Palo Alto Networks NG Firewalls Reviews

These firewalls are only used for perimeter purposes, in gateway mode.

In addition to our environment being secure, we can monitor compliance of VPN users. Security and monitoring are the two big benefits.

It's also very critical for us that it provides a unified platform that natively integrates all security capabilities. We have multiple vendors and multiple solutions. Palo Alto has to work with them. For example, when it comes to authentication, we can integrate LDAP and RADIUS, among others. And in one of our customer's environments, we have integrated a new, passwordless authentication.

Apart from the security, Palo Alto NG Firewalls have nice features like App-ID and User-ID. These are the two most useful features.

With App-ID, we can identify exact traffic. Even if someone tries to fool the firewall with a different port number, or with the correct port number, Palo Alto is able to identify what kind of traffic it is.

With User-ID, we can configure single sign-on, which makes things easy for users. There is no need for additional authentication for a user. And for documentation and reporting purposes, we can fetch user-based details, based on User-ID, and can generate new reports.

Another good feature is the DNS Security. With the help of DNS security, we can block the initial level of an attack, and we can block malicious things from a DNS perspective.

The GlobalProtect VPN is also very useful.

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

We have been using Palo Alto Networks NG Firewalls for two years. I've worked on the 800 Series and the 3000 Series.

It's quite stable. They are launching a new firmware version, but compared to other products, Palo Alto is quite stable.

I have worked with Palo Alto's support many times and it is quite good. Whenever we create a support ticket, they are on time and they update us in a timely manner. In terms of technical expertise, they have good people who are experts in it. They are very supportive of customers.

Positive

The initial deployment is straightforward; very simple. The primary access for these firewalls is quite simple. We can directly access them, after a few basic steps, and start the configuration. Even the hardware registration process and licensing are quite simple.

The time it takes to deploy a firewall depends upon hardware and upon the customer's environment. But a basic to intermediate deployment takes two to three months.

Our customers definitely see ROI with Palo Alto NG Firewalls, although I don't have metrics.

I am not involved in the commercial side, but I believe that Palo Alto is quite expensive compared to others.

One of the pros of Palo Alto is the GlobalProtect, which is a VPN solution. GlobalProtect has broader compliance checks. I have worked on Check Point and FortiGate, but they don't have this kind of feature in their firewalls. Also, Check Point does not have DNS Security, which Palo Alto has.

If you're going with Palo Alto, you have to use all its features, including the DNS Security, App-ID, and SSL decryption. Otherwise, there is no point in buying Palo Alto.

We are a solution provider and this is one of the firewalls that we implement for our clients.

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

The scalability is very good.

We have a small number of clients with this solution in place.

The support is good.

I have experience with multiple firewall vendors and I have seen that products from other vendors have bugs. My feeling is that Palo Alto does not have this problem.

Some of the vendors that I have worked with are Fortinet and Sophos. The setup and management of these products are easy compared to Palo Alto.

Implementing this product can be a little bit difficult. The configuration is difficult compared to other products, so it would be nice if there were videos are other instructions available. It can be very time consuming for the network administrator.

The pricing is very high.

My advice for anybody who is implementing this firewall is to follow the guide or instructions that are available. There are multiple resources and examples of use cases available on the Palo Alto website, and you can directly follow them.

I would rate this solution a nine out of ten.

I used Palo Alto firewalls for plenty of projects and have many use cases.

When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App‑ID Facebook‑base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs Facebook-base and Facebook-mail.

I like to install Palo Alto mainly on the data center side to have visibility and protection into the network because we can configure the SVI (layer 3) on Palo Alto instead of the core switch.

It gives us full visibility and protection for the core of the network.

Visibility and Protection

It gives us good visibility into the network, and this is very important because it's the core of the network. All the packets go through the firewall.

MFA is a new feature in Palo Alto and it's good to use it.

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic.
Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic. 

Palo Alto is very stable. I worked on Cisco products like FTD and Firepower, and they are not as stable as Palo Alto. Also, some Fortigates are not stable. Palo Alto, as far as I know, is the most stable firewall compared to these others.

The solution is scalable because they are now using the next generation security network. They are integrating with endpoint protection. Palo Alto now has traps, so they integrate their traps and the next generation with the cloud. So it is scalable.

Technical support in Cisco is better than Palo Alto. In Cisco, you can directly talk to the top engineers.

We were using Cisco ASA. When Cisco moved to the next generation firewall or tried to move to the next generation firewall when they acquired Sourcefire, and they announced Firepower on ASA, it was not a good option.
They had tool management so you could configure ASA from the CLI and you could configure it on the Firepower. You need to redirect the traffic from ASA to Firepower. It was not a good idea. The packets were processed but there was latency in the packets. 
Nowdays, FTD has many problems and bugs.

When selecting a vendor, the important criteria is how much the appliance is powerful and if it gives me the feature that I want, not an appliance that does everything and it will affect the throughput. Also, the value of the product, the price. 

There has to be a match between the price and the features.

Palo Alto, Cisco.

Buy Palo Alto and try its features. In Palo Alto, you have select prevention, scan over AV, anti-spyware, vulnerability protection. and file blocking. you have good feature like WildFire to protect against unknown malware.

I rate Palo Alto at eight out of 10 because it gives me visibility and protection. This visibility and protection are very important nowadays to protect you from hackers.

We shifted an existing network from Cisco to Palo Alto. It was like a branch to head office network.

We have done public and private cloud deployments as well as on-prem deployments. We are using versions 8, 9, and 10.

IoT security is most valuable in the current version. Content IDs, DDoS protection, zone protection, and DLP are the most prominent features in Palo Alto Networks NG Firewall. It is easier to configure than other solutions.

People sometimes find it more expensive as compared to other solutions. There are also fewer training opportunities for Palo Alto than Cisco and other vendors.

I have been using this solution for the last four or five years.

It is working fine.

Its scalability has been fine for our use cases. It is good for large-scale environments, and there are no problems.

Their technical support is excellent. 

It is very straightforward. They also have a very good script, so it runs very smoothly.

It is expensive as compared to other brands.

If we are comparing firewalls, this is the best firewall. I would rate Palo Alto Networks NG Firewall a nine out of ten.

We use this solution to block malicious or suspicious activity by creating policies that define which action should be blocked or allowed.

The firewall is a security device. We use this solution to create policies like ISPs for a specific purpose. We only allow the policies for a particular application, so this is a way for the firewall to secure an unwanted connection.

The most valuable feature is the ability to deeply analyze the connection or connection type.

Overall it is good. It is reliable and easy to understand. However, the monitoring feature could be improved.

They have many solutions already. I don't think I have seen any missing features. Every device has different functions, but as a firewall, this solution has a lot.

Stability is good.

There are no scalability issues to date.

We have about 2,500 users behind the firewall using this solution. I think we don't have any requirement to increase usage. Currently, we have around 2,500 users, but if this increases, we may need a new requirement.

We hired one or two people to maintain the solution.

Technical support is good. Once you call up with your issue, it takes around one or two hours for them to contact and give you a solution accordingly.

We were using Cisco ASA. We switched because of legal reasons and difficulty to understand. That's why they had decided to change to Firewall.

It is very easy to use. It's straightforward, easy to understand, and easy to configure.

Deployment time depends on your requirements. If you talk about the system requirements, it hardly takes up to 15 or 20 minutes for the configuration.

That said, it totally depends on your requirements: What kind of policy you require that supports what kind of block, etc.

The deployment time would change based on these requirements, but the system configuration: accessing the internet and creating policies hardly takes 20 minutes.

Deployment is configured by administrators, so if we have any kind of issue in policies or any confusion, we get tech support.

Pricing is yearly, but it depends. You could pay on a yearly basis or every three years.

If you want to add a device or two, there would be an additional cost. Also, if you want to do an assessment or another similar add-on you have to pay accordingly for the additional service.

We also evaluated Check Point and Fortinet solutions.

This solution is easy to understand, reliable, and user-friendly.

I would rate this solution as eight out of ten.

We primarily use the solution as security - as a next-generation firewall.

The application control portion of the solution is its most valuable aspect.

The malware protection on offer is excellent.

The initial setup is very easy.

We found the scalability to be quite good.

The stability is excellent.

Technical support is great.

The interface is very user-friendly.

Either the application or the vendor needs to provide a more updated list of internet applications.

The price of the solution is very high.

We've been dealing with the solution for about three or so years at this point. It's been a while now.

The solution has been extremely stable. There are no bugs or glitches. It doesn't crash or freeze. It's very reliable.

We tend to work with enterprise-level organizations.

The scalability is quite good. If a company needs to scale, it can do so with ease.

We found the technical support to be quite good. They are helpful, knowledgeable, and responsive. We have no complaints. We are very satisfied with the service they provide to us.

We also work with Fortinet.

I'd likely recommend Palo Alto over Fortinet as I find Palo Alto to be more user-friendly. The performance is also very good.

We found the initial setup to be very simple and straightforward. It was not overly complex or difficult. A company shouldn't have any trouble implementing the solution.

The deployment is also very quick. It only takes about ten to 15 minutes or so.

The cost, overall, is pretty expensive.

We are a Palo Alto partner. We are a systems integrator.

I'd recommend the solution. If a company has the budget, I would suggest the product to them. If a customer has a more limited budget, however, I would highly recommend Fortinet as an option.

I'd rate the solution at an eight out of ten.

Our primary use case was for perimeter protection.

Innovative, advanced threat protection is the most valuable feature. 

I don't see any specific room for improvement.

The user interface is probably not as slick as it could be.

I have been using Palo Alto for three years. 

We're on-premises primarily at the moment, but also a cloud product. 

The stability is generally pretty good. I haven't heard any complaints from our customers around Palo Alto's stability. It's one of the reasons why they're the leaders in this space.

We've got our own team for maintenance. My company is a large multinational with 20,000 employees.

I have contacted their support once. It's very good support. They help me to fix our problem quickly.

The initial setup was complex. It's not very intuitive. You need to know what you're doing for the initial setup, you need to be a Palo Alto expert.

If you compare it to their competitor Fortinet, Fortinet's FortiGate product is a lot easier to install, if you're not an expert.

The time it takes to deploy depends on how complex the deployment needs to be for the client. If it's a basic deployment, is going to take around two days. 

My advice would be to make sure the firewall is configured properly.

I would rate it an eight out of ten. Not a ten because you have to be really excellent before you get a ten out of me.

In the next release, I would like to have the ability to auto-generate rule and policy, based on known traffic, based on the baseline. That is a feature that I think Palo Alto should be able to have in some form or fashion to auto-generate and propose a policy and rules set, after putting the file into a learning mode for some period.

We're customer facing; each customer uses it for a different purpose. Some use NG Firewalls for IPS capability, some for application capabilities, these kinds of things.

The accessibility, antivirus, and stability features are the most valuable. It's so stable, the customer can use the decryption features without impacting performance.

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

It's a very stable solution.

I am the customer's technical support. If a customer has issues, they would call me.

The initial setup was basic. It was very simple. The basic configuration will only take 15 minutes. Anyone can set it up. If a person has worked with a firewall before, they can do it themselves. You only need one person for deployment.

Licensing is on a three year basis. Customers prefer one to three years. Licencing is pretty expensive. Check Point is cheaper than Palo Alto. There's also an international license. If a customer wants to control different things, they will need an extra license. 

I've helped customers using Fortinet and Check Point. They are compromised. Their firewall is not stable. But for some features, for example, encryption, they want to use this feature, but the firewall feature isn't great. With Palo Alto, there isn't any problem, you can open any feature - IPS feature, data encryption feature - there isn't an issue.

Implementation is simple, the product is stable, but I advise if people get the firewall I strongly recommend the use of the API features. They may not be accustomed to using a next-generation firewall. If they want to use NG Firewalls, they need to use and implement the API features. They need to create uses based on the application.

My understanding is Version 9 will introduce some logic features.

I would rate this solution 9 out of 10.