Item: Palo Alto Networks Next-Generation Firewalls - PA Series
Rating: 9
Author: Paul Luchini

Use Cases and Deployment Scope

We are using two Palo Alto PA-5220 firewalls in a high availability configuration as our data center/HQ head-end firewalls as well as our Global Protect VPN portal and gateway. They are used agency-wide for both data center and user traffic, and have allowed us to combine features from our past firewall, VPN and content/URL filtering solutions into one.

Pros and Cons

It does an excellent job of securing by applications rather than relying on ports.
With the separate management and data planes we've never experience performance issues.
Content updates (apps, URLs, threats) are seamless and automatic.
It is very flexible and powerful on the network configuration side.

When web managing, you cannot sort by columns by clicking on a column.
Palo Alto does not officially bless specific versions as recommended.
The Global Protect client upgrade process does not provide feedback on progress.
Logging queries sometimes take a while to complete.

Return on Investment

It has decreased the number of individual devices we have deployed, saving costs and management required.
It has maintained high uptime for our services.
When we replaced our 5000 series firewalls with 5200 series firewalls the performance increased so much we were able to move down a model and actually save money over three years by upgrading (when including support costs).

Alternatives Considered

Check Point Next Generation Firewall

At first we continued using Check Point as our port-based firewall while using Palo Alto for content/URL filtering and threat prevention. However, we soon realized the Palo Alto did everything the Check Point did, plus quite a bit more. Hence, it made sense to consolidate all functions on the Palo Alto instead of splitting them between the two. The Palo Alto was also quite a bit more advanced as far as routing and policy-based routing goes.

Support Rating

We've run into a couple undocumented bugs, but that seems to happen with every brand and technology. Any time we've had to engage Palo Alto support they've always been professional, knowledgeable and prompt. In almost all cases we've been able to resolve our issues without having to escalate our tickets.

Key Insights

Do you think Palo Alto Networks Next-Generation Firewalls - PA Series delivers good value for the price?

Yes

Are you happy with Palo Alto Networks Next-Generation Firewalls - PA Series's feature set?

Yes

Did Palo Alto Networks Next-Generation Firewalls - PA Series live up to sales and marketing promises?

Yes

Did implementation of Palo Alto Networks Next-Generation Firewalls - PA Series go as expected?

Yes

Would you buy Palo Alto Networks Next-Generation Firewalls - PA Series again?

Yes

Other Software Used

Cisco Nexus, Cisco Catalyst 3850 Series Switches, Cisco Catalyst 9500 Series Switches

Likelihood to Recommend

Palo Alto PA Series firewalls are well suited to be your main firewall/NAT/VPN/content/URL filtering gateway. It simplifies management and design by having all of these features integrated into one device. It also handles our AD and terminal server user identification requirements well, which a lot of other products don't do at all. Finally, it scales up well since you can manage all of your Palo Alto firewalls from a single Panorama server.

Palo Alto PA Series firewalls deliver tons of features and straightforward management

Software Version

Overall Satisfaction with Palo Alto Networks Next-Generation Firewalls - PA Series