ASA 5585X vs Palo Alto 3020 - differences - help needed understanding

Jun 25th, 2014

I was hoping to get some clarifications on the ASA technology vs the Palo Alto 3020. Below are the specs from the website for the 3020.

Questions

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

2) The ASA doesn't have zones, only Security Contexts, right?

3) The Palo Alto box lists "Virtual routers, virtual systems and zones". What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

Thank you,

Palo Alto PA-3020 Hardware Firewalls

• 2 Gbps firewall throughput (App-ID enabled)
• 1 Gbps threat prevention throughput
• 500 Mbps IPSec VPN throughput
• 250,000 max sessions per second
• 50,000 new sessions per second
• 1,000 IPSec VPN Users
• 10 Virtual routers
• 1/6 virtual systems (base/max)
• 40 security zones
• 2,500 max number of policies

Marius Gunnerud Thu, 06/26/2014 - 01:52

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

No, the 5525X with a 10 context license would be a more accurate match for the Palo Alto settings you posted.  The only difference would be the new sessions per second is 20,000 on the ASA...all other stats match.

2) The ASA doesn't have zones, only Security Contexts, right?

Correct, the ASA contexts are virtual firewalls.  Though secure zone and non-secure zone would either be defined by a security context or security-levels on the interfaces (accompanied with ACLs).

3) The Palo Alto box lists "Virtual routers, virtual systems and zones". What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

This I am not sure of, as I am not very familiar with Palo Alto...yet ;-)  But for a little explanation, the ASA is a firewall with some routing capabilities, and each context has its own routing table.  So I would assume that virtual routers and virtual systems could be combined into what the ASA defines as a security context.  Cisco routers have zones defined when using the zone-based firewall; however, the ASA does not define security zones in the same way.  Zones on the ASA would be the administrator defining an interface security level, or a context, and defining the network connected to the interface or context as being a highly sensitive subnet, regular user subnet, internet...etc.

--

Please remember to select a correct answer and rate helpful posts

support sbt Wed, 07/01/2015 - 17:27

Hi,

I believe that the ASA 5585-X does not support traffic shaping the way Palo Alto does?

Thanks

 

rdboyd Wed, 07/01/2015 - 23:38

Both the ASA and PA support traffic shaping. This is actually a great feature to limit unwanted traffic too - if designed correctly.

As with Cisco and Palo Alto, the higher end hardware will obtain better results for traffic shaping.

Hope this helps!

Ricky Boyd

CCIE 2901

Security and Data Center Consultant

Dimension Data

support sbt Thu, 07/02/2015 - 01:43

Hi,

In Palo Alto we can create 8 classes where we can give priority (high, low, ...) and Egress Max and Egress Guaranteed. Is it possible in the same way?

Moreover, based on the application (for example Skype, Windows Update) we can limit the traffic.

Thanks

fsebera Mon, 10/05/2015 - 12:42

I don't think the Palo Alto chassis setup is redundant. You have to buy 2.

With the 6500, 2 sups, 2 ASA-SM, 2 Line cards, 2 power supplies in one box!!

 

Also, the Palo Alto only supports 64k prefixes.

My .02 worth

Frank

rdboyd Mon, 11/24/2014 - 22:26

I have used Palo Alto firewalls extensively in the past and have also used ASAs since inception.

Questions

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

The correct firewall to size against the PA-3020 would be the ASA 5585-X SSP-20 w/ FirePOWER Services. An important thing to note is sizing needs to be with full Application/IPS detection. Here is a great reference:  http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-serie...

2) The ASA doesn't have zones, only Security Contexts, right?

Both the ASA and Palo Alto have similar zones and virtual firewalls you can bring up. The wording is a little different but they function similarly.

3) The Palo Alto box lists "Virtual routers, virtual systems and zones". What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

Cisco leverages 'contexts' while Palo Alto leverages 'VSYS'. Here is a reference for ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/gu...

Here is the reference for Palo Alto: https://live.paloaltonetworks.com/docs/DOC-3892

I hope this helps.

Ricky Boyd

CCIE

Please rate if helpful
