Buyer's Guide
Secure Web Gateways (SWG)
November 2022
Get our free report covering Cisco, Netskope, Microsoft, and other competitors of Zscaler Internet Access. Updated: November 2022.
653,757 professionals have used our research since 2012.

Read reviews of Zscaler Internet Access alternatives and competitors

Olivier DALOY - PeerSpot reviewer
Group Information Systems Security Director - CISO at Faurecia
Real User
Top 10
Secures users wherever they are and enable us to inspect SSL traffic, but we encountered too many issues
Pros and Cons
  • "The fact that it is a cloud proxy solution is another feature we like. For example, if you acquire a new company, you can use it to protect that new company without the need to install anything physically on their networks."
  • "We are now transitioning to another solution. The main reason for that is that managing all of the exceptions and troubleshooting all of the issues our users have had connecting to the internet has become too significant in terms of workload, compared to what we hope we will have with another solution."

What is our primary use case?

We use it to secure the internet connection of all of our users, ensuring that they can connect as transparently as possible to all of the websites that are, of course, not hazardous. And anything hazardous is prevented as much as possible.

How has it helped my organization?

We were looking for an isolation solution so that there would be no impact at all on the systems that we are responsible for protecting. We didn't want to wait until a first attack was successful and then find out what the impact was and how we should react to it. That's why we chose Menlo. Either you have access to something or don't have access to it. And if you do, we can ensure, 100 percent of the time, that there is nothing malicious that is going to impact our system in any way. And that's for the on-prem users who are connected to the corporate offices, as well as for the users who are roaming.

The primary benefit is that it secures users wherever they are, whether they are roaming, or they are using their PC at home, at work, or at the airport. We are able to do that, and we are even able to do it with companies that we recently acquired.

Another move forward was that we started inspecting SSL traffic, which was something we were not inspecting before. We were closing our eyes to what was happening to 98 percent of the traffic because it was encrypted. Today, we are not closing our eyes. Menlo enabled us to inspect more traffic and avoid relying on traffic that clearly can be hazardous. That may be one of the reasons we discovered new use cases that were difficult to test before, and for which we have had issues configuring Menlo to handle.

Another advantage is the ability to produce reports that help us to understand what our users are doing, even within the website. For example, are they posting files or are they downloading files? That is clearly an ability that we acquired with the solution as well.

And when it comes to isolation, we haven't seen any threats that have succeeded in coming in through Menlo. I have evidence, of course, that in some cases we were infected by malware, but it was not able to avoid Menlo's protection and connect back to the internet to get instructions from the command and control service. We have clearly demonstrated that those threats just cannot harm us.

What is most valuable?

The isolation is one of the most valuable features.

The fact that it is a cloud proxy solution is another feature we like. For example, if you acquire a new company, you can use it to protect that new company without the need to install anything physically on their networks. 

Also, the ability to rewrite the links in emails so that nobody can connect to a link without going through Menlo's protection is something we have found very valuable. 

And the reporting feature, which involves a kind of programming language to query the logs or the data from the Menlo console is something we consider to be quite useful.

What needs improvement?

The solution should have no impact but it does have a bit of impact on end-users. For example, we encountered some issues in the downloads that took longer than they did without using Menlo. That is clearly not transparent for users. We expected not to have any latency when downloading anything from the internet with Menlo compared to without Menlo.

We are now transitioning to another solution. The main reason for that is that managing all of the exceptions and troubleshooting all of the issues our users have had connecting to the internet has become too significant in terms of workload, compared to what we hope we will have with another solution. In other words, we hope to get the same level of protection, while reducing the number of visible bugs, issues, latencies, impacts on performance, et cetera, that we have today with Menlo. We already solved most of them, but we still have too many such instances of issues with Menlo, even though it is protecting us for sure.

The weak point of the solution is that it has consumed far too much of my team's time, taking them away from operations and projects and design. It took far too much time to implement it and get rid of all of the live issues that we encountered when our users started using the solution. The good point is that I'm sure it is protecting us and it's probably protecting us more than any other solution, which is something I appreciate a lot as a CISO.

But on the other hand, the number of issues reported by the users, and the amount of time that has been necessary for either my team or the infrastructure team to spend diagnosing, troubleshooting, and fixing the issues that we had with the solution was too much. And that doesn't include the need to still use our previous solution, Blue Coat, that we have kept active so that whatever is not compatible or doesn't work with Menlo, can be handled by that other solution. It is far too demanding in terms of effort and workload and even cost, at the end of the day. That is why we decided to transition to another solution.

If we had known in the beginning that we would not be able to get rid of Blue Coat, we probably would not have chosen Menlo because we were planning to replace Blue Coat with something that was at least able to do the same and more. We discovered that it was able to do more but it was not able to replace it, which is an issue.

It is not only a matter of cost but is also a matter of not being able to reduce the number of partners that you have to deal with.

In addition, they could enhance the ability to troubleshoot. Whenever a connection going through Menlo fails for any reason, being able to troubleshoot what the configuration of Menlo should be to allow it through would help, as would knowing what level of additional risk we would be taking with that configuration.

For how long have I used the solution?

We have been using Menlo Security Secure Web Gateway for two years.

What do I think about the stability of the solution?

Now, the stability is quite good. I would rate it an eight out of 10.

What do I think about the scalability of the solution?

We have it deployed worldwide, in about 300 locations.

In the case where we acquired a new company with a significant number of systems, the ability to deploy Menlo to all of them, even if we were talking about 40,000 people, would not be an issue at all. 

One thing which could be a real issue is the ability of the solution, within the development plan of Menlo, to fit our needs. This is what led to our decision to remove Menlo.

Which solution did I use previously and why did I switch?

We were using Blue Coat Systems before. First, that was clearly not protecting users who were at home or roaming. Second, it was not possible to use it to protect companies that we acquired until they confirmed that they were going to implement Blue Coat appliances on their networks. So Menlo was a huge move forward.

How was the initial setup?

The initial setup was complex from the beginning, and even once it was in operation. We even needed to have an on-prem meeting with my team in charge of the implementation and the techs from Menlo to determine the best configuration settings to make it work and avoid issues as much as possible (which we still had afterward). It is not at all simple to deploy.

We had between five and 10 people involved in the setup. They were in charge of operations, meaning any changes to or troubleshooting on equipment that was live. Others were in charge of the implementation of this type of system, including defining the proper architecture and configuration and adapting and tuning the configuration.

A couple of years later, we still had a significant number of open tickets with their help desk due to issues connecting through Menlo.

It is deployed on the cloud. We were planning to use Menlo on-prem in China, but we are rerouting the traffic from China to Hong Kong and going from Hong Kong to the internet.

The maintenace is not lightweight. I don't know what portion of the time that we were spending on the tool was due to maintenance and what part was due to new issues that were raised by our users. The maintenance is a split responsibility between the local IT operational guys and the people from my team.

What about the implementation team?

Our experience with their consultants was very good. 

Our only issue is that we kept asking them how they managed, with their other customers, the issues we were encountering. An area for improvement for them would be that when they meet their customers, don't let them think that they're troubleshooting something for the first time. There is no reason that they wouldn't have seen something different with another customer.

They were not leveraging the experience they had with other customers enough to anticipate and prevent the issues on our networks; or, at least, when they happened, to solve them much quicker than they would have if they had never been seen before. We consider that as a lack. They need to learn how to let other customers benefit from the experience they had with us.

What was our ROI?

We haven't seen a decrease in the number of security alerts that our security ops team has to follow up on, but we were not even able to measure that before deploying Menlo. It's very hard to demonstrate the return on investment by looking at the decrease in the number of incidents compared to before, as we had nothing before that was truly able to demonstrate to us what was really happening. 

If we had implemented a solution from a Menlo competitor before, and we were moving to Menlo, that would have enabled us to compare both solutions. That is something we are going to do after we transition from Menlo to Skyhigh Security, even though the alerts will not, of course, have occurred at the same time. We will be comparing things that are a couple of months, or years, apart. We will try to demonstrate the different levels of protection provided by Menlo compared to Skyhigh. But that will happen half a year from now.

What's my experience with pricing, setup cost, and licensing?

The pricing is good. We were convinced that it was the right price for such a solution at that time. Again, we didn't know that we would have to keep Blue Coat. At that time, we were thinking that we would be able to get rid of Blue Coat, and for that reason, the price would be good.

Which other solutions did I evaluate?

We evaluated several other solutions, including Zscaler and the complete portfolio of Symantec as well.

We went with Menlo because of the connection to the execs of Menlo and the ability to talk to them. The size of the company, compared to Symantec, was definitely a factor, but the ability to get in touch with the right people as quickly as possible, and trust their strategy and their level of protection, were important. The ability to get a contract where they commit to protecting, 100 percent, against any threat, as long as you use isolation, was a clear improvement for us. And the fact that it was a cloud proxy solution, was another part of the decision.

What other advice do I have?

My advice is to pay attention to all of the use cases you have and try to understand what Menlo is or isn't addressing so that you don't discover that you still need to keep an old technology that may even be outdated. To do that, you need to be very clear about your use cases and how you will cover them with Menlo or if Menlo will not cover them.

While the solution provides a single console for security policy and management, which is an interesting feature, as long as you're able to connect through APIs to all your SaaS solutions, the fact that you use the very same SaaS solution or not is probably less important. I'm not saying it is not important that Menlo has a console, but it's a bit less important if you're using an orchestration automation solution. We also have Palo Alto Cortex XSOAR that we are using to automate and orchestrate.

Regarding the fact that Menlo secures the web, email, SaaS, and private applications, the latter, private applications, is very important, as is email although probably less so. The magnitude of risk is higher for private applications that are exposed without protection on internet. It depends on the use cases that you are looking to cover. If, for example, you don't have any private applications that you need to expose, then of course that type of protection is not important at all, but you still receive emails within which you need to rewrite the links. If you have both requirements, meaning a bunch of private applications that are exposed plus emails for which you need to rewrite links, in that case, rewriting the links is probably less important than ensuring the protection of your private applications.

It doesn't make sense to only perform partial protection. Everything you implement to secure the connections and the assets you are responsible for should, at some point, merge together. It should be SD-WAN and web gateways and probably even CASBs and email protection. All of that probably will tend to merge together and you can look forward to reducing costs and the number of partners.

Don't look at it as: "I have a new need, I want a new solution," because if you do that, you will end up with a huge number of vendors and solutions on your systems and it's going to be super difficult to ensure that you manage all of that consistently. Whereas if you really have a vendor that is at least addressing, if not all the possible needs, at least all of your needs, and you are able to manage that in a consistent way, even if you have to program something in your orchestration solution, you will be able to manage all of it in a consistent way and in a timely manner.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Rainier S. - PeerSpot reviewer
Head of Integration Engineering / Enterprise Technology & Innovation at a healthcare company with 10,001+ employees
Real User
Top 10
Flexible, robust, easy to install, and the technical support is helpful
Pros and Cons
  • "What we liked best about it was the ability to apply policy to either a user ID or an IP-based network."
  • "The reporting needs improvement."

What is our primary use case?

Cisco Web Security Appliance is used for security, proxying, and obviously proxy caching to save circuit bandwidth, but it is also used for security features because it is integrated into our ecosystem.

What is most valuable?

SSL decryption was one of the features we wanted to experiment with but did not get around to because of time constraints. 

What we liked best about it was the ability to apply policy to either a user ID or an IP-based network. Your customers are either people or machines. We chose not to create a service account for the server/machine, we had to have an IP address, based on a subnet and then applied policy to that.

What needs improvement?

The reporting needs improvement. We were using a stripped-down version of Splunk at the time, and as far as I recall, there was no easy way for us to send those logs to our enterprise Splunk. It kept pushing us to use the smaller version. That was probably just a sales team thing, but other than that, the product was great, but the reporting was definitely an issue.

I would like to see Risk API included, as well as the ability to automate adding things to the blacklist and whitelist without having to do it manually and having it report into the Cisco WSA cloud via risk API.

For how long have I used the solution?

We started Cisco Web Security Appliance in 2013, we were Websense and we carried it until 2020. I had been working with it for seven years. To be clear, we decided to abandon Cisco WSA in favor of Zscaler.

We used their appliances on-premises.

We last used it approximately 18 months ago.

What do I think about the stability of the solution?

It was very stable. We enjoyed working with it. What we liked best about the WSA was the ability to block uncategorized traffic. 

Uncategorized is usually where you'll find your zero-day issues. A brand new website from a bad actor or bad country is unlikely to be categorized in the Cisco URL database, so we chose to block it. 

There are advantages and disadvantages to blocking that. If you block that, you are blocking a lot of things, and it becomes more of an administrative headache.

As long as you start using this Cisco WAS, URL reporting system, then there is a way around that. Because you could submit this URL we believe is business and whatever, or marketing.

Outside of that, you had to create a white list, which we were able to do due to our flexibility. If something was quick, this is an emergency, this is a valid site, it's not malware, it's not bad, you can add it to that list in your text file.

What do I think about the scalability of the solution?

We had 50,000 people using this solution in our organization.

Cisco Web Security Appliance is a scalable solution.

How are customer service and support?

Technical support was very good. 

I would rate them a five out of five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used to use Websense, but it was more political. The support model for Websense revolved primarily around two individuals. That person, or two people, did not want to share the responsibilities for whatever reason, so that's part of it.

When WSA was rolled out, it was given to a support team of about 20 people; the way we implemented it went beyond that. It also provided, the flexibility to apply those various policies, which was definitely beneficial.

It made use of the Cisco ecosystem. We were a large Cisco shop, like most companies, with our routers, like firewalls, not today, because we are moving, but it was good back then.

How was the initial setup?

The initial setup is dependent on your knowledge of how to deploy proxy. Back when I was an engineer, I was the one who actually deployed it. I'm now a director, so my role is different, but I carried over my knowledge from my previous engagement. For me, it was easy based on what I knew.

What was our ROI?

If it wasn't parked in the ELA, which obviously has other things baked into it, such as support, NOS engineers, TAC, ECS, high-touch for example. Our ELA cost was in the multi-millions, so if it was separate, I could break down the costs, and based on that, I believe the return on investment would have been easier.

It's well worth the money. 

Based on my experience with Cisco WSA, I believe it was well worth the investment. The problem is that I don't know how much it cost.

I'm sure there was a breakdown somewhere, but we only saw one ELA cost.

What's my experience with pricing, setup cost, and licensing?

At the time, licensing fees were paid on an annual basis.

I don't recall the cost; it was included in our ELA.

What other advice do I have?

To be honest, nobody should consider on-premises anymore. It's a different world. There is now a cloud presence, and if Cisco WSA cloud presence matches what I know of Zscaler, you can basically go anywhere in the world and your laptop is forced to use it. Then you have coverage and monitoring.

If it meets your requirements, the person who is interested should use it. If it does not meet your personal criteria, they should look for a different solution; today is a different world, and I believe everyone works from home.

We are no longer working on-premises. If you work from home, you have two options: force people to connect to the network via VPN.

If you force people to use the VPN, you can force them to use a WSA in Cisco on-premises. I'm not familiar with the WSA cloud, but if you could force them to go directly to the cloud from your home, it's well worth considering. That's fantastic, in my opinion. Cloud definitely alters the dynamic here. It's borderless nowadays, with thoughts on everyone flowing through the inside. They need to be more open about borderless, and it appears that they are.

I would rate Cisco Web Security Appliance an eight out of ten, because, for one thing, we had issues with the reporting and didn't like the stripped-down version of the reporter. The other is that they were not in the cloud at the time, but I believe they are now.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Infrastructure Manager at a tech services company with 51-200 employees
Real User
Top 20
Scalable with good technical support and very good data leak prevention
Pros and Cons
  • "We've found the solution to be quite stable."
  • "The initial setup is a bit complex in that it takes a lot of time. In order to get the product to work as you need it to, there is a lot of configuration required."

What is our primary use case?

We are primarily using the solution for protecting the navigation of the users. We use it for data filtration and protection.

What is most valuable?

So far, the solution has been excellent.

The solution's data leak prevention is its most valuable aspect.

We've found the solution to be quite stable.

The solution can scale if you need it to.

Technical support is excellent.

What needs improvement?

We're quite new to the service. I haven't noticed any shortfalls or downsides just yet.

The initial setup is a bit complex in that it takes a lot of time. In order to get the product to work as you need it to, there is a lot of configuration required.

The information in the dashboards is not in real-time. Maybe they have a delay of one hour in the network. They have to improve that. It should be in real-time.

For how long have I used the solution?

I've only been using the solution for two months or so. It hasn't been too long.

What do I think about the stability of the solution?

The solution is very good for securing your endpoints. It's stable. We haven't had any issues so far. It doesn't crash or freeze. It's not buggy. There aren't glitches. It's good.

What do I think about the scalability of the solution?

The product has a lot of infrastructure. The scalability potential is very good. If a company needs to expand the solution, they can do so. It's very easy.

We have 103 users right now.

We do plan to increase usage in the future.

How are customer service and technical support?

So far, technical support has been excellent. We're very happy with the level of service we are provided. They are helpful and responsive.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup and implementation are not straightforward. It was complex and time-consuming.

We had to change the way that we navigate things and we needed to install the client on all of the computers. However, it needs a lot of configuration to do the things that we wanted to do.

The full setup and deployment took about one month to complete in total.

Only five people are needed for deployment and maintenance.

What about the implementation team?

We had assistance with the implementation. We had a reseller that assisted us, as well as the provider. Overall, our experience, while working with them, was positive.

What's my experience with pricing, setup cost, and licensing?

We pay a licensing fee of $10,000 on a yearly basis.

There are no costs beyond the standard licensing fees.

Which other solutions did I evaluate?

Before choosing this product, we looked at Zscaler as an option. This solution, according to reviews, seemed to offer more benefits, and therefore we chose to go with it.

What other advice do I have?

We are just a customer and an end-user. We don't have a business relationship with the company.

I'm not sure which version of the solution we're using.

It's a good solution for securing endpoints.

Overall, we've been satisfied with the product. I would rate it at a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
BharatUjenia - PeerSpot reviewer
Sr. Group Manager - Enterprise IT at WNS Global Services
Real User
Top 10
Provides very good accessibility and handles any overload very well
Pros and Cons
  • "Provides good accessibility and handles any overload very well."
  • "Endpoints are lightweight agents, eating too much of the host resources."

What is our primary use case?

We use this solution for SSL encryption and web inspection. It's our first line of defense in terms of my internet accessibility as an end-user. We have used McAfee solutions for over 20 years and we are loyal customers of the company. I'm the company's senior group manager, IT enterprise.

What is most valuable?

McAfee Web Protection has been around for many years and the solution holds its ground as a product providing good accessibility and handling any overload very well. McAfee has developed new features similar to those found in other solutions; enabling seamless deployment, reducing the footprint on data centers, and making the solution more scalable, more resilient, and more reliable. 

What needs improvement?

Our issue is that the endpoints are lightweight agents, eating too much of the host resources. 

For how long have I used the solution?

I've been using this solution for seven years. 

What do I think about the stability of the solution?

The solution is stable unless there are dynamic components. If you have remote users then there are a lot of issues in terms of the replication that happens within the hybrid solution. If the solution is deployed on-prem it does create delays and conflicts which can take sometimes take days to sort out. 

What do I think about the scalability of the solution?

The solution is scalable but it's important to keep in mind that the more you scale, the more infrastructure you require. Scaling adds some complexity. We have around 60,000 users and have 20 people responsible for maintenance. 

How are customer service and support?

The technical support is a mixed bag. They don't always like to believe that there is a problem with the solution. Sometimes the support is better than at other times. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Unless you have a unified console, the initial setup can be a little complicated.

What's my experience with pricing, setup cost, and licensing?

The licensing costs could be lowered a little. 

Which other solutions did I evaluate?

I compared McAfee with Zscaler and with Netskope, as well as other solutions. 

What other advice do I have?

I rate this solution eight out of 10. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Chief Information Officer at a computer software company with 5,001-10,000 employees
MSP
URL filtering plays a critical security role, but we have had problems with downtime and support

What is our primary use case?

The critical role is web URL filtering.

What needs improvement?

The functionality of this product in the current version is not up to our expectations.

This product does not have an integrated strategy for securing your web gateway with DLP.

For how long have I used the solution?

I have been working with Forcepoint Secure Web Gateway for approximately 15 years.

What do I think about the stability of the solution?

We have had issues with downtime, where the service was out one time for 48 hours and nobody knew what was happening.

What do I think about the scalability of the solution?

I don't know of any issues with scalability.

How are customer service and technical support?

I have been in contact with technical support several times, and I am not happy with them.

Which solution did I use previously and why did I switch?

We recently stopped using this product and migrated to Zscaler.

How was the initial setup?

Setting up the solution for our clients can be difficult because we are dealing with different timezones and different geography. It also depends on their data center.

The clients sometimes depend heavily on the partners, rather than take time to understand the product themselves.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Secure Web Gateways (SWG)
November 2022
Get our free report covering Cisco, Netskope, Microsoft, and other competitors of Zscaler Internet Access. Updated: November 2022.
653,757 professionals have used our research since 2012.