Palo Alto Networks Advanced Threat Prevention vs. pfSense

Palo Alto NTP is an appropriate suite of protection for any enterprise environment or anyone that truly needs some serious perimeter protection in a one-stop, all-in-one unit. There are no modules or add-ons or clunky interfaces to deal with it; everything works out of one management plane, licensing, implementation, monitoring. updating, etc. As a network admin, that is immensely valuable to me. Additionally, I get real-time reporting on all the stuff NTP is catching, and it is nothing to shirk at. The real value in NTP comes in only after you begin doing SSL-decryption, however, to truly inspect the traffic. Short of that, you are just seeing a bunch of encrypted data and the NTP suite of tools isn't going to avail you. NTP plus decryption, though, is invaluable!

Incentivized

I believe PFSense is well suited for both home lab environments as well as up to small to mid-size business environments on a tight budget. However, I would implore that anything in production requires the use of the authorized hardware that PFSense sells to receive support. However, in my experience, PFSense is a solid set-and-forget firewall solution.

• The threat engine has constant updates for important threats.
• Wildfire helps supplement the Threat engine to help protect against 0 day threats.
• The way the threat engine can be added at different levels to different zones and policies helps to ensure business essential traffic can have policies that are tuned to ensure traffic will flow.

Incentivized

• Easy to use. Good user interface design! Easy to understand and easy to set up.
• Lower hardware requirement. 3 years ago, we used an old PC to run it. Now, we have changed to a router device with Celeron CPU and 8GB RAM. It runs smoothly with a 1000G commercial broadband.

Incentivized

• Cost is high, but it is a premium product
• Endpoints are still vulnerable.
• TAC engineers aren't always equipped with ATP knowledge

Incentivized

• I did kind of mention a Con in the Pro section with OpenVPN.
• When I create a config for an employee other employees are able to login to that config.
• I could be doing something wrong when I am making it - I am not afraid to admit that as I am pretty new to all of this, but it seems like it builds a key and I would think the key would be unique in some way to each employee, but I could be wrong.
• I actually do not have a lot of Con's for this software - I did not get to set this up on our work network so I am not sure of any downfalls when installing.
• I installed this on my personal machine in a Hyper-V environment to get a feel for it before I started working on it at work and it seemed pretty smooth. I didn't run into any issues.

Incentivized

The reason to give ATP this rating is it specialises in detecting command control traffic whose primary role is to identify unusual outbound traffic patterns which blocks the command control communication and notifies to different security team to take necessary actions. ATP Global protect holds the responsibility of inspecting all the inbound and outbound traffic going to and from corporate system regardless of the network they are on. ATP plays a major role to identify the threats that blocks threats that could lead to data breach also it identifies any malicious file enter the system will be blocked proactively

Incentivized

The pfSense UI is easy to navigate and pretty go look at. It is much better than some high dollar firewalls that just throw menus you you. The pfSense UI is quick and responsive and makes sense 99% of the time. Changes are committed quickly and the hardware rarely requires a reboot. It just runs.

Incentivized

pfSense+ basic provides "As Available" email support. pfSense+ Pro offers 24 hr turn around email support. pfSense+ Enterprise offers 24/7 phone support.

Incentivized

Having used Palo Alto Firewalls for years, implementing threat protection was the next step in perimeter security. Works much better than the few competitors I have personally used. Frequent content updates occur which may impact some policy rules, but that is normal across most vendors.

Incentivized

Meraki has a unified management login for all devices, which is nice. It also has decent content filtering, both areas where pfSense is weaker. Where pfSense far ouclasses Meraki is in the ease of use and the other width of features. These include features such as better VPN interoperability, non-subscription based pricing, auditability, not relying on the infrastructure of a third party, more transparency of what's actually going on, easier to deploy replacements if hardware fails. Additionally, the NAT management for pfSense seems to be a bit better, as you can NAT between any network segment and not just the LAN segments out the WAN interfaces.

• After adding PA Threat Protection, we are now getting our network traffic completely inspected.
• We are now applying security checks and scans like AV scan and Anti Spyware checks.
• This is also giving visibility into threat and attack vectors that are using vulnerabilities and exploits to enter our environment.

Incentivized

• pfSense can be installed on commodity hardware with no licensing fees. With a simple less than 10 minute restore time, on most hardware, it's an extremely inexpensive way to achieve the same results that some of the more expensive vendors provide.
• The easy to use interface has allowed configuration management to be preformed by lower level technicians with quick and easy training.

Incentivized