Palo Alto

Been getting the hard sell from these guys recently, wondered if people had experience with them, what the hardware and feature sets are like, ease of learning/use?

Not sure what models we would be looking at but we currently use ASA5540's with AIP-SSM40's, have around 60 external IP's for publishing web sites/apps, close to 500 concurrent AnyConnect SSL VPN users.

Any ideas or thoughts on if they are worth taking a look at? What they come in at cost point wise? (Currently get around 56-60% off list price of Cisco kit)
 
Had a look at it and it caused massive network latency to the point whereby the network was unusable. No idea on the cost other than massively expensive.

We trialled it, got the guys in to fix the issues (which they couldn't) and binned it off.



M.
 
The hardware is similar to the high-end Cisco kit. Discrete CPUs for different tasks (Management backplane etc.).

I haven't had a play with the VPN client side of things at all, mostly we were looking at PA-200s for branch offices and a couple of PA-5050s for HA at the core.
I started typing a response, but it ended up looking very sales-y. Get them to lend you a demo unit and have a play for yourself - the interfaces are great.

From the perspective of IPS and threat prevention, they are stronger than the ASA range (from what I've seen), although I haven't looked at them since 2010ish.

It would be best if you looked at the 4000 or 5000 series for your needs.
They are expensive, and the support is expensive. PanOS does also have some very odd bugs in it, for which the remedy is not necessarily that speedy.
 
Skilldibop on here uses the PAs heavily and he swears by them, although I wasn't much impressed.

As Yamahahahhahaha says, they will be better than the ASAs at IPS etc. (The ASA IPS modules suck) but if you want a full on UTM then I'd consider investigating Checkpoint/Juniper/Watchguard depending on budget. If you just need a firewall with VPN then stay with the Cisco kit.

- GP
 
Another thing to consider is that the PA kit's main selling point is their Layer 7 awareness and fine grained application control which they really excel at. I have seen a demo but not yet taken it further.

I suppose a key question is... what do you want from them? Purely firewall? IPS? Is your current solution lacking?

I would also add Sourcefire 3D appliances to the potential shopping list
 
It's just something that's been bugging me for a bit as everywhere else I have had control of IT, we always made sure we had a mix of firewalls on the gateways to give an additional layer of security, rather than the current Cisco only estate. I'm at the point now where I finally have control of a budget to implement this type of infrastructure if required.
 
We've just bought a couple here (PA-3020's now that they've been officially announced) and have to say it's a lovely appliance to work with. We do make extensive use of their Layer 7 feature set, VPN, IPS etc and find it does everything we want.

We actually replaced our Juniper SRX's with Palo Alto in the end.
 
I use them at my work and the application aware features are nice, but I find the interface painful to use in comparison to both the Checkpoint and Cisco ones in terms of speed. It's a shame that this lets down an otherwise good product.

As others have said, unless you are going to take advantage of the layer 7 monitoring or filtering, then I've found the Palos to be quite pricey to just be doing port based rules.
 
Anyone able to give me an idea as to how much the Palo Alto solution, based on a PA-3020 device, costs? They seem unwilling to reply to my emails at the moment :p

EDIT: Also is anyone able to tell me what the URL filtering is like on these? I need both a firewall and a filtering system, but the filtering part needs to be quite thorough and good at its job.
 