What is our primary use case?
This is a solution that we implement for our customers.
It allows our customers to manage several firewalls from a central location. Some examples are securing the internet edge, data centers, micro-segmentation within the data centers, and securing their campuses.
The majority of the deployments are on-premises, however, we have more and more customers that are moving to the cloud. This solution is helping them to secure their cloud, as well.
How has it helped my organization?
Using this solution means that you can store logs for longer periods, up to perhaps two years, depending on your attached storage.
What is most valuable?
The most valuable feature is the ease of use that comes from the GUI. I have found that you can do almost everything from the GUI. You rarely have to log into the CLI, at perhaps once in six months or a year.
This solution offers a lot of advanced functionality that is easy to deploy and not available from other vendors. An example of this is credential theft. Credentials are sometimes collected through phishing emails or websites, and this solution helps to reduce that type of attack. Every five minutes, Palo Alto updates the list of phishing websites. You can set up a profile to ensure that if anybody tries to access such a website, whether it be Http or https, then the attempt will be blocked.
Palo Alto will automatically monitor the contents of POST messages and check to see if they contain credentials such as a username and password. If they do then it may indicate an attempt to steal credentials by an external site. The traffic will be blocked, the incident will be reported, and the admin will be notified.
This solution makes the lives of security admins very easy in cases, as an example, for configuring IPS. If you want to secure traffic between any two zones, we need to make sure that the applications are identified, the users are identified, and all of the security profiles are applied. These including antivirus, anti-spyware, and IPS. This solution makes the configuration very easy.
Each firewall is treated as a security sensor where the firewall talks to the cloud and a machine running artificial intelligence helps to detect malware or other threats. This is an important step in the protection that this solution offers.
What needs improvement?
The dual WAN functionality is missing in this solution.
For how long have I used the solution?
We have been using this solution for almost two years.
What do I think about the stability of the solution?
This solution is very stable. It is a mature solution with a mature operating system. I have one firewall that has been running since 2010, and it is still upgrading to the latest software and still working.
What do I think about the scalability of the solution?
This solution scales well.
We have many more than forty customers who are using this solution. One is a university with twenty thousand students, and we have deployments in large banks, different branches of government, etc. There are many thousands and thousands of users who are being secured.
The demand is very high and the standards are improving. Data centers are booming, and customers are looking for more enhancement in their platforms.
How are customer service and technical support?
Technical support for this solution is awesome. However, I rarely open a case because their platform is very stable. Most of the cases are related to basic support, such as an RMA. I have seen other vendors like Fortinet or Cisco, where the enabling of a function means that you have to deal with support, and there are issues that come from that.
How was the initial setup?
The initial setup of this solution is very easy. The length of time for deployment depends on how many policies you have, but the basic configuration should not take more than one hour.
For policy tuning, you need to review and tune the devices. Palo Alto has several tools to help with migration from the legacy approach of port-based policies to application-based policies.
What's my experience with pricing, setup cost, and licensing?
Initially, Palo Alto looks expensive, but if you dig deeper then you will find that it is very comparable, or even cheaper than other solutions. For example, if you are looking for a one-gig next-generation firewall then you will start looking at the Palo Alto 850. If you compare the price of this to Fortinet, Worksense, Forcepoint, or Sophos, then you will see that they offer three or four gig performance at half the price. However, it is not true.
The reason for this is that not all of the security features are enabled. When you enable them, the performance degrades by more than ninety percent, and I have seen this happen in many different scenarios. This means that for the Palo Alto 1GB, it actually means 1GB with all of the functionality enabled. For the other vendors, you will never see their datasheet with all of the functionality enabled for a real environment with real traffic. It is based on lab traffic. Because the reality is that the performance of Palo Alto is better, it means that the price is better. When you compare models using real performance, and you do the calculation, you will see that Palo Alto is very comparable.
Which other solutions did I evaluate?
We have worked with many, many vendors, and this is the most mature next-generation firewall in the market. The performance of Palo Alto is very predictable, unlike other vendors who are faking their datasheet in terms of high-performance numbers that are unrelated to a real network, or real traffic.
Palo Alto provides numbers that reflect what is happening when all of the security functions are enabled, whereas other vendors do not show their performance will all of the functionality enabled. In reality, they are better than others. At the end of the day you are buying a security device, and you don't want to turn off any of the functionality to enhance your performance. Palo Alto is designed from day zero for performance and security.
What other advice do I have?
This is the most mature next-generation firewall in the market and a solution that I strongly recommend.
The biggest lesson that I have learned from this solution is not to trust internet users. Whether it is regular users or employees, they do not like to be detected. They keep trying to work around the policies using different applications and peer-to-peer functionality. I have learned this because Palo Alto has full visibility to all types of traffic, and we're able to catch these scenarios and put security policies int place.
Palo Alto has done a lot towards closing gaps in security. Cloud security is not their only focus. It is concerned with the flows between VMs, storage, and containers. They are concerned with PCI requirements and compliance. They have also launched Cortex Analytics to help close gaps further. They are in a very good position to lead the future.
At the end of the day, everything is relative, and I would rate this solution a ten out of ten compared to other products. However, there is room for improvement.
Overall, I would rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.