioning from a rudimentary network design to a new design where we're implementing firewall and network segmentation within their environment. That's easy, but we use a team of two or three folks to finish the job as quickly as possible.

What was our ROI?

While all next-generation firewall platforms have some degree of these different components built into them, Palo Alto has rock-solid antivirus, anti-spyware, threat prevention, data leakage prevention, and file blocking, plus all of the typical functions that a firewall does. It does all of these functions exceptionally well in addition to regular firewall aspects like blocking DDoS attacks and generic types of attacks. It tends to be more expensive than most competing platforms, but the return on investment is huge. I'm almost to the point of saying that I won't support any other firewall platforms out there.

There are several new firewall models that have come along, but I tell people that Palo Alto will provide all the protection you could need. There's no reason to look at anything else out there because most other platforms don't provide the same level of protection. The value proposition to customers is the peace of knowing they've got the best protection at the edge they can buy.

What's my experience with pricing, setup cost, and licensing?

The licensing model is becoming more and more typical of vendors. There are several different licenses that we usually provide with the firewalls. DNS security is a newer one, and we're considering the types of customers who might benefit from that. 

The cost of the license is platform-dependent. It would be nice if they standardized that across the board to make the license a flat fee instead of based on scale and the platform you're using. Functionality shouldn't change based on the platform or the amount of data going through it. It's the same functionality on there. That's one aspect customers often raise. The platform's price is what it is, but the ongoing cost of the annual license is hard for some customers to wrap their heads around. 

Which other solutions did I evaluate?

Many people are just looking for the cheapest, fastest firewall, and my answer is always the same. It's a cliche to say you get what you pay for, but when you opt for the cheapest product, you have to understand that the costs of an attack are monumental. We had a customer who deployed SonicWall firewalls because they wanted something inexpensive that provides a basic level of functionality. They have spent three weeks trying to recover from a ransomware attack because the firewall didn't prevent them from downloading files into their environment, and it lacked some of the features a Palo Alto firewall has.

I tend to use examples like that. It's like switches. When everything's working great, you can go to the local store and buy yourself a cheap and expensive switch, and it'll be fine. But when there are problems, how do you recover? And what can you do with the firewall that will protect you against attacks you don't anticipate? That's where Palo Alto shines. You know you are protected when you deploy it.

Other products are less expensive because they don't provide the same level of functionality. They'll talk about threat prevention, anti-spyware, and malware functions, but they have not been updated automatically like Palo Alto and they lack zero-day functionality. Maybe they don't have some other components, like data leakage protection or file download protections to thwart a concerted attack against organizations.

I always ask people what it would cost to shut down their business for several days. This customer had a solid backup strategy for their servers at least, enabling them to start using cloud-based versions of all their servers within three days. They still were out of business for three days. Now that we've put Palo Alto firewalls in place, they feel confident that's not going to happen again.

I get nervous when people say it can't happen, but we haven't seen it happen with the Palo Alto firewall with the capabilities and features we enable on these boxes. When people say they don't want to spend that money, they need to consider it as something protecting their entire business. An internet connection isn't a nice-to-have; it's the lifeblood of their business, being protected by the firewalls.

What other advice do I have?

I rate Palo Alto NG Firewalls 10 out of 10. People who are only starting with these firewalls should rely on the technical notes and briefs Palo Alto provides on functionality. I started using Palo Alto firewalls years ago, and we deployed firewalls the way we knew how. Later, I worked with another integrator who had been doing it for about two or three years more than I had. He was configuring areas on the firewalls that I had never considered. That becomes the critical piece; turning a firewall up based on what another firewall vendor does is enough to get you the same level of functionality that the other vendors provide.

But with the additional capabilities that Palo Alto includes in the firewalls, it's imperative to have all the different pieces activated as much as the customer can accommodate in their environment. And that's a critical piece: Palo Alto provides a lot of online resources, and there are a lot of technical notes out there on what needs to be enabled in addition to that Day 1 configuration. That can give you a big head start on all the different areas that need to be enabled within the firewall.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Updated: October 2025