This is our core firewall for the data center network.
We have two on-premises appliances set up in a high availability configuration.
Download the Palo Alto Networks VM-Series Buyer's Guide including reviews and more. Updated: June 2022
The VM-Series is a virtualized form factor of our next-generation firewall that can be deployed in a range of private and public cloud computing environments based on technologies from VMware, Amazon Web Services, Microsoft, Citrix and KVM.
The VM-Series natively analyzes all traffic in a single pass to determine the application identity, the content within, and the user identity. These core elements of your business can then be used as integral components of your security policy, enabling you to improve your security efficacy through a positive control model and reduce your incident response time though complete visibility into applications across all ports.
In both private and public cloud environments, the VM-Series can be deployed as a perimeter gateway, an IPsec VPN termination point, and a segmentation gateway, protecting your workloads with application enablement and threat prevention policies.
Warren Rogers Associates
This is our core firewall for the data center network.
We have two on-premises appliances set up in a high availability configuration.
The VM-Series enables us to extend consistent next-generation protection across different infrastructures with a unified policy model, which makes it very easy for us. It is very important that we have this single pane for monitoring all of the network resources and multiple devices because, today, it's a complex environment where you have to take care of many devices.
This solution makes it very easy to quickly migrate workloads to the cloud.
Since we updated the system, the network has been very stable. Previously, there were issues with traffic throughput. With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly.
This is a firewall product and every OEM has claims about their special features. This device is very user-friendly and offers ease of monitoring.
Changes to the configuration happen quickly.
There is a single pane of glass for reporting, which is quite good.
The interface is user-friendly.
It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait. Having a dedicated number where we could send a text message in the case of an emergency would be helpful.
We have been using Palo Alto Networks VM-Series for approximately six months.
We are very much satisfied with the stability and performance.
This solution is quite scalable because it has options for deploying in a VM as well as an appliance. The interfaces are all license-based, which means that features can be added just by obtaining another license.
Our current environment has more than three gigs of traffic.
We have a team of four or five people that is responsible for the network. They are continually monitoring the firewall and updating the policies, as required.
Pala Alto has very good support. Generally, the response is very good and they address our issues as soon as we contact them. For example, they assisted us during our deployment and it was a very good experience.
My only complaint about the support has to do with complications that we had with communication. Sometimes, support was done over email, and because of the difference in time zone, there was occasionally a long gap in time before we got the proper response.
We used to have Cisco ASA and Firepower, and we had some issues with those firewalls. Once they were replaced by Palo Alto, we didn't have any problems after that.
Compared to the previous devices that we have used from other vendors, Palo Alto is very user-friendly, and we are comfortable with the features and capabilities that it offers.
The initial setup is very straightforward and we had no issues with it. It is not complex because the procedures are properly defined, the documentation is available, and there is proper support. Our initial setup took about 15 days, which included migrating all of the data.
Our deployment is ongoing, as we are adding policies and dealing with updates on a day to day basis. We have a very complex environment that includes a firewall for the data center, as well as for the distribution networks.
The Palo Alto team supported us through the deployment process.
Palo Alto definitely needs to be more competitive compared to other products. The problem that I have faced is that the price of licensing is very high and not very competitive. When a customer wants to implement Palo Alto, even a small box, there are several licenses, and having all of them is sometimes really hard to justify. It is difficult for some clients to understand why such a small box costs so much.
For instance, they have the dashboard license, and then they have the user license, and so on. If the pricing were more competitive then it would be good because more customers would use the product, rather than use simpler firewalls.
We have worked with firewalls like Sophos, FortiGate, and Cisco ASA. We have dealt with almost all of the vendors but at this point, our experience with Palo Alto has been the best one. Palo Alto has been doing what it claims to do, whereas the other vendors' products have various shortcomings.
For example, some vendors do not have the performance that they claim in terms of throughput. Sometimes, the user interface is complex, or the device needs to restart whenever you make changes. With Palo Alto, it's simple to use and easy to get things done.
We have not yet used Panorama for centralized management but in the future, we may do so for other projects.
My advice for anybody who is looking into purchasing a firewall is to carefully consider what their requirements are. I have seen that when a customer procures a firewall, they initially choose products like Sophos. Over time, they engage in trials with the majority of the vendors and finally end up with Palo Alto. This is only after spending a lot of time and money on other products.
If instead, a client is aware of the requirements including how much traffic there is and what throughput is needed, it's better to invest in Palo Alto than to try all of the cheaper alternatives. Then, evaluate everything afterward and finally select Palo Alto. This, of course, is providing the client doesn't have limitations on the investment that they're going to make.
I say this because generally, in my practice, what I've seen is that when choosing a firewall, the clients first choose a cheaper alternative. Then, after some time they think that it may not be what they wanted. This could be brought about by a throughput issue or maybe some threats were not blocked or they have had some security incidents. After trying these firewalls, they replace them with another, and yet another, until finally, they settle on Palo Alto.
Essentially, my advice is to skip the cheaper vendors and go straight to Palo Alto.
In summary, this is a very good product and my only real complaint is about the cost. If it were more competitive then more customers would choose it, and those people suffering losses as a result of security incidents would be saved. I find the real reason that people don't choose the right product is due to the cost factor. Even when they know that the product is the best choice, because of the limitation that they have on the investment they can make, they're not able to choose it.
I would rate this solution a nine out of ten.
We are a service provider and I work on both shared firewall and dedicated firewall solutions for our customers. The primary focus is firewall threat protection. The rest of the features are used, albeit not too much. At this moment, it is not an overly complicated or advanced solution.
What I like about the VM-Series is that you can launch them in a very short time. You don't have to wait for the hardware to route for them to be staged and installed. From that perspective, it's easy to launch and it's good because it is more scalable.
The product is quite responsive.
The one issue that I didn't like is that the SNMP integration with interfaces didn't record the interface counters. It seems that you really need to upgrade to the very latest version, whereas the physical one has worked for ages now. I think that it narrowly affects the Azure deployment because I remember that we were using the VMware solution before, and we didn't have such issues.
I think that the most important point for Palo Alto is to be as consistent and compatible as possible. It should be compliant such that all of the features are consistently available between the physical and virtualized deployments.
It is not always easy to integrate Palo Alto into the network management system. This is significant because you want to compare what your network management system is giving you to what Palo Alto is giving you. Perhaps in the GUI, they can allow for being able to monitor the interface traffic statistics.
The other things are pretty much great with traffic calls and sessions, but just being able to look at it on an interface physical level, would either avoid using the monitoring integration by SNMP or would create a reference, a baseline check. This would allow you to see whether your network monitoring system or tool is actually giving you correct traffic figures. You need traffic figures for being able to recognize trends and plan the capacity.
I have been using the VM-Series for almost five years, since 2016.
We have not had trouble with bugs or glitches.
The scalability is good. We haven't experienced any constraint limitations for scaling.
I have been in contact with technical support and I find them to be quite good.
In my previous work, I dealt with both physical and virtual systems. However, currently, I am only working on virtual solutions.
I have found the initial setup to be okay. But, then again, I have been using Palo Alto firewalls since 2014, so it's hard for me to say if it is difficult to become familiar with or not.
Our in-house team is responsible for maintenance. We usually have three people who are able to work on it and do so from time to time, depending on the requirement.
I don't have too many complaints as I compare the virtualized version to the physical one. Perhaps I haven't noticed any issues because we use the proper hardware, and it was strong enough to carry the workload and remain quite responsive.
My advice for anybody who is implementing the VM-Series is to be very well prepared and test it in advance. Make sure to scope it and understand the performance implications. Also, be sure that the core features are understood and are supported on the VM. Then, test it before implementation or migration.
This is a very good product but I can't rate it as perfect because there are these little issues that are pretty common and you expect things to work, but they don't because of some incompatibilities. I think there was also some limitation on how you can do the high availability on virtualized power, in Azure in particular. If these common features were consistently working on both physical and virtual deployments then I would probably rate it a ten out of ten.
As it is now, I would rate this solution a nine out of ten.
We are using it on Azure Cloud for our internal systems, where we have set up our internal workloads. We are using it as a perimeter firewall.
We are using it because our internal workflows are on the cloud. Almost everything in our production and development uses these instances. We are using it extensively for conducting reports of the development environment. It is working fine.
It improved all compliance activities. We can close open cases. Compared to other firewalls in these cases, it improved our score on the compliance side.
We are using the complete box. We are mostly using the security services and firewall rules in Panorama.
We need to look at different variables and granular policies of various tools. This makes it easy to understand.
We use Palo Alto’s Panorama centralized management system. We have an on-prem firewall where Panorama is very good for pulling logs in from the cloud so we can see what is going on. It gives us visibility into that as well as showing us what attacks are coming in.
Palo Alto’s Panorama centralized management system simplifies our security posture based on our requirements. Instead of manually pulling logs, then generating them into readable formats, it gives us the console in a readable format to view.
We have been using it for the last two years.
Stability has so far been good. We monitor the resources on the firewall to determine if there will be any spikes on the CPU, RAM utilization, or the load of the firewall. Though, we are yet not putting much load on it.
I don't think that scaling will be a problem since we can adjust the VM-Series model that we want.
I have around 100 instances protected behind this device.
The customer support is good. They are able to give fast, readily-available solutions upon the creation of a help ticket. I would rate them as 10 out of 10.
Positive
We did a fresh setup for this, but it was pretty easy. We could easily integrate with the VM-Series, then just create our business servers. We were able to do this with the help of the tech team.
It took around seven to eight hours to deploy this solution and configure it to our environment.
We feel that the setup was complex. So, we asked the tech team about the setup process. They explained how to deploy it in the right way, which made it very simple. Once we had a checklist of what to do, it was pretty easy to deploy.
Deploying Panorama has saved us a lot of time. When any incidents happen, our people are comfortable going to the Panorama logs and view the incident report to see what happened.
Initially, pricing was high. Later on, we were able to negotiate the pricing and get something that fits our budget.
The solution provides protection and there wasn't an additional cost involved, in terms of security.
We evaluated FortiGate, Cisco, and the stuff that we are using. Compared to other products, we found it a very useful part of our compliance requirements and liked its format on the graphical interface. It is also a more secure firewall compared to other existing ones in the market. Based on our evaluation, it matched our compliance requirements.
Cisco is pretty complex in nature to deploy. It is helpful to have a skilled person with at least two years of experience.
We are happy with their features for how we are using it and what we have deployed.
I would recommend giving the solution a try and see the difference between it and your existing firewalls. Give it a shot and see the difference.
In the firewall market, it is the number one product right now. I would rate it as 10 out of 10.
It is deployed on the Azure cloud to inspect the outbound traffic, but in the near future we will be working to inspect inbound and Azure Express Route traffic as well.
With Palo Alto VM-Series, we are capable through a single point of management and visualization both in infrastructure and on premises and in the cloud. This allows us to improve the speed to create new rules, speed up the resolution of problems, having a holistic vision of our firewall infrastructure.
Its security features, i.e. antimalware, threat prevention, URL Filtering, VPN, antivirus are the most valuable. The ID-User integrated with AD and 2FA feature is also very useful to provide access to servers and some users in the company.
It can be improved in areas such as DevOps and quality assurance. The installation rules deployment process we also improved when we deployed these firewalls. In terms of new features, for simplicity reasons, it is faster, because as I mentioned above we can reused the same rules and the same objects from the local PAN that has a Panorama such as the single point of supervision.
We are looking for ways to integrate with other cloud in the future. For this, we will require a more secure integration and encrypted connections with other companies.
I have been using this brand for more than ten years in on premises (appliances). Now, we are expanding this features to our Azure tenant with PAN VM-Series + Panorama.
It is stable and robust solution. Through Panorama manager, we can scale up automatically if the demand increase. At the moment, we do not have any problems with its stability.
We currently don't have many end-users of this solution. It is being used mostly for servers. We have around 100 servers. In the future, we plan to have more users. Our company has around 10,000 people.
PAN provides good support in general through its partners in Chile
No, the same brand is deployed, but in this case the change was a high availability architecture under Azure VM Scale Set mode.
We had some complexity because we had no experience in implementing it in the cloud, but with the support of the partner and the endorsement of the brand it was solved quickly. It took us a couple of weeks to implement it, and then we started testing. (traffic stress, fault escenarios, scale up, vulnerability assessment, etc.)
We took the professional services of a PAN partner or reseller in Chile. We had a good experience with them. They provide good support and have a qualified team working in security, together with the internal team of our company.
Its cost is $75.000. This is the total cost, and it includes the license, implementation fee, and support for two years.
We also evaluated Check Point, Fortinet, and Azure Firewall. We needed a single point to manage the on-premises firewall and cloud firewall. Our focus was simplicity without losing the security.
Fortinet is growing in the industry. Many companies in Chile are adopting this brand. Our company has not yet adopted this solution. Our maintenance teams don't know this technology, which would have been a problem.
Check Point is a good brand. Their product is robust, but we found an issue in using their firewall manager with the hybrid architecture like ours, where we have both on-premises and on-cloud deployments.
Both are also a leader in Gartner Quadrant and Forrester together with Palo Alto.
Azure Firewall needs to improve.
Good support from the brand and local partner in Chile.
I am a firewall expert, although my job is not on the management side. I take care of the routing and switching aspects. We have approximately 1,000 firewalls in the company.
This product is a complete security system, wherein we provide direct internet access to our hub site.
The most valuable feature is that you can control your traffic flowing out and coming out, allowing you to apply malware and threat protection, as well as vulnerability checks.
It has an advanced engine that does parallel processing for packet and deep packet inspection. It also supports user authentication.
The disadvantage with Palo Alto is that they don't have a cloud-based solution that includes a secure web gateway. For example, if a person is working from home and you want a proxy then you have to rely on a secure web gateway. Palo Alto cannot do that because they don't have a cloud solution. So, if you want direct internet access and if you also want the proxies then Palo Alto is not a good choice.
I have been working with the Palo Alto VM-Series for four years.
The stability is absolutely good and there is no problem with it.
We have almost 3,000 branch offices set up across the globe.
Our intention is to increase usage of Palo Alto, adopting it for security in all of our future products.
Technical support from Palo Alto is very good.
We did not use another firewall product before this one.
With any organization, if you want to change the firewalls that are being used in production then it's a hectic task. You have some rules and engines that can be used, but it's a step-by-step process.
Migrating from an existing solution to Palo Alto needs to be done in phases. Phase one would be installing the devices. Phase two is testing a lab setup and diverting traffic, then analyzing it. Finally, the third phase is to enable other features like threat protection, malware detection, and other advanced options.
Depending on the size of the organization, if a migration is well planned then it will take three to four months to complete.
The configuration is different between our branch offices in order to meet our requirements. Some use the hardware appliance, whereas others use the software version.
We had a Palo Alto engineer who was assisting us, in-house, for our deployment. We also have support from our vendor, which provides LAN and WAN solutions.
We considered using Cisco ASA, but we chose Palo Alto because it can also act as a proxy for your hub site. Palo Alto is more advanced than the Cisco solution.
This is definitely a product that I can recommend.
Overall, it is a good product, although it would be better if they offered a cloud proxy.
I would rate this solution a seven out of ten.
We primarily use the solution for IT. I am from the Palo Alto Partner end, so I am not using it deliberately. I usually deploy to clients in various industries, including the payment gateway industry.
In Palo Alto the most important feature is the App-ID. It's the biggest selling point in my opinion.
Another important application feature is the Content-ID.
The solution offers great templates.
Overall, the solution has a lot of great features on offer.
Even when the solution locks away a virus, there seems to be a delay for four or five minutes. It should be as little as one. Right now, it's such a long delay. It can be frustrating for clients and I need to answer a lot of questions surrounding that.
The solution needs to have more easily searchable details or documentation about it online, so it's easier to Google if you have queries.
The solution requires more use cases.
I've been on this Firewall for the last two years.
The stability is very good. There aren't bugs, glitches, or crashes. It's very reliable.
Although I haven't personally tried to scale the solution, my understanding is that it's easy to do so. It's convenient for enterprises. It's my understanding it would scale especially well for enterprises.
I've had to reach out to technical support many times. Sometimes, I find that it can take a while to reach support, or for them to get back to us. This is especially true on weekends and holidays. Other than that, it's been pretty good. We're pretty satisfied with the level of support we get.
I only have experience with Palo Alto; I don't know much about other VM firewall solutions.
The initial setup is not complex. It's quite straightforward. The deployment process is great. It only takes about five to ten minutes or so.
I handle the maintenance and troubleshoot any issues that arise.
I mostly figured out the deployment myself and used Google to assist when I had questions.
I don't have any dealings with the accounting side of the solution. That's handled by someone else. I'm not sure what the cost is or if we pay monthly or yearly.
We're partners with Palo Alto. We're using the latest version of the solution.
We have a VM-Series via Palo Alto and K2K and the hardware Series.
I'd rate the solution seven out of ten.
We use the solution for hands-on testing purposes and also for activating firewall re-entries, which is easy to accomplish. We only need to turn up the VM to the firewall. This serves users who are working at home due to the COVID-19 pandemic. We also utilize the solution in respect to several servers which are behind the firewall.
A valuable feature of the solution is that it is not dependent on the hypervisor so we can install it on Hyper-V Microsoft software and deploy it. We have even installed it on Nutanix 81, in which it is supported. It is not dependent on the platform and is stable.
When we activate the solution on Amazon, instead of AWS, GCP or another type of public cloud, we encounter problems, as our engineers are not yet completely hands-on in respects of the public cloud platforms. Still, they can configure the firewall just fine.
Integrative capabilities with other solutions should also be addressed.
I have been using Palo Alto Networks VM-Series for the past five-and-a-half years.
The solution is reliable.
We have tried to scale. The Western side of migration is very easy in terms of scalability. Our customers may increase their licensing counts in tandem with their increased performance requirements from the firewall. In this case, they would procure a VMP and the license. The activation of the firewall would be accomplished by the tech in the back-end. The customer would get the migration capabilities and procure the license without experiencing any downtime.
There is room for improvement from the side of technical support.
The initial setup was straightforward.
The deployment takes two days. This includes installing the solution on the OVO files, upgrading the firewall panel records, activating the license and configuring basic policies and rules. However, our setup was basic and did not involve business activity, which would necessitate a technical business setup. In such case, the process from start to finish may take a customer up to 10 or 15 days.
The VM series is licensed annually.
The option exists to procure a basic license. With this, the firewall feature comes with the application and the board, with everything in code. A subscription is included.
The solution is cost effective in comparison to others.
We deploy the solution on-premises for customers and organizations, although we also do so via AWS.
There are around 16 users connected to the VMP firewall.
The security feature is really good, although there would be a bit of a learning curve when it comes to the cloud.
I rate Palo Alto Networks VM-Series as a nine out of ten.