We use ASAs and I really like them; however, our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Has anyone ever used a Palo Alto firewall? I can't find any comparison documents. I know the sales guys will say Palo Alto firewalls are better than Cisco because...... I need some backup for Cisco.
I, too, as someone stated above, support both ASAs and PANs. I own PA-500s: two in an ACTIVE-PASSIVE configuration, and one stand-alone at our DR site.
At first, I thought PANs were going to be the answer to all my prayers in terms of handling stateful packet inspection, packet signature inspection, and application categorization and identification. If the firewalls worked, they would be unbeatable, and something Cisco hasn't even come close to matching.
However, we purchased these PA-500s 6 months ago, and I still don't have them 100% in production. I am so busy finding bugs, identifying them, documenting them and researching over GoToMeetings with tech support people that they are driving me nuts. Bugs that I have personally found and identified to PAN are:
1) ACTIVE-ACTIVE is not supported on PA-500s. A design issue they found after they sold them to me. They stopped saying that on their website, by the way. We found out after we bought them.
2) A HIGH-AVAILABILITY bug created havoc for me initially until they fixed it in 4.1.9. They came out with 4.1.9-H1, then -H2, within 5 days after that. Crazy...
3) CAPTIVE PORTAL issues surrounding USER-ID agents: they don't work without serious tweaks to work around the problems as they relate to TERMINAL SERVERS and the /ADMIN switch. They had me create work-around rules to compensate for the bug, which was later identified as a design flaw that they admittedly stated they have no intention of fixing.
4) I upgraded the firewalls to 5.0.0, then 5.0.2, hoping to save myself some work. WHAT A FRICKEN MISTAKE!!! Not only is there a bug that over-utilizes the CPU by 300% (calculated and determined in logs and memory dumps at the CLI), but that was three weeks ago. I told them I had the problem and that I needed the fix ASAP! Found out today: two more weeks. Crap...
5) TODAY, I found another bug. If you apply either a SERVICE (SSL) or an APPLICATION (TEAMVIEWER) variable to a custom URL CATEGORY, it treats the rule as an OR for each variable instead of an AND. Why is that a problem? Well, anything needing SSL starts using this rule, and because the URL CATEGORY doesn't match, the APPLICATION TYPE cannot be defined and you get an "INCOMPLETE", thus creating crappy BROWSER experiences and weird errors and delays.
A) NAT is HORRIFIC to configure!
B) VPN is a NIGHTMARE to configure. The client is a joke!
C) Don't get me started on BGP routing and what I had to do to get that to work!!!
My final opinion: Palo Alto Networks sells a product that is no different from buying a piece of software that claims to be a firewall and lives on a dedicated box. Yeah, ASA is software too, but it does what it does well, and doesn't try to be a WEB FILTER or DLP solution. It leaves that to other products that complement it, e.g. CISCO IRONPORT WSA. We already own CISCO IRONPORT ESA. I should have gotten the WSA instead. MAN....
Anyway. PAN, if it worked, would be unbeatable. But Palo Alto Networks has a TREMENDOUSLY poor application development department change-control process. They are non-responsive, and treat hurting customers as nothing. I will NEVER recommend this product to anyone.
Trying to figure out now how to send them back and get my money back. Fat chance, but I'm hopeful...