Not Beginner-friendly, but Powerful and Comprehensive
October 17, 2017

John Orleans, CISSP | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Software Version

PA-3000 Series

Overall Satisfaction with Palo Alto Networks Next-Generation Firewalls - PA Series

We used our Palo Alto firewalls to analyze and filter all traffic coming into and leaving our network, including the DMZ.
  • Web Filtering - Analysis is fast and comprehensive, with all the options one should expect from a professional Web filter. Admins can set options to audit, warn, click-through, password-protect, or block sites based on numerous criteria. Changing site categories is easy and Palo Alto do a good job of being pretty up-to-date on their site catalog.
  • Packet Identification - This is an area where Palo Alto excels. Want to allow your users to use Facebook, but block IM and/or file transfers? Easy. Have an inbound file that says it's a jpeg but is really an Excel spreadsheet? Busted.
  • WildFire - I hated it at first, but it's come a long way. Unknown files can be sent to WildFire for them to sandbox and analyze. The result is fairly fast return times and a process that contributes to the improvement of your firewall's function.
  • Updates - They happen often and are quick to install, but new definitions with a threat level of critical should be blocked by default, not set to audit-only.
  • SSL Proxy - This works great if you have very little traffic on your PA. If you turn this on, expect to cut the firewall's performance in half. Even then, no SSL Proxy is perfect, so some sites just won't work.
  • Within minutes of installing a PA in passive mode, we were able to identify dozens of attacks on our network.
  • In the first month, we were able to provide executive reviews of attacks on our network, usage statistics of our Internet connections, and use of our cloud resources.
  • Our PA installation helped us discover a major exfiltration attempt, document it, and bring a compelling case against the perpetrator.
All the other products varied from just okay to very good at their individual tasks, but none had the complete vision package provided by Palo Alto. Some were easier to use and set up, with very friendly interfaces. Palo Alto have come a looong way with their Web interface, which is great, but still isn't easy to set up properly, at least compared to Sophos, Smoothwall, and Barracuda. Some applied rules immediately, whereas Palo Alto requires a full configuration update that can take a few minutes (much better than the 15-20 minutes it used to take). However, again, Palo Alto blew the others away when it came to performance, flexibility, and accuracy.
If you don't have the money to have a good VAR set it up or don't have the desire/expertise in-house to properly configure Palo Alto, then take a pass and use something like a Cisco ASA or Sophos XG. Also, expect to spend a lot of time fine-tuning it. Also, since there are so many ways of doing the same thing, it's important for your team to be disciplined about how and where they use rules. However, Palo Alto firewalls are well worth the effort. After they're properly set up, you'll have a very good, comprehensive view of your traffic with excellent reporting and alerting ability.