ASA 5585X vs Palo Alto 3020 - differences - help needed understanding

jacob6000
Level 1

I was hoping to get some clarifications on the ASA technology vs the Palo Alto 3020. Below are the specs from the website for the 3020.

Questions

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

2) The ASA doesn't have zones, only Security Contexts, right?

3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

Thank you,

Palo Alto PA-3020 Hardware Firewalls

•         2 Gbps firewall throughput (App-ID enabled)

•         1 Gbps threat prevention throughput

•         500 Mbps IPSec VPN throughput

•         250,000 max sessions per second

•         50,000 new sessions per second

•         1,000 IPSec VPN Users

•         10 Virtual routers

•         1/6 virtual systems (base/max)

•         40 security zones

•         2,500 max number of policies

7 Replies

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

No, the 5525X with a 10-context license would be a more accurate match for the Palo Alto specs you posted. The only difference would be that new sessions per second is 20,000 on the ASA; all other stats match.

2) The ASA doesn't have zones, only Security Contexts, right?

Correct, the ASA contexts are virtual firewalls. A secure zone and a non-secure zone would be defined either by a security context or by security levels on the interfaces (accompanied by ACLs).

3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

This I am not sure of, as I am not very familiar with Palo Alto...yet ;-)  But for a little explanation, the ASA is a firewall with some routing capabilities, and each context has its own routing table. So I would assume that virtual routers and virtual systems could be combined into what the ASA defines as a security context. Cisco routers have zones defined when using the zone-based firewall; however, the ASA does not define security zones in the same way. Zones on the ASA would be the administrator defining an interface security level, or a context, and defining the network connected to the interface or context as being a highly sensitive subnet, regular user subnet, internet, etc.

--

Please remember to select a correct answer and rate helpful posts

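The following configuration fragment is an added illustration by the editor, not something posted by any participant in this thread. It shows the two ASA mechanisms the reply above describes side by side: multiple-context mode (the virtual-firewall analogue of a PA virtual system) and, inside one context, interface security levels plus an ACL standing in for what Palo Alto would express as a zone and a zone-to-zone rule. Interface names, context names, file names and addresses (10.1.1.0/24, 203.0.113.0/24) are made up for the example.

```cisco
! --- System execution space: carve two virtual firewalls (contexts) out of one ASA.
!     Each context gets its own interfaces, config file, and routing table.
mode multiple
!
context admin
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg
!
context tenantA
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/tenantA.cfg
!
! --- Inside context tenantA (exec: changeto context tenantA).
!     There are no named zones. Trust is a per-interface number: traffic from a
!     higher security level to a lower one is allowed by default (stateful return
!     traffic is permitted); lower to higher is denied unless an ACL allows it.
interface GigabitEthernet0/2
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/3
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0
!
! --- The explicit rule that plays the role of a PA "outside -> inside" zone rule:
!     only HTTPS to one published host is allowed in; everything else is logged and dropped.
access-list outside_in extended permit tcp any host 10.1.1.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The practical difference to keep in mind when migrating policy: a PA rule is written between named zones, while the ASA rule above is tied to an interface. Two ASA interfaces at the same security level do not talk to each other at all unless `same-security-traffic permit inter-interface` is configured, which is the closest thing to an intra-zone rule.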

Hi,

I believe that the ASA 5585-X does not support traffic shaping the way Palo Alto does?

Thanks


Both the ASA and PA support traffic shaping. This is actually a great feature to limit unwanted traffic too - if designed correctly.

With both Cisco and Palo Alto, the higher-end hardware will obtain better results for traffic shaping.

Hope this helps!

Ricky Boyd

CCIE 2901

Security and Data Center Consultant

Dimension Data

Hi,

In Palo Alto we can create 8 classes where we can give priority (high, low, ...) and Egress Max and Egress Guaranteed. Is it possible in the same way?

Moreover, based on the application (for example Skype, Windows Update), we can limit the traffic.


Thanks
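As an added example by the editor (not posted by a participant), this is what the ASA side of the exchange above looks like in the Modular Policy Framework. It shows the three QoS actions the classic ASA has: `shape` (only permitted on `class-default`, i.e. for the whole egress interface), `priority` (a low-latency queue, here nested under the shaper as hierarchical priority queueing) and `police` (a hard per-class rate cap, the nearest analogue of an "Egress Max"). There is no per-class guaranteed-bandwidth action comparable to "Egress Guaranteed", and classification is by ACL, port or DSCP rather than by application; application-aware rate limiting on this platform is a FirePOWER-module feature, not an ASA MPF one. Interface names, rates and the RTP port range are assumptions for the example.

```cisco
! --- Classification: the ASA matches on ACL/ports/DSCP, not on an application signature.
access-list VOICE_RTP extended permit udp any any range 16384 32767
class-map VOICE
  match access-list VOICE_RTP
!
class-map HTTP_DOWNLOADS
  match port tcp eq 80
!
! --- Child policy: low-latency queue for voice.
!     Under a shaping parent, "priority" is the action used (hierarchical priority queueing).
policy-map VOICE_FIRST
  class VOICE
    priority
!
! --- Parent policy on the WAN side: shape everything leaving "outside" to 20 Mbps
!     (average rate in bps, burst in bytes) and prioritise voice inside that envelope.
!     Shaping is only allowed on class-default, so it is always "the whole interface".
policy-map SHAPE_OUTSIDE
  class class-default
    shape average 20000000 200000
    service-policy VOICE_FIRST
!
service-policy SHAPE_OUTSIDE interface outside
!
! --- Separate interface policy on the LAN side: cap HTTP downloads towards users at 2 Mbps.
!     police output <conform-rate bps> <burst bytes>; traffic above the rate is dropped.
!     Each interface takes at most one service-policy.
policy-map POLICE_INSIDE
  class HTTP_DOWNLOADS
    police output 2000000 37500
!
service-policy POLICE_INSIDE interface inside
```

If the requirement really is eight classes with per-class guaranteed and maximum bandwidth, that is not something the ASA MPF expresses; what it gives you is one shaped envelope per interface, one strict-priority class within it, and hard policers on individual classes.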

I don't think the Palo Alto chassis setup is redundant. You have to buy 2.

With the 6500, 2 sups, 2 ASA-SM, 2 Line cards, 2 power supplies in one box!!

 

Also, the Palo Alto only supports 64k prefixes.

My .02 worth

Frank

rdboyd
Level 1

I have used Palo Alto firewalls extensively in the past and have also used ASAs since their inception.

Questions

1) I believe the ASA 5585X would be right choice/equivalent: ASA5585-S10C10-K9.  Correct?

The correct firewall to size against the PA-3020 would be the ASA 5585-X SSP-20 w/ FirePOWER Services. An important thing to note is sizing needs to be with full Application/IPS detection. Here is a great reference:  http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-732253.html

2) The ASA doesn't have zones, only Security Contexts, right?

Both the ASA and Palo Alto have similar zones and virtual firewalls you can bring up. The wording is a little different but function similarly. 

3) The Palo Alto box lists "Virtual routers, virtual systems and zones." What are the ASA equivalents? I imagine Virtual Systems is the equivalent of a Security Context but I'm not sure. Any explanations here would be very helpful.

Cisco leverages 'contexts' while Palo Alto leverages 'VSYS'. Here is a reference for ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html#wp1002608

Here is the reference for Palo Alto: https://live.paloaltonetworks.com/docs/DOC-3892

I hope this helps.

Ricky Boyd

CCIE

Please rate if helpful

tabique22
Level 1

I believe that starting at version 12.4(6) and version 15.x, Cisco does support zone-based firewalls.

 

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall 

 

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
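To make the contrast with the ASA posts above concrete, here is an added example by the editor (not from the thread or the linked guide) of a minimal IOS Zone-Based Policy Firewall. Unlike the ASA, zones are first-class objects: interfaces join a zone, and policy is written on a zone-pair in one direction, with inspection state admitting the return traffic. Interface names and addresses are made up for the example.

```cisco
! --- Zones are named objects; an interface belongs to exactly one.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.0
 zone-member security OUTSIDE
!
! --- Classification is protocol-aware (NBAR/inspect engines), not just port-based.
class-map type inspect match-any IN_TO_OUT_ALLOWED
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! --- "inspect" creates stateful sessions so replies are allowed back;
!     everything not explicitly matched is dropped and logged.
policy-map type inspect IN_TO_OUT
 class type inspect IN_TO_OUT_ALLOWED
  inspect
 class class-default
  drop log
!
! --- Policy is bound to a direction between two zones.
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT
!
! Defaults worth knowing:
!  - No zone-pair OUTSIDE -> INSIDE exists, so unsolicited inbound traffic is dropped.
!  - Traffic between interfaces in the same zone is permitted.
!  - Traffic to or from the router itself is the implicit "self" zone and is
!    permitted until a zone-pair involving "self" is configured.
```

Read against the ASA example earlier in the thread: the ASA encodes trust as a number on each interface and needs an ACL to open the low-to-high direction, whereas ZBFW denies everything between two zones until a zone-pair with a policy exists. Both are stateful, but only ZBFW lets you name the trust boundary the way a PA zone does.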
