What is most valuable?
Panorama: Provides a central management capability for all of the firewalls. It has the ability to manage the devices in groups based on their use. We use the firewalls in two primary functions and the ability to provide management of the different groups of firewalls is very useful.
Firewalls: The application ID capabilities have been very useful for things like Active Directory, and not having to identify every port that Microsoft has decided to use.
How has it helped my organization?
I can’t say that it has significantly improved the functions of the organization over the firewalls that we were previously using. The addition of a good central management capability has helped improve the management of the firewalls, but the functions for the service that is provided to the users has not significantly changed.
What needs improvement?
Panorama: The ability to add scheduled jobs would be a significant improvement. Panorama has the ability to push out OS updates, but it would be nice to be able to schedule those updates so as not to affect the site during normal business hours.
(1) App-ID is good, but could be better. We use off ports for some common services and App-ID does identify the application correctly, but the rule allowing the traffic does not allow the traffic without adding the ports to the rule. This negates the need for App-ID in the rule. If App-ID worked as I think it should, we would use it and then block the common port.
(2) Integration with Microsoft Active Directory incurs significant additional traffic across the WAN circuits. We have a number of GCs across our environment and the configuration of Active Directory in the firewalls requires significant communications to all of the GCs across our environment. We were seeing the firewalls generate around 500kb of WAN traffic communicating with all of the GCs. After reviewing the configuration with Palo Alto support, the config was correct. While we do want to be able to use the User-ID functionality of the firewalls, that kind of overhead is not acceptable.
For how long have I used the solution?
We have been using Panorama and the PAN FWs for just over one year.
What do I think about the stability of the solution?
So far we have not seen any issues with stability.
What do I think about the scalability of the solution?
We have not run into any issues with scalability.
How are customer service and technical support?
Technical support with Palo Alto has been very good and responsive.
Which solution did I use previously and why did I switch?
We were previously using Cisco ASA devices. The switch was made based on central management and the NGFW functions. The timing was in the middle of Cisco delivering their NGFW functionality. The other issue that led to the move was that when Cisco presented their recommended replacement for the existing devices, they recommended their Meraki line with Internet management, which was not in line with our requirements for many of our more sensitive firewalls.
How was the initial setup?
Initial setup is very easy. After working with a few new installations we were able to put together a script to apply to the new firewalls to set up the management access, Panorama location, high availability (HA) configuration and the initial IP stack. This makes it easy to start the OS updates and initial rules from Panorama. By having the HA setup scripted, it also makes the OS updates a single download instead of a download for each device. The HA connection allows the firewalls to copy the OS over to the other firewall with the single download. That is important because there are several large downloads necessary to update the OS to the current OS levels.
What's my experience with pricing, setup cost, and licensing?
Pricing is high compared to other vendors in the same space. Licensing is also fairly high for different functions to be added on, like Intrusion detection/prevention, user VPN, URL filtering. Some firewall vendors offer the “additional” licensing/functions as part of their license for the device and then others offer it like Palo Alto.
Which other solutions did I evaluate?
The original decision was made by a different group within the company. The re-evaluation included Cisco ASA, Cisco Meraki, Fortinet and Palo Alto.
What other advice do I have?
Talk to other customers. Start with the ones recommended by the vendor, but look in forums as well. Everyone understands that recommended customers are handpicked and forums can contain spurned customers. But if you look for information regarding specific functions that you need, you can find more useful information. If you hear something glowing from a vendor-recommended customer about a function, make sure to check on that function online.