Palo Alto - Security in a box
December 06, 2019

Jeremy Cejka | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Software Version

PA-800 Series

Overall Satisfaction with Palo Alto Networks Next-Generation Firewalls - PA Series

Palo Alto serves as our perimeter defense product, from threat assessment on the internal network to ingressing connectivity from the internet. It provides inline web proxy and SSL inspection without the need for other machines/hardware. A few problems it solves are: 1) perimeter defenses, 2) sanity and 3) DFARS.
  • Inline rule threat assessment
  • Good information dataplane and graphics
  • GlobalProtect VPN needs a user launchable option from pre-logon. This has been a challenge for government customers for years. Their competitor Cisco AnyConnect has SBL.
  • Quality of upgrades/updates has been getting worse throughout the years. As of recently, things they supposedly fixed have been making it back into the newer updates, causing more headache for administrators to roll back. Especially if the update addresses a CVE.
  • Some of the lower end units do not perform to the spec on paper - 220/800.
  • Ease of setup and security is a net gain for the cost of a security appliance in a box.
I've been using NGFW since 2014, when it really was the main player in the new term "Next Gen Firewall". I'm sure the bar is pretty matched across the board with FireEye and other niche players and even Juniper/Cisco etc. Eventually there will be equilibrium. I chose Palo Alto because I am comfortable with them; I know the product fairly well from my time using them at Raytheon/(Websense/Forcepoint). I would certainly choose them over a Sophos UTM or Forcepoint Firewalls at the moment. I say this with extreme caution: if PA cannot get their update quality resolved in the future, I may be forced to look at other products that may spend more time QA'ing their updates.

A prime example is in the upgrade/update stream: there are newer versions out that are not stable or recommended by support, but yet there is no indication from the "Update Software" if that release is GA, ED, or Beta/Alpha. There needs to be more visual communication to [system administrators] whether a release is GA or not from within the update options in the firewall.
It's hit or miss on support.
I often solve my problems before they can figure it out.

When I can't, it's usually a hardware replacement.

Do you think Palo Alto Networks Next-Generation Firewalls - PA Series delivers good value for the price?

Yes

Are you happy with Palo Alto Networks Next-Generation Firewalls - PA Series's feature set?

Yes

Did Palo Alto Networks Next-Generation Firewalls - PA Series live up to sales and marketing promises?

Yes

Did implementation of Palo Alto Networks Next-Generation Firewalls - PA Series go as expected?

Yes

Would you buy Palo Alto Networks Next-Generation Firewalls - PA Series again?

Yes

I cannot see a scenario where a Palo Alto firewall would not be well suited. It's security end to end in a box. The only challenge is cost. And if you size it appropriately for a medium business in a single location, a PA 850 is an adequate device with 10G connectivity. For 25K roughly you get peace of mind. That's a small price for a business.

Next-Generation Firewalls - PA Series Feature Ratings

  • Identification Technologies: 8
  • Visualization Tools: 8
  • Content Inspection: 8
  • Policy-based Controls: 8
  • Active Directory and LDAP: 7
  • Firewall Management Console: 8
  • Reporting and Logging: 9
  • VPN: 5