cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
182586
Views
103
Helpful
84
Replies

ASA's vs Palo Alto firewalls?

Andy White
Level 3
Level 3

Hi,

We use ASA's and I really like them, however our boss has invited someone from  Palo Alto to introduce teh  Palo Alto firewall range, why I don't know.  Anyone every used a  Palo Alto firewall, I can't find any comparision documents, I kow the sales guys will say  Palo Alto firewalls are better than cisco because......I need some backup for Cisco

http://www.paloaltonetworks.com/products/

1 Accepted Solution

Accepted Solutions

Tony Ortiz
Level 1
Level 1

Hey folks,

I, too, as someone stated above support both ASA and PAN's. I own PA-500's, two in an ACTIVE-PASSIVE configuration, one in a stand-alone at our DR site.

At first, I thought PAN's were going to be the answer to all my prayers in terms of handling both state-ful packet inspection, packet signature inspection, application categorization and identification. If the firewalls worked, it would be unbeatable, and something Cisco hasn't even come close to matching.

However, we purchased these PA-500's 6 months ago, and I still don't have them 100% in production. I so busy finding bugs, identifying them, documenting and researching over GOTOMEETINGS with tech support people, they are driving me nuts. Bugs that I have personally found and identified to PAN are:

1) ACTIVE-ACTIVE not supported on PA-500's. A design issue they found after they sold them to me. They stopped saying that on their website by the way. We found out after we bought them.

2) HIGH-AVAILABILITY bug created havoc for me initially until they fixed it in 4.1.9. They came out with 4.1.9-H1, then -H2 within 5 days after that. Crazy...

3) CAPTIVE PORTAL issues surrounding USER ID agents don't work without serious tweaks to work around the problems as they relate to TERMINAL SERVERS and the /ADMIN switch. They had me create work-around rules to compensate for both the bug, then later identified as a design-flaw that they admittedly stated they have no intention of fixing.

4) Upgraded the firewalls to hopefully save me some work to 5.0.0, then 5.0.2. WHAT A FRICKEN MISTAKE!!! Not only is there a bug that overutilizes the CPU by 300% (calculated and determined in logs and memory dumps at the CLI), but that was three weeks ago. I told them I had the problem and that I needed the fix ASAP! Found out today, two more weeks. Crap...

5) TODAY, found another bug. If you apply either SERVICE (SSL) or APPLICATION (TEAMVIEWER) variables to a custom URL CATEGORY, it treats the rule as an OR for each variable instead of AND. Why is that a problem? Well, anything needing SSL starts using this rule and because the URL CATEGORY doesn't match, the APPLICATION TYPE cannot be defined and you get an "INCOMPLETE", thus creating crappy BROWSER experiences and weird errors and delays.

Other things:

A) NAT is HORRIFIC configuring!

B) VPN is a NIGHTMARE to configure. The client is a joke!

C) Don't get me started on BGP routing and what I had to do to get that to work!!!

My final opinion, Palo Alto Networks sells a product that is no different than buying a piece of software and having it claim itself a firewall that lives on a dedicated box. Yea, ASA has software, but it does what it does well, and doesn't try to be a WEB FILTER or DLP solution. It leaves that for other products that compliment it, i.e. CISCO IRONPORT WSA. We already own CISCO IRONPORT ESA. I should have gotten the WSA instead. MAN....

Any ways. PAN, if it worked, would be unbeatable. But Palo Alto Networks has a TREMENDOUSLY poor application development department change-control process. They are non-responsive, and treat hurting customers as nothing. Will NEVER recommend this product to any one.

Trying to figure out now how to send them back and get my money back. Fat chance, but I'm hopeful...

View solution in original post

84 Replies 84

Hi,

Are these Palo Alto Firewalls stateful Firewalls?

Three kinds of Firewalls:

1. Packet Filtering

2. Proxy

3. Stateful Firewalls

Cisco's ASA fall in the category of Stateful Firewalls which is the best category since they are the fastest and more secure, because they maintain state tables. Besides the ASA are very robust not only in Firewalling but in VPNs, IPS and content filtering.

You have the option of failover and redundancy.

You can use the MPF Framework to manipulate more deeply the handling of lots of application protocols.

Cisco ASA is All-in-one Security Appliance (not only Firewall)

There are a lot of advantages in using Cisco ASA.

Find out what exactly the Palo Alto equipment does, and we find out the relevant differences.

Federico.

What is a CISCO firewall we can compare with a PA220 from Palo Alto?

 

(this is an old thread to dig up!)

 

To answer your question, on form-factor a 5506-X is comparable, but on performance a 5508-X is a better match, although not suited to sitting on your desk.

 

An SRX300 is also worth considering.

 

cheers,

Seb.

Leo Laohoo
Hall of Fame
Hall of Fame

I manage a government account, so before any man-and-his-monkey can talk to us we ask the mandatory question:  Is the product listed in the Common Criterea?

How many Palo Alto firewall technical knowledge can you find out in the market?  Is someone going to be trained to use this?  How about support from Palo Alto particularly EoS?

Our organization is currently looking to replace Sidewinders because they are EoS.  Unlike Cisco when they still provide some limited support, we are getting nowhere with McAfee.

I don't know what model or specifics your boss has in mind but be aware that if all-in-one (firewall, IPS and IDS) is what is being considered think about the hardware limitation.  Nearly all manufacturers (except Cisco) claims that they have an all-in-one that can push 10Gb.  All I can say (unless someone can correct me on this) is that it's really hard to push nearly 10Gb of firewall, IDS and IPS traffic.  It has been recommended that, yes, you can push 10Gb of firewall traffic but your IPS/IDS would be ideal to be in a separate box.

Hope this helps.

Sorry. I have never heard of these firewall until today. I looked it up and the spec. sheet is pretty impressive.

http://www.paloaltonetworks.com/literature/datasheets/PA2000_Specsheet.pdf

I would ask the following questions:

1. tech support (their site only says phone support until 7:00 PM PST)

2. warranty and extended warranty

3. training

4. this being a starup company I'd question how many established customers they have.

Seems like it does PBR with the ASA's do not support.

-KS

What is PBR?

PBR - Policy Based Routing.

-KS

trustcisco
Level 1
Level 1

Palo Alto is an application firewall (Do not confuse it with web application firewalls).

It cannot be compared with the ASA since the are not in the same category. Palo Alto claims that it's firewall can inspect https traffic, control which application can or cannot use port 80 and 443, IPS,VPN etc. So it does the same things with an ASA plus more

It has some really good features and i think that you should ask for a trial. The only problem that you are going to face is in case that you are using custom internet applications that are not listed on the palo alto's database. In order for the firewall to be able to inspect the app you have to sit together with palo alto's developers and build custom rules. This can take some time...

I will be most concerned about the deployment of this type of firewall since it has many similarities with web security gateways.

Yeah we have websense servers to control the internet, which is heavily configured, plus the ASA are heavily configure too, with multiple sub interfaces, dynamic NAT's, multiple VPN's and user VPN's for 100's of users.  PLus we have the IPS module installed and in an active/stadby mode with a 2nd ASA.

I've also been asked how can we we protect from internal hackers not based around just port blocking and Windows permission, something more intelligent.

Use a strict active directory policy for your users,  use patch management  software, not only wsus, you need to patch your apps also. Use HIPS for your users like CSA, CSA can stop many client side attacks, use SIEM for your net infrastructure and many more, it depends on what do you want to protect.

riskpundit
Level 1
Level 1

Palo Alto Networks represents a totally new type of firewall. It supports all the standard port- and IP-based type policy rules you use now, but goes on to enable policies based on applications, users, and content.

The reason this is important is that for the last several years hundreds and hundreds of "Web 2.0" applications have been built to evade standard stateful inspection firewalls either by port sharing or port hopping. And most of the exploits used today to breach organizations are via these applications.

Of course you can put IPS, proxy server, and URL filtering appliance behind your firewall to deal with these applications. But now you have four devices to manage and create policies for. More importantly the range of policies you can implement with Palo Alto is much broader than what you can do with a stateful inspection firewall and a bunch of firewall helpers. For example, you can allow Facebook Wall and email but not games. Or you can restrict Facebook usage to just marketing and sales people using your directory service. Or you could use URL filtering categories to selectively decrypt and analyze SSL sessions. Palo Alto also supports QoS, so you could allow video but restrict the bandwidth it uses.

FWIW, Gartner's 2010 Enterprise Firewall Magic Quadrant was released a few weeks ago, and based on my reading, Palo Alto Networks is the only shipping "next-generation" firewall based on their definition of next-generation. For sure Gartner does not always get it right, but this time they have. And you know the suits listen to Gartner.

Maybe Cisco ought to buy Palo Alto Networks.

r.popson
Level 1
Level 1

Not sure if you are still looking for some differences between the ASA and PA but I wanted to through my two cents in. This is coming from someone that used both the ASA and the Palo Alto at the same time.

As many people have stated before, the ASA is by far a fantastic stateful inspection firewall with a little IDS built in. Now if you are a security person, you know that firewalls these days provide a false sense of protection. All ports are being open for B2B and front end to back end web server communications. We know that nobody will ride port 80 for malicious activity right?

How does the ASA know what sort of content is within that port 80 traffic? How does it know if its a torrent transferring either PII, PHI or illegally downloaded videos and music?

The Palo Alto gives you a lot more visibility into what is actually going on within your network. You can create the policies to stop the illicit activity no matter what port its on. If your smart enough you can even create custom applications to be or not be inspected. It will if placed inline inspect ssl traffic like a man-in-the-middle, but obviously you have to look at performance and privacy considerations.

Palo Alto also gives you the functiionality of data loss prevention. WIth this you can help limit the use of web mail applications but not allowing the uploading or downloading of attachments via these accounts. Not sure about all of you, but I think compliance folks love this feature. Now we can have control over how documents are leaving the network.

To keep this short, if you are looking for security, then the Palo Alto appliance is the way to go. If you are looking for a false sense of security then stick with the old fashion firewalls.

So in case a company already has a web security gateway/proxy, where PA fits ?

I know PA is not a proxy, but is there a way to combine PA's feautures with a proxy appliance for browsing acceleration ?

I am not a fan of all-in-one appliances and i really like PA'S features but from a different point of view i thing PA is trying to combine firewalling/IPS/VPN with a web security appliance features. Sure is a next-gen firewall from that perspective but what exactly is PA's target ? to replace traditional firewalls ? or both firewalls and web security gateways ?

PA’s target is protecting your digital assets.

PA has built something that is fundamentally new. All firewalls from Cisco, Check Point, and Juniper are stateful inspection based. A stateful inspection firewall’s session/packet analysis starts by analyzing ports. Considering that there are hundreds and hundreds of applications nowadays that share ports or port hop, and that 80% of the exploits that are causing breaches leverage these applications, stateful inspection firewalls are practically useless.

PA is an “AppFirst” (my term) firewall. AppFirst means that detecting the application of the session is the first task the firewall must perform in order to decide which policy to apply, and if you have the IPS functionality, which vulnerability, anti-virus, and anti-spyware signatures to bring to bear to monitor that application. PA can also support traditional port based policies to ease the transition from Cisco, Check Point, or Juniper. But the key point is that stateful inspection, “PortFirst” policies are useless in protecting your digital assets.

Proxies are of limited value as well as they don’t understand all the applications either.

If you don’t believe this, try putting a PA box behind your existing network security infrastructure for a couple of days to see what you are missing.

Regarding the “all-in-one” issue – I can understand your concerns. These “UTMs” are nothing more than a packaging exercise, i.e. combining a stateful inspection firewall with a few other legacy network security functions. First, it offers nothing in the way of providing better protection. Second, the more functions you turn on, the worse the performance gets. Not so with PA. PA performs the full analysis process in a single pass, so there is no degradation. Of course, PA accomplishes this with specialized hardware. There is no way a standard Intel/AMD server could do this.

Finally, the range of policies you can deploy is much broader with PA. Simply blocking an application like Facebook may not be an option anymore. There are good business reasons for allowing your sales and marketing people access to Facebook. Furthermore, you might want to allow posting to the Wall and doing email but not game playing. How would you implement that with stateful inspection firewalls, IPSs, and secure web gateways?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: