Buyer's Guide
Firewalls
June 2023
Get our free report covering Fortinet, Netgate, OPNsense, and other competitors of Sophos XG. Updated: June 2023.
709,643 professionals have used our research since 2012.

Read reviews of Sophos XG alternatives and competitors

Josh Evans - PeerSpot reviewer
CEO at DragonTech IT Services, Inc
Real User
Top 10
Its simplicity, variety of features, and low pricing have enabled us to improve the security for our small business clients at a price that they are happy to pay for
Pros and Cons
  • "The majority of our clients are very small businesses, and Untangle devices have been fantastic for these small clients. We've basically standardized our stack to just simply use Untangle. We include the hardware and the service option, which makes it very easy and affordable for us to just simply push that into the monthly per-user costing that we provide as a managed services provider. It's really a no-brainer. They're easy to use, and they're easy to set up and configure. Support is generally good about resolving any issues that we have. We haven't had any real complaints."
  • "It does have multi-factor authentication in some areas, but I would love to see a more widely implemented version of that on the devices themselves."

What is our primary use case?

We are an authorized partner of Untangle, and we primarily work with small businesses that have limited needs. We have deployed Untangle NG Firewall z4 Plus to the majority of our clients. With simple hardware and a monthly service fee, it's very affordable for our clients. 

The software versioning is 16.5. We have deployed them primarily on-premises. We have a couple virtualized and on ESXi servers, and that's pretty much it. They're fully managed from our cloud database directly on untangle.com/cmd.

How has it helped my organization?

Its ease of use, variety of available features, and low pricing have enabled us to improve the security for a lot of our very small business clients at a price that they are happy to pay for. The big thing for us is that we're providing a good quality security service to them without spending thousands of dollars per year on hardware and licensing, which we would spend with something like SonicWall, Palo Alto, etc.

What is most valuable?

It is very easy to use. The user interface is very straightforward. It may not be as fancy as some of the ones I've seen, but it's very straightforward. It's very easy to find what you need, and it's very easy to get things done.

The majority of our clients are very small businesses, and Untangle devices have been fantastic for these small clients. We've basically standardized our stack to just simply use Untangle. We include the hardware and the service option, which makes it very easy and affordable for us to just simply push that into the monthly per-user costing that we provide as a managed services provider. It's really a no-brainer. They're easy to use, and they're easy to set up and configure. Support is generally good about resolving any issues that we have. We haven't had any real complaints.

What needs improvement?

I've heard other people saying that other firewalls have better detection rates, so better security. If they can improve the security of the device, I'm always for that, but at the moment, we've been happy with the service that we're getting out of them. 

It does have multi-factor authentication in some areas, but I would love to see a more widely implemented version of that on the devices themselves. 

It could use some improvement for Azure Active Directory Connections. It does exist, and it is available, but it needs work to be able to fully authenticate.

I know there are some advanced features that other firewalls have that aren't present in Untangle, but we've never noticed any feature that we need but isn't there. 

I also know a lot of people have complained about the cost per device because they license by device counts. So, once you get over a certain number of devices, it is not really a cost-effective solution.

For how long have I used the solution?

We have been using this solution for the past three years.

What do I think about the stability of the solution?

We have had one device go down in three years. I've never been certain if that was an issue with Untangle themselves or with the client location. I know for a fact that the client did unplug the device repeatedly because they did not want to listen to their tech support. They unplugged it repeatedly. They left it disconnected from the internet completely for several months. It was disconnected and turned off, and it came to a point where we were never able to remotely restore that connection. So, we had to go in and physically factory reset the device. That's the only issue that I've had in terms of stability, but I don't know if that's an issue with Untangle or an issue with the client themselves. We dropped that client shortly after.

What do I think about the scalability of the solution?

It is easy to scale. I ordered 10 of them in bulk just a month ago. We have about a hundred clients. 

We pretty much standardized it across our client base. We also provide some email services, Microsoft 365, and tech support to people who literally just work from their laptop from a Starbucks. They are the only clients who aren't using it. Any of our clients that have an office or home office have Untangle Firewall. We serve a lot of residential customers, and we've stuck the unlicensed version of the Untangle Firewall on their network. We manage those, and it's been great for the most part. The only way we would really increase that in our client base is by just increasing our client base.

How are customer service and support?

I would really like phone support for emergencies. I'm not sure if there is one. I don't think I've ever had to actually utilize it if there was. Having a direct line of contact or support, especially being a partner, would definitely be an improvement, but their tech support has been able to resolve every issue that we've had with them.

Which solution did I use previously and why did I switch?

Originally, we tested Untangle many years ago, but it wasn't a fantastic solution then. So, we didn't really utilize it and always stuck with pfSense, but over the past three years, we've been using, almost exclusively, Untangle devices for our clients.

Our clients were using a variety of solutions. They have been utilizing SonicWall. We have replaced a couple of WatchGuard firewalls. We've had people with pfSense, and we've had people with Cisco Meraki. We've seen most of the firewalls in the business, and I like Untangle.

How was the initial setup?

It was straightforward. You can basically set up a demo device with the settings that you want, take the config file, and export those configs and policies to any new device you deploy. So, the initial setup is not that complex. It is very simple and straightforward because the user interface is very simple and straight. 

When you get to whatever you like and how you want to configure it, you just save it as a policy set, save the config file, and deploy it within minutes. We order the device, get the serial number, apply the serial number to our portal, and then apply the policies, and we're done.

One person can handle the deployment. As a matter of fact, the end-user can handle the deployment, as long as the tech just tells them where to plug it in. The end-user doesn't need to do anything. As soon as it's connected to the internet, as long as it's plugged into the right place on the network, the deployment takes minutes, and we manage them all from the command center.

What was our ROI?

I'm not a financial type of person, but I can say that configuring a pfSense firewall is a couple of hours per location, and managing other firewall solutions is definitely more costly and time-consuming from what I've seen previously. We've definitely saved time in deployment, and we have also saved time in management. We save time and money in a variety of ways. So, we have definitely seen an increase in ROI. In addition, the fact that we're able to just simply include it in our monthly costs for what we charge our clients makes it all the better.

What's my experience with pricing, setup cost, and licensing?

Untangle is open-source software. So, you can get it for free. That has been a benefit, especially for the residential users because it is free. The license costs start at $25 a month for some additional features, including higher tiers of security intrusion prevention. The free version comes with intrusion detection, and then the license version has intrusion prevention. It also has some additional things for active directory connectors, etc.

It starts at $25 a month to cover 12 devices. Then it goes up from $25 to $50 a month for 12 to 25 devices. That's where it really doesn't scale out per site. If you have a site that has more than 50 devices on it, then Untangle quickly becomes cost prohibitive in comparison to several other competitors. They have a weird per-device licensing model, whereas most firewall vendors simply tell you that this is how many devices we expect you to cover and this is what your licensing costs. They don't tier it by the device. Firewalls have different costs and different licensing. So, in a way, it is the same, but Untangle is more upfront about it. They tell you that if you have X amount of devices, this is what your licensing cost is, whereas other firewall vendors tell you that if you're covering this amount of devices, you need this type of firewall that they make, and it's going to cost you this amount a month, which is going to be more, but the price comparison is definitely not favorable for Untangle once you go over 50 devices.

There is an additional cost of the hardware, which you can purchase upfront. You can pay for hardware as a service, or you can deploy it to your own hardware at no additional charge. We can deploy this for free, completely and utterly free and clear, just by simply running a VM and installing the free version of the software on it. So, there are literally no costs to it. The additional costs are basically just completely optional, except in the cases of industries where certain of these other security features are a requirement, but the only costs that you have to pay are the licensing costs. You can choose not to buy their hardware at all and just deploy it in a VM.

Which other solutions did I evaluate?

We evaluated pfSense, WatchGuard, and Sophos, and ultimately went with Untangle.

What other advice do I have?

I would definitely advise going for z4 Plus. The base z4 is good if you're going with the free licensing. It is a little bit lower powered. So, it's only good for the free tier licensing or very small offices with only a couple of devices. z4 Plus has been fantastic. We can turn on every feature that Untangle has, and it runs right along for months at a time.

I would rate it a solid nine out of ten. It has been fantastic for the uses that we put it to, which are primarily small clients. It does its job, and it does it well. I've had almost no issues in the past three years of running them except for one, and I'm pretty sure it was the client that caused the issue.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Director & CIO of IT services at Connectivity IT Services Private Limited
Real User
Top 20
The micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement
Pros and Cons
  • "ASA integrates with FirePOWER, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall."
  • "There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so you need to be slightly careful, especially on the site track."

What is our primary use case?

I'm a solution architect specializing in IT infrastructure designs. I create solutions for clients using Cisco and other products. I've developed solutions with various Cisco Firewall models. I may use an entry-level solution for smaller businesses, like the Cisco 555 Series or 5500. If it's a large enterprise, I may use the 4000 Series, or an ISR router integrated with a firewall for a branch office, and maybe an ISR router, which is integrated with the firewall.

I work with businesses of all sizes, but I see Cisco more often in medium-sized companies or large enterprises. Small businesses often pick Sophos or FortiGate because of the pricing. Large enterprises use Cisco and other products like Palo Alto or Check Point, especially for managing cloud architectures like GCP and AWS. 

If the customer only needs a plain firewall, Cisco ASA is sufficient. It can compete with FortiGate or Sophos. When I talk about a next-gen firewall, the basics include malware protection, instruction prevention, URL filtering, etc. Firepower is integrated to address these next-gen requirements. 

I may use the tabs for dynamic policy implementation in cloud environments depending on the clients' needs, but not typically VMware. I might get a false positive with the VMware operator and platform layer. If I stop some surveys, my production will stop. In such cases, I cannot just go by dynamic classification blindly. It would be better for the application layer, not the platform layer.

How has it helped my organization?

I don't have any metrics about how ASA has improved operations for my clients, but I can look at their market share relative to Check Point and other competitors. Cisco has a decent footprint today, and it reduced my customers' CapEx. I don't have the numbers. I'm just speaking relatively. Cisco can reduce operational expenditures by around 40 percent. I'm just giving a vague estimate, but I don't have any specific metrics.

Cisco offers two architectures. I can choose the Meraki track if I want an OpEx model or the traditional track, which is a CapEx model. Due to Cisco's tech acquisitions, I have various feature options within the same product. The DNA of Cisco combines the traditional Cisco architecture with the next-generation firewall.

Segmentation can be helpful for some clients. Let's use a financial organization as an example. We have traffic moving through the branch to the core banking. This is where we can employ segmentation. We can do security policy restrictions for branch employees to prevent them from accessing certain financial reporting systems. We can limit them to the branch level. 

I can enforce certain policies to prevent all branch traffic from reaching one layer of a particular segment by minimizing the overall traffic on the network. I can always control the traffic when I segment it. This set of capabilities is beneficial when a lot of financial algorithms are done.

What is most valuable?

ASA integrates with Firepower, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall. 

Deep Packet Inspection looks at the header information and inspects the contents of a particular packet. We can also look at traffic management. It can control end-user applications, and we can check device performance when we do this type of regression on our resources. This is what we look at with a DPI. It can help us reduce the overall OpEx and CapEx.

Traditionally, we needed multiple software and hardware tools. With these features, we can snoop into our network and understand each packet at a header level. That's called the service control engine.

Within Cisco's Service Control Engine Architecture, there's something called the Preferred Architecture, which has a supervisor engine. It's more of a network management tool. Cisco makes it more convenient to manage our resources. It has a nice UI, or we can go into the command-line level. 

Cisco's micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement. That's how we segregate it. Micro-segmentation is focused on the application layer. When we design a policy that is more automated or granular, and we have a specific business requirement, we get into micro-segmentation. Otherwise, the majority of the implementation will be generic network segmentation.

Dynamic classification is also essential given the current security risks and the attacks. We cannot wait for it to tell us if it's a false positive or a real threat. In those cases, dynamic classification is essential, especially at a MAC level.
When using WiFi, we may have a suspicious guest, and we cannot wait for someone to stop it manually. The firewall needs to at least block the traffic and send an alert.

In cases like these, integration with Cisco ISE is handy. If the firewall alone doesn't help, you must redesign your architecture to include various associated products as you increase your requirements. For example, you may have to get into multiple servers, so you'll need an ISE for identity management. 

As you start scaling up your requirements, you go beyond a firewall. You start from an L1 layer and go to the L7 sitting at the organization's gateway. When you talk about dynamic policy implementation, that's where you start to get serious about your operations and can change things suddenly when an attack is happening.

With ISE integration, you get another dynamic classification if an endpoint connects immediately. ISE has a lot of authorization rules, so it applies a filter. The dynamic policy capabilities enable tighter integration at the application workload level. Snort 3 IPS enables you to run more rules without sacrificing performance, and IPS puts you one step ahead of any threats to the organization.

What needs improvement?

There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track. 

We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.

Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.

For how long have I used the solution?

I have been working with firewalls for about 20 to 25 years, but I've been using Cisco for around 12 to 15 years.

What do I think about the stability of the solution?

Cisco ASA Firewall is reliable, especially in the Indian context. For example, I had a couple of banks with around 5,000 branches and ATMs. It was easy to deploy remotely or send it to each branch. 

What do I think about the scalability of the solution?

Cisco ASA Firewall is scalable to a certain extent.

How are customer service and support?

Cisco support is okay, but not great. I rate Cisco support five out of ten. The response time is too long. We need an instant response to security issues. They follow some legacy processes.

In some cases, I think they're good, but they have hundreds of questions and steps to go through before the ticket is escalated. The local partner adds a lot of value in that case.

How would you rate customer service and support?

Neutral

How was the initial setup?

The standard setup is straightforward and takes around four hours. You can also do more customization and adjustments to deploy it in a particular environment.
I design a custom implementation strategy for each customer. It depends on whether I'm migrating an existing environment or doing a fresh deployment. I try to understand the customer's security footprint and all the issues I need to address before installation. 

What's my experience with pricing, setup cost, and licensing?

I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features. 

If you add SecureX, Cisco's cost will definitely jump. We started with the standard ASA, then we added segmentation and micro-segmentation, and now we're talking about automation and unified architecture. SecureX is an integrated security portfolio. It gives a vertical and 360-degree algorithm with an open, integrated platform that can scale.

Which other solutions did I evaluate?

In most next-generation products, the UA itself will manage a lot of things, but it's easier to find people with expertise. If you put 10 firewall experts in the room, six will be talking about Cisco, but you can hardly find one or two people talking about Check Point or Palo Alto. Others would be more talking about Sophos, FortiGate, etc.

What other advice do I have?

I rate Cisco ASA Firewall seven out of ten. If you're implementing a Cisco firewall, you must be crystal clear about your business requirements and how a Cisco ASA firewall will address your problem. You need to understand whether this product line contains all the features you need. 

Can it pass a security audit? Does it integrate with your network device? How scalable is it? Will this solution you're implementing today be adequate in the next three years? These are the questions that you should ask.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
MartinFerguson - PeerSpot reviewer
Managing Director/Co-Founder at Azured
Real User
Top 10
The solution simplifies operations, ties into existing services, and uses machine learning
Pros and Cons
  • "I can enable the features I want and configure the policies based on the user and not all users and network traffic, making firewall management much easier."
  • "We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value."

What is our primary use case?

We use the solution for all the capabilities that the firewall offers, including proxy filtering, VPN connection, and Next-Gen firewall capability. We integrate the solution with clients that use ExpressRoute, which is a very common and popular service in Australia. We route all our client's local traffic, 10.x, and the client's Class B public address traffic all into Palo Alto Networks NG Firewalls. We use the solution to provide hub and spoke integration, web filtering, and for VPN. 

The solution is a fully managed centralized firewall service for both public and private traffic, including on-prem traffic and Azure traffic.

How has it helped my organization?

The solution ties into existing services. We offer network-based services and SD-WAN overlay. We use VeloCloud appliances and put the solution at the heart of that to provide Next-Gen security capability. The solution benefits our clients by reducing the number of firewalls required in their organization, which is hosted in Azure. The solution's aggregation gives us the ability to service our clients by reducing their firewall footprint. The solution also enables us to route all traffic, including internet outbound traffic from a client's side onto Palo Alto NG Firewalls across an ExpressRoute connection.

Palo Alto NG Firewalls provide a unified platform that natively integrates all security capabilities.

In combination with additional tools and services we offer, the solution makes a significant contribution to eliminating security holes.

The solution helps eliminate multiple network security tools and the effort required to have them work together. The solution simplified our operations. We only support and deliver Palo Alto NG firewalls as a service. We don't offer a firewall as a service on any other appliance. We chose Palo Alto because of its Next-Gen capabilities and being the market leader in terms of security appliances. 

What is most valuable?

I like the native integration into Azure AD and the solution is fantastic from the perspective of managing user access and using the VPN client. The TLS inspection is a fantastic service that's offered in Palo Alto NG Firewalls. In my opinion, the solution is best of breed, which is one of the reasons why we adopted it in the first place.

We have had a couple of DNS attacks and predictive analytics and machine learning for instantly blocking DNS attacks worked well. 

Depending on the license skew, we implement the zero delay signatures feature for some of our customers.

I can enable the features I want and configure the policies based on the user and network traffic, making firewall management much easier.

What needs improvement?

There are some features of Fortinet such as the virtual domain capability, that I would love to see in this solution, but they don't outweigh the technical capabilities of Palo Alto as the firewall.

We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value. We have developed our own reporting. Sometimes there are limitations around the APIs and it would be great if the APIs could be enhanced.

For how long have I used the solution?

I have been using Palo Alto Networks for about 10 years, but not the Next-Generation version. Five years ago, we set up a Palo Alto firewall as a service with Palo Alto in the back end. We did this for Telstra in Australia, and we're the only company in the world that can support the default route over ExpressRoute, using the Palo Alto Networks NG Firewalls as a service that we offer.

What do I think about the stability of the solution?

The stability of this solution is unbelievable and the best on the market. We've never had an outage as a result of a technical problem on hundreds of firewalls that we run or thousands when we include the HA pairs and clusters that we've built.

What do I think about the scalability of the solution?

The solution is scalable and we have never reached the limits. We stuck with Palo Alto because of their Next-Gen capabilities, and we have about 500 clients using this solution as a service.

How are customer service and support?

The technical support is exceptionally good. They have more capabilities in Australia now and we've had no problems. The technical support has been so good, we haven't had to look for another vendor.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. We have a multi-tenanted version and a single version. We have different flavors of the implementation and it's all scripted. We can build a fully operational firewall HA pair with follow-the-sun, 24-hour, seven-days-a-week support in about 30 minutes. We use DevOps to set everything up and it is effective because it is all scripted.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Our service is incredibly profitable. We don't feel we can offer an alternative that will give us the same return on investment.

What's my experience with pricing, setup cost, and licensing?

The pricing is straightforward with no hidden costs. There is a cost for the licensing, the Virtual Network if the solution is run in Azure, and there is also a cost for the operational support.

I suggest sizing correctly when in the cloud because the skew can always be changed at a later time.

Which other solutions did I evaluate?

We've evaluated a couple of other products in the past to make sure that we still have the right solution in the market.

What other advice do I have?

I give the solution a nine out of ten.

The embedded machine learning included in the solution's firewall core used to provide inline real-time attack prevention is an important capability because it gives us the heuristics. The solution uses existing knowledge of the service and how we use the firewall, to determine if something nefarious is being undertaken. I don't believe that we are using the feature to its fullest capability.

We integrate Palo Alto NG Firewalls into Sentinel and we use additional data points to determine attacks.

We use the solution's DNS security for some of our clients.

We use a lot of data points from various systems and not only this solution to determine if a threat is live and active. We don't recommend publishing using the solution. We do local DNS resolution using the Palo Alto NG Firewalls. We're purely an Azure consultancy. We use Azure publishing services to publish. We integrate the solution into virtual networks from a DNS point of view, but we are always on the safe side, and we never use the solution for DNS publishing to the public internet. We are an ISB. We provide managed services, but we are primarily an integrator.

In terms of a trade-off between security and network performance, there will always be a performance lag when doing TLS inspections because the traffic has to be decrypted in real-time, however, the benefit outweighs the disadvantages from a network performance perspective. When the TLS inspections are sized properly, the performance lag is hardly noticeable.

We sometimes work with Palo Alto, for example, to support the default route over ExpressRoute.

The maintenance is all scripted and fully automated. We are always at the current stable release and we update as regularly as we get the updates from Palo Alto. There is no impact, no downtime, and no loss of service unless we've got a customer with a single firewall that requires a reboot, in which case we schedule the outage.

I have worked with many different appliances in Azure over the years, and I still do with some clients who already have incumbent NBAs, but for our firewall as a service, I have always used Palo Alto.

What we find is that clients want to utilize the features but don't know how to implement them or have the capability. We offer that support. Palo Alto is extremely good value for the money if we maximize its capabilities. If we want a cheap firewall, then Palo Alto isn't the answer. If we want a capable value-for-money firewall, when we are utilizing all of the services available, Palo Alto is the best on the market. If we want a cheap solution we can go to Fortinet which is not as technically sound but for someone who is price sensitive and doesn't want to use all the features and functions of Palo Alto NG Firewalls that is an option. We work with Palo Alto for our firewall as a service, and we work with Velo for our network as a service. The operational run cost for us is low with these vendors because those firewalls are extremely reliable and because we don't have problems with the firewalls, we don't need a big operational support team.

We did some work with the NHS Test and Trace program and they had a multi-client solution that we deployed hundreds of firewalls across Azure and AWS, using Palo Alto. The client did explore other vendors that were cheaper and after looking at the operational support capability, features, and how reliable the firewall was, the option was clear and not driven by price. 

I would automate the solution. I would use infrastructure as code deployment and manage my devices using IHC. If I was going for a larger state, I would use the solution's management tool.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
C.T.O at Sastra Network Solution Inc. Pvt. Ltd.
Real User
Top 10
User-friendly interface, easy to monitor, and has a single pane of glass for reporting
Pros and Cons
  • "With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly."
  • "It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait."

What is our primary use case?

This is our core firewall for the data center network.

We have two on-premises appliances set up in a high availability configuration.

How has it helped my organization?

The VM-Series enables us to extend consistent next-generation protection across different infrastructures with a unified policy model, which makes it very easy for us. It is very important that we have this single pane for monitoring all of the network resources and multiple devices because, today, it's a complex environment where you have to take care of many devices.

This solution makes it very easy to quickly migrate workloads to the cloud.

Since we updated the system, the network has been very stable. Previously, there were issues with traffic throughput. With the improved visibility we now have, the traffic is being properly monitored, which means that we are better able to manage it. These are improvements that we saw very quickly.

What is most valuable?

This is a firewall product and every OEM has claims about their special features. This device is very user-friendly and offers ease of monitoring.

Changes to the configuration happen quickly.

There is a single pane of glass for reporting, which is quite good. 

The interface is user-friendly.

What needs improvement?

It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait. Having a dedicated number where we could send a text message in the case of an emergency would be helpful.

For how long have I used the solution?

We have been using Palo Alto Networks VM-Series for approximately six months.

What do I think about the stability of the solution?

We are very much satisfied with the stability and performance.

What do I think about the scalability of the solution?

This solution is quite scalable because it has options for deploying in a VM as well as an appliance. The interfaces are all license-based, which means that features can be added just by obtaining another license.

Our current environment has more than three gigs of traffic.

We have a team of four or five people that is responsible for the network. They are continually monitoring the firewall and updating the policies, as required.

How are customer service and support?

Pala Alto has very good support. Generally, the response is very good and they address our issues as soon as we contact them. For example, they assisted us during our deployment and it was a very good experience.

My only complaint about the support has to do with complications that we had with communication. Sometimes, support was done over email, and because of the difference in time zone, there was occasionally a long gap in time before we got the proper response.

Which solution did I use previously and why did I switch?

We used to have Cisco ASA and Firepower, and we had some issues with those firewalls. Once they were replaced by Palo Alto, we didn't have any problems after that. 

Compared to the previous devices that we have used from other vendors, Palo Alto is very user-friendly, and we are comfortable with the features and capabilities that it offers.

How was the initial setup?

The initial setup is very straightforward and we had no issues with it. It is not complex because the procedures are properly defined, the documentation is available, and there is proper support. Our initial setup took about 15 days, which included migrating all of the data.

Our deployment is ongoing, as we are adding policies and dealing with updates on a day to day basis. We have a very complex environment that includes a firewall for the data center, as well as for the distribution networks.

What about the implementation team?

The Palo Alto team supported us through the deployment process.

What's my experience with pricing, setup cost, and licensing?

Palo Alto definitely needs to be more competitive compared to other products. The problem that I have faced is that the price of licensing is very high and not very competitive. When a customer wants to implement Palo Alto, even a small box, there are several licenses, and having all of them is sometimes really hard to justify. It is difficult for some clients to understand why such a small box costs so much.

For instance, they have the dashboard license, and then they have the user license, and so on. If the pricing were more competitive then it would be good because more customers would use the product, rather than use simpler firewalls.

Which other solutions did I evaluate?

We have worked with firewalls like Sophos, FortiGate, and Cisco ASA. We have dealt with almost all of the vendors but at this point, our experience with Palo Alto has been the best one. Palo Alto has been doing what it claims to do, whereas the other vendors' products have various shortcomings.

For example, some vendors do not have the performance that they claim in terms of throughput. Sometimes, the user interface is complex, or the device needs to restart whenever you make changes. With Palo Alto, it's simple to use and easy to get things done.

What other advice do I have?

We have not yet used Panorama for centralized management but in the future, we may do so for other projects.

My advice for anybody who is looking into purchasing a firewall is to carefully consider what their requirements are. I have seen that when a customer procures a firewall, they initially choose products like Sophos. Over time, they engage in trials with the majority of the vendors and finally end up with Palo Alto. This is only after spending a lot of time and money on other products.

If instead, a client is aware of the requirements including how much traffic there is and what throughput is needed, it's better to invest in Palo Alto than to try all of the cheaper alternatives. Then, evaluate everything afterward and finally select Palo Alto. This, of course, is providing the client doesn't have limitations on the investment that they're going to make.

I say this because generally, in my practice, what I've seen is that when choosing a firewall, the clients first choose a cheaper alternative. Then, after some time they think that it may not be what they wanted. This could be brought about by a throughput issue or maybe some threats were not blocked or they have had some security incidents. After trying these firewalls, they replace them with another, and yet another, until finally, they settle on Palo Alto.

Essentially, my advice is to skip the cheaper vendors and go straight to Palo Alto.

In summary, this is a very good product and my only real complaint is about the cost. If it were more competitive then more customers would choose it, and those people suffering losses as a result of security incidents would be saved. I find the real reason that people don't choose the right product is due to the cost factor. Even when they know that the product is the best choice, because of the limitation that they have on the investment they can make, they're not able to choose it.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
MohammedMateen - PeerSpot reviewer
Network Administrator at Transgulf Readymix
Real User
Easy to scale advanced threat protection solution with knowledgeable technical support, but has occasional bugs
Pros and Cons
  • "Easy to scale solution that provides advanced threat protection. Their technical support is very good, very knowledgeable, and easy to reach."
  • "SonicWall NSa has occasional bugs, particularly during upgrades, and that's an area for improvement."

What is our primary use case?

Our use cases for SonicWall NSa are the Global VPN and the SSL VPN, because nowadays, everyone prefers to work from home, and prefers to connect from mobile applications to our organization.

What is most valuable?

What's valuable in SonicWall NSa is the ATP (advanced threat protection). It can protect users from malicious links, e.g. those sent to the end user email and is clicked by the end user, who'll be led to a bad website. SonicWall NSa has a Sandboxing service that is very helpful for us, especially when end users accidentally click on malicious links.

Another valuable feature of this solution is that it is very useful for site-to-site VPN connectivity issues.

SonicWall NSa also has very good hardware, e.g. from 2013 to 2021, only one product had a hardware failure, and within 24 hours, they were able to replace that product.

I also love that SonicWall has very good technical support, who are very knowledgeable, provides good suggestions, and they're easy to reach.

What needs improvement?

An area for improvement in SonicWall NSa is that sometimes, we experience bugs when upgrading, so we have to contact their technical support to fix issues.

It would be much easier if this improvement was in place: if the one-time password which is built-in, was provided as an OTP for the administrator logging into the console, so that we'll have a quicker awareness of it, rather than needing to check emails for it. Having a Telegram or WhatsApp bot integrated with the device, for example, will be very helpful for us, so we can instantly take action, without us needing to log into and check our emails, meaning we'll be able to put things right faster.

This may not be possible in SonicWall NSa, but I'm also looking for any kind of controller or device for the Windows server or client, e.g. Windows 11 and Windows 10 from SonicWall NSa itself, so that a security domain or the gateway of the organization would be able to identify the latest update for a product, whether that product is installed or not. This feature would be very helpful, and it's what I'd like to see in the next release.

For how long have I used the solution?

I've been using SonicWall NSa since 2013.

What do I think about the stability of the solution?

SonicWall NSa performs well, but sometimes, there are bugs, so I have to call their support when this happens, and I elaborate on the problem we're facing. Support then takes the diagnostic data, fixes it, then sends back to me the firmware or the setting so I can restore my SonicWall NSa.

What do I think about the scalability of the solution?

SonicWall NSa is easy to scale.

How are customer service and support?

The technical support team for this solution is very knowledgeable. They are able to fix issues. They understand what we are facing and they suggest very good options. They provide us very good support, and on a scale of one to five, I'm giving them a four to a five for technical support.

Which solution did I use previously and why did I switch?

I previously used different solutions, e.g. Sophos and Fortinet, but what I noticed is that I either couldn't find how to contact their technical support, or if I was able to call their technical support, I either get a busy tone, or it takes a long time to speak to someone. As for SonicWall support, I only had to wait 10 minutes to speak to someone, and if they accidentally drop my call, they'll immediately call me, no matter which part of the world I'm in, so I switched to SonicWall NSa.

What about the implementation team?

I deployed SonicWall NSa myself. Deployment was very easy.

Last January 14th, one of my firewalls went down, so we had to replace it, but it was unfortunate that we didn't enable the local backup. At the time, what we had was the factory set up option for the device, so it took me six hours to fix, e.g. applying for the policy site to the site VPN, creating the users, etc. All those processes took a minimum of five to six hours.

I didn't use a vendor or a third party for the deployment of this solution. I only had to call their support if there was something I couldn't understand, e.g. why the traffic wasn't working, etc. For some of the processes, I took notes from their support, while for the rest of the processes, we can do it by ourselves.

What's my experience with pricing, setup cost, and licensing?

SonicWall NSa has two types of license, so the cost would depend on the license.

The advanced license is a bit expensive when compared to the comprehensive license, but when you compare the advanced license to the licensing cost of other brands or competitors, it is expensive.

One good point about the more expensive license for this product it that they provide a hardware guarantee, which means direct replacement, no matter how long you've been using it, whether you've used it for two, three, five, or seven years. You can easily have your device directly replaced if it's having issues with the firewall, software, or hardware, etc. You can get this done as an end user, or as a customer. You just have to fill in and send back the application form for device replacement, provide the serial number and the model number, and that's it. They will replace your device. It's also easy for them to transfer your license to another device. SonicWall NSa is worth the money.

Which other solutions did I evaluate?

I evaluated Sophos and Fortinet solutions.

What other advice do I have?

The firewall products I'm using are SonicWall NSa 3600 and 2400.

We are using the latest version of this solution.

We are using a local backup, and we also enabled for my SonicWall NSa a cloud backup for all devices. We are using six firewalls, so we enabled the flow backup, with the goal of being able to restore immediately, in case of emergency.

This product doesn't require much maintenance. Our company operates 24/7, and we deal with ready-mix concrete. It depends on the production, but SonicWall NSa continuously runs 24/7. Maintenance is done monthly, particularly for upgrading the firmware, or for restarting SonicWall server patches. Maintenance of this product only takes one hour on a monthly basis.

We have 200 end users of SonicWall NSa.

I always recommend this product to my friends and colleagues. My supplier also recommends it. I suggest to them to go for SonicWall NSa, depending on the user, e.g. if you have 100 end users. We pay for the license, for example, 2,200 dirhams, so I can get the license, and also get the SonicWall SOHO device, which is the smaller one.

My rating for SonicWall NSa is seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Firewalls
June 2023
Get our free report covering Fortinet, Netgate, OPNsense, and other competitors of Sophos XG. Updated: June 2023.
709,643 professionals have used our research since 2012.