Palo Alto Networks NG Firewalls Room for Improvement

Solutions Architect at a comms service provider with 501-1,000 employees

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

CyberSecurity Network Engineer at a university with 5,001-10,000 employees

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

Network Analyst at a recreational facilities/services company with 1,001-5,000 employees

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now.

It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
566,121 professionals have used our research since 2012.
Chief Architect at a recruiting/HR firm with 1,001-5,000 employees

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

Network Administrator at a real estate/law firm with 201-500 employees

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

Network Solutions Architect at Ecobank Transnational Incorporated

There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better.

I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

Security Team Technical Manager at ECCOM Network System Co., Ltd.

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

Director Of Technology at La Jolla Country Day School

There is a web-based GUI to do management, but you need to know how the machine or firewall operates. There are hundreds of different menus and options. I have used other firewalls before. Just implementing or designing a policy with Palo Alto, if you want a certain port to be open to different IP addresses, then that could take 20 to 25 clicks. That is just testing it out. It is quite complex to do. Whereas, with other places, you tell it, "Okay, I want this specific port open and this IP address to have access to it." That was it. However, not with Palo Alto, which is definitely more complex.

The VPN is only available for Windows and Mac iOS environments. We have a variety of iPads, iPhones, and Android stuff that wouldn't be able to utilize the built-in VPN services.

I would like easier management and logging. They can set up some profiles instead of having you create these reports yourself. However, you should be able to set it up to give you alerts on important things faster.

Presales Specialist at a tech services company with 1-10 employees

The only area I can see for improvement is that Palo Alto should do more marketing.

Senior Network Engineer at a tech services company with 201-500 employees

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good.

In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

Security Consultant at a tech services company with 501-1,000 employees

The solution would benefit from having a dashboard.

From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

President at MT-Data

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. 

The appliances I'm working on are relatively old now. We're talking five-year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes.

Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly.

The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam. 

Sr. Engineer at a comms service provider with 51-200 employees

The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market.

Clients are typically looking for a solution that's more aggressive in the market.

For example, with Fortinet, they have an SD-WAN that really has many capabilities. For example, it can inject a GSL SIM card along with the MPLS connection. It connects the system within one product. Palo Alto doesn't offer this. This is one area that will need to improve. In Indonesia, the market is growing strategically. Palo Alto has this one product, however, with the limitation of the GSM sim card they are getting left behind. 

Manager IT Security & Infrastructure at a consumer goods company with 1,001-5,000 employees

There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI.

Team Lead Network Infrastructure at a tech services company with 1-10 employees

Palo Alto has all the features that any firewall should have. Other firewalls should actually copy Palo Alto so that they can provide better stability, performance, and protection - at levels that are at least at Palo Alto's.

This isn't necessarily an issue with the product per se, however, sometimes basically there are some features that, depending on the customer environment, do not work as well. Sometimes some of the applications the customer has do not respond as they normally should. Palo Alto support needs to understand the customer requirements and details so that they can resolve customer queries more effectively.

Solutions Architect at a comms service provider with 51-200 employees

Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete.

Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet.

We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks.

Network Security Engineer at a tech services company with 11-50 employees

There will always be room for improvement. On a daily basis you get patches for everything. They build new features, apply new technologies and new applications which need to be integrated and with that you get bugs. There are always issues, whether it's hardware or software. 

Technology Manager at a comms service provider with 1,001-5,000 employees

We work very closely with the vendors here and at this point they use external support.

Maybe they could add some tools and more competing services, like servers, but that would increase the cost of the solution.

Security Engineer at Hitachi Systems, Ltd.

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

Network Administrator at a healthcare company with 201-500 employees

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem. 

Information Security Specialist at UAEU

There could be improvement with their logs, especially their CLI. When you go to the command line to understand the command line interface it's tricky and requires a deep understanding of the product. We recently faced one issue where the server side configuration changed and it wasn't replicated at the firewall. It required us to tweak things and now it is working fine. Finally, the HIPS and audio call features could be improved. 

Technical Manager at a tech services company with 201-500 employees

The configuration part could be improved. It's very difficult to configure. It doesn't have a user-friendly interface. You have to know Palo Alto deeply to use it.

Also, it doesn't support open-source protocols like EIGRP. We had to find another solution for that.

Security Expert at an aerospace/defense firm with 10,001+ employees

There is another solution from Palo Alto for endpoints, XDR, that integrates with the firewall, thus providing protection at the network level and also at the endpoint, but the XDR solution is only a cloud-based solution. I would really like it if it would be possible to implement this solution on-premises. This is something that I would love to see with Palo Alto Networks NG Firewalls.

The price could be lower.

Software Engineer at a comms service provider with 51-200 employees

The scalability is limited and depends on the size of the firewall that you will buy. 

The solution is very expensive. There are cheaper options on the market.

System Administrator at a mining and metals company with 51-200 employees

Its price can be improved. It is expensive.

Other vendors have pre-configured policies for the protection of web servers. Palo Alto has an official procedure for protecting the web servers. Many people prefer pre-configured policies, but for me, it is not an issue. 

Server Administrator and Operation Manager at a computer software company with 501-1,000 employees

I can't recall a feature that was missing. It's a pretty complete solution.

The cost of the device is very high.

To buy license support is very slow. For renewing devices and products, it's slow in terms of contacting and activating upgraded devices.

Senior Network & Security Administrator at a consultancy with 1,001-5,000 employees

In terms of what could be improved, comparatively the price is very high. That would be the one thing. But technically-speaking, it's perfect.

Security Presales Solutions Architect at a tech services company with 201-500 employees

They can work on the price. They are a little bit expensive, and not all customers are able to afford this solution. Taking into consideration that there is huge competition in the market and there are multiple firewall companies that are much cheaper than them and offer almost the same features, it would be good to improve the price.

Technology consultant at a tech services company with 501-1,000 employees

The support could definitely be improved. Whenever I call the tech engineers, there's a long wait time. For an additional feature, I'd like to see the segmentation in policy. Check Point has a good feature for segmenting policies that I'd like to see implemented in Palo Alto. It would make things easier for the operation team to create & identify particular policies, or to place a policy in that segment. Finally, there are limitations to the hardware: the number of objects & policies we can create is limited, which is not the case with Check Point or FortiGate.

Network Engineer at a tech services company with 201-500 employees

I think visibility can be improved. If I use the Panorama monitoring dashboard, it's still the same with or without Panorama. Even with monitoring, we don't get any valuable information. 

If I am a customer, I will take many variables into considerations. If I choose to use Panorama, there should be a difference between when I use it and when I'm not. If I'm a customer who paid for Panorama even when I have many firewalls, I won't get good visibility of the information I need to easily monitor our security environment.

My customers have been attacked by ransomware. It's difficult to understand how the ransomware got through Palo Alto Panorama and Palo Alto dashboard monitoring from reporting. It makes it difficult to conclude what happened on the traffic which passed through Palo Alto. As such, I have to generate an all block report CSV file and analyze it through Excel.

Chief of IT security department at a financial services firm with 1,001-5,000 employees

They could improve their support and pricing and maybe integration. It's a little more expensive than Check Point but the quality is better. Integration with firewall endpoints could be better. Palo Alto does have very good malware or antivirus protection. I think they could improve on that front.

Sr. Solution Architect at a tech vendor with 501-1,000 employees

The GSW needs some improvements right now.

The endpoints could use improvement. The solution is mostly a cloud solution now, and there are a lot of competing solutions that are playing in the space and may be doing things a bit better.

The pricing could be improved upon.

Partner Alliance Director at a comms service provider with 1,001-5,000 employees

The ability to check cases could be improved upon. We find that most of the packets we have to directly open with the PA. Until then, it's possible that there cannot be any support.

Take, for example, the XDR. The XDR is the real power to all our solutions from PA, however, when we are using their XDR, we have directly to contact PA. It's like this for the licensing or for any technical issues.

The solution could offer better pricing. We'd like it if it could be a bit more affordable for us.

The solution should offer SD-WAN.

Vice President and Head - IT Telecom, Software License Management and Collaboration at a tech services company with 10,001+ employees

The interface contains some decentralized tools, so simplifying it would be an improvement.

I would like the option to be able to block the traffic from a specific country in a few clicks.

Some of the implements under artificial intelligence should provide better visibility in terms of my traffic, such as where it originates and where it is going.

Better integration with industry tools would allow me to do quicker automation and reduce my operational costs.

Network Security Engineer at a tech services company with 1,001-5,000 employees

I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.

System Engineer at IRIS

The price is expensive and should be reduced to make it more competitive.

Information about Palo Alto products is more restricted than some other vendors, such as Cisco, which means that getting training is important.

The traps should be improved.

I would like to see better integration with IoT technologies. Having a unified firewall for OT and IT would be very good.

Director, Middle East, East India & SAARC at a tech company with 51-200 employees

The VPN connectors should be better. We had some challenges in terms of the VPN with Palo Alto Networks NG Firewall, and that's one of the main reasons why we moved to Sophos.

Its load handling can also be improved. There were challenges when traffic was high. During peak business hours, it did not function very well. There was a lot of slowness, and the users used to complain, especially when they were connecting from outside. We even reported this to the support team.

Their support should also be improved. Technical support was a bit of a concern while using this solution. We didn't get very good support from the Palo Alto team.

Vice President of Digital Transformation at Sysnet Global Technologies

The features should be built into the system. For example, it generates many logs with a lot of information that can be converted into security and business information and shown to the user. This is a time-consuming job.

I would like to see it provide us with intelligent information from the data that it captures, within the same cost.

Security Consultant at a computer software company with 201-500 employees

Either the application or the vendor needs to provide a more updated list of internet applications.

The price of the solution is very high.

Network Engineer & Security Specialist at a tech services company with 51-200 employees

Its stability can be better. Their technical response from the support side can also be better.

Cyber Security Solutions Architect at a tech services company with 10,001+ employees

I don't see any specific room for improvement.

The user interface is probably not as slick as it could be.

Service Delivery Engineer - Network Security Lead at a tech services company with 51-200 employees

The interface could be improved visually and simplified. It sometimes feels like some of the features are hidden and not easy to find. 

Sr. Product Management Specialist at a comms service provider with 10,001+ employees

Its scalability for on-prem deployments can be better. For an on-prem deployment, the hardware has to be replaced if the volume goes up to a certain level.

Technical Manager El Salvador at a tech services company with 51-200 employees

Currently, they don't have email protection. They can maybe add it in the future. Currently, if you want to do so, you need to go with another solution.

Senior Network Engineer at a tech services company with 201-500 employees

They've improved a lot of things but we'd like to see more mobility between on-prem and cloud based. I'd also like to see security synchronization between the firewalls. Managing can be difficult. 

Director IT Security at a healthcare company with 501-1,000 employees

As things are evolving, we want to make sure that Palo Alto is able to keep up with what is going on outside. They should continue to do more intelligence-related enhancements and integrate with some of the other security tools. We want to have a more intelligent toolset down the road.

Network Manager at a financial services firm with 1,001-5,000 employees

Palo Alto could do better with integrating the Palo Alto Next-Gen Firewall with SD-WAN.

The biggest issue with Palo Alto is that they are expensive. They are very expensive for what they offer. They should improve their pricing.

Senior Staff Security Engineer at a renewables & environment company with 1,001-5,000 employees

Its software updates can be improved. It sometimes becomes very slow with the software updates for different features.

It should have an External Dynamic List of data. The malicious IP is not frequently getting updated in Palo Alto, and this should be done.

IT Architect at a computer software company with 501-1,000 employees

For an upcoming release, they could improve on the way to build security rules per user. Palo Alto has this functionality but in implementation, we had some problems. This functionality should be better in our opinion.

Lead Consultant at a tech services company with 1-10 employees

Having a better pricing model would make this product more competitive, and more affordable for our customers.

System Engineer at a non-profit with 10,001+ employees

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device.

The hardware is weak.

In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security.

I would like a collaboration system and reporting ASA policy needs to be smarter.

Director of Information Technology at a hospitality company with 10,001+ employees

It would be better to have more tools to control Palo Alto Networks NG Firewalls. We don't have too many tools to access Palo Alto. For example, the IT team doesn't have access to it. We can see it physically and see if it's running or not. We need to contact a special team to receive that information. I would also like to see more reporting in the next release.

Technology Engineer at a computer software company with 51-200 employees

They need to provide documentation for the CLI, as we get most of the commands from Community Forums.

Network Security Engineer at Next Step

People sometimes find it more expensive as compared to other solutions. There are also fewer training opportunities for Palo Alto than Cisco and other vendors.

Senior solution architect at a comms service provider with 51-200 employees

There are some options available in other firewall products that are not supported, so there is room for improvement in that regard.

Technical support could be faster.

The cost of this firewall could be cheaper.

CIO/CTO at a manufacturing company with 501-1,000 employees

The way that the roles are made, specifically with how you specify the path, could be simpler.

Head of IT Infrastructure at a financial services firm with 1,001-5,000 employees

I don't like the reporting. The reports it provides are not helpful. They should include more executive summaries and other important information — they're too technical.

Network Engineer at Vibs

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

Cyber Security Trainee at Macroview Telecom Limited

I would like to see better third-party orchestration so that it is easier for the team to work with different products. 

Improvements should be made in the Cortex module.

Marine Consultant/Captain/Senior DPO at Jan Arild Hammer

Its price can be better. They should also provide some more examples of configurations online.

Network Security Engineer

The areas that need to improve are network protection and user identification.

In the next release of the solution the VPN could improve because it is not as good as competitors.

Team Leader at a tech services company with 501-1,000 employees

The solution is not straightforward.

ITSM Engineer at a comms service provider with 11-50 employees

They can improve the handling and management of User-ID. They should also improve its price. Their technical support can also be improved.

Senior Network Security Engineer at Locuz Enterprise Solutions Ltd

In the future, I would like to see more OTP features.

The price of this product should be reduced.

Assistant Manager at Net One Systems

The whole performance takes a long time. It takes a long time to configure. 

Vice President, Security Engineering at a financial services firm with 1,001-5,000 employees

I wish that the Palos had better system logging for the hardware itself.

Regulatory Specialist at a healthcare company with 501-1,000 employees

When it comes to their support, we have to select every single component that we want to include in a particular bundle. That is a very tedious process. The vendor will help us identify the product and the features, but it could be better. The price could also be better.

Cloud Security Engineer at a tech services company with 1,001-5,000 employees

In the cloud, the HA could be a lot better. 

Its price could also be better. It is very expensive.

System Engineer at a tech services company with 11-50 employees

The solution could be simplified.

Information Technology Project Manager at JSC "Penkiu kontinentu komunikaciju centras"

An additional feature that should be included in the next release is spam filtering. 

Sr. Security and Enterprise Architect at a security firm with 11-50 employees

In Mexico, Palo Alto's discounts are significantly lower than Cisco's. They are also more expensive – about 15% or 20% – than Cisco, but their platforms are very similar.
