What is our primary use case?
We have the Palo Alto Firewall sitting on the edge and everything that comes through it is analyzed. Even if anything comes through via email, it is forwarded to the WildFire service, which then opens up email attachments to see if they do any damage to the system. If it reports back that the attachment should not be forwarded then it keeps it out.
WildFire has discovered a lot of stuff that our other anti-spam tool did not, so it has been quite good.
How has it helped my organization?
Using WildFire has reduced the number of viruses and the amount of malware that comes into our system, which means that I don't have to rely on the end-users to identify it. This results in less chance that our systems will get infected. I would estimate that there has been a 15% - 20% reduction in that kind of stuff getting through.
What is most valuable?
The most valuable feature is where it automatically opens up the emails and checks to see if any damage occurs to the system. That's something that would be difficult for us to do here manually, simply because we get so many emails coming in. I think about 80% of the emails we get are spam and for us to be able to manually go through that, one by one, looking to see whether they are good or not, would take perhaps 50 people full-time.
What needs improvement?
Palo Alto is very tech-heavy, and the average user can't just go and deploy one. You really need to know what you're doing. I've been doing IT for more than 25 years and I sometimes have to double-check things or ask for help. The reason is that there is so much included in the solution. It would be nice if there was an easier way to install and deploy it, such as through the inclusion of wizards. Having a more complex product generally means that you need more technical expertise, although if very experienced people are still having trouble then it is probably worth revisiting and trying to improve.
It would be nice to have some sort of remote management tool. As far as I'm aware, they don't have a tool that runs on a mobile device, so you need to be in front of a workstation in order to get it up and running. If I had a remote tool that allowed me to access it then it would be very helpful. Even if I have to VPN into the network, that's fine, because being able to remotely do stuff on my phone would be useful. Everything is going that way.
For how long have I used the solution?
We have been using Palo Alto WildFire for about seven years.
What do I think about the stability of the solution?
This solution is quite stable and we've had very few problems.
We did have one false positive that nobody was able to figure out, including Palo Alto and our consultants. Ultimately, I was able to find the problem, write some code and embed it, and that has kept the problem from reoccurring. Otherwise, it has been rock solid.
It is quite extensively used in our organization. Literally, it is used non-stop.
What do I think about the scalability of the solution?
This solution is quite scalable. The specific solution that we have was sized for our environment but I know that you can get other models that will scale up or down, depending on what you need. I think that it should work fine, regardless of what type of organization you're in.
We have between 60 and 70 users. Everybody from the CEO to delivery drivers, office workers, and mobile employees use this solution.
How are customer service and technical support?
Technical support from Palo Alto is very strong. Whenever I've had problems, they've been able to help me out, every single time. I've gone to them with some pretty complex stuff and they will sit with you until it's done. They have technical support that follows the sun, so if I've got somebody who is in the same timezone and their shift ends, they will transfer me to another person who is just starting their day and can spend another eight hours with me, if necessary.
The biggest lesson that I learned from using this solution is not to hesitate to call support. You're going to bang your head against the wall trying to figure things out, and meanwhile, these guys are just sitting there waiting to help you. They will figure things out a lot faster than you will.
Which solution did I use previously and why did I switch?
The company did have a previous solution. I don't know what it was, but the switch to this product was based on the recommendation from the telco.
How was the initial setup?
The initial setup is fairly complex.
One of the challenges is that you often need to have a third-party implement the solution, and whoever handles the task needs to understand your network and your use case extremely well. They have to know it so well that really, they need to be an employee and work with the environment in order to roll it out properly. It's difficult to do, so that means you need to have a highly technically skilled individual who can go in and implement stuff that works with the company. Unfortunately, most smaller companies just don't have that kind of person.
From the point that we first started talking about it, followed by the installation, setting it up, and testing, it probably took a couple of months. We first implemented a test network, which was segmented off and used in parallel. We had some people who were willing to test the new system and helped us to gain confidence in the implementation. Once it was complete, we brought everybody over to the new network and removed the old one.
What about the implementation team?
We had a consultant come in and he did an okay job. However, I had to go back in later on and rework a bunch of stuff, simply because he didn't understand the environment.
The company we used was Telus, which is a telco in Canada. When the primary consultant would run into problems then he would call somebody else, who in turn called somebody else. In total, we had several people from Telus who were working on the implementation.
For the deployment staff, you will be needing two or three people. They have to have an understanding of the business, networking, networking protocols, and security.
With respect to the maintenance, it is pretty hands-off. One or two people can handle it, as long as they've got a strong understanding of how the Palo Alto system works. The only time you really need to touch it is if you need to make a modification to the web filtering rules or if you need to modify the configuration to allow for different services or different devices on the network.
What was our ROI?
This solution saves us a pile of money because we don't have to manually go through all of our emails.
What's my experience with pricing, setup cost, and licensing?
Smaller organizations may find it a bit costly. It is not a cheap solution, simply because of everything that it can do, so there might be a cost barrier for smaller organizations.
We pay between $3,000 and $4,000 CAD ($2,200 - $3,000 USD) per year to maintain this solution. There are different charges that depend on the different options, such as WildFire or different virus signatures.
What other advice do I have?
This is a very good solution and, from a technical perspective, it does a fantastic job. At the same time, we are actually planning on getting rid of it, as it is probably overkill for what we need. I think that when they were looking at this device, they didn't really know where to turn. I was not working here at the time, so they took the recommendation from their telco.
My intention is to replace it with four or five individual firewalls, which gives us a little bit of redundancy and does some other things for us. Palo Alto has a lot of advanced stuff that it brings with it, and we don't have a need for it.
Specifically for WildFire, we're shifting away from on-premises email and going to a cloud-based email system. In that type of managed solution, the provider handles messaging security.
My advice for anybody who is researching this solution is to consider the requirements and the cost. I guarantee that this product will do what you need, but you have to make sure that what you need is what it provides. It is possible that there is more in there than what you'll actually use, so you need to think about whether it is worth the cost. The reason that we're changing is cost-related. For what they are charging us every year, I will completely replace all of our hardware, get exactly what we need, and only pay for it once. We will be saving $3,000 - $5,000 CAD ($2,200 - $3,800 USD) every year after this, just because we don't have those licensing costs associated with it.
The bottom line is that this solution has the ability to do an awful lot of stuff, and if it were easier to configure then it would be even better.
I would rate this solution an eight out of ten.