What is our primary use case?
We have a customer in Sri Lanka who uses it. They are banks with multiple branches and use the Palo Alto firewall to connect them in the local area. It's also used to connect their local area network and servers. Basically, it's a standalone firewall for their setup.
Another customer is Maliban, a textile and garment company in Sri Lanka. They also use a standalone PA-800 series firewall. I haven't personally enrolled it, but I can manage it since I have experience working with the VM version in a VMware setup. Palo Alto is not only a hardware product; it can also be used in a VM environment.
Additionally, there's CELSI, which has a PA-5500 series firewall. I enrolled that one when I first started my current job.
Overall, our enterprise-level customers mainly want to secure their bank branches, local networks, and websites. They primarily use standalone firewalls, and I haven't had any issues managing them so far. Even though I haven't personally enrolled all of them, I'm confident I can handle any recommendations or configurations needed.
How has it helped my organization?
It handles security threats really well. WildFire keeps updating all the security threats in the cloud environment. If we receive any latest attacks, we can forward them to the cloud and check them in Panorama. The WildFire updates are excellent for security. That is the feature they have, as per my understanding.
What is most valuable?
The URL filtering and antivirus capabilities are great.
Users can also create custom applications and mold them as needed.
We've done QoS configurations for specific traffic, prioritizing or deprioritizing certain applications like YouTube.
We also configure GlobalProtect for remote VPN clients, and some customers even require access to the company network through GlobalProtect. I've also worked with WildFire, URL filtering, antivirus, file blocking, QoS, and VPN. Recently, I configured a VPN with Azure.
Palo Alto has predefined applications that you can control at the application level. You can manage policies and specifically mention which applications to control. If you need to configure a custom application that's not already in Palo Alto's database, you can create one. Sometimes an application doesn't come pre-defined, so you need to create a custom application using signatures or packet captures.
What needs improvement?
Palo Alto can improve the web application firewall (WAF) feature at layer 7. Currently, I don't think it's available. If they can improve that, it would be better. We wouldn't need to purchase a separate WAF solution because they already have advanced URL filtering.
But I don't think that advanced URL filtering has the same features as a dedicated WAF, like F5 or other solutions. That is an area for improvement.
If they can improve the WAF feature, customers won't have to buy a separate WAF solution. They could do it with the same Palo Alto firewall, perhaps through a subscription-based model.
So the web application firewall feature has to be improved.
For how long have I used the solution?
I have experience with a Palo Alto model; it was either a PA-2250 or PA-2220, something like that.
I have over five years of experience with Palo Alto.
What do I think about the stability of the solution?
It is stable. It's a top-notch product from a leading vendor. If it wasn't stable, it wouldn't be a leader in the Gartner Magic Quadrant.
The PA-800 had some performance issues, but the other models are better. I would give it an eight or nine.
What do I think about the scalability of the solution?
Scalability is somewhat limited. The PA-800 and PA-220 models are not modular, so we can't scale them by adding components. In an HA environment, we can add multiple firewalls for scalability. We can also improve performance by adding Ethernet ports or fiber ports.
However, I don't think it's possible to upgrade the CPU or memory on our current systems. Other models might allow for that, but I'm not sure. So, there's some level of scalability, but it's limited.
How are customer service and support?
We don't get direct support from Palo Alto. We go through a distributor in Sri Lanka. So, I don't have much experience with their support team directly. I think their support is good.
Which solution did I use previously and why did I switch?
I have experience with Juniper SRX Series Firewall (Juniper), SonicWall, Juniper, and Sophos firewalls and F5 Advanced Web Application Firewall. We are an F5 partner in Sri Lanka.
In the last twelve months, I've worked with Palo Alto and Juniper SRX. The SRX model was a smaller one, either a 250 or something similar. I also worked with the Elastic stack a long time ago, but not recently.
How was the initial setup?
It's a very user-friendly setup. The configuration and troubleshooting are very easy. Compared to my experience with Juniper, Palo Alto is much better and easier to set up. I have experience with multiple firewalls, so I recommend Palo Alto.
Even an administrator with less experience can manage Palo Alto using the knowledge base articles. It's very user-friendly. Installation is easy, and troubleshooting is straightforward with the traffic monitoring capabilities. We can easily filter traffic and drill down using custom filters.
They also have good monitoring features. We can monitor traffic, including the number of packets and users, directly from the Palo Alto interface. This eliminates the need to purchase additional hardware for monitoring.
Palo Alto has some level of built-in monitoring capabilities. We can monitor traffic, including the number of packets and users, directly from the Palo Alto interface. This is good because it eliminates the need to purchase additional hardware for monitoring.
What was our ROI?
From my perspective, with Palo Alto, we can manage security at the user level, unlike regular firewalls that only offer IP-based control. We can create combinations of IP and user policies. Palo Alto also has the latest advanced features that are usually found in separate security devices.
Their URL filtering features are excellent, and they keep their cloud-based threat intelligence updated, which we can use in our environment. If users [our customers] weren't using Palo Alto, they'd have to purchase additional devices to protect against the latest attacks, incurring extra costs. With Palo Alto, they save money by not needing to buy those extra devices.
Moreover, we can manage security at both the application and user levels, which isn't possible with other firewalls. Performance is generally good, although we recently had a tech case where the PA-800 was a bit slow. However, I believe their other firewalls perform very well. They have a feature called "multiprocessing" that allows them to run many features independently.
Customers will get benefits from it, but not immediately. They will see the return on their investment within three to five years. Palo Alto is a good product for security, and it's a good purchase. It's better to go for the latest firewalls like Palo Alto or Check Point. They will see the benefits within five years.
What's my experience with pricing, setup cost, and licensing?
It's not cheap. In Sri Lanka, it's expensive compared to other firewalls. But considering the features and the potential ROI, it's a good price. If customers are getting more benefits from it, then it's worth the cost.
What other advice do I have?
It's about what you pay and what you get. You get more features, and it's easy to manage. Even a less experienced technical person can configure and implement it. Compared to other firewalls like Juniper, which rely more on command lines, Palo Alto is much more user-friendly.
It's user-friendly. And the support is good. Overall, it's the best.
Overall, I would rate it a nine out of ten.
*Disclosure: My company has a business relationship with this vendor other than being a customer: