Palo Alto Networks VM-Series Review
A reliable tool with excellent support


Primary Use Case

For this VM in particular, it is microsegmentation which is used for implementing the firewall inside the data center.

Improvements to My Organization

When talking about the VM or the virtual firewall, it is mostly about the sessioncapacities that it can handle. In the early version of the firewall, the session or traffic that it could inspect was low. 

In quite a few releases, they have improved a lot. They started with the physical firewall, therefore it is almost virtually the same firewall with the same features, only that it is a virtual one. The main improvements that they have made are surrounding the processing capacity for the virtual machines.

Valuable Features

The granularity which is used to confirm applications based in users. 

When you have VMware NSX, it is easy to deploy this virtual firewall because it is fully integrated with the VM solution. If I want to segment any type of network inside the data center, it is about two or three clicks, and it works.

Room for Improvement

The reporting. There are various reports that come with the box or with VMware, but you can only run them daily. If you want to generate a report from this week or the past month, you have to create a custom report. It is not that difficult, but I expect these reports to be pre-made. I would like to be able to choose the dates that I can run the reports. As of now, you can only run it for the day before, so this is one improvement they need to make. 

Use of Solution

One to three years.

Stability Issues

From time to time, maybe twice a year, they have released content updates which have some issues. When they release content updates, the applications with these updates give us a false positives. I manage older software developers and members, and almost everyone has one or two missteps a year regarding these updates.

Scalability Issues

The Series 2000 version of Palo Alto were somewhat big for small or medium customers. They did not have a middle box. 

In the newer version (3850s), all of them are scalable. They fit better into medium or small businesses, so it is easy for us. E.g, if we have a VMware 500 appliance, we can upgrade it to a 100. They have improved in this way.

Customer Service and Technical Support

The technical support is extremely good. They are a 10 out of 10, not only because of their fast response time, but their knowledgeable personnel as well. They have knowledge regarding very specific issues. 

When we finish creating tickets in the support portal, there are a lot of knowledge-based documents. They answer almost immediately, calling you back about 10 minutes later. When creating a support ticket, I always get a quick answer.

Previous Solutions

I was using Cisco, but I was using the old Cisco. The firewall was the only working protocol. The Palo Alto Network Firewall is a Next-Generation Firewall, so it is a lot different. 

This is the first and only Next-Generation Firewall that I have used. I have put in several Sophos Firewalls, but they are not the same as Palo Alto.

Initial Setup

You will need to know what are you doing with the firewall. 

It's different than Sophos or Fortinet where you only need to click two or three times, and it puts you in engaged mode in the simplest way. 

With Palo Alto, you need to know where you are going to be implementing and what architectures you want. It is not complicated, but it is not as easy as Sophos or Fortinet, because when you start with these two firewalls, the quick setup wizard chooses for you and it automatically creates for you network rules.

With Palo Alto, you need to do all those steps manually, but it is somewhat better because it gives you the flexibility to choose how you want your network set up and how you are going to segment the networks.

Pricing, Setup Cost and Licensing

I know Palo Alto is not cheap because my finance team has been telling me that it is not a cheap solution. It is about the maturity of your security team or infrastructure team and whom you want to work with no matter how big your organization is: small, medium, or large.

The newest version of Cisco, the Next-Generation Firewall, is less expensive than Palo Alto. The price is more comparable to Check Point.

For licensing, it depends how you want to use the firewall. The firewall can be used only for IPS purposes. If you only want that firewall IPS, you will only need a license called threat prevention which includes vulnerabilities, antivirus signatures, and one additional measure; it includes three measures and security updates. 

If you do not want to buy the threat prevention license in the box, you can buy it with only the support license which is for the support of the hardware. It works like a simple firewall. It integrates what it calls user IDs and application IDs. If you do not buy any other license, only the firewall, Palo Alto will also help you improve your security.

Other Solutions Considered

We evaluated VanGuard for their Next-Generation Firewall.

We chose between Check Point and Palo Alto for their support teams. Check Point is very bad for support. We switched from Check Point to Palo Alto.

Other Advice

If you do not have a Next-Generation Firewall, Palo Alto is a good choice. It is reliable and the support is very good. The VMware version is in all the boxes and they use the same OS, so it is not different if you manage a physical box or a virtual box. The only difference is the virtual box depends on where it will be placed, and its main usage is for microsegmentation and data center firewalls.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.

Add a Comment

Guest
Why do you like it?

Sign Up with Email