ASA's vs Palo Alto firewalls?

Apr 1st, 2010


We use ASAs and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Has anyone ever used a Palo Alto firewall? I can't find any comparison documents. I know the sales guys will say Palo Alto firewalls are better than Cisco because... I need some backup for Cisco.

Federico Coto F... Thu, 04/01/2010 - 15:51


Are these Palo Alto Firewalls stateful Firewalls?

Three kinds of Firewalls:

1. Packet Filtering

2. Proxy

3. Stateful Firewalls

Cisco's ASAs fall into the category of stateful firewalls, which is the best category since they are the fastest and most secure, because they maintain state tables. Besides, the ASAs are very robust not only in firewalling but in VPNs, IPS and content filtering.

You have the option of failover and redundancy.

You can use the MPF Framework to manipulate more deeply the handling of lots of application protocols.

Cisco ASA is All-in-one Security Appliance (not only Firewall)

There are a lot of advantages in using Cisco ASA.

Find out exactly what the Palo Alto equipment does, and we will find out the relevant differences.


Leo Laohoo Thu, 04/01/2010 - 16:14

I manage a government account, so before any man-and-his-monkey can talk to us we ask the mandatory question: is the product listed in the Common Criteria?

How much Palo Alto firewall technical knowledge can you find in the market? Is someone going to be trained to use this? How about support from Palo Alto, particularly EoS?

Our organization is currently looking to replace Sidewinders because they are EoS. Unlike Cisco, which still provides some limited support, we are getting nowhere with McAfee.

I don't know what model or specifics your boss has in mind, but be aware that if all-in-one (firewall, IPS and IDS) is what is being considered, think about the hardware limitation. Nearly all manufacturers (except Cisco) claim that they have an all-in-one that can push 10Gb. All I can say (unless someone can correct me on this) is that it's really hard to push nearly 10Gb of firewall, IDS and IPS traffic. It has been recommended that, yes, you can push 10Gb of firewall traffic, but your IPS/IDS would ideally be in a separate box.

Hope this helps.

Kureli Sankar Thu, 04/01/2010 - 18:24

Sorry. I had never heard of these firewalls until today. I looked it up and the spec sheet is pretty impressive.

I would ask the following questions:

1. tech support (their site only says phone support until 7:00 PM PST)

2. warranty and extended warranty

3. training

4. this being a startup company, I'd question how many established customers they have.

Seems like it does PBR, which the ASAs do not support.


trustcisco Tue, 04/06/2010 - 07:16

Palo Alto is an application firewall (Do not confuse it with web application firewalls).

It cannot be compared with the ASA since they are not in the same category. Palo Alto claims that its firewall can inspect https traffic, control which application can or cannot use port 80 and 443, IPS, VPN etc. So it does the same things as an ASA plus more.

It has some really good features and I think that you should ask for a trial. The only problem that you are going to face is if you are using custom internet applications that are not listed in Palo Alto's database. In order for the firewall to be able to inspect the app you have to sit together with Palo Alto's developers and build custom rules. This can take some time...

I will be most concerned about the deployment of this type of firewall since it has many similarities with web security gateways.

Andy White Tue, 04/06/2010 - 07:22

Yeah, we have Websense servers to control the internet, which are heavily configured, plus the ASAs are heavily configured too, with multiple sub-interfaces, dynamic NATs, multiple VPNs and user VPNs for 100s of users. Plus we have the IPS module installed and in an active/standby mode with a 2nd ASA.

I've also been asked how we can protect from internal hackers not based around just port blocking and Windows permissions, something more intelligent.

trustcisco Thu, 04/08/2010 - 05:18

Use a strict Active Directory policy for your users, use patch management software, not only WSUS, you need to patch your apps also. Use HIPS for your users like CSA, CSA can stop many client-side attacks, use SIEM for your net infrastructure and many more, it depends on what you want to protect.

riskpundit Thu, 04/08/2010 - 08:47

Palo Alto Networks represents a totally new type of firewall. It supports all the standard port- and IP-based type policy rules you use now, but goes on to enable policies based on applications, users, and content.

The reason this is important is that for the last several years hundreds and hundreds of "Web 2.0" applications have been built to evade standard stateful inspection firewalls either by port sharing or port hopping. And most of the exploits used today to breach organizations are via these applications.

Of course you can put IPS, proxy server, and URL filtering appliance behind your firewall to deal with these applications. But now you have four devices to manage and create policies for. More importantly the range of policies you can implement with Palo Alto is much broader than what you can do with a stateful inspection firewall and a bunch of firewall helpers. For example, you can allow Facebook Wall and email but not games. Or you can restrict Facebook usage to just marketing and sales people using your directory service. Or you could use URL filtering categories to selectively decrypt and analyze SSL sessions. Palo Alto also supports QoS, so you could allow video but restrict the bandwidth it uses.

FWIW, Gartner's 2010 Enterprise Firewall Magic Quadrant was released a few weeks ago, and based on my reading, Palo Alto Networks is the only shipping "next-generation" firewall based on their definition of next-generation. For sure Gartner does not always get it right, but this time they have. And you know the suits listen to Gartner.

Maybe Cisco ought to buy Palo Alto Networks.

r.popson Thu, 04/08/2010 - 10:21

Not sure if you are still looking for some differences between the ASA and PA but I wanted to throw my two cents in. This is coming from someone that used both the ASA and the Palo Alto at the same time.

As many people have stated before, the ASA is by far a fantastic stateful inspection firewall with a little IDS built in. Now if you are a security person, you know that firewalls these days provide a false sense of protection. All ports are being opened for B2B and front end to back end web server communications. We know that nobody will ride port 80 for malicious activity, right?

How does the ASA know what sort of content is within that port 80 traffic? How does it know if it's a torrent transferring either PII, PHI or illegally downloaded videos and music?

The Palo Alto gives you a lot more visibility into what is actually going on within your network. You can create the policies to stop the illicit activity no matter what port it's on. If you're smart enough you can even create custom applications to be or not be inspected. It will, if placed inline, inspect SSL traffic like a man-in-the-middle, but obviously you have to look at performance and privacy considerations.

Palo Alto also gives you the functionality of data loss prevention. With this you can help limit the use of web mail applications by not allowing the uploading or downloading of attachments via these accounts. Not sure about all of you, but I think compliance folks love this feature. Now we can have control over how documents are leaving the network.

To keep this short, if you are looking for security, then the Palo Alto appliance is the way to go. If you are looking for a false sense of security then stick with the old-fashioned firewalls.

trustcisco Fri, 04/09/2010 - 04:58

So in case a company already has a web security gateway/proxy, where does PA fit?

I know PA is not a proxy, but is there a way to combine PA's features with a proxy appliance for browsing acceleration?

I am not a fan of all-in-one appliances and I really like PA's features, but from a different point of view I think PA is trying to combine firewalling/IPS/VPN with web security appliance features. Sure, it is a next-gen firewall from that perspective, but what exactly is PA's target? To replace traditional firewalls? Or both firewalls and web security gateways?

riskpundit Sun, 04/11/2010 - 07:21


PA’s target is protecting your digital assets.

PA has built something that is fundamentally new. All firewalls from Cisco, Check Point, and Juniper are stateful inspection based. A stateful inspection firewall’s session/packet analysis starts by analyzing ports. Considering that there are hundreds and hundreds of applications nowadays that share ports or port hop, and that 80% of the exploits that are causing breaches leverage these applications, stateful inspection firewalls are practically useless.

PA is an “AppFirst” (my term) firewall. AppFirst means that detecting the application of the session is the first task the firewall must perform in order to decide which policy to apply, and if you have the IPS functionality, which vulnerability, anti-virus, and anti-spyware signatures to bring to bear to monitor that application. PA can also support traditional port based policies to ease the transition from Cisco, Check Point, or Juniper. But the key point is that stateful inspection, “PortFirst” policies are useless in protecting your digital assets.

Proxies are of limited value as well as they don’t understand all the applications either.

If you don’t believe this, try putting a PA box behind your existing network security infrastructure for a couple of days to see what you are missing.

Regarding the “all-in-one” issue – I can understand your concerns. These “UTMs” are nothing more than a packaging exercise, i.e. combining a stateful inspection firewall with a few other legacy network security functions. First, it offers nothing in the way of providing better protection. Second, the more functions you turn on, the worse the performance gets. Not so with PA. PA performs the full analysis process in a single pass, so there is no degradation. Of course, PA accomplishes this with specialized hardware. There is no way a standard Intel/AMD server could do this.

Finally, the range of policies you can deploy is much broader with PA. Simply blocking an application like Facebook may not be an option anymore. There are good business reasons for allowing your sales and marketing people access to Facebook. Furthermore, you might want to allow posting to the Wall and doing email but not game playing. How would you implement that with stateful inspection firewalls, IPSs, and secure web gateways?

dpalmero Fri, 04/09/2010 - 12:41

I went to a presentation by Palo Alto ("PA") some time ago.  I was pretty impressed at the time.

They are still a relatively small, unknown player with an impressive product.   However they have a number of challenges to overcome.  First, they do not have any little firewalls.  There is no such thing as an "ASA 5505" equivalent here, or even an ASA 5510.  All of their firewalls are designed to handle a lot of traffic and are priced accordingly.  Therefore, there is no little firewall they can sell for a low cost for a company to "Get used" to the solution and kick it around.  Implementing Palo Alto is therefore going to be seen as a "risk" for a significant outlay of cash (always important in the current economy).

Compounding this problem is that Palo Alto sells their solution as a replacement for "Traditional" firewalls, which they see as inadequate.  They have a pretty convincing argument, however, it is basically a Rip and Replace selling strategy.  That is going to encounter resistance when there is significant investment already outlaid in current firewalls.  The ROI here is that PA has to bring in something really significant and necessary, and most companies, or engineers who like this solution, will probably be looking at a potential IDS (for example) deployment and decide to try to implement PA instead of IDS, getting the funding that way, and then slowly replacing the Traditional Firewalls with the PA.

PA also has an uphill climb when it comes to government (or government-dependent) deployments. As another poster mentioned, Common Criteria is a factor, as well as the myriad of regulations surrounding audits that are already designed for Cisco firewalls (or Juniper), and not for smaller players.

And lastly, as mentioned, PA has Cost issues.  They are NOT cheap firewalls.  If you have a need for a small firewall connected to, say, a small remote office... PA has no solution there for you (or at least they did not when last I was looking at them).  If you are a small company, you will probably not be able to afford the PA Solution (or rather, decide to go for Cisco's "Toyota" rather than PA's "Rolls Royce").

All that said, the PA firewall is extremely powerful, looks easy to manage, and has capabilities that other vendors don't seem to equal right now or require lots of other bolt on solutions.    As always, examine your requirements and your budget.

cciesec2011 Sat, 04/10/2010 - 11:55

I got some exposure to the Palo Alto Firewall back in August 2007 when this product was relatively new at the time.  The product has some really good new features but also some downsides as well.  We were looking at Palo Alto as a possible replacement for our existing firewalls at the time.  When looking at Palo Alto firewalls versus Cisco, Checkpoint and Juniper firewalls, you need to keep these things in mind:

- There are no low-end Palo Alto Firewalls.  Unless you have a big IT budget, Palo Alto is not for you.

- Day-to-day operation.  It is very difficult to find IT people with good Palo Alto firewall skills.  You're pretty much at the mercy of the people who are responsible for maintaining your firewall/security infrastructure.  If you use Cisco, Checkpoint and Juniper firewalls, there are a lot more people on the market with these skills.  If a firewall engineer leaves the company, that person can be replaced much more easily than someone with Palo Alto firewall skills.

- Vendor support.  Cisco TAC support, IMHO, is the best.  Checkpoint and Juniper TAC support is also very good.  I cannot comment on Palo Alto support because I have not worked with them, but I can comment on Riverbed Steelhead TAC support.  It is not as good as Cisco TAC.  This is because of the size of companies such as Cisco, Juniper and Checkpoint.  The resource is much bigger and better.  Small organizations cannot provide that.

- Customer base.  The number of customers that use Palo Alto is very small compared to Cisco, Checkpoint and Juniper.  Therefore, it is much harder to find bugs/issues and the fix may take longer than with other firewall vendors because the customer base is quite small.

my 2c.

riskpundit Sun, 04/11/2010 - 13:50


There is no doubt that PA is smaller than Cisco. But, like I said in my earlier responses today to trustcisco and dpalmero, if your goal is to protect your digital assets, you need a firewall like PA. Gartner calls it next-generation. If you want the details on that, look for Gartner’s October 2009 research report on next-generation firewalls. While I think we are going to be stuck with the term, “next-generation,” the issue is how packets/sessions are analyzed. I like the term, “AppFirst” because it’s technically meaningful. All firewall vendors are going to start using the term "next-generation" because Gartner is.

The question is, does your firewall first discover the application of the session and then execute policies based on the application (preferably in a single pass)? Second, does the firewall continue to monitor the session looking for changes in the application and react to those changes? Third, does it do this at speed with low latency?

As to support issues, I think PA has gotten to the size (1,100 customers) that you can probably find people you know who are using PA now and ask them. BTW, many of them are using PA in conjunction with (behind) Cisco, Juniper, or Check Point. So rip-and-replace is surely not the only deployment strategy.
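The "AppFirst" versus "PortFirst" evaluation described in this post (discover the application first, decide policy on it, keep watching the session for a change of application), together with the "allow Facebook mail and chat but not games" policy from the earlier reply, as an added worked example that is not code from the original thread or from any vendor. It is a toy policy engine in Python run over constructed sample sessions; the application labels, group names, port numbers and rules are assumptions, and the shift from "ssl" to a specific Facebook application assumes the session is decrypted for inspection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class AppRule:
    app: str           # application label produced by inspection
    groups: frozenset  # directory groups the rule applies to; empty = any user
    action: str


# Constructed sample policies (hypothetical, for illustration only).
# PortFirst: the classic stateful policy decides on destination port alone.
PORT_POLICY = {80, 443}

# AppFirst: first-match rules keyed on the identified application and user group.
APP_POLICY: List[AppRule] = [
    AppRule("facebook-chat", frozenset({"sales", "marketing"}), ALLOW),
    AppRule("facebook-mail", frozenset({"sales", "marketing"}), ALLOW),
    AppRule("facebook-apps", frozenset(), DENY),   # games such as FarmVille
    AppRule("bittorrent", frozenset(), DENY),
    AppRule("web-browsing", frozenset(), ALLOW),
    AppRule("ssl", frozenset(), ALLOW),
]


def port_first(dst_port: int) -> str:
    """Port-based verdict: decided once, when the session is opened."""
    return ALLOW if dst_port in PORT_POLICY else DENY


def app_first(app: str, group: str, dst_port: int) -> str:
    """Application-based verdict for the current state of the session."""
    if app == "unknown":
        # Nothing identified yet: fall back to the port rule, i.e. the
        # transitional port-based policy the post says PA still supports.
        return port_first(dst_port)
    for rule in APP_POLICY:
        if rule.app == app and (not rule.groups or group in rule.groups):
            return rule.action
    return DENY  # implicit deny at the end of the rulebase


@dataclass
class SessionResult:
    port_first: str                                             # port engine verdict
    trace: List[Tuple[str, str]] = field(default_factory=list)  # (app, verdict) per change

    @property
    def final(self) -> str:
        return self.trace[-1][1]


def evaluate_session(dst_port: int, group: str, observations: List[str]) -> SessionResult:
    """Run both engines over one session.

    `observations` is the application label inspection attaches to successive
    packets of the session. The port engine looks only at the first packet; the
    app engine re-evaluates whenever the identified application changes and
    closes the session on the first DENY.
    """
    result = SessionResult(port_first=port_first(dst_port))
    current = None
    for app in observations:
        if app == current:
            continue  # application unchanged, verdict stands
        current = app
        verdict = app_first(app, group, dst_port)
        result.trace.append((app, verdict))
        if verdict == DENY:
            break  # session torn down, nothing further is inspected
    return result


# Constructed sessions: (destination port, user's group, app label per packet).
SAMPLE_SESSIONS: Dict[str, Tuple[int, str, List[str]]] = {
    "plain web": (80, "engineering", ["unknown", "web-browsing", "web-browsing"]),
    "torrent on 80": (80, "engineering", ["unknown", "web-browsing", "bittorrent", "bittorrent"]),
    # ssl -> facebook-* assumes the session is decrypted for inspection
    "sales facebook chat": (443, "sales", ["unknown", "ssl", "facebook-chat"]),
    "sales facebook game": (443, "sales", ["unknown", "ssl", "facebook-apps"]),
    "eng facebook chat": (443, "engineering", ["unknown", "ssl", "facebook-chat"]),
    "torrent native port": (6881, "engineering", ["unknown", "bittorrent"]),
}


def run_samples() -> Dict[str, SessionResult]:
    return {name: evaluate_session(*args) for name, args in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, res in run_samples().items():
        print(f"{name:20} PortFirst={res.port_first:5} AppFirst={res.final:5} trace={res.trace}")
```

The "torrent on 80" session is the case the thread keeps returning to: the port engine allowed it at the first packet and never looks again, while the app engine allows it until the application is identified as bittorrent and then denies it mid-session.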

cciesec2011 Sun, 04/11/2010 - 17:09

We are going to replace our existing firewalls next year and I am going to check out the Palo Alto Firewall as a possible replacement by looking at it again.

When I first looked at it in 2007, the customer base for Palo Alto was less than 10 customers, and the management piece for Palo Alto, Panorama, was pretty lousy and sluggish at the time.  Maybe the product has had a lot of improvements since.

I will say that if I interview someone for a Firewall Engineering position, there is about 100% probability that he or she knows Cisco, Juniper or Checkpoint firewall technologies.  I've NOT met anyone with extensive experience with Palo Alto firewalls yet.  That makes management nervous about replacing existing firewalls with Palo Alto firewalls.

Last but not least, your comment regarding "if your goal is to protect your digital assets, you need a firewall like PA", that is very misleading.

Your "digital assets" can be protected via IPS and most importantly, Data Loss Prevention (DLP) devices.

riskpundit Sun, 04/11/2010 - 13:31


Please review my response to trustcisco from this morning. PA brings something truly new to the table – it can actually protect your digital assets. Traditional stateful inspection firewalls are practically useless in the face of the hundreds and hundreds of port sharing and port hopping applications which most exploits are leveraging to gain access to your digital assets.

Regarding PA being unknown, I would say their appearance as a Visionary on Gartner’s 2010 Enterprise Firewall Magic Quadrant is going to change that. Furthermore, if you analyze what Gartner wrote about PA and the other firewall manufacturers, it’s clear that PA is the only one that meets Gartner’s next-generation firewall criteria.

As to Rolls Royce, I would beg to differ. For most mid to large organizations, PA is going to save you money. First, there is appliance consolidation – firewall, IPS, proxy server, and URL filtering. Second, there is policy management simplification and improved responsiveness to the business units we serve.

In conclusion, Cisco's next firewall must be AppFirst.

trustcisco Tue, 04/13/2010 - 00:33

Thanks for your answer Bill, I have read on PA's website about https inspection. Is it true? And if yes, what is the technology used to inspect encrypted traffic?

benreynolds Fri, 04/30/2010 - 07:06

I've just been through the process of looking at our corporate firewall replacements. To sum up, we currently run about 50 clusters of ASAs with AIP SSM-10 and 4 corporate Checkpoint clusters.  It's the Checkpoints we are looking to replace.

My view of the PA units is:

- Powerful units.

- Well thought out design (built ground-up to do its job).

- Easy to manage.

- Layer 7 firewalling - really will be the future IMO.

- As with Cisco, I think you can believe the throughput stats.

- No certification, full stop!  FIPS / Common Criteria all missing.

- Support and lack of advanced training.

It's quite often sold as a proxy server - PA needs to ensure that this practice does not happen, as all it is on that basis is a URL filter (US based).  We wouldn't call the ASA a proxy server.

Its IPS/IDS credentials still need further testing in the market place.

On a side note - with Checkpoint's recent buy-in to the FaceTime database and soon to be released (2010) "application blade", the primary feature of the PA units becomes shared amongst one of the big firewall players. In fact it's useful to note that whilst PA has approx 950 apps in its database, Checkpoint will soon have in excess of 5000 apps available to firewall with.  Of course it could be said that the PA unit has better throughput....

But if I install Checkpoint on an open server platform I can out-perform even the biggest PA unit.

Cisco and Juniper are both playing catch-up on the layer 7 firewall at this time.  Although it needs to be noted that the Juniper SRX platform is still buggy (move from ScreenOS to JUNOS).

I think possibly the delay from Cisco may have been the emphasis on the server market the last couple of years.  Nonetheless I would expect Cisco to soon catch up and provide us all with a true NGFW that covers all our needs alongside the current IPS/IDS.  Hoping at least.

End result - I'll put an ASA5520 with SSM-20 facing the internet - Checkpoint cluster with IPS blade with DMZ to McAfee Webwasher - internal network.



Apologies trustcisco - the PA units use a fairly simple man in the middle attack to decrypt and inspect https traffic. Nothing new - webwasher can cover this in our deployment.

riskpundit Sun, 05/02/2010 - 14:48

Ben, Let me respond to your April 30 post by topics including Policy Management, Fine Grained Application Control, Intrusion Prevention, Latency, QoS, Internal Network Management, Market Acceptance, and Gartner's next-generation firewall analysis. If your organization were to issue an RFP, I believe these topics would be included.

Policy Management - Your Cisco/CheckPoint/Facetime/McAfee solution has a minimum of three points of policy management - Cisco, Check Point, and McAfee. Since the Facetime piece is not shipping yet, it's hard to know what the user interface will be for that. Palo Alto Networks provides a single, unified policy management interface. This will save time/money and enable faster response to business requirements. Depending on the size and complexity of your organization this could be significant.

More specifically, you will still need to manage IP- and port-based rules on the ASAs and probably on the Check Points. PAN will allow you over time to reduce, if not eliminate entirely, IP- and port-based policies. This will dramatically reduce the number of rules needed to implement policies and also enable auditors to more easily determine if the firewall rules actually reflect the organization's policies.

Fine grained application control - While Facetime may have more applications identified, PAN provides more fine grained control of major applications like Facebook. Facetime's Application Guide lists Facebook as one application. PAN's Applipedia shows Facebook, Facebook-apps, Facebook-chat, and Facebook-mail. Therefore you could build a PAN rule allowing Facebook mail and chat but not apps like FarmVille or MafiaWars. This is especially important if your organization wants sales and marketing to interact with Facebook's 400 million users, but not to waste time on games. Furthermore you could allow Facebook-mail but no attachments. We'll see if the CheckPoint/Facetime solution will have this fine grained control. Also, will the CheckPoint/Facetime solution support SSL decryption? If so, what will the performance hit be?

Intrusion Prevention - While Facetime may have more applications identified, how will this be integrated with the intrusion prevention technology Check Point acquired from Network Flight Recorder? When PAN identifies an application, it only checks the vulnerability signatures associated with that application (and of course those related to the underlying protocol). This approach means you don't have to manually "tune" the IPS. My final point on this - put PAN behind Cisco/CheckPoint/Facetime/McAfee and see what additional visibility it provides.

Latency - Your Cisco/CheckPoint/Facetime/McAfee solution could require four or more passes in each direction. PAN is a single-pass process no matter how many features you turn on. PAN's appliance is not a standard Intel server architecture, but specifically built to provide low latency.

QoS - PAN enables you to allocate bandwidth based on application or application category. Will the CheckPoint/Facetime solution? And how will you manage QoS among the Cisco, CheckPoint/Facetime, and McAfee components?

Internal network management - PAN's higher throughput capabilities will allow you to use it for internal segment application and user control. For example you could create a policy restricting access to financial databases to only those groups (as defined in your directory service) who need access. And PAN enables you to create multiple virtual firewalls to simplify policy management. While Check Point has this capability, I believe it's only on their high end VSX models.

Gartner analysis - In Gartner's 2010 Enterprise Firewall Magic Quadrant report, PAN is the only firewall that meets the next-generation requirements it established in October 2009. Your point about Cisco and Juniper catching up - perhaps in a couple of years. But don't assume that PAN will stand still. Also, you surely realize that Cisco and Juniper are really focused on bigger markets than security.

Advanced Training - It is my understanding that PAN does now have advanced training.

Support - The feedback I've gotten from customers, while anecdotal, is very positive.

Market acceptance - I believe that PAN has over 1,300 customers now. While still small compared to Cisco, Check Point, and McAfee, it's significant. In fact, let me put this in the context of the "technology acceptance curve." PAN has passed the Early Adopters phase and is now selling into the Early Majority. Organizations who are culturally Late Majority may not be ready for PAN at this time. I don't say this in a judgmental way, but how would you rate your organization?

In closing, at the end of the day, your choice really depends on how you and others in your organization weight the topics I discussed above. I would be glad to continue the discussion off line. I am not a PAN employee.

torex-hiscom Fri, 08/13/2010 - 05:50

Hi All,

I have worked with PIXes and ASAs for years and for a few weeks I have had the chance to evaluate a Palo Alto box. Of course the application visibility is something that is unique and stands out.

However, if I want to replace one of my PIX/ASAs with Palo Alto I also have to compare the regular functions like access rules, NAT, VPN and how to configure them.  I have tried to configure an IPSec VPN, however I haven't succeeded yet in making it work although I followed the Palo Alto Administrator's Guide exactly. It all looks quite tedious and not logical to me. Of course this could be because of my "Cisco look". Another example: making a NAT exemption is not clear to me and the PA Administrator's Guide doesn't mention this at all. The Palo Alto Guide on the whole is not as elaborate as the Cisco Configuration Guides are. Also the logging and debugging is not as extensive.

I went to the presentation of Nir Zuk and was very enthusiastic about the concept. Nevertheless I recommend everyone to try and get an evaluation box and experience every aspect by yourself. I still think application visibility is a necessary step in the evolution of firewalls.

Albert Bruggeman
Sr. Technical Consultant
The Netherlands

I've been using PIXs and ASAs now for a long time and I'm very disappointed in the latest ASA software (8.3). We're evaluating the Palo Altos right now and I can tell you it's a dream compared to the ASA. Great management interface, very straight-through configuration for most stuff, pretty intuitive interface etc. And the reporting, Layer 7/IDS functionalities are just awesome. We're considering replacing all our ASAs with the Palo Alto units. I would definitely recommend you guys at least look at them and do an eval.

dpalmero Tue, 01/24/2012 - 10:27

Thanks Thaer this is useful feedback.

It's interesting that there is a conflict between having "one throat to choke" and "eggs in one basket".  I think that from a security perspective it's ideal to have a dual-vendor solution and implement security in layers.

I like Palo Alto's vision and view of the future, but my main concerns with them are:

1) No relatively small firewall (say like a 5505) that can be used for a gradual implementation

2) Cost is much higher, so the entry into this space is relatively prohibitive compared to the established vendors

3) Relative immaturity of product as some have said with VPN and other functionalities.

However I will continue to investigate them as time moves on to see how they evolve. 

MooreIT01 Wed, 01/25/2012 - 11:37

I've used the PA 2050 model at a previous employer and liked it very much.  We replaced an ASA5510 with the device.  When we started looking at the Palo Alto device we were looking to add a gateway security appliance (Antivirus, Malware, URL / content filtering) to the network and I stumbled across the PA devices.  I looked at Websense right away however to make it work in our environment (heavy Citrix Xen App shop) it was going to be very expensive (not that the PA's aren't). 

I did the PA web demos and got an eval box then made the decision from there.  I won't say it was extremely easy to manage however it was better than the ASA in my opinion and I am by no means a PIX / ASA expert (I would even classify myself as lower middle on skill set).  I was able to move all of my existing functionality over (VPN's etc) as well as adding more capabilities (URL and Antivirus).  I never realized how many people had that stupid coupon tool bar thingy installed...  With my Citrix / TS users I now had the ability to craft separate policies for my Citrix users rather than defining it by the particular server they were one (AD agent and Citrix / TS agent part of the deal with the PA device) which was very nice (they used Bright Cloud for the content filtering at the time I had it, may still).

I was concerned about putting all my "eggs" in one basket as well however the eggs were new to us anyways (URL, Antivirus, SSL VPN, etc) and I was glad to have one vendor to deal with.  Sometimes being under one person's mercy is as good as or better than being under several folks.  If it were up to Cisco we'd be under their mercy solely (ASA, IronPort, IPS, etc).  As far as support goes I used several lines, the reseller who installed the device for us, their actually technical support (which was 24/7 by the way), and their user forums (lots of config docs there).  I got help when I needed from all three sources.  I did have to wait a while for a 64 bit Citrix / TS agent however it came out within the timeframe support said it would and it worked without a hitch.  Something to note, the URL and Antivirus options are subscription based in addition to the firewall price so if you have those solutions in place already you don't need to buy them if you want to keep using them.

In regards to the SSL VPN capabilities, I found them a little lacking as well.  I didn't have the issues described above, however it's a very basic client-based VPN only, no office portal type capabilities.  With that said, you do get almost unlimited (limited by device model) usage for free (no per-client licensing), well, it's part of the overall price that is.  To me that capability definitely seems like an add-on rather than something that was designed with the whole device.  However, I would think a Juniper or even a SonicWall could fill that gap if it was needed.

The Camry versus Rolls argument actually seems valid to me. I do think the PA is a better firewall overall than the ASA, however if you've already got an investment in those other services (IPS, gateway antivirus / malware, URL / content) something like an ASA might be the best option if all you need is a firewall.  Palo Alto has recently expanded their product line to include the PA 200 (smallest model, next is the PA 500, 2020, 2050, etc.).  However, having a PA device doesn't exclude you from using an ASA 5505 at your branch offices if all you need is a site-to-site type VPN.

I would say at a minimum they are worth a serious look: read their public docs, watch some of the demos, schedule a demo to get specific questions answered, get an eval unit. Those seem like fairly easy things to do.

smagargee Thu, 02/02/2012 - 09:30

I have been using the PA's for two years now (not by choice). I do have to say the PA's have a better user interface compared to the ASA, and that is about it. Their phone support is lacking: I have waited more than 4 hours for a call back, nor is there a way to escalate a case over the phone; it has to be through email, which doesn't help if your firewall is down. PA's response to me on escalating a case over the phone: "Buy an air card so you can escalate through email." Also, my PA's are running at 75% CPU usage with 90K connections, where my ASA has 8M connections and the CPU is running at 20%. All in all, the PA's are for small businesses that cannot hire a truly trained firewall staff.

I've purchased, installed, and/or migrated to/from PIX, ASA, Checkpoint/Nokia/Crossbeam/Solaris/SPLAT, Netscreen, JuniperSRX, and PaloAltoNetworks

Some of them have advantages over others for sure depending on what you want to do, especially when some migration has to occur; you find out who's the easiest to manage and who's the nightmare.

PaloAlto is by far the easiest, cheapest, most enjoyable box to use.

With one Palo box you can replace IPS, VPN, firewall, and proxy at a fraction of the cost.

The fastest IPS in existence is only 20Gbit being Sourcefire which will cost you $400k for a cluster, PaloAlto is $90k and you get more than just an IPS.

The entire configuration, rules, objects, users, interface IPs are located in one editable text file. Try that with Provider-1 or some Linux firewall, no chance. And it's not ugly like a FreeBSD firewall, yuck.

When using stateful, primitive firewalls you are not protected, your customers are not protected because ports and protocols don't matter anymore, with protocol tunneling and other evasive apps ASA and all the older firewalls have no idea what is happening.

IPS' products have the same limitation, they are watching for a port to determine the application with which they then apply a signature or filter to.

PaloAlto is as easy to use and configure as a Netgear router that you get from Best Buy. I've deployed one out of the box in 5 minutes; that can't happen with any other firewall.

When you look at documentation you find ASA has 50 pages just for HA configuration!! PaloAlto is 9 pages and really only 2 pages that are relevant to active/standby because it's that easy! You just check some boxes and go.

Most firewalls require years and years of practice and a team of people that basically have to have a bachelor's degree in the product (ASA or Checkpoint) to be able to do a deep dive and troubleshoot the thing, which is why security pays so well I guess.

NSS Labs' highest rating for an unconfigured firewall speaks volumes of a real test, not like Gartner, which is a popularity contest.

Worst firewall ever: Juniper SRX. Take Netscreen, whose CLI guide was 6000 pages, and grow that 4 times. Incredibly complex; went back to CLI management instead of GUI for ease of policy modification. Why make it so hard and make you get a degree in the product just to be able to manage it? I will never use one of those again.

ASA cannot do app inspection. For instance, just recently I had to disable SQLnet inspection on a 5540 because developers were running a job that was failing after 8 hours; once I disabled that inspection the job finished in 30 minutes! That means ASA cannot inspect traffic like you would want, not even one app! PaloAlto can inspect all apps all the time on all ports with no performance hit. The magic of the product is a total redesign and ignoring ports and protocols, enabling them to focus their ASICs in another area.

Checkpoint can't do app inspection either. If you tried to turn on SmartDefense the firewall crumbled, and what are they looking at anyway, to see if the right flags are set in the TCP header? That's not inspection as far as I'm concerned.

Whoever mentioned PBR: no firewall supports asymmetric routing.

I just found this article and even learned a couple more things.

If you're like this UNIX admin I met once you might like primitive-looking old-style CLI firewalls (I'll bet he doesn't surf the internet via command line). The guy wanted it to be as painful as possible because that's what he was used to. Well, I got used to black and white TV, but I'm not going back and leaving my high-def TV/PaloAlto firewall now for nothing!


benreynolds Fri, 03/09/2012 - 02:03

Nate - are the palo units now fully fledged proxy servers as well?

It obviously won't be anywhere near as good as the palo's! But either way just to ensure a fair playing field:

Our end solution ASA's Checkpoints McAfee's is working very nicely btw.

Also nice to know that we have a multi vender set-up which is solid from a security perspective.


Hey Ben - The Palo units are a full proxy; if I remember, they use BrightCloud for URL categorization? After having set up and supported many Blue Coat and NetCache proxies, it's just another device you have to support and deal with and hope you remember all the commands after having not used it for a year. They don't do reverse proxying and are not a load balancer.

But they do have FIPS compliance capability. Don't know much about that because I've never used that gov't sector stuff.

One thing I'm REALLY VERY tired of is new platforms coming out and having to learn them, entirely new OSes and their packages.

PaloAlto has brought out a NAC solution inside their current firewall, which seems like a lot of stuff, dang. But I looked at that link you posted and I laughed a little... haha, it's exactly what I've gotten used to with Cisco: another brand new platform unlike anything you've seen and are used to that is highly complex. I looked at the admin guide, and did you see what's involved in setting it up? Tons of config on switches at multiple layers. Oh, and it's not a firewall or proxy, it's a NAC product.

The other thing the link talks about is SIO. That's just Cisco's SOC; everyone has a SOC like that, I mean it's not unique.

Also, that link to the Cisco Mobility solution requires a client to be installed on every phone!! Now you need a team of people just to support that infrastructure and client phone issues; start hiring now. Don't know if PaloAlto has a mobility thingy, but if it does it would never use a client install, that goes against cutting-edge thinking.

The past of Cisco security products will tell you the future:

MARS: bankrupt SIEM product that is gone, so what are 100% Cisco shops using for consolidated logging? Probably nothing.

CSA: discontinued, absolute admin nightmare.

IF you are going to look at NAC, either Palo or Forefront would be my personal choice. I like my daily work to be easy, enjoyable, understandable. I don't want to have to spend the rest of my career reading PDFs just to understand yet another security platform that is totally unique.

That means that ASA is a stateful firewall, a technology built in 1993, technology that hasn't *actually* advanced in 19 years; ASA = dinosaur.

If you want to use ASA SSL VPN, good luck! You can't, because they only have a couple of plugins, which means if the app you want to use is not browser based it will not work. They have plugins like RDP, Java, blah etc., just a couple, not enough to actually use the product. I've installed over 30 ASAs so I understand what they are good/not good at.

Using a PA NGFW is so easy it requires NO training at all, just a familiarity with basic firewall rulebases and how they work top to bottom so you don't tank something.

Hehe, no I don't work for Palo Alto, I work for a Fortune 50 company. I assumed you were having a capacity issue because it sounds like one and.... I read it in your earlier post.  If I take a piece of equipment and hammer it beyond what it's capable of, the box is going to have issues.

Maybe you have a bug, I don't know. Haven't used the VPN section at all so can't say, haven't used the NAC part. What I do know is the other firewalls ain't so hot in my experience. What firewall would you prefer?

Torex - Whether the firewall hide-NATs addresses for URL filtering or proxies them by creating a new connection doesn't matter to me, the end result is the same, soooo your point is?

torex-hiscom Fri, 03/09/2012 - 05:58


I'm sorry to say, the Palo Alto is not a proxy, neither is the ASA or most other firewalls. They don't break the connection to set up one from the box itself, except for the SSL inspection function. The MS ISA or Forefront TMG is an example of a proxy.

I'm using Palo Alto as well as ASA and can agree with most of the discussed items in all of the messages above. But the way you state it is totally exaggerated. And saying something about the Cisco SSL VPN while the PA VPN has the least functionality of them all makes no sense.



ROBERTO GIANA Fri, 03/09/2012 - 06:13


I think the real answer from Cisco to PaloAlto is the ASA CX. It goes pretty much in the same direction. ASA CX is a blade that will run on the ASA 5585-X platform. Hopefully the ASA PMs will realize that the market is waiting for this on ALL(!) platform sizes.

A short intro into ASA CX can be seen here in this video:



MooreIT01 Fri, 03/09/2012 - 08:37

In my previous company experience I used the PA-2050 (which replaced an ASA 5510) and supported about 300ish users with that.  We had about 12-15 folks using the SSL VPN client with no issues while I was there.  Our WAN was a hub and spoke with the corporate office housing all of our data.  At that time all Internet traffic came back across the WAN and through the PA box.  We were fairly simple, with only a few site-to-site VPNs and maybe 30 or so policies / ACLs governing traffic.  I have not been formally trained on Cisco security equipment and will readily admit that I have very basic skills in regards to network security.  Like most folks I wore (and still do) many hats with lots of other responsibilities requiring my attention.  What led me to the PA box was a desire to add content filtering (actually it was management's desire) and some type of IPS.  In looking at competing options (Websense mainly) it was actually cheaper to go with the PA, and with my skill set it was easier to go with the PA.  At that time at that company costs were everything. I liked (and still do) Cisco equipment, however many times my choices were to go with a competing product because of costs or don't do it at all.

Thaer Ontabli, if you have specific and detailed experience with the PA's then it might be helpful to disclose which models you're using and the environment you're using them in.  When I research the Palo's now it's very difficult to find actual usable information (i.e. real world) so I think most folks would be glad to hear your specifics.  There's a lot of marketing speak around the PA's, they need to open up their support forums (or at least have a public side to them) so that folks can learn from others experience.

On the URL filtering issues pointed out, I run into the same ones with Websense at the company I'm at now.  I'm just not 100% confident of the results (could just be me though) and would have a hard time saying to a manager "yes you should fire that employee because they spend all day on Facebook".  It's more of a "use this information in conjunction with your own, then come to a decision".  My guess would be that since both companies are using an agent that looks at your DCs' (Active Directory, that is) security logs, it's only as clean as AD is as far as how it tags users to traffic.  I could be wrong, and frequently am, though.

The new ASA line (available now) plus the new "application aware" code (not available yet) are very exciting, and it will be nice to see folks' experience with those.  If the original poster is still looking to decide between the PA's and the ASA's then these might help to sway things in his favor.  It would help also if he would disclose what exactly they were looking for: is it a "UTM" type device?  Do they need IDS/IPS, AV scanning, URL filtering etc., or are they just looking for a firewall?  Honestly, if he's just looking for a firewall then the new 55XX-X would make a lot of sense to me.  I did and do still like the PA's, but "real world" is looking at what fits for your company and you as the admin and making a decision based on that.  A lot of the discussions surrounding the PA's right now sound eerily similar to "Apple" versus "Android" etc. debates (with a lot of passion on the PA side) and it's just silly.  More details, less marketing slides please...

**EDIT** Just went back and read through the whole thread; looks like at the time (2010) the original poster did have URL filtering and IPS.  My guess is they've already made a decision, but it would be nice to hear which way they went and subsequent experience.  If they were making this decision right now then I think the ASA 55XX-X would make the most sense, at least that's where I would be (even liking the PA's as much as I do).  We're facing a similar decision where I'm at now, and if Websense wasn't so dang expensive the decision would be easy: just replace our PIXs with the new ASAs -- yeah, that's right, I said PIXs.  However, looking at the Websense renewal has us asking what else is out there, is it better, and is it cheaper.  Cisco's answer to that is either IronPort (on-premise appliance) or ScanSafe (cloud based).  My guess would be that the IronPort is probably in line with Websense, and previous experience with a cloud-based filtering solution left me with a bad taste (MX Logic / McAfee).

Nate Newman:

Your comment "PaloAlto limitations, max size 20GB box, support dept needs some redoing, rebuilding, something major." is really striking.

A product is only as good as the TAC support of the product.  That's one of the reasons why people like Cisco products.  The product itself may not be good, but you can feel confident that if you need technical support, Cisco TAC will be there to work with you, and if you have Advanced Network support, you will get excellent support from Cisco TAC, an added bonus.

If Palo Alto can not provide that kind of support, why even bother with the product in the first place?

Thaer Ontabli:

Please disclose your specific and detailed experience with us here so that we can learn from it.  Most of us do not get insight information on a particular product when we make a purchase.  Most of the time, we get a sales pitch from an SE who is usually clueless and just repeats what they learned from the brochure.  If you can share with us your particular experience, that will help everyone here.  You can attach the ticket number if that is


munurewan1 Sat, 03/10/2012 - 19:57

Agreed with David

Product should be only evaluated on the following factors:

Tech Support and its availability

Users Experience/online docs, forums

Any vendor claiming specific features should have users who can back that claim, proven under the specific conditions of their experience.

Robert Rowland III Fri, 04/20/2012 - 05:28

Where does "how it works for you" fit into this ?

To me that is kind of important. Being able to call 1-800-553-2447 in my sleep may not be a good thing.  I can still tell you the local Range Rover service department phone number 12 years after I owned two but it is not because they kept giving me free beer on Fridays.

Along with most every other model we have 5550s with VPN Premium licensing.  We used to run ICA & VoIP traffic with QoS through them. Frequently around 9 am the traffic levels would hit 150 Mb (yes, 150 Mb) and cause reboots of the primary ASA, which would fail over to the secondary, and traffic would climb back to 150 Mb and reboot again - luckily the original primary was back up by then most times.

We had to set the switch ports feeding the ASAs to 100/half to keep them functioning [I was the one with the blue cable] until ...

we had the opportunity to re-engineer our ICA environment with 4 Netscalers instead of CAGs and bypass firewalling our voip.

All the support from TAC didn't help us one bit other than to tell us our box was rebooting.

I like Cisco security products - I went to the '99 Denver Networkers talk by the folks from the Wheel Group (great... party) but sometimes they don't do everything you want or need.

Maykol Rojas Sun, 08/12/2012 - 21:32


If the ASA crashes, it will generate a crash file that can be reviewed by one of the Cisco TAC firewall engineers like me. I find it hard to believe that somebody at Cisco would just say "it's crashing and that's it".  Did you have a ticket open? If so, what's the ticket?


Robert Rowland III Mon, 08/13/2012 - 02:05

Sure it did - bunches of times - and we did have a ticket (or several).  The issue did get resolved. It was an SSH bug along with some level of QoS stuff.  I'm the guy who had to set the 6509 ports to 100/half duplex to keep the 5550s from crashing enough so we could work - I remember it well.

We stopped running LAN/WiFi voice through the ASAs - we still don't do this today; we do PBR to manage this differently, and soon I will have to move this bypass functionality (we call it the voice bypass network) to a pair of Nexus 7010s instead of the 6509s that skip the ASAs (this decision will never be revisited, thank you) - and we purchased 4 Netscalers to be able to have internal VIPs vs DMZ VIPs (the DMZ CAGs would flap and become unreachable...) for 1500+ simultaneous users, and we did not run LWAPP mobility anchor traffic through them either, although we do now.  Again, I know, the Netscaler NS7000s I support go end of life April 1, 2013, and I help ride herd on our mixture of 10 WiSMs and 5508s - I'm the guy typing the "config t".

This was the single most expensive and far-reaching bug I have ever been associated with or heard of. I suspect the entire Netscaler implementation and support costs - we just migrated the Netscaler 4.5 WI servers to 6.5 (works great) - over time ran us easily in excess of 2 million dollars and over the next 5 years would add another 1.2 million just in Netscaler hardware/support costs.

I've worked with ASAs, Juniper SRX's and SSGs extensively. And now also Palo Alto's.

In summary, Palo Alto blows everything away, and ASA is the worst of the lot.

Palo Alto is a next generation firewall so can do policies such as source ip/port to destination "facebook". It also runs BGP which is not available on the ASAs. Check Points are also nextgen firewalls, but I haven't worked with them.

Unfortunately Cisco does not have a NextGen firewall yet.

Robert Rowland III Sun, 08/19/2012 - 20:34


Might I suggest that you stop posting to this thread?

What the previous poster meant by "facebook" was that even if you ran http over port 22 or udp 53 the Palo Altos are able to determine that you are interacting with facebook and not some weird SSH or DNS queries.

You can even go there via IP address and point your PCs to bogus DNS servers so they can't figure out who you are talking to ... but they do anyway.

Further, the PaloAltos can determine if you are doing Facebook mail or some other area (there are like 20 flavors of just Gmail stuff) and permit or deny those very small subsets - and they do not do it by just portions of the URL. I am adding this because I do not know how they do it, I just know that they do ... and it works ...

ASA... fast boxes, sure.  Simple NAT rules, yep. I like the new 55xx-Xs.

Ability to sort the ACL rules on an interface - nope.  Ability to sort the rules at ALL? - nope.

Act as both L2 & L3 at the same time - nope.  Active/Active without multiple contexts on all versions of the platform - nope (this wasn't so bad when you could buy a FO-BUN box, but now even the standbys cost as much as the primary).  More than 4 wire-speed interfaces - nope; PAs can give you 10 or more, and with multiple DMZ, core, Internet, site-to-site, wireless infrastructure connections it is hard to port-channel a 5520 or 5550 at wire speed to more than a few devices.

I've worked with them since the PIX Classic, but there are some things they just don't do.

Julio Carvajal Sun, 08/19/2012 - 21:08

Hi Robert,

Just to talk a little about the hostname feature added on 8.4.2. (Hostnames on the ACL)

It does not matter which port the connection uses, as the ASA will match the FQDN so it can deny or permit the traffic, so I do not understand what you mean by running HTTP on port 22 or 53, as the ASA will still check and match on the TCP or UDP connection if configured like that.  I agree with you on the part that the ASA cannot perform "X", like PBR as an example, but you cannot be that negative and not point out the great features it has.

And sure my friend you can say a lot of negative stuff about the cisco ASA but what about the Palo Alto firewalls? I mean we cannot  point their negative stuff as we do not know them yet.

Let me know if you don't want me to post back on this particular discussion as well, if that is not the case I will be more than glad to help you

I believe PAN FW uses application signatures to match traffic, not just an FQDN check. Example: if you have port 80 opened from inside to outside (this is usual for web browsing), it is possible for an inside user to connect to an external server on port 80 using SSH, if the remote server runs SSH on port 80.

Of course, then you can do all sorts on SSH, SCP or tunnel traffic to remote servers etc.

PAN FW will stop this from happening. It will allow a TCP session to be established, and on top of that it will look for the correct app-layer request to the remote server.  PAN does this by default.

Of course, I haven't worked on them long enough to find caveats, but right now I can say there is much better support for ASAs (while I am waiting for the PAN helpdesk to get back to work after the weekend!).
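The two posts above describe the difference between classifying a flow by its destination port and identifying the application from the payload itself (HTTP over port 22, SSH over port 80). The following added example, written for this thread and not taken from any vendor's product, contrasts the two approaches over a few constructed flows; the payload heuristics (HTTP request line, TLS ClientHello header, SSH banner, DNS query header) are simplified, hypothetical signatures, not a real App-ID engine.

```python
"""Port-based vs. payload-based application identification (added example).

The signatures below are deliberately minimal stand-ins for what a
port-agnostic firewall does: look at the first client bytes of a flow
and decide what protocol is actually being spoken, regardless of port.
"""
import struct
from typing import List, NamedTuple, Tuple

# Classic "stateful" view: the destination port names the application.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


class Flow(NamedTuple):
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow


def classify_by_port(flow: Flow) -> str:
    """What a port/protocol rule base believes this flow is."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def _looks_like_http(p: bytes) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
    request_line = p.split(b"\r\n", 1)[0]
    return p.startswith(methods) and b" HTTP/1." in request_line


def _looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03 and p[5] == 0x01


def _looks_like_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")


def _looks_like_dns_query(p: bytes) -> bool:
    # 12-byte DNS header; a query has QR=0, opcode 0 and at least one question.
    if len(p) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", p[2:6])
    return (flags & 0x8000) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount >= 1


def classify_by_payload(flow: Flow) -> str:
    """What the flow actually is, judged from its first bytes only."""
    p = flow.payload
    if _looks_like_tls_client_hello(p):
        return "tls"
    if _looks_like_http(p):
        return "http"
    if _looks_like_ssh(p):
        return "ssh"
    if flow.proto == "udp" and _looks_like_dns_query(p):
        return "dns"
    return "unknown"


def find_mismatches(flows: List[Flow]) -> List[Tuple[int, str, str]]:
    """Flows where the port label and the identified application disagree:
    exactly the cases a port-only rule base would allow under the wrong name."""
    out = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_payload != "unknown" and by_port != by_payload:
            out.append((f.dst_port, by_port, by_payload))
    return out


# Constructed sample flows (not captured traffic).
_DNS_QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
              + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_FLOWS = [
    Flow("tcp", 22, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # HTTP on the SSH port
    Flow("tcp", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),                          # SSH on the web port
    Flow("udp", 53, _DNS_QUERY),                                          # genuine DNS query
    Flow("tcp", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),        # truncated ClientHello
]

if __name__ == "__main__":
    for port, by_port, by_payload in find_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: rule base says {by_port}, payload says {by_payload}")
```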

Tony Ortiz Wed, 03/06/2013 - 17:26

Hey folks,

I, too, as someone stated above, support both ASA and PANs. I own PA-500s, two in an ACTIVE-PASSIVE configuration, one stand-alone at our DR site.

At first, I thought PANs were going to be the answer to all my prayers in terms of handling both stateful packet inspection, packet signature inspection, application categorization and identification. If the firewalls worked, they would be unbeatable, and something Cisco hasn't even come close to matching.

However, we purchased these PA-500s 6 months ago, and I still don't have them 100% in production. I'm so busy finding bugs, identifying them, documenting and researching over GoToMeetings with tech support people, they are driving me nuts. Bugs that I have personally found and identified to PAN are:

1) ACTIVE-ACTIVE not supported on PA-500s. A design issue they found after they sold them to me. They stopped saying that on their website, by the way. We found out after we bought them.

2) HIGH-AVAILABILITY bug created havoc for me initially until they fixed it in 4.1.9. They came out with 4.1.9-H1, then -H2 within 5 days after that. Crazy...

3) CAPTIVE PORTAL issues surrounding USER ID agents don't work without serious tweaks to work around the problems as they relate to TERMINAL SERVERS and the /ADMIN switch. They had me create work-around rules to compensate for the bug, later identified as a design flaw that they admittedly stated they have no intention of fixing.

4) Upgraded the firewalls, hoping to save me some work, to 5.0.0, then 5.0.2. WHAT A FRICKEN MISTAKE!!! Not only is there a bug that overutilizes the CPU by 300% (calculated and determined in logs and memory dumps at the CLI), but that was three weeks ago. I told them I had the problem and that I needed the fix ASAP! Found out today: two more weeks. Crap...

5) TODAY, found another bug. If you apply either SERVICE (SSL) or APPLICATION (TEAMVIEWER) variables to a custom URL CATEGORY, it treats the rule as an OR for each variable instead of AND. Why is that a problem? Well, anything needing SSL starts using this rule and because the URL CATEGORY doesn't match, the APPLICATION TYPE cannot be defined and you get an "INCOMPLETE", thus creating crappy BROWSER experiences and weird errors and delays.

Other things:

A) NAT is HORRIFIC configuring!

B) VPN is a NIGHTMARE to configure. The client is a joke!

C) Don't get me started on BGP routing and what I had to do to get that to work!!!

My final opinion: Palo Alto Networks sells a product that is no different than buying a piece of software and having it claim itself a firewall that lives on a dedicated box. Yeah, ASA has software, but it does what it does well, and doesn't try to be a WEB FILTER or DLP solution. It leaves that for other products that complement it, i.e. CISCO IRONPORT WSA. We already own CISCO IRONPORT ESA. I should have gotten the WSA instead. MAN....

Anyway. PAN, if it worked, would be unbeatable. But Palo Alto Networks has a TREMENDOUSLY poor application development department change-control process. They are non-responsive, and treat hurting customers as nothing. Will NEVER recommend this product to anyone.

Trying to figure out now how to send them back and get my money back. Fat chance, but I'm hopeful...
