Palo Alto Networks NG Firewalls Reviews

We're using Palo Alto Networks NG Firewalls as a backup hardware solution. When the main firewalls have an issue, we're using the backup solution and hardware firewalls to avoid any network issues or prolonged downtime.

Palo Alto Networks Firewalls helped us reduce downtime. When we have another backup solution, the firewalls come down, we have backup hardware, and we have a Docker site that can work if we have an issue in our HQ data center.

Palo Alto provides more security. 

I have no issues if the subscription is renewed on time. 

Some configurations can take time.

The dashboard needs improvement as I find it more complicated compared to Sophos. It is not as user-friendly, especially when trying to easily check problems or generate reports which are easier with Sophos.

I've used the solution for two years.

The solution is stable. It has a feature that allows load balancing across multiple lines. If one line drops, another line can maintain service until the issue is resolved and we return to the original line.

The solution is scalable for large companies, however, it is expensive for medium and small companies.

I would rate technical support from Palo Alto at an eight out of ten.

Positive

We are still using a Sophos appliance as well. However, we are planning to consolidate to using just one solution soon.

I was involved in the setup. I participated with the company that ran the implementation. They didn't provide me with most of the information necessary to help implement in other areas.

The consultant company we're dealing with is the one handling the setup for this solution, not us. The consultant is a partner with Palo Alto.

As an investment, if you're going to use it for enterprise, it's good.

The price of Palo Alto Firewalls is too expensive compared to Sophos licenses and appliance hardware.

For medium companies, I would advise using Sophos. For larger enterprises, Palo Alto is more suitable.

I'd rate the solution seven out of ten.

We use it for perimeter security because it gives application layer security and we also use it for VPN access.

We use the PA-3200 and PA-200 models. In terms of the version, we are one version behind the latest one. The latest version is 11, and we are still on version 10.

The biggest benefit we have seen from it is the ability to identify the traffic of our networks based on the application ID that Palo Alto can provide. Palo Alto firewalls have the most extensive App-ID library, so we are able to identify which applications are necessary for business and which ones are not. We can then block those that are not crucial for business at the firewall itself, so App-ID in the firewall was the biggest benefit to us.

Palo Alto NGFW embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is important and very helpful. I wouldn't be able to compare it to any other product because we have used Palo Alto for eight years, but the machine learning that they have embedded into their OS has been very helpful. Based on the learning that they have done, they have been able to analyze the traffic and coordinate traffic patterns to alert us about possible malware and even block it.

It provides a unified platform that natively integrates all security capabilities. Palo Alto NGFW has been able to give us all that we need from one particular appliance itself. If we wanted, we could have also used the DNS feature, and in that case, one device could have met all our needs.

Because it's a unified platform, management is easy. You have to learn only one particular management interface. Once our IT team gets familiar with the management interface, it's easier for them to apply security policies, monitor the traffic, and manage the plans using the same GUI. There are no learning curves for different products.

We try to keep our security fairly tight. The policies that we have created on the Palo Alto NGFW have been based on security requirements. As of now, we haven't detected anything that would point to a hole in our environment, so it is very hard to say whether Palo Alto NGFW’s unified platform helped to eliminate any security holes.

It has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. It has helped us consolidate into one vendor. Earlier, we used to have an appliance for the firewall, and then we had an appliance for VPN. We had a separate appliance for the collection and correlation of data. We have eliminated all of those. They are now in one box. The same firewall gives us security policies and lets us collect all the data about the traffic flowing in and out of the network and correlate events. It has helped us eliminate the VPN appliances that we were using in the past. It has helped us to eliminate two other vendors and bring all the services into one.

The single-pass architecture is good. Everything is analyzed just once, so it improves the performance. 

Application layer firewalling has been the most valuable feature because it gives thousands of application IDs that we can use to control traffic into and out of our environment. The second most important feature has been the GlobalProtect VPN feature.

The only problem that I see with the Palo Alto NGFW being an all-in-one appliance is that because of the different features that are being put into a single appliance, the OS tends to be beefier. Over the eight years, we have seen that the number of features or analyses being put into the appliance itself has a tendency to slow down the appliance, especially at the time of bootup. So, any time we are doing maintenance work, the time required for the appliance to boot up and be fully functional again is significantly longer than eight years ago. They could find a way to make this all-in-one appliance faster.

They should also make the documentation much easier to understand. Given all the features that they have built into the firewalls, it should be easier for the end users to understand the product and all the features available on the product. They should be able to utilize the product to the maximum capabilities. The documentation and the tech support available need to improve. The tech support of Palo Alto has deteriorated over the past few years, especially after our pandemic. Getting tech support on our issues is very difficult. They could definitely improve on that.

I've been using it for about eight years.

It's very stable. We have had no issues. There are only two issues that I recall ever happening on our firewalls. The first one was when they released an application ID that caused a problem on the network, but they were able to resolve it quickly within a matter of hours. The second issue was also because of the change in the OS. In both cases, the resolution was quick.

In terms of scalability, they have a huge range of models, so depending on what your requirements are, you can scale up from the very base model that goes from 100 megabits per second to the largest one that goes to 10 gigs per second. They have a wide range of appliances that you can upgrade to based on your needs.

In terms of the traffic that can pass through the firewall, it has been fairly good for us. We have not had to upgrade our network. Being a small company, we don't have too many users. In the past eight years, we have not had to change our bandwidth for the increase in traffic. Whatever we selected four years ago, they remain the same. We have not had to upgrade the hardware capabilities just because our traffic is increasing, but in terms of feature sets, we have added more and more features to the appliances. When we started off with Palo Alto, we were only using the firewall features, and then slowly, we added a VPN for mobile users. We added a VPN for site-to-site connectivity, and the scalability has been good. We have not had to upgrade the hardware. We have just been adding features to the existing hardware, and it has not caused any deterioration in the performance.

We have about fifty users that are split between the East Coast and the West Coast. Each coast has only about twenty-five users. All in all, we have about fifty users using these products.

It used to be good in the past, but over the last few years, it has been very bad. You open a case, and you expect somebody to get back to you and help you out with the issue. They say that based on the SLAs, somebody will get back to you within a certain number of hours for the priority ticket that you created, but that getting back actually includes the initial response where somebody is just acknowledging that they have the ticket. That does not mean that somebody provides me with the solution or takes action on it. If I open a priority one case, which means my network is down, somebody will get back to me within two hours based on the SLA, but that response only includes the acknowledgment mentioning that your case has been received. That's it. It's a different question whether someone is going to get on the phone with you or give you an email about how to troubleshoot the issue and fix that issue.

I'd rate them a six out of ten based on the response time and the quality of the responses received over the last three or four years.

Neutral

We were using Cisco's router-based firewalls. They had some advantages, but they did not have a graphical interface for configuration, which was the weakest point. Getting team members on the team who were not familiar with the command line configurations for our Cisco firewalls made us select a product that provides a graphical interface for configuration, and that was a reason for moving to Palo Alto.

It has been fairly easy to set up. The initial setup is good. The migration to a new box can also be pretty straightforward.

I have had experience with setting it up from scratch, and it has been good. It's more on the simpler side. The initial setup to get the firewall in place with basic security principles is straightforward. When you go to the advanced features, it gets trickier.

The deployment duration depends on the complexity of the network and the kind of rules that you want to implement. The physical appliances are relatively straightforward to set up. For the base security, it doesn't take more than a couple of hours to set it up, but it can take a relatively long time to set up and configure the firewalls that sit in the cloud.

We use physical appliances and virtual appliances. The physical appliances are in our on-prem environment, and the virtual appliances are in our cloud environment. It took about four hours to set up the physical appliances from scratch, whereas the virtual or VMCD ones took a lot longer. It took two to three days to set them up.

For the VMCD ones, we had to get help from their pre-sales support team, but for the on-prem physical appliances, we did the implementation ourselves.

It isn't cheap. It's cheaper to replace the equipment every three years than to upgrade. We have done two refreshes of their appliances. What I have seen is that the initial hardware cost is low, but you need a subscription and you need maintenance plans. After every three years, if you're trying to renew your maintenance or subscription, that can be very costly. It's cheaper to just get a newer solution with a three-year subscription and maintenance. It's cheaper to replace your hardware completely with a new subscription plan and a new maintenance plan than to renew the maintenance subscription on existing hardware. That's the reality of the Palo Alto pricing that gets to us.

You pay for the initial hardware, and then you have to pay the subscription cost for the features that you want to use. Every feature has an extra price. Your firewall features are included with the appliance, but the antivirus feature, DNS security feature, VPN feature, URL filtering, and file monitoring features are additional features that you need to pay for. So, you pay extra for every feature that you add, and then based on the features you purchase, you have to pay the maintenance plan pricing too.

Before moving to Palo Alto, we did evaluate other options. In those days, we tried out the Check Point firewall. We tried out Fortinet, but Palo Alto was the one that met our needs in terms of the features available and the ease of learning its features and configuration. We went for it also because of the price comparisons.

Try to get hold of a presales engineer and do a PoC with all the features that you're looking at before you make a purchase decision.

It isn't cheap. It's definitely the faster one. It meets all the needs. If you're looking for an all-in-one solution, Palo Alto NGFW would definitely meet your needs, but it isn't the cheapest one.

We have not used their DNS security feature because we use a competitor's product. We use Cisco Umbrella for that. The reason is that for the DNS security to work, the traffic from those endpoints needs to flow through the firewalls, but we have a lot of mobile user devices whose traffic does not flow through the firewall and we'd like them to have DNS security. We use Cisco Umbrella because that's an endpoint application that protects the endpoints from vulnerabilities based on the DNS reputation, and all the traffic from those endpoints does not necessarily need to go through a central endpoint, like a firewall.

Overall, I would rate Palo Alto NGFW an eight out of ten. 

We have multiple offices across the United States. Palo Alto Networks NG Firewalls is the best solution for securing our network, and the best part is that we can provide a single working solution.

Palo Alto Networks NG Firewalls' embedded machine learning is very important. Every packet is inspected by the firewall, and if it is heuristic or contains a virus or some other unknown packet, it is sent to the Wildfire feature for review. If the packet is safe, it is allowed to pass through, otherwise, a signature is left to protect the organization. The updated signature is then sent to the entire network for the same packet.

Palo Alto Networks NG Firewalls machine learning helps secure our networks against threats that are able to evolve rapidly.

Palo Alto Networks NG Firewalls DNS security helps prevent DNS-related attacks in combination with our policies and machine learning.

Palo Alto Networks NG Firewalls provide a unified platform that integrates with all security capabilities.

The zero-delay security feature with cloud technology is able to immediately releases the signature and update the database.

Palo Alto Networks NG Firewalls single-pass architecture has fast processing and security because of the separate models. The networking speeds rely more on the routers, not the firewall.

The solution provides the ability to process the packets regularly saving us processing time and that is very valuable.

The user ID, Wildfire, UI, and management configuration are all great features.

The stability, scalability for enterprise-level organizations, and technical documentation have room for improvement.

I have been using the solution for six years.

When it comes to network security, there is no such thing as stability; every day brings different forms of attacks, which we must constantly work to prevent.

The solution is scalable but has room for improvement at an enterprise level.

We have around 1,000 people using the solution.

The technical support is good. We receive a quick resolution for our issues.

Positive

The initial setup is straightforward. The deployment time depends on the type of implementation the organization requires but it is not complex. We can do everything from the firewall GUI without having to install any software.

The implementation is completed in-house.

The solution is expensive. Other vendors such as Fortinet provide the same features for less.

I give the solution a nine out of ten.

Palo Alto Networks NG Firewalls is a good solution and I recommend it to others for their network security needs.

Compared to the other firewalls, Palo Alto Networks NG Firewalls are the quickest.

We use these firewalls to manage wastewater systems for over a hundred municipalities across the country. As a result, we exclusively use them in the operational technology (OT) space.

One of the key benefits is that it enables us to secure environments that may pose more significant security challenges.

The centralization capability is the most valuable feature of this solution as it enables us to monitor our systems efficiently. Additionally, the firewalls are excellent, with straightforward configuration and comprehensible interfaces that our engineers can set up with ease.

The cloud firewall solution offers a unified platform that integrates social security capabilities, but it comes at an additional cost.

I think having the ability to see the big picture is important for us, and that's not always easy to achieve. 

As for how important it is for us to have Palo Alto NG Firewalls and defense machine learning at the core of the firewall for real-time attack prevention, I think it's a bit premature to say. There are many players in that field currently, and I would prefer to see them get it right before jumping in just for the sake of being there.

A major concern is making the licensing more accessible to enable small municipalities to afford and manage their own systems independently.

I have had experience working with Palo Alto Networks NG Firewalls for a minimum of three to four years.

I would rate the stability of Palo Alto Networks NG Firewalls a nine or ten out of ten.

Palo Alto Networks NG Firewalls are very scalable.

As far as I know, the technical support for this solution is excellent. 

My team has used it a few times and has always been satisfied with the service. I have never received any negative feedback regarding the support lines.

I would rate the technical support an eight or nine out of ten.

Positive

A lot of the municipality's systems rely on Palo Alto Networks NG Firewalls to stay online, and we've found that they provide better uptime compared to most other solutions.

Our downtime has been reduced by 80 to 90% with the implementation of Palo Alto Networks NG Firewalls.

I was not involved in the deployment process.

We have seen a return on investment. By centralizing our monitoring of systems, we have been able to make our lives easier.

The licensing leaves a lot to be desired. 

We buy the license and then we can't transfer the license without paying an exorbitant fee to our client if they leave us, and that just seems to be a bit of a pain point for us, and there's really no way to partner effectively to make that more reasonable.

We continuously review firewalls, whether it's Check Point or Fortinet, or Cisco. But Palo Alto has been the best for us.

As most of our environments are in the cloud, we don't have a lot of experience in securing data centers.

If a colleague at another company is only looking for the cheapest and fastest firewall, I would advise them that Palo Alto Networks is not the right solution for them. 

While it may not be the most affordable or the quickest to set up, the investment in Palo Alto Networks NG Firewalls is well worth it in terms of reliability and security. 

Choosing a firewall based solely on cost and speed may result in a false sense of security and leave the organization vulnerable to breaches and downtime.

I would rate Palo Alto Networks NG Firewalls an eight out of ten.

NG Firewalls form the edge between customers' networks and the internet. They often provide load balancing to multiple internet providers. In most cases, people use NG Firewalls for more than just a basic firewall function. 

The intrusion detection and prevention feature is usually the most significant piece that people want because it provides layers of protection against malware, ransomware, and things of that nature.

My colleague likes to tell our clients that none of his customers who installed a Palo Alto have ever had a ransomware attack. I'm always nervous when he says that because things change so fast. However, it gives people peace of mind that they're protected at the network's edge. 

The firewall is going to do everything possible to protect resources and data. We have customers with social security numbers, HIPAA data, and other sensitive customer information. Other products don't seem to provide the same level of protection and leave customers open to malware or ransomware attacks.

Palo Alto has many features to protect against data leakage and unauthorized downloads, so it can do quite a lot to protect a network against any attack. The leadership at our client companies feel reassured that they've done what they can with the best solution out there to protect themselves.

Smart people always do stupid things, like clicking on something they shouldn't. They often realize their mistake five minutes or five seconds after doing it. We've seen what these mistakes can quickly do to an organization. Palo Alto's features help you prevent those types of things from happening. You can immediately block suspicious file downloads and push those up to Palo Alto to investigate. You can get ahead of the problem and help other folks who might not have seen that attack.

NG Firewalls provide a unified platform that natively integrates all security capabilities. Having all those features in one platform at the edge is essential. That's a massive component of the customers' overall security structure. It isn't everything, but it protects the edge of the network. 

It does not prevent someone from getting their company laptop infected at home and infecting the network when they come to the office the next day. That's where other pieces come into play to make an overall security structure. The firewall is designed to protect everything at the edge and has everything you need to do that. It protects you at the edges and provides reports that give people information about what's happening on the network at a given time and date. 

NG Firewalls take care of any holes in the client's network and reduces the number of security tools needed. A decade ago, deploying these types of tools required multiple devices, whether that was Barracuda email, firewall, and an intrusion detection platform. Generally, people had antivirus and anti-spyware systems running in their enterprises. All of that is now integrated into the Palo Alto Firewall platform. 

The antivirus and anti-spyware features are as good as anything out there. It's updated constantly, so any novel threats are automatically detected. On top of all these features, it provides a solid edge platform that incorporates all of the security features necessary in that edge component.

One of the simple features I like about Palo Alto firewalls is that it's extremely easy to find out what's happening in the network. The reporting is phenomenal, and it's easy to find which threats have been detected and what traffic is going through the box. When a customer notices something is wrong, you can quickly check the amount of traffic going through the firewall around that time. If there is anything out of the ordinary, you can decide it needs to be investigated further.

I talk to customers a lot about simple aspects. Palo Alto firewalls have vast technical capabilities in the signature database, which is constantly updated. Palo Alto does a lot of work to find threats in the wild, which is rare among vendors. From a practical and operational standpoint, the ability to see what's happening at any time, live or historically, is a huge benefit compared to other firewalls that are out there.

Machine learning is a massive part of it. Threats are always evolving, and they can constantly update the signatures they're hunting and the raw data streams they're looking for outside of something that's been defined as a true signature type of attack.

Most of my customers use what Palo Alto refers to as the Wildfire functionality. Their online analysis team checks every 15 minutes to find anything new that has been detected in the wild anywhere in the world. Once their team finds something, they immediately disseminate that information down to the firewalls so they can start looking for something new. That includes anything that has evolved from one version of an attack to another. So far, we have not run into any issues with changing attacks creating problems for customers with a Palo Alto firewall in place.

It's rare for our customers to use the zero-day intelligence feature to upload information to Palo Alto. Still, receiving anything from Palo Alto that others have detected out in the wild is beneficial. Any zero-day signature people find in a data stream can be pushed down to the firewalls, and it's a huge benefit to know that the firewall can stay on top of the changes in the attack world.

The PA 400 series is excellent. It's the product that they were missing. Years ago, there was a Palo Alto 200 and a Palo Alto 500. The 500 was a relatively low-cost platform that focused more on team-sized businesses. It reached the end of its life, and they replaced it with an 800, a similar form factor but quite a bit more expensive. The 200 was replaced with a 220, which was at the low end cost-wise in the product family, but they never had anything in the middle. 

They didn't have something that offered high performance at a reasonable cost. The 400s provide that missing link inside their product family to cater to small and medium-sized businesses. Because more and more, even though companies are small, with 50 to 100 people in a company, internet bandwidth has gotten so cheap that they're typically running 1+ gigabit-per-second connections out to the internet.

While they may not be using that much bandwidth today, that will change as they do more and more online. We saw during the pandemic how that could change quickly. Suddenly, everybody's working from home, and internet connectivity is the company's lifeblood. The 400 series gives customers decent performance at a lower price point in a small form factor. It's a product they can deploy, knowing it will protect them and provide the performance they need for years.

The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers. 

Palo Alto is developing that, and I need to understand how they integrate with an Office 365-type mail environment. The next piece is figuring out how to get that information to the people who need it without somebody physically sitting in front of the screen or going to the firewall to have it delivered to them regularly. The capability is there, but it's primarily based on an older email architecture that customers rarely use anymore.

I'm an integrator who has been doing professional services with Palo Alto installations for at least eight years.

Palo Alto firewalls are solid. I can recall that we haven't had platform failures or product issues with the Palo Alto Firewalls. Everything can have a power supply failure. We have seen that occasionally, but it's rare. In eight years, we've had to replace power supplies in two firewalls out of hundreds we've deployed. It's a physically stable platform, and the software is also solid. I typically avoid the most recent software versions until they reach what I consider mature and seasoned. 

We've seldom had issues with performance. I always tell people that internet bandwidth will be bigger and cheaper in the future, so firewalls need to keep pace from a performance standpoint. Palo Alto has done a decent job of bringing out new models with higher throughput levels while maintaining all the threat-driven functions. But we constantly need to evaluate where we are with internet bandwidth and where we expect to be in the future. 

We tell people that the physical hardware platform they choose will protect them today, no matter which one. However, the choice will determine how long that can stay in your network. It ultimately comes down to pure bandwidth. As we move towards the cloud, more and more internet bandwidth becomes critical. Multiple internet providers are now essential on most of our customers' networks. The raw bandwidth and performance through the box must keep up with that. Palo Alto's newer platforms have multiple-gigabit throughput, and I assume they'll continue with that as they evolve the product line further.

Their product line includes sizeable chassis-based firewall systems that can do multiple virtual firewalls within a single platform. Even their middle-tier products have that capability. Some of our customers have numerous divisions that need separation between departments, so those scalable features come in handy. Most are organizations with one or two firewalls per site. Still, I've worked with large enterprises that had tens or hundreds of firewalls in their overall environment to maintain a separation between departments and to separate users from servers.

Palo Alto also has a product called Panorama that lets you centralize the configurations of vast numbers of firewalls. It acts as a central point for changing firewall settings, and you can push the changes out to a subset of firewalls in your environment or all of them. The bottom line is that Palo Alto can scale up NG firewalls to massive numbers of platforms.

I rate Palo Alto support eight out of 10. 

Positive

NG Firewalls are easy to set up. I've been doing it for a long time, so it's effortless for me to set them up. When registering a firewall with Palo Alto, you can download a Day 1 configuration into the box with many of the standard protection features activated. 

I don't use that, but I periodically check it to see if there is something else Palo Alto has determined should be enabled or a feature that should be tuned differently than I typically do. They provide the initial configuration with the critical features activated.

Deployment requires a small team. Sometimes, it's only a person from the customer side and me. Usually, it is me plus one other engineer working on deploying these where we've got changes on switches to support the firewall or adjustments to the DNS systems. A lot of different areas come into play when we change the edge. Frequently, our customers are transitioning from a rudimentary network design to a new design where we're implementing firewall and network segmentation within their environment. That's easy, but we use a team of two or three folks to finish the job as quickly as possible.

While all next-generation firewall platforms have some degree of these different components built into them, Palo Alto has rock-solid antivirus, anti-spyware, threat prevention, data leakage prevention, and file blocking, plus all of the typical functions that a firewall does. It does all of these functions exceptionally well in addition to regular firewall aspects like blocking DDoS attacks and generic types of attacks. It tends to be more expensive than most competing platforms, but the return on investment is huge. I'm almost to the point of saying that I won't support any other firewall platforms out there.

There are several new firewall models that have come along, but I tell people that Palo Alto will provide all the protection you could need. There's no reason to look at anything else out there because most other platforms don't provide the same level of protection. The value proposition to customers is the peace of knowing they've got the best protection at the edge they can buy.

The licensing model is becoming more and more typical of vendors. There are several different licenses that we usually provide with the firewalls. DNS security is a newer one, and we're considering the types of customers who might benefit from that. 

The cost of the license is platform-dependent. It would be nice if they standardized that across the board to make the license a flat fee instead of based on scale and the platform you're using. Functionality shouldn't change based on the platform or the amount of data going through it. It's the same functionality on there. That's one aspect customers often raise. The platform's price is what it is, but the ongoing cost of the annual license is hard for some customers to wrap their heads around. 

Many people are just looking for the cheapest, fastest firewall, and my answer is always the same. It's a cliche to say you get what you pay for, but when you opt for the cheapest product, you have to understand that the costs of an attack are monumental. We had a customer who deployed SonicWall firewalls because they wanted something inexpensive that provides a basic level of functionality. They have spent three weeks trying to recover from a ransomware attack because the firewall didn't prevent them from downloading files into their environment, and it lacked some of the features a Palo Alto firewall has.

I tend to use examples like that. It's like switches. When everything's working great, you can go to the local store and buy yourself a cheap and expensive switch, and it'll be fine. But when there are problems, how do you recover? And what can you do with the firewall that will protect you against attacks you don't anticipate? That's where Palo Alto shines. You know you are protected when you deploy it.

Other products are less expensive because they don't provide the same level of functionality. They'll talk about threat prevention, anti-spyware, and malware functions, but they have not been updated automatically like Palo Alto and they lack zero-day functionality. Maybe they don't have some other components, like data leakage protection or file download protections to thwart a concerted attack against organizations.

I always ask people what it would cost to shut down their business for several days. This customer had a solid backup strategy for their servers at least, enabling them to start using cloud-based versions of all their servers within three days. They still were out of business for three days. Now that we've put Palo Alto firewalls in place, they feel confident that's not going to happen again.

I get nervous when people say it can't happen, but we haven't seen it happen with the Palo Alto firewall with the capabilities and features we enable on these boxes. When people say they don't want to spend that money, they need to consider it as something protecting their entire business. An internet connection isn't a nice-to-have; it's the lifeblood of their business, being protected by the firewalls.

I rate Palo Alto NG Firewalls 10 out of 10. People who are only starting with these firewalls should rely on the technical notes and briefs Palo Alto provides on functionality. I started using Palo Alto firewalls years ago, and we deployed firewalls the way we knew how. Later, I worked with another integrator who had been doing it for about two or three years more than I had. He was configuring areas on the firewalls that I had never considered. That becomes the critical piece; turning a firewall up based on what another firewall vendor does is enough to get you the same level of functionality that the other vendors provide.

But with the additional capabilities that Palo Alto includes in the firewalls, it's imperative to have all the different pieces activated as much as the customer can accommodate in their environment. And that's a critical piece that Palo Alto provides a lot of online resources, and there are a lot of technical notes that are out there on what needs to be enabled in addition to that Day 1 configuration. That can give you a big headstart on all the different areas that need to be enabled within the firewall.

In most cases, our use cases were for migration and conversions. People were coming off of dated Cisco platforms and other types of firewall technologies that might not have met next-generation standards, like App-ID. Then, Palo Alto Unit 42 had to go out there and investigate with threat hunters, etc, which was not that well-known or used. Then, Palo Alto sort of showed everybody that world back in 2007 or 2008.

Mostly, I was dealing with people migrating off of their platforms onto Palo Alto. Unfortunately, in most cases, they wound up just converting them into service-based firewalls, like what they were already using, because they weren't ready to accept the requirements behind actually creating an effective App-ID policy yet for their company.

It wasn't well adopted at first. Even though everybody wanted it, people were putting it in and not really fully deploying it. Once I started working for Palo Alto, we had a whole lot more control over getting people to actually utilize the technology, like it was meant to be used. Mostly, it was going in as a service-based firewall with some App-ID. However, people weren't really taking advantage of the SSL decryption and other things necessary to truly utilize the firewall effectively.

I have an active customer who has 600 users using Palo Alto. I have another active customer with 300 users using Palo Alto.

It helps the organization function better by virtue of cleaner and more predictive Internet access and usage being conducted by the employees and constituents of the company. It helps ensure that they have a stronger security posture. It is preventive medicine If you have DNS Security in place. You will be happy you had it. If you don't have it, you may never need it. However, if you did need it, and didn't have it, you will wish that you did. It is one of those things, like insurance.

Machine learning is definitely here to stay. Machine learning has to be a part of everybody's solution now, especially going out into the cloud where we don't have as much hardware control. We don't control our perimeters as much anymore. We need to have machine learning. So, machine learning has been a critical point in the evolution of this product.

DNS Security incorporates Unit 42, WildFire, and all the rest of their antivirus and threat features. It can be very effective because it will know about these bad actor zones and DNS hacks before it gets to your network, which is important. Everybody should be using it, but I haven't found as many people adopting it as they should.

For anything manipulating TCP 453 or any type of DNS-type application, you will want to be all over that. It is definitely a big problem.

It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management,

I worked for Palo Alto for about three and a half to four years. I retired from them last year. Before that, I was with Juniper firewalls. So, I have about 10 years experience, on and off, with Palo Alto in various, different scenarios.

They push stuff out that is not quite ready. If you use the product one version back, then you are pretty good. However, if you try to stay cutting edge, you are going to run into stuff that doesn't work. They are forever releasing stuff that doesn't work right or as designed. Every company does that though, so it is just a question of who is worse. You need to be careful with some of the newer stuff that they release. You need to bake it very well before you put it into production.

I am not absolutely certain they have done a good job in scaling out. They may start to suffer now and going forward because there are other, more cloud-ready platforms out there starting to shine over Palo Alto. They are not the prodigal son anymore.

It has limited scalability since it is still very hardware-centric. They have a cloud VM model, but I haven't had too much experience with it.

The tech support was once great, but now it is poor. The tech support has gone south. It is really difficult. I had a Priority 1 case last a week in their queue, and after multiple complaints, I finally got somebody to take the case. These are things that are unacceptable in the business world. They could train their employees better.

Several years ago, I would put technical support at eight or nine out of 10. Now, they are down around two or three, which is really low. I have had very bad luck with their support lately.

Negative

It depends on whether you are coming in from a migration, which means that you expect everything that you will be doing to be out-of-the-box. It has to be if you are putting it in place. You can then evolve it from there to make it more capable. 

I find the technology pretty easy to work with. Some people don't find it as straightforward. That probably leaves some areas for improvement, where people almost have to do a boot camp to fully take advantage of the product. That shouldn't be the case for a new customer. It should be a little bit more seamless than it is, but it's not bad. I can't really knock it. It is fairly simple to employ, if you know what you are doing.

Most migrations take anywhere from two to six weeks.

I did the deployment. I was using it while I was at Palo Alto. I am still managing them, even outside of Palo Alto. It has been a consistent experience.

The return on investment doesn't necessarily show right away. However, if a company gets hacked and taken down, they are out of business. So, was your return on investment strong if you put these firewalls in and it prevented that? Absolutely. However, if you put them in and you never get attacked, then you might ask, "Would you have gotten attacked before?

There is a license for DNS Security, which I have never actually licensed, but it is a very powerful tool. DNS security is important, and I think that Palo Alto's capabilities are effective and strong there. However, I don't find a lot of companies taking advantage of it.

This is not the firewall to choose if you are looking for the cheapest and fastest solution. Palo Alto NGFWs are expensive. By the time you license them up and get them fully functional, you have spent quite a bit of money. If it is a small branch office with 10 to 15 users, that is hard to justify. However, my customers will do that if I tell them, "You still need to do that," then they will do it since it is still an entry point into the network. 

You really need Premium Support, Applications and Threats, DNS Security, and antivirus. The extra bolt-ons, such as Advanced URL Filtering, you need to determine by use case where you are going to use those licenses, then see if you really need them. You might be adding a bunch of licenses that you will never actually get to effectively use. Their licensing model has gotten a bit exorbitant and a la carte . You will wind up spending quite a bit of money on licenses and renewals.

There is another company out there that I like quite a bit in the firewall space who does a really good job and has a very fast, inexpensive firewall. That is Fortinet. My two favorite firewall companies are Fortinet and Palo Alto. I recommend Fortinet in cases where people don't have the money, as you can get a very nice solution from Fortinet for a lot less money. Fortinet is a good player. I like Fortinet. 

Palo Alto's interface is a little nicer to work with, e.g., a little easier and more intuitive than Fortinet. This makes Palo Alto a little nicer for the end user, but Fortinet is a kick-ass solution. I would never downplay it. It is definitely really strong. For $600, you can get a fully functional next-generation firewall on Fortinet, and you can't do that with Palo Alto. That is a world of difference in pricing.

Machine learning is taking logs and feeding them back through. Everybody is doing machine learning now. You need to have some type of machine learning in order to understand what is going through your environment since you can't be predictive anymore, like you used to be able to be. There is no way of knowing what things are going to do. Therefore, machine learning helps the firewall become smarter. However, machine learning is only as good as how it is utilized and how effectively it is deployed, and it is not always obvious. With Palo Alto, it was difficult to get the API keys and whatnot to work correctly, getting real, effective, actual, usable machine language stuff to use in the policies. It was a lot more hype than reality.

Their zero-pass architecture is not really zero-pass, but it is better than others. It still has to run the traffic through again, once it is recognized at the port, service, and route level, to be acceptable. Then, it has to bring it back through to try to recognize the application. So, it is not necessarily a 100% zero-pass, but the way it works. 

It is like in the Indianapolis 500 when a car pulls into a pit stop. Instead of having one place in the pit stop where the tires are changed, another place in the pit stop that does the windows, and another place that does the gas, they have all the guys come around the car and do their work on the car at the same exact time. That is what is happening with Palo Alto. The packet gets there and the services attack the packet versus having to run the packet through the mill. That is what makes it faster, but it still has to do it more than once before it really knows. It is definitely better than what anybody else has done up to this point. 

With a single-pass cloud, we are not concerned with hardware as much anymore. Now, we are concerned with technology, implementation, and how controls are deployed. That is more important now than where the hardware is, e.g., if the hardware is integrated or deintegrated. I don't know if that is even that important anymore, but it was at one time.

As long as you are comfortable with the price point, you are not going to make a mistake going this way. It is definitely best-in-class and a first-class firewall. I would never be ashamed of putting Palo Alto Networks NGFWs into my network. It's a very good product. As much as I might complain about this and that, there isn't any product that you would put in the network where you are going to have 100% confidence in it. There will always be something. Palo Alto NGFWs are the best way to go.

I would rate this solution as nine out of 10.

These are gateway firewalls to the Internet for every site. At a majority of the sites, we use the firewall as our gateway for the network below.

Previously, we used them just for the Internet firewall and Internet security side. However, in the last year or two, we have started to migrate them as the gateway routers, e.g., as gateways for the networks below. They are doing Internet firewalling as well as firewalling for the networks below.

We are using the PA-220s, PA-440s, PA-820s, PA-3250s, and PA-5250s. We are using all of those hardware models. Then, we are running the PAN-OS 10.1.3 on those.

We have around 40 locations worldwide. At minimum, we have one Palo Alto Networks NG Firewall at each location. At some of the larger sites, we have two Palo Alto Networks NG Firewalls in HA configuration. Then, at our headquarters and disaster recovery site, we have two at each site.

The WildFire feature that they offer is very nice to have. The URL filtering that they offer has been a great help to us as well. We have found with the URL filtering that they offer that we are able to categorize what traffic can go outbound to the Internet from our internal network. By doing the URL filtering, we are able to say that we are not allowing gambling, adult content, or certain URL categories that we just don't want to allow. Then, with WildFire, that helps detect any viruses coming inbound or on east-west traffic inside of our network.

Palo Alto Networks NG Firewalls embeds machine learning in the core of the firewall to provide inline, real-time attack prevention, which is very important. I got an email saying that there was going to be a new 400 series firewall, and it was talking about the ML and AI features that it is offering. That is very exciting to see coming for all our firewalls.

We have the Palo Alto Next-Gen firewalls as well as Cortex XDR for the antivirus side. We are making use of Cortex XDR and Data Lake to correlate the data. We definitely see the benefits of having all that in one unified platform. Some of my colleagues are able to see how certain malware security incidents can correlate to how the virus or malware came into the network, then how it traversed our network based on the XDR information.

I can manage 1,000 firewalls from a single pane of glass.

I am looking to have the machine learning see how a virus or malware will morph, then prevent that from happening. That seems invaluable at this point.

We have a lot of the older firewall models, i.e., the PA-220. It seems that with newer operating systems the PA-220 is becoming slower than when I first bought it. It is not really an issue for users who are passing traffic through the firewall, but more from the management access of it.

We have had them for about three years.

I have had some issues here recently, but it has been more operating system issues. As far as the hardware goes, they have been very solid. Out of the last three or four years that we have utilized Palo Alto Network NG Firewalls. I have only had one time where I had a hardware failure on it that had to get a replacement.

It is very scalable. The Panorama management tool makes it very easy to add a new firewall. You can add one, 10, or 100 firewalls, deploying them quickly and keeping the same security posture that you had in place previously with other devices.

I have not noticed any trade-offs from security versus network performance at all. I think they are both running very well. We haven't lost network performance with an increase in security or vice versa.

The entire company is using the solution. We are a manufacturing company who manufactures electronic interconnects. We have our own marketing department, engineering, learning development, HR, accounting, and IT. Thus, we have a broad spectrum of users who are using the solution.

We actually have a very small staff. There are only five of us who are actively administering the Palo Alto environment. We have around 40 locations worldwide with just over 8,000 users globally.

We are using it at every facility. We are using it as a gateway router as well as our next-gen firewall. We have no plans to change all that. We are pretty happy with how we are configured. So, I think we will keep that trajectory.

The technical support is very good. I am very happy with the tech engineers. They have always been quick to respond and very knowledgeable about the issues that I have had. They help me get those issues resolved quickly. I would give them 10 out of 10.                                

Positive

It gives us added security compared to our previous firewalls. They were very cumbersome to manage, and they had no central management. By switching to Palo Alto Networks NG Firewalls, we made use of the Panorama management tool to manage all our firewalls. The management side is much easier. Also, it provides visibility from their monitoring to be able to see the traffic. Whereas, I was not able to see that before with our previous firewall manufacturer.

With our previous firewall vendor, the maintenance was running to the end of its contracts. Therefore, we were looking to switch anyway because we just weren't happy with that hardware. Our implementation strategy was basically to replace all the old firewall hardware with something new. At the time, we were pretty happy with what Palo Alto Networks was offering.

The setup is very straightforward. I am familiar with other firewalls and the configurations for them. Switching to the Palo Alto Networks NG Firewalls was pretty seamless.

The initial deployment of the first site, switching from the old firewalls to the Palo Alto Network NG Firewalls, took about two to three days configuration-wise. Actually switching over from the old firewall to the new firewall was pretty seamless because we can preconfigure the firewall and then replace the old firewall with it. There were no issues.

Our VAR helped us do some research on what firewalls would be the best for us. We did our own testing, and we liked this solution. That is why we ended up going with it.

We do have other tools that we are phasing into the Palo Alto unified platform environment, bringing in Cortex XDR as well as looking at SIEM products. So, we definitely see the benefit of the unified platform. We have been able to cut down on some of our other hardware. So, it is definitely saving us costs as far as combining different hardware into one hardware device.

We have not had to replace hardware routers nor purchase additional hardware. So, that has provided a little bit of an ROI.

The Palo Alto solution is actually not expensive. It was comparable to the old firewall manufacturers that we were using. From the benefits that we have gotten out of the Palo Alto products, it is well worth the difference in cost, even though the difference in cost is not much at all. I would highly recommend Palo Alto products to anyone.

I just started getting in some of the PA-400 series a couple weeks ago. As far as pricing goes, it was not that much more than the existing hardware platform or the existing firewall that we had in there, i.e., the PA-220. It was not much more expensive and the performance was way better, as far as the management of the firewall itself. The management of those firewalls has greatly been increased.

When we were looking to switch, we narrowed it down to two or three. Then, we obviously decided to go with the Palo Alto product. Palo Alto had better specifications for their hardware.

I would highly recommend the solution as well as looking at the new PA-400 series product line with the machine learning and AI. That is a very good feature that is now available.

The biggest lesson for me was to not skimp out on hardware based on pricing.

I would give this solution 10 out of 10. I am very happy with the product.

We use Palo Alto Networks NG Firewalls in our offices and data centers.

Embedded machine learning within our firewall core has enhanced our business performance by enabling us to process higher volumes of data more efficiently. Single-pass parallel processing and machine learning provide real-time insights, allowing us to maintain a strong security posture.

There is no trade-off for the single-pass architecture. The firewall meets the standards and expectations.

The most valuable features are Wildfire, URL filtering, and IPS.

Palo Alto's support could be improved. Compared to Cisco's community portal, its support resources appear lacking.

I have been using Palo Alto Networks NG Firewalls for over three years.

Palo Alto Networks NG Firewalls are stable.

Palo Alto Networks NG Firewalls are scalable.

We previously used Cisco but found it not on par with Palo Alto, especially with throughput. Performance is essential, and Cisco was lacking in this area.

From a technical standpoint, our engineers have significantly reduced labor hours by utilizing Palo Alto, resulting in a substantial return on investment.

I would rate Palo Alto Networks NG Firewalls nine out of ten.

We have a large number of users within our organization.

We have a maintenance team for Palo Alto.

For organizations with budget constraints, Fortinet is a viable alternative; however, if budgetary limitations are not a concern, the Palo Alto PA-440 Firewall is recommended.