What is our primary use case?
We use it to monitor all traffic, so we can do URL filtering with it. We can also use the VPN features, which we have not set up yet, but we know the functionalities are there. In addition, we use it to monitor all our trusted and non-trusted traffic, then block it as appropriate.
It does a lot of threat management as well. It is like a threat management gateway and it does some virus scanning. From that perspective, it is really good.
How has it helped my organization?
We now have a lot more detail about what our users are doing on the network, whereas before we did not know certain things they were accessing, websites they were going to, and what vulnerabilities were potentially being introduced into our network. Now, we have a very good understanding of what is actually traversing our network, what is coming in, and what is going out.
What is most valuable?
Threat management. That is very important, obviously. There has been a lot of press about hacking, virus vulnerabilities, the cron bug, etc. It is very important that we detect these as soon as they happen, so we can implement measures before they get onto our network. It is very good at doing that; it is very good at identifying these vulnerabilities.
What needs improvement?
The interface, maybe. It is all Java-based and I would prefer an HTML5 interface. It would make things a bit quicker. It is not that it is really bad once you are in, it is just another Java-based application that is not amazing. I am not really a fan of Java-based applications.
The user-friendliness of the UI could be improved.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
No issues, it is very stable. It is fairly easy to use. I would not say it is difficult, just sometimes it can be a bit sluggish navigating through pages. That is just purely because of Java.
What do I think about the scalability of the solution?
We picked the PA-3050s. They can handle a lot of traffic, so we are nowhere near our limits on it. We are not really touching its full capacity at the moment.
How are customer service and technical support?
It is very good. I have not actually called their support line, because we have a direct contact to a senior engineer in the company for any issues that we handle with them. I will say they are very responsive, and they do give you the information you need when you need it.
Which solution did I use previously and why did I switch?
We previously used Cisco ASA. We switched to Palo Alto because it can do a lot more. They are called Next-Generation Firewalls (NGFW). They can do a lot of threat detection and things that the Cisco firewalls could not, or could only do with plugins, and the firewalls were not really built for that purpose. Palo Alto can handle a lot more and give us more insight into our network.
How was the initial setup?
The hardware install was mildly complex; it was somewhere in the middle. It was just about working out the best way to monitor our traffic, because you can have a segregation of interfaces. You can use something called vwire, which is like a bump in the wire, or you can use Layer 3 interfaces. It was just working out which way to go. We could not really configure the Layer 3 interface solution properly, so we just went for a different setup.
It was not overly complex. There was enough information online and enough support. There is enough info in the community on their website to allow you to do what you need to do.
What's my experience with pricing, setup cost, and licensing?
For what you get, it does do what it says it does. It is a good value for an enterprise firewall.
Which other solutions did I evaluate?
We had a look at Check Point firewalls, as well as Huawei.
- With Check Point, it was a feature-rich product, but it was a bit more expensive.
- With Huawei, it was not really a valuable solution or as advanced as the other two, so we discounted them straight away.
What other advice do I have?
Make sure you have a detailed plan of what you want to get out of it, that you fully understand your network infrastructure beforehand, and that you have all the IP addresses documented, along with other things that you might need, before you actually implement it. Also, it is a feature-rich product, so ensure you have looked at what it can give you, and decide if you need all that functionality in your network. If you do not need it, then you can obviously go for something that is a bit less feature-rich.