What is our primary use case?
I used Palo Alto firewalls for plenty of projects and have many use cases.
When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID Facebook-base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs Facebook-base and Facebook-mail.
How has it helped my organization?
I like to install Palo Alto mainly on the data center side to have visibility and protection into the network because we can configure the SVI (layer 3) on Palo Alto instead of the core switch.
It gives us full visibility and protection for the core of the network.
What is most valuable?
Visibility and Protection
It gives us good visibility into the network, and this is very important because it's the core of the network. All the packets go through the firewall.
MFA is a new feature in Palo Alto and it's good to use it.
What needs improvement?
I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic.
Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
Palo Alto is very stable. I worked on Cisco products like FTD and Firepower, and they are not as stable as Palo Alto. Also, some FortiGates are not stable. Palo Alto, as far as I know, is the most stable firewall compared to these others.
What do I think about the scalability of the solution?
The solution is scalable because they are now using the next generation security network. They are integrating with endpoint protection. Palo Alto now has Traps, so they integrate their Traps and the next generation with the cloud. So it is scalable.
How are customer service and technical support?
Technical support in Cisco is better than Palo Alto. In Cisco, you can directly talk to the top engineers.
Which solution did I use previously and why did I switch?
We were using Cisco ASA. When Cisco moved to the next generation firewall or tried to move to the next generation firewall when they acquired Sourcefire, and they announced Firepower on ASA, it was not a good option.
They had tool management so you could configure ASA from the CLI and you could configure it on the Firepower. You need to redirect the traffic from ASA to Firepower. It was not a good idea. The packets were processed but there was latency in the packets.
Nowadays, FTD has many problems and bugs.
When selecting a vendor, the important criteria are how powerful the appliance is and whether it gives me the features that I want, not an appliance that does everything and affects the throughput. Also, the value of the product, the price.
There has to be a match between the price and the features.
Which other solutions did I evaluate?
What other advice do I have?
Buy Palo Alto and try its features. In Palo Alto, you have select prevention, scan over AV, anti-spyware, vulnerability protection, and file blocking. You have good features like WildFire to protect against unknown malware.
I rate Palo Alto at eight out of 10 because it gives me visibility and protection. This visibility and protection are very important nowadays to protect you from hackers.
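The App-ID dependency point in the review above (allowing Facebook-mail also requires Facebook-base), shown as an added example that is not part of the original review and not Palo Alto's own tooling: a small rulebase lint that flags allow rules missing a required App-ID. The dependency map, the rule names and the per-rule check are assumptions made for illustration; only the facebook-mail to facebook-base dependency comes from the review.

```python
"""Added example: lint allow rules for missing App-ID dependencies."""

# Constructed dependency map. Only facebook-mail -> facebook-base comes from
# the review; a real map would come from the firewall's application database.
APP_DEPENDENCIES = {
    "facebook-mail": {"facebook-base"},
    "facebook-base": set(),
}

# Constructed sample rulebase (hypothetical rule names).
SAMPLE_RULES = [
    {"name": "allow-fb-mail-only", "action": "allow", "apps": {"facebook-mail"}},
    {"name": "allow-fb-mail-full", "action": "allow",
     "apps": {"facebook-base", "facebook-mail"}},
    {"name": "deny-fb", "action": "deny", "apps": {"facebook-mail"}},
]


def required_apps(app, deps, _seen=None):
    """Return every App-ID that `app` needs, following dependencies transitively."""
    seen = set() if _seen is None else _seen
    for dep in deps.get(app, set()):
        if dep not in seen:  # the seen set also makes cyclic maps terminate
            seen.add(dep)
            required_apps(dep, deps, seen)
    return seen


def missing_dependencies(rule, deps):
    """Map each allowed app in `rule` to dependencies the same rule does not allow."""
    if rule["action"] != "allow":
        return {}
    gaps = {}
    for app in sorted(rule["apps"]):
        missing = required_apps(app, deps) - rule["apps"]
        if missing:
            gaps[app] = sorted(missing)
    return gaps


def lint_rulebase(rules, deps):
    """Return {rule name: {app: [missing deps]}} for every rule that has gaps."""
    report = {}
    for rule in rules:
        gaps = missing_dependencies(rule, deps)
        if gaps:
            report[rule["name"]] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in lint_rulebase(SAMPLE_RULES, APP_DEPENDENCIES).items():
        for app, missing in gaps.items():
            print(f"{name}: {app} also needs {', '.join(missing)}")
```

The check is deliberately per rule; a rulebase where a separate allow rule covers the dependency would need the comparison widened to all allow rules matching the same traffic.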