We use the solution for all the capabilities that the firewall offers, including proxy filtering, VPN connection, and Next-Gen firewall capability. We integrate the solution with clients that use ExpressRoute, which is a very common and popular service in Australia. We route all our client's local traffic, 10.x, and the client's Class B public address traffic all into Palo Alto Networks NG Firewalls. We use the solution to provide hub and spoke integration, web filtering, and for VPN.
The solution is a fully managed centralized firewall service for both public and private traffic, including on-prem traffic and Azure traffic.
The solution ties into existing services. We offer network-based services and SD-WAN overlay. We use VeloCloud appliances and put the solution at the heart of that to provide Next-Gen security capability. The solution benefits our clients by reducing the number of firewalls required in their organization, which is hosted in Azure. The solution's aggregation gives us the ability to service our clients by reducing their firewall footprint. The solution also enables us to route all traffic, including internet outbound traffic from a client's side onto Palo Alto NG Firewalls across an ExpressRoute connection.
Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities.
In combination with additional tools and services we offer, the solution makes a significant contribution to eliminating security holes.
The solution helps eliminate multiple network security tools and the effort required to have them work together. The solution simplified our operations. We only support and deliver Palo Alto NG firewalls as a service. We don't offer a firewall as a service on any other appliance. We chose Palo Alto because of its Next-Gen capabilities and being the market leader in terms of security appliances.
I like the native integration into Azure AD and the solution is fantastic from the perspective of managing user access and using the VPN client. The TLS inspection is a fantastic service that's offered in Palo Alto NG Firewalls. In my opinion, the solution is best of breed, which is one of the reasons why we adopted it in the first place.
We have had a couple of DNS attacks, and the predictive analytics and machine learning for instantly blocking DNS attacks worked well.
Depending on the license SKU, we implement the zero-delay signatures feature for some of our customers.
I can enable the features I want and configure the policies based on the user and network traffic, making firewall management much easier.
There are some features of Fortinet, such as the virtual domain capability, that I would love to see in this solution, but they don't outweigh the technical capabilities of Palo Alto as the firewall.
We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value. We have developed our own reporting. Sometimes there are limitations around the APIs and it would be great if the APIs could be enhanced.
I have been using Palo Alto Networks for about 10 years, but not the Next-Generation version. Five years ago, we set up a Palo Alto firewall as a service with Palo Alto in the back end. We did this for Telstra in Australia, and we're the only company in the world that can support the default route over ExpressRoute, using the Palo Alto Networks NG Firewalls as a service that we offer.
The stability of this solution is unbelievable and the best on the market. We've never had an outage as a result of a technical problem on the hundreds of firewalls that we run, or thousands when we include the HA pairs and clusters that we've built.
The solution is scalable and we have never reached the limits. We stuck with Palo Alto because of their Next-Gen capabilities, and we have about 500 clients using this solution as a service.
The technical support is exceptionally good. They have more capabilities in Australia now and we've had no problems. The technical support has been so good, we haven't had to look for another vendor.
The initial setup is straightforward. We have a multi-tenanted version and a single version. We have different flavors of the implementation and it's all scripted. We can build a fully operational firewall HA pair with follow-the-sun, 24-hour, seven-days-a-week support in about 30 minutes. We use DevOps to set everything up and it is effective because it is all scripted.
The implementation was completed in-house.
Our service is incredibly profitable. We don't feel we can offer an alternative that will give us the same return on investment.
The pricing is straightforward with no hidden costs. There is a cost for the licensing, the Virtual Network if the solution is run in Azure, and there is also a cost for the operational support.
I suggest sizing correctly when in the cloud, because the SKU can always be changed at a later time.
We've evaluated a couple of other products in the past to make sure that we still have the right solution in the market.
I give the solution a nine out of ten.
The embedded machine learning included in the solution's firewall core, used to provide inline real-time attack prevention, is an important capability because it gives us the heuristics. The solution uses existing knowledge of the service and of how we use the firewall to determine if something nefarious is being undertaken. I don't believe that we are using the feature to its fullest capability.
We integrate Palo Alto NG Firewalls into Sentinel and we use additional data points to determine attacks.
We use the solution's DNS security for some of our clients.
We use a lot of data points from various systems and not only this solution to determine if a threat is live and active. We don't recommend publishing using the solution. We do local DNS resolution using the Palo Alto NG Firewalls. We're purely an Azure consultancy. We use Azure publishing services to publish. We integrate the solution into virtual networks from a DNS point of view, but we are always on the safe side, and we never use the solution for DNS publishing to the public internet. We are an ISB. We provide managed services, but we are primarily an integrator.
In terms of a trade-off between security and network performance, there will always be a performance lag when doing TLS inspection because the traffic has to be decrypted in real time; however, the benefit outweighs the disadvantages from a network performance perspective. When TLS inspection is sized properly, the performance lag is hardly noticeable.
We sometimes work with Palo Alto, for example, to support the default route over ExpressRoute.
The maintenance is all scripted and fully automated. We are always at the current stable release and we update as regularly as we get the updates from Palo Alto. There is no impact, no downtime, and no loss of service unless we've got a customer with a single firewall that requires a reboot, in which case we schedule the outage.
I have worked with many different appliances in Azure over the years, and I still do with some clients who already have incumbent NVAs, but for our firewall as a service, I have always used Palo Alto.
What we find is that clients want to utilize the features but don't know how to implement them or have the capability. We offer that support. Palo Alto is extremely good value for the money if we maximize its capabilities. If we want a cheap firewall, then Palo Alto isn't the answer. If we want a capable value-for-money firewall, when we are utilizing all of the services available, Palo Alto is the best on the market. If we want a cheap solution we can go to Fortinet which is not as technically sound but for someone who is price sensitive and doesn't want to use all the features and functions of Palo Alto NG Firewalls that is an option. We work with Palo Alto for our firewall as a service, and we work with Velo for our network as a service. The operational run cost for us is low with these vendors because those firewalls are extremely reliable and because we don't have problems with the firewalls, we don't need a big operational support team.
We did some work with the NHS Test and Trace program. They had a multi-client solution for which we deployed hundreds of firewalls across Azure and AWS, using Palo Alto. The client did explore other vendors that were cheaper, and after looking at the operational support capability, features, and how reliable the firewall was, the option was clear and not driven by price.
I would automate the solution. I would use infrastructure-as-code deployment and manage my devices using IaC. If I was going for a larger estate, I would use the solution's management tool.