Palo Alto Networks NG Firewalls Reviews

We use the solution for all the capabilities that the firewall offers, including proxy filtering, VPN connection, and Next-Gen firewall capability. We integrate the solution with clients that use ExpressRoute, which is a very common and popular service in Australia. We route all our client's local traffic, 10.x, and the client's Class B public address traffic all into Palo Alto Networks NG Firewalls. We use the solution to provide hub and spoke integration, web filtering, and for VPN. 

The solution is a fully managed centralized firewall service for both public and private traffic, including on-prem traffic and Azure traffic.

The solution ties into existing services. We offer network-based services and SD-WAN overlay. We use VeloCloud appliances and put the solution at the heart of that to provide Next-Gen security capability. The solution benefits our clients by reducing the number of firewalls required in their organization, which is hosted in Azure. The solution's aggregation gives us the ability to service our clients by reducing their firewall footprint. The solution also enables us to route all traffic, including internet outbound traffic from a client's side onto Palo Alto NG Firewalls across an ExpressRoute connection.

Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities.

In combination with additional tools and services we offer, the solution makes a significant contribution to eliminating security holes.

The solution helps eliminate multiple network security tools and the effort required to have them work together. The solution simplified our operations. We only support and deliver Palo Alto NG firewalls as a service. We don't offer a firewall as a service on any other appliance. We chose Palo Alto because of its Next-Gen capabilities and being the market leader in terms of security appliances. 

I like the native integration into Azure AD and the solution is fantastic from the perspective of managing user access and using the VPN client. The TLS inspection is a fantastic service that's offered in Palo Alto NG Firewalls. In my opinion, the solution is best of breed, which is one of the reasons why we adopted it in the first place.

We have had a couple of DNS attacks and predictive analytics and machine learning for instantly blocking DNS attacks worked well. 

Depending on the license skew, we implement the zero delay signatures feature for some of our customers.

I can enable the features I want and configure the policies based on the user and network traffic, making firewall management much easier.

There are some features of Fortinet such as the virtual domain capability, that I would love to see in this solution, but they don't outweigh the technical capabilities of Palo Alto as the firewall.

We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value. We have developed our own reporting. Sometimes there are limitations around the APIs and it would be great if the APIs could be enhanced.

I have been using Palo Alto Networks for about 10 years, but not the Next-Generation version. Five years ago, we set up a Palo Alto firewall as a service with Palo Alto in the back end. We did this for Telstra in Australia, and we're the only company in the world that can support the default route over ExpressRoute, using the Palo Alto Networks NG Firewalls as a service that we offer.

The stability of this solution is unbelievable and the best on the market. We've never had an outage as a result of a technical problem on hundreds of firewalls that we run or thousands when we include the HA pairs and clusters that we've built.

The solution is scalable and we have never reached the limits. We stuck with Palo Alto because of their Next-Gen capabilities, and we have about 500 clients using this solution as a service.

The technical support is exceptionally good. They have more capabilities in Australia now and we've had no problems. The technical support has been so good, we haven't had to look for another vendor.

Positive

The initial setup is straightforward. We have a multi-tenanted version and a single version. We have different flavors of the implementation and it's all scripted. We can build a fully operational firewall HA pair with follow-the-sun, 24-hour, seven-days-a-week support in about 30 minutes. We use DevOps to set everything up and it is effective because it is all scripted.

The implementation was completed in-house.

Our service is incredibly profitable. We don't feel we can offer an alternative that will give us the same return on investment.

The pricing is straightforward with no hidden costs. There is a cost for the licensing, the Virtual Network if the solution is run in Azure, and there is also a cost for the operational support.

I suggest sizing correctly when in the cloud because the skew can always be changed at a later time.

We've evaluated a couple of other products in the past to make sure that we still have the right solution in the market.

I give the solution a nine out of ten.

The embedded machine learning included in the solution's firewall core used to provide inline real-time attack prevention is an important capability because it gives us the heuristics. The solution uses existing knowledge of the service and how we use the firewall, to determine if something nefarious is being undertaken. I don't believe that we are using the feature to its fullest capability.

We integrate Palo Alto NG Firewalls into Sentinel and we use additional data points to determine attacks.

We use the solution's DNS security for some of our clients.

We use a lot of data points from various systems and not only this solution to determine if a threat is live and active. We don't recommend publishing using the solution. We do local DNS resolution using the Palo Alto NG Firewalls. We're purely an Azure consultancy. We use Azure publishing services to publish. We integrate the solution into virtual networks from a DNS point of view, but we are always on the safe side, and we never use the solution for DNS publishing to the public internet. We are an ISB. We provide managed services, but we are primarily an integrator.

In terms of a trade-off between security and network performance, there will always be a performance lag when doing TLS inspections because the traffic has to be decrypted in real-time, however, the benefit outweighs the disadvantages from a network performance perspective. When the TLS inspections are sized properly, the performance lag is hardly noticeable.

We sometimes work with Palo Alto, for example, to support the default route over ExpressRoute.

The maintenance is all scripted and fully automated. We are always at the current stable release and we update as regularly as we get the updates from Palo Alto. There is no impact, no downtime, and no loss of service unless we've got a customer with a single firewall that requires a reboot, in which case we schedule the outage.

I have worked with many different appliances in Azure over the years, and I still do with some clients who already have incumbent NBAs, but for our firewall as a service, I have always used Palo Alto.

What we find is that clients want to utilize the features but don't know how to implement them or have the capability. We offer that support. Palo Alto is extremely good value for the money if we maximize its capabilities. If we want a cheap firewall, then Palo Alto isn't the answer. If we want a capable value-for-money firewall, when we are utilizing all of the services available, Palo Alto is the best on the market. If we want a cheap solution we can go to Fortinet which is not as technically sound but for someone who is price sensitive and doesn't want to use all the features and functions of Palo Alto NG Firewalls that is an option. We work with Palo Alto for our firewall as a service, and we work with Velo for our network as a service. The operational run cost for us is low with these vendors because those firewalls are extremely reliable and because we don't have problems with the firewalls, we don't need a big operational support team.

We did some work with the NHS Test and Trace program and they had a multi-client solution that we deployed hundreds of firewalls across Azure and AWS, using Palo Alto. The client did explore other vendors that were cheaper and after looking at the operational support capability, features, and how reliable the firewall was, the option was clear and not driven by price. 

I would automate the solution. I would use infrastructure as code deployment and manage my devices using IHC. If I was going for a larger state, I would use the solution's management tool.

We are using PA-820. This Palo Alto series is being used in our separate branch office. We are managing surveillance and internet activities with this Next-Generation security firewall. We are using the UTM features and running best security practices through this firewall. Moreover, VPNs and other remote access security features are being implemented in our environment with this firewall.

It has a very good security database for attack prevention. There are many security breaches, and most of the 2022 security breaches use automation. It has a really good automation engine that clearly prevents new types of attacks. We recently avoided an attack with Palo Alto.

DNS security is super good in this. Its DNS attack coverage is 40% more, and it can disrupt 80% of attacks that use DNS. Without requiring any change in your infrastructure, you can avoid the attacks. With this Palo Alto firewall, we are able to manage DNS security in a single device because it has single-pass architecture.

It provides a unified platform that natively integrates all security capabilities. It has a VPN. We don't need to go for additional security features or devices in our environment. It is an all-in-one solution. With other firewalls, such as FortiGate, you require separate licenses. For example, for high availability, you would require an additional license, which is not the case with Palo Alto. In this way, Palo Alto is completely in line with our budget requirements. We are also planning to go with the higher version of Palo Alto firewalls in our environments.

It has helped to eliminate security holes. It creates a usage pattern with its machine learning and artificial intelligence features. It uses a good amount of artificial intelligence to create a pattern. If there are any changes in the usage pattern, it notifies us, and we are able to take action.

In our environment, we are running a lot of production servers. So, we cannot compromise on security. We give more priority to security than performance in our architecture. We put 70% focus on security and 30% on performance. Palo Alto completely suits our requirements. They have three-tier security. We can see the application layer traffic, network layer traffic, and session layer traffic.

It integrates perfectly. It integrates with SIEM solutions such as Darktrace. For log analysis, we are able to completely retrieve the logs.

The most important feature is advanced threat prevention. It stops most malware. It provides 96% or 97% prevention against malware. It has a leading intrusion prevention system in the industry. It is really good at malware prevention. It ensures that files are saved in a good and secure environment. It automatically detects and prevents unknown malware with its powerful malware prevention engine. 

It has a unique approach to packet processing. It has single-pass architecture. We can easily perform policy lookups, application decoding, and integration or merging. This can be all done with a single pass. It effectively reduces the amount of processing required to perform multiple actions. This is the main advantage of using Palo Alto.

It is a complete product, but the SSL inspection feature requires some improvements. We need to deploy certificates at each end point to completely work out the UTM solutions. If you enable SSL encryption, it is a tedious process. It takes a lot of time to deploy the certificates to all endpoints. Without SSL inspection, UTM features will not work properly. So, we are forced to enable this SSL inspection feature. 

It has been three years.

It is extremely stable.

It is scalable. There is a VM solution also, so it is completely scalable. 

We have about 3,000 users in our branch office. In terms of our plans to increase its usage, we are also planning to go for Palo Alto as our main firewall. We are planning to go with the higher-end version.

I would rate them an eight out of ten.

Positive

In our branch office, before the Palo Alto firewall implementation, we have been using FortiGate. We switched because of the budgetary requirements. With FortiGate, for the high availability feature, we required two devices. We had to buy two licenses, whereas Palo Alto required only one license. It was completely in tune with our budget. So, we had to go with Palo Alto.

FortiGate did not have single-pass architecture. It took a huge amount of resources for each action. For policy lookups, it took a considerable amount of system resources, such as CPU, RAM, etc. The waiting time was too high for policy lookup, application decoding, and signature matching. All this is carried out in a single pass in Palo Alto. So, it is considerably fast and also secure. There is no compromise in terms of security. It is completely secure, and we are able to do more functions in a single pass with the Palo Alto firewall. So, we save a lot of resources. With FortiGate, security was around 50%. After the implementation of PA 820, it has increased to 80%. We have achieved about a 30% increase in security. Even though PA 820 is not a higher-end series, performance-wise, it matches the higher-end series of FortiGate. So, there is a considerable amount of cost savings. We are able to save 20% to 30% extra.

In our organization, we have multiple vendors. We have FortiGate, Cisco ASA, and other security implementations. We have already purchased many other products. So, we cannot simply suggest Palo Alto across the organization. We have to consider the older purchases.

Palo Alto is a good competitor to FortiGate. Cisco, FortiGate, and Palo Alto are the three main competitors. When we compare these products, they have similarities, but I would suggest going with Palo Alto for higher security. If you are giving more priority to security and less priority to performance, definitely consider this. Cisco ASA and FortiGate are more performance-oriented. So, if you are planning to give more priority to security, I would definitely suggest Palo Alto.

Its initial setup was complex. It was not straightforward. It required a considerable amount of time and effort. Migration was a little bit complex because we had a different vendor product. Migrating to this product required a considerable amount of time and planning because we didn't want to disrupt the networking in our existing environment. It took a good amount of planning and decision-making to migrate to Palo Alto.

Its deployment took about a week. In terms of the implementation strategy, we were deploying it at the branch office. We already had a solution there. So, we had to completely migrate the policies and everything else. We also had to identify the interfaces with the utmost urgency. We first migrated important interfaces and made sure that they all are working fine and all the security features are working fine. After that, we enabled all the policies and other features. In this way, we were able to completely migrate in seven days.

It required three network administrators. They are responsible for actively managing the firewall configurations, taking backups, etc.

With this highly secure environment, we are able to maintain our production-level servers on-premises. We were planning to move them to the cloud for security, but with the implementation of Palo Alto, we were able to maintain them on-premises. We could create a considerable amount of production service, and thereby, we had a great return on investment through this.

It is not that expensive. I would rate it an eight out of ten in terms of pricing. Other than the licensing, there are no additional costs.

We didn't evaluate anything other than FortiGate and Palo Alto.

I would recommend this solution if security is more important to you. If the performance of the users is more important, I would not suggest Palo Alto. It gives more priority and weight to security. It has a complete security mechanism with AI, log-based analysis, etc. I would recommend it for higher cybersecurity and IT-related environments.

I would rate it a nine out of ten.

On-premises, we used Cisco but replaced our core firewall world with Palo Alto because we wanted more visibility. Plus, we were looking for features such as IPS for PCI compliance. We wanted next-generation capability, but we had the ASA traditional firewall with Cisco, which doesn't do much, so we replaced it with Palo Alto. 

In the cloud, we use Palo Alto for the zero trust implementation. Initially, we tried to work with the Azure firewall, but we found a lot of limitations in terms of visibility. It couldn't provide us with the same visibility we wanted for Layer 4 and above.

The solution is deployed both on cloud and on-premises. The cloud provider is Azure.

We have about 6,500 endpoints in my organization and five administrators.

One of our key challenges was for the PCI, the new standard 3.1. There's a requirement that financial applications need to have some sort of zero trust architecture. They need to be completely segregated. We implemented zero trust using Palo Alto so that if we are within the same subnet within the network, we have protection.

The unified platform helps us eliminate security holes. We use another product from Palo Alto, called WildFire, which is basically sandboxing. We have layers of products. Because of WildFire, we're able to identify any weaknesses in the upper layers.

We give a copy of the same packet to WildFire, and this helps us identify things that were bypassed, such as malware or malicious files. It's especially helpful when we're transferring files, like on SMB, because it's integrated.

The unified platform helps eliminate multiple network securities, and the effort needed to get them to work with each other. It's a very good product for us because it fits well in our ecosystem. 

Our other vendor is Fortinet. Previously, we struggled with having multiple products. One of them was command-line based and the other one was web-based. The engineers would have some difficulty because not everyone is good with a command line platform. Palo Alto and Fortinet are both managed by the UI and they're very similar products. They work well with each other, so we use certain capabilities here and there.

For example, for some internet browsing, we generally have a separate solution for our proxy, but there are situations where we need to provide direct internet access to a particular server in a certain situation. The problem is when a particular product does not work with the proxy for some reason. This is where we use Palo Alto's web filtering. If we didn't have a solution that could do this, it would be difficult on our side because how can we provide direct access to the server without securities?

When browsing, the logs provide us with the required information. For example, we allow certain URLs to a particular server, and we have that data also. This goes back into our same solution. With Palo Alto, the connectors are built in.

Our Palo Alto Firewall has the zero-delay signatures feature implemented. For the IPS capability, we rely completely on Palo Alto. If we don't have this implemented and there's a new, ongoing attack, we will be exposed. We make sure there are controls on the policies we have on each layer.

Even if a patch is released for that particular issue, it would take us time to implement it. We actually rely on the network layer, which is our Palo Alto box, to prevent that in case someone tries to exploit it. In the meantime, we would patch it in the background.

One of the key features for us is product stability. We are a bank, so we require 24/7 service.

Another feature we like about Palo Alto is that it works as per the document. Most vendors provide a few features, but there are issues like glitches when we deploy the policy. We faced this with Cisco. When we pushed policies and updated signatures, we ran into issues. With Palo Alto, we had a seamless experience.

The maintenance and upgrade features are also key features. Whenever we have to do maintenance and upgrades, we have it in a cluster and upgrade one firewall. Then, we move the traffic to the first one and upgrade the second one. With other vendors, you generally face some downtime. With Palo Alto, our experience was seamless. Our people are very familiar with the CLI and troubleshooting the firewall.

It's very important that the solution embeds machine learning in the core of the firewall to provide inline real-time attack prevention. There is one major difference in our architecture, which we have on-premises and on the cloud. Most enterprises will have IPS as a separate box and the firewall as a separate box. They think it's better in terms of throughput because you can't have one device doing firewall and IPS and do SSL offloading, etc. In our new design, we don't have a separate box.

When we looked at Palo Alto about five years ago, we felt that the IPS capability was not as good as having a separate product. But now we feel that the product and the capabilities of IPS are similar to having a separate IPS.

Machine learning is very important. We don't want to have attacks that bypass us because we completely rely on one product. This is why any AI machine learning capability, which is smarter than behavioral monitoring, is a must.

There was a recent attack that was related to Apache, which everyone faced. This was a major concern. There was a vulnerability within Apache that was being exploited. At the time, we used the product to identify how many attempts we got, so it was fairly new. Generally, we don't get vulnerabilities on our web server platform. They're very, very secure in nature.

We use Palo Alto to identify the places we may have missed. For example, if someone is trying something, we use Palo Alto to identify what kind of attempts are being made and what they are trying to exploit. Then we find out if we have the same version for Apache to ensure that it protects. Whenever there are new attacks, the signature gets updated very quickly.

We don't use Palo Alto Next Generation Firewalls DNS security. We have a separate product for that right now. We have Infoblox for DNA security.

Palo Alto Next Generation Firewall provides a unified platform that natively integrates with all security capabilities. We send all the logs to Panorama, which is a management console. From there, we send it to our SIM solution. Having a single PAN is also very good when we try to search or if we have issues or any traffic being dropped. 

Panorama provides us with a single place to search for all the logs. It also retains the log for some time, which is very good. This is integrated with all our firewalls. Plus, it's a single pane of glass view for all the products that we have for Palo Alto.

When we have to push configurations, we can push to multiple appliances at one time. 

Previously for SSL offloading, we utilized a different product. Now we use multiple capabilities, IPS, the SSL offload, and in certain cases the web browsing and the firewall capability altogether. Our previous understanding was that whenever you enable SSL offloading, there is a huge impact on the performance because of the load. Even though we have big appliances, they seem to be performing well under load. We haven't had any issues so far.

We have had some challenges. There are some advanced features that we aren't able to use, which include active IP authentication and app ID. We are facing challenges with implementing those two features.

Other products provide you with APIs that allow you to access certain features of the product externally with another solution. In the cloud, we have a lot of products that provide us with these capabilities, such as Microsoft. It has its own ecosystem, which is exposed through Graph API. I would like to have the capability to use the feature set of Palo Alto and provide it to another solution.

For example, if we have a very good system to identify malicious IPs within Palo Alto, we would like the ability to feed the same information into another product using the APIs. These are obviously very advanced capabilities, but it would be great if Palo Alto would allow this in the future.

I have used this solution for more than five years. I'm using version 10.1.

It's extremely stable. We've used it on the parameter and as a core firewall in our data center. In both cases, it's what we rely on today.

The scalability is amazing. When you look at the data sheet, sometimes you'll find that the equipment won't perform well under the same load. However, if something is mentioned on the data sheet and you implement it, you'll find places where you have high CPU and high memory utilization. When you buy something, maybe it should be 50% load, but when you put it into actual implementation, you find out that the CPU and memory remain very high.

With Palo Alto, the CPU and memory are both intact. It's performing well under load. We have different timings where we have a large load and it goes down and then goes up again. In both scenarios, the product is very good. The CPU performs well. Especially during upgrades, it was very stable and straightforward.

We have plans to increase usage. We're doing a migration in the cloud right now, and we plan to move a lot of our services to the cloud. This is where we'll either add more virtual firewalls in the cloud or increase the size and capacity of firewalls that we have there.

The technical support is great. We've faced very, very serious problems where our systems were impacted due to some reason, and they were able to provide adequate support at the same time. When we raised a P1, an engineer started to work with us right away. Some vendors don't touch the customer's product.

Palo Alto's support is great; they're willing to get their hands dirty and help us.

I would rate technical support nine out of ten.

We previously used Cisco ASA. We switched because of the IPS for compliance, but there were other factors as well, such as usability. We didn't have enough engineers who were well trained on Cisco because it's a very traditional kind of product that's completely CLI driven. We only had one or two people who could actually work on it. Even though people understand Cisco, when we asked them to implement something or make a change, they weren't that comfortable. 

With Palo Alto, it was very simple. The people who knew Fortinet also learned Palo Alto and picked it up very quickly. When we had new people, they were able to adjust to the platform very quickly.

It was straightforward for us. For the initial deployment, we had two experiences. In one experience, we replaced one product with Palo Alto. In that particular situation, we used a tool from Palo Alto to convert the rules from Cisco to Palo Alto. It took us around four or five days to do the conversion and verification to make sure that everything was as it was supposed to be. The cloud deployment was straightforward. We were able to get the appliance up and running in a day.

For our deployment strategy, when we replaced our core, one of the key things was if we wanted to go with the same zones and to identify where the product would be placed and the conversion. We tested the rule conversion because we didn't want to make a mistake. We took a certain set of policies for one particular zone, and then we did the conversion and applied it. We did manual verification to ensure that if we went with an automated solution, which would do the conversion for us, it would work correctly and to see the error changes. Once we applied it to a smaller segment, we did all of it together.

For the cloud deployment, we had some challenges with Microsoft with visibility issues. From the marketplace, we took the product and deployed it. We did a small amount of testing to check how it works because it was new to us, but we were able to understand it very quickly. The engineers in UA helped us because the virtual networking for the cloud is a little bit different than when it's physical.

We were able to get it up and running very quickly. Palo Alto provides a manual for the quick start, which we used to do the deployment. It was pretty straightforward after that.

For maintenance and deployment, we have two engineers working in two shifts. We have around 15 or more Palo Alto firewalls, so we can survive with six members. That's more than enough to handle operations.

We offer security services, so it's difficult to calculate ROI. But since we're an organization where we cannot compromise on security, I would say the ROI is very good. We don't have any plans to change the product since we moved from Cisco.

The cost is much better. We've worked with multiple vendors, and Palo Alto is very straightforward. We've done many implementations with Cisco, and they kill you on the licensing. When you enable each capability, it costs a lot. They charge you for the software and for the capabilities. They charge you for the licensing. It's very complicated. 

With Palo Alto, the licensing is very straightforward. For example, if you only have a requirement for a firewall, you can go with that. If you want to go with a subscription, you get all the features with it.

I work for an enterprise, so we have the topmost license for compliance reasons. There is an essential bundle and a comprehensive bundle for enterprises.

Palo Alto also has a security essential bundle, which covers everything that's required for a small organization.

The PA-400 series of Palo Alto is the smaller box for small businesses. The good thing is that it has the same functionality as the big boxes because it runs the PAN-OS operating system in the background. It's a very good product because it provides you with the same capabilities that an enterprise uses. It provides the same operating system and signatures.

It's also good for an enterprise because you get the same level of capabilities of the firewall. There are firewalls that are 20 times more expensive than this. However, on a small box, you have the same capabilities, the same feature set, and the same stability, so I feel it's a very good product.

We chose Palo Alto right away because we couldn't go with the same vendor, which was Fortinet. We needed a different vendor, and the only option left was Palo Alto.

I would rate this solution nine out of ten. 

As a recommendation, I would say go for it. It's a very good product. With implementation, we looked at a lot of different processes that said they offered a lot of capabilities. We've used almost all of them, such as GlobalProtect, which is for the VPN capability, and site-to-site VPN. We have done all kinds of implementations and in most of the cases, it's pretty much worked for us.

At some point, you will have requirements where you have third-party vendors, or you have to integrate with a third party. With Palo Alto, you're safe no matter what. With other open-source solutions, they work but you'll face issues, and you'll have to step up your security. 

With Palo Alto, it's straightforward. You'll have adequate security, it works well, and you'll be able to work with other solutions too, create tunnels, and GlobalProtect.

There are people who utilize open source products also, and it works well for them. But if you're an enterprise that provides 24/7 services, it's better to go with a company that has the support and features that work. We don't have any challenges with it. 

This is very important because maybe you can get a cheaper solution, but stability and functionality matter, especially when we talk about zero-day issues every single day. This is where Palo Alto would be best.

Secondly, with new types of technologies, like with Kubernetes or microservices, it's better that you go with a company that's actually able to cope with all the technology changes that are happening in the background. If you have a multi-operating system, you'll notice that the signatures for the attack are different for different types of operating systems. 

For instance, if you have Linux, Windows, and Unix, you need a product that understands all the different types of attacks on different systems. I think it's better to go with something that's well supported, works well, and is stable.

Some of my customers have Palo Alto firewalls, and the use cases include security policies, VPN connections, remote access, side-to-side VPN, and some user ID functionality. To solve these problems, I usually use the web UI monitor, system logs, end capture, CLI, etc. 

We don't have large-scale implementations in Poland as you'd find in Western Europe, but last year I did a big Palo Alto project with 20 Next-Generation firewalls and it was a success. We deployed eighteen PA 800 CVS firewalls for branch offices and a PA 52 series and NPA 5200 series at the data center. It was a high-availability model. The project was a migration from previously used Palo Alto firewalls, including the PA 500, 3000 series, PA 800 series, and PA 32 series. About 95 percent of our firewalls are on-premises, but some customers in Poland want to move to cloud solutions like Prisma Cloud. 

The most significant benefit is threat protection. Anti-malware uses signatures, so dynamic analyzers like WildFire are the best way to protect the company. It is a firewall based on application control, user ID, and security policy. We can use it based on user and application ID without a stateless firewall or TCPIP ports.

Palo Alto Next-Generation Firewalls have security functionality like a traditional IPS system. You can configure it to download new signatures from the threat intel cloud every five minutes. We also have data filtering, disk protection, SD-1, and machine learning functions. We only have one full working path on a Palo Alto Networks solution, but it is not a classic UTM. In a traditional UTM, checks occur in a series, but everything in Palo Alto Networks is inspected in parallel. 

The security features are the most valuable aspect of Palo Alto's Next-Generation Firewalls. It has all the typical static threat protection based on signatures and WildFire dynamic analyzers. I love this feature. Palo Alto Networks updates the signatures of global threats on the cloud every 60 seconds, so we are protected against the latest threats. 

It also has SD-1, but unfortunately, very few customers in Poland want to enable SSL decryption. From time to time, we have customers who want to test this. Machine learning is crucial to security features like anti-spyware and URL security profiles. Palo Alto was one of the first firewalls to have this capability. It helps us analyze real-time traffic using machine learning instead of signatures. Palo Alto has a better web interface than other firewalls I've used.

The DNS Security checks if your DNS queries are valid because infected computers try to connect to the DNS domain. We have this configuration to block access to the domain. We can use the application to block the DNS tunnel link. 

When we enable security functions like threat prevention, performance generally degrades, but this is normal. Of course, Palo Alto could always improve its security. 

I have been working with Palo Alto's Next Generation Firewalls for four or five years because some of my customers use them. 

Palo Alto firewalls are stable compared to Fortinet, Check Point, or Cisco. From time to time, the firewall is unstable, but that's related to the connection 99 percent of the time. I recommend doing a test with a resource monitor to see if the model is right for you. 

Palo Alto firewalls are scalable because we can find models suitable for any infrastructure in the company's portfolio. 

I rate Palo Alto Networks' support eight out of ten. I periodically have problems, but I typically try to resolve the issue myself. Sometimes I need to send a troubleshooting file to support, but that's rare. Palo Alto Networks provides us with lots of troubleshooting information we can use.

I worked with Fortinet and Cisco firewalls, like PEAK, FirePOWER, and ISA. I also used Check Point firewalls from time to time. I believe Palo Alto has the best technology in the world, and there is a significant demand for these solutions in Poland, so I want to be a person who can implement and configure this technology.  

Many customers think about security in terms of their entire ecosystem, so we have on-premises firewalls and Prisma Cloud, plus endpoint protection solutions like Cortex XDR. I have two customers in Poland who have WildFire in an on-premise sandbox. 

Before implementation, I have to prepare a technical project document containing information about what I will do on this infrastructure, like migration or something like that. I start implementation once the customer approves this document. 

Prior to the physical installation in the server rooms, I need to connect the management interface to the network to update the software and signatures. I have to perform tasks to prepare a device to work. Once I've configured the device, I can switch the firewalls from the current security setup to Palo Alto's firewall. 

It depends on the customer, but sometimes my customers want to enable dynamic protocols first, but they don't enable them. About 95 percent are in working route mode, but we have L3 interfaces from time to time. Generally, migration is simple because I don't use an expedition tool. I made some changes, switching the firewall from the older models to the new ones. After that, I used the optimizer to convert rules, including the TCP UTP power services. 

Then I enabled this project's network and security functions, like the aggregation interface and the trunk. I use aggregation interfaces with virtual interfaces, like the 802.1 queues, sub interfaces with VLAN, and DHCP server relay. I haven't used dynamic working protocols. I only used static working protocols, but maybe my customer will be ready for dynamic working protocols in the future.

The time it takes to deploy depends on the project. Usually, it's about two weeks for the basic installation. However, my current project took between one and two months. Some customers require a lot of other tasks, so the installation might take six to eight weeks.

I'm able to do everything by myself, but I have some problems with functionality every now and then. For example, I recently had a problem with the side-to-side VPN, but the configuration was okay. In the end, I found it was a problem with the internet connection, not the VPN. Initially, our internet provider told us that everything was okay on our networks. 

Unfortunately, Palo Alto Networks products aren't cheap, but you have to pay the price for good security technology. I don't know the exact price, but it's about $10,000 to $15,000 without a subscription. Cisco is priced similarly. FortiGate is inexpensive in Poland, so a lot of customers prefer that.

Though it's pricey, customers ultimately realize Palo Alto is the best security solution because it's stable and the network security functions are practical. Cisco has some problems from time to time, but I feel comfortable with Palo Alto Networks. 

I rate Palo Alto Networking Next-Gen Firewalls seven out of ten. I have to qualify that by saying that I probably don't know enough about Palo Alto Networks technology because we don't have advanced projects in Poland. I want more opportunities to develop my skills with this technology. I want to know more about Prisma Cloud and Strata products. 

Depending on the client's infrastructure, I would recommend a different Palo Alto firewall. I would use PA 220 or maybe a PA 420 maybe for a small office. These devices are for small and medium-sized businesses. We would use a 52 and a 54 series or a 7000 series for a large enterprise.

A VM deployment might be suitable for some security projects. We've even deployed Palo Alto in Polish government institutions. For example, I implemented a VM 500 security solution two years ago. This device works in high availability mode. I think VM is a good starting point for a customer. It allows them to try the security product, open the Web UI, etc. After that, we should develop a proof of concept test and show the customer how this device works on their infrastructure. 

I would recommend a Palo Alto firewall with next-generation security functions like IPS, and the ability to use user or application IDs. I will tell my customers about dynamic functionality and threat intelligence in the Palo Alto Networks cloud.

We protect certain applications in the data center with Palo Alto Networks NG Firewalls.

Application layer security and integration with other components that we have in our networks are valuable features.

Compared to other firewalls from Check Point, Fortinet, and Cisco, for example, Palo Alto Networks NG Firewalls use the most advanced techniques. They have sandbox integration and others in the orchestrator. Palo Alto's security features are at a higher level than those of the competitors at the moment.

It's very important that we be able to integrate all security capabilities within the firewall. This is one of the key reasons why we chose to go with Palo Alto Networks NG Firewalls.

We are heavily investing in technology that uses machine learning. Thus, it is important for us that Palo Alto Networks NG Firewalls embed machine learning in the core of the firewall to provide inline, real-time attack prevention.

Palo Alto needs to provide more support during the design phase and with proposals. They need to be more proactive, try to anticipate issues, and then help us to implement the transformation quickly.

I have been using Palo Alto Networks NG Firewalls for five years now.

We have not had any issues with stability. I have not heard from our SOC about issues with devices either.

The scalability has been good. We are the biggest bank in Italy with 100,000 employees.

Palo Alto's technical support is extremely good and responsive. The ticketing system, however, is a little bureaucratic especially when you are in a hurry or are dealing with an emergency. On a scale from one to ten, overall, I would rate technical support a nine.

Positive

The deployment was quite easy.

We have seen a return on investment in general. Our company is moving to the cloud and toward digital transformation in the financial sector. Palo Alto plays a key role in this return on investment.

My advice to you, if you're looking for the cheapest and fastest firewall, is that the cheapest firewall is not the best for security.

We use firewall solutions from multiple vendors, and from a security point of view, Palo Alto Networks NG Firewalls are one of the best in comparison. Also, you get the best value from Palo Alto with application layer security, machine learning, and integration.

Overall, I would rate Palo Alto Networks NG Firewalls a nine out of ten.

I find it valuable to attend an RSA Conference because I get the opportunity to participate in several seminars, share, and learn from other people as well.

Attending RSAC also impacts our purchasing decisions because what I see at the conference will end up in the budget the following year or the year after that.

We use the solution to protect our internal network from external threats.

Up until recently we were not using multilayer firewalls and were using several solutions that are combined in Palo Alto Networks NG Firewalls.

We are required to provide our network test results to our central bank, and Palo Alto Networks NG Firewalls offer a robust report for this purpose that would otherwise be a cumbersome human task.

The performance of Palo Alto Networks NG Firewalls is the most valuable feature.

The analytics could be improved. I would like to have a unified analysis tool within Palo Alto, as we currently use Perimeter 81 and Fortinet FortiGate, which makes the analysis process take a long time.

I have been using the solution for almost four years.

The solution is stable.

The solution is scalable. We have three people that monitor the solution and maintain it.

The initial setup is straightforward. We had to secure our parameter network. We required two engineers from a reseller and two from our organization.

The implementation was completed with the help of a partner.

The solution is worth the price, as it can be utilized without the need for high-processing CPUs and resources, thus saving us overall.

I evaluated Check Point and decided to use Palo Alto because of its performance. Palo Alto can be used with fewer CPUs. 

I give the solution a nine out of ten.

Before using Palo Alto Networks NG Firewalls you must first know what our requirements are.

We use the solution as a firewall for our network. We can manage our traffic between internal traffic and external traffic handling. The solution protects the traffic and we manage the standard firewall issues.

The solution's embedded machine learning in the core of the firewall that provides in-line real-time attack prevention is important and provides good insight for us. The machine learning actions and learning activities provide some useful information. 

The solution's machine learning for securing our networks against rapidly evolving threats is good. We utilize an IoT tool that comprehends IoT devices, such as webcams, and can therefore interpret their behavior and send information on their activity. The tool also applies appropriate firewall rules to these devices, taking into account the clearance level of each device based on its traffic.

Before implementing Palo Alto, we had to rely on a management company to handle our firewall security. However, now that we have Palo Alto, we can manage our firewall security in-house.

Palo Alto Networks NG Firewalls unified platform helped to eliminate security holes.

The zero-delay signature feature helps keep our security updated against new attacks.

Palo Alto Networks NG Firewalls provides a unified platform that natively integrates all security capabilities which is important to our organization.

Palo Alto Networks NG Firewalls' zero-delay signature feature is important, and it receives daily updates.

At times, server capacity can result in issues. While Palo Alto is a top firewall company, it's crucial to properly size the firewall to meet our needs. In the case of larger attacks, the capacity of our current firewall may not be adequate, requiring us to obtain more advanced and expensive versions to ensure network protection.

There is a tradeoff between security and network performance, as security is always top-notch, but performance can sometimes lag and has room for improvement.

The cost of the solution has room for improvement.

I have been using the solution for one year.

I give the stability an eight out of ten.

The solution is not very scalable. We need to define our requirements and purchase the correct product for our needs.

We are an enterprise company with over 3,000 people. All the network traffic goes through the solution but we have five people that work directly on the solution.

The technical support is great.

Positive

We previously used Check Point NGFW and switched to Palo Alto Networks NG Firewalls because of the stability.

I give the initial setup a five out of ten. The deployment took one month.

Implementation was completed in-house by a consultant.

Compared to other firewall solutions, this is an expensive solution.

I give the solution an eight out of ten.

We use Palo Alto Networks NG Firewalls to protect small businesses that work within the defense industrial base.

By using Prisma Access, we can easily connect to our network from different locations around the world without having to deploy multiple firewalls. This not only makes it more convenient but also saves us a lot of expenses.

Prisma Access is the most valuable feature of Palo Alto Networks NG Firewalls.

The ability to provide secure access to people without having to carry an additional device around really benefits us in the defense industrial base.

The training provided is satisfactory, but there is certainly room for improvement. It would be great to have more comprehensive training at a lower cost, or even for free.

I would say that Palo Alto Networks NG Firewalls provide a unified platform for many, but not all.

Having everything in one pane of glass is important to me because I have a lot of responsibilities. It would be really nice to have everything in one place, so I don't have to switch around between different applications and can stay focused on one platform.

It's important to have machine learning embedded, but it's equally important to not solely rely on it. We still need human interaction to ensure proper security measures. Nonetheless, machine learning is a vital component of our security strategy.

I have been using Palo Alto Networks NG Firewalls for five years.

Palo Alto Networks NG Firewalls have been instrumental in reducing our downtime as we moved away from less robust devices. By implementing Palo Alto firewalls, we have significantly improved our network stability.

If I had to estimate, it has saved us 10 to 15 hours per year.

Palo Alto Networks NG Firewalls is a very stable solution.

I haven't encountered the need to scale the solution yet. Our current setup meets our requirements and has been working well for us. Given that we are a small company, we have not felt the need to look into scaling it at this point.

The technical support provided by Palo Alto Networks is excellent. Although I have only needed to contact them a few times, they have always been quick to respond, and their team is very knowledgeable.

I would rate the technical support a nine out of ten.

Positive

Before, we used SonicWall, but we decided to switch to Palo Alto Networks NG Firewalls because they offer a much better solution and are leading the market.

I was part of the deployment team, but since I was new to Palo Alto devices, the deployment process was more complex for me. That's where the training came into play.

I had to familiarize myself with their user interface and terminologies since I was used to using a different system. It took some time for me to learn and compare it with what I've used before.

We purchased from a reseller.

It was a straightforward process. We made the purchase online and they shipped it to us. After that, it was a matter of getting it up and running.

It's difficult to determine. When looking at the ten to fifteen hours a year, it's unclear whether or not I would consider that as part of the return on investment. It's a bit challenging to assess from an IT perspective.

Reducing costs is important, especially since Prisma can be expensive. It would be great if it were more affordable.

Although the hardware can be expensive, the quality of Palo Alto Networks NG Firewalls is excellent. While a lower cost would be desirable, we recognize the value of investing in a reliable and effective solution.

When we were moving away from SonicWall, we evaluated FortiGate and Meraki's solutions.

In my opinion, I was impressed with FortiGate's system on a chip. It was really fast compared to Palo Alto's, but I think Palo Alto has a better feature set and interface. As for SonicWall, we had several reasons for leaving. Regarding Meraki, I find their management interface not suitable for my needs, and they seem to be more of a consumer-grade or prosumer-grade product.

I am not in a position to comment on the solution's ability to secure data centers consistently across all workplaces, from the smallest office to the largest data centers since I have only used their smaller solutions.

My advice to those who are seeking a firewall solution is not to prioritize the cheapest or the fastest options, as it could be risky. Instead, it is important to invest in the best quality firewall that is within your budget. This is something that I have experienced with Palo Alto Networks, which provides a high-quality solution that is worth the investment.

I would rate Palo Alto Networks NG Firewalls a nine out of ten.

The experience has been amazing, with a few sessions resulting in new services that I can offer my company directly. The best part is that I can do it without having to invest in an expensive tool that costs hundreds of thousands of dollars.

It does impact the purchases we will make throughout the year.

If I can perform 95% of the work at a lower cost, we are unlikely to consider Mandiant and spend a significant amount of money.