ASA's vs Palo Alto firewalls?

Andy White
Level 3

Hi,

We use ASAs and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Anyone ever used a Palo Alto firewall? I can't find any comparison documents, I know the sales guys will say Palo Alto firewalls are better than Cisco because...... I need some backup for Cisco.

http://www.paloaltonetworks.com/products/

84 Replies

dpalmero
Level 1

I went to a presentation by Palo Alto ("PA") some time ago.  I was pretty impressed at the time.

They are still a relatively small, unknown player with an impressive product.   However they have a number of challenges to overcome.  First, they do not have any little firewalls.  There is no such thing as an "ASA 5505" equivalent here, or even an ASA 5510.  All of their firewalls are designed to handle a lot of traffic and are priced accordingly.  Therefore, there is no little firewall they can sell for a low cost for a company to "Get used" to the solution and kick it around.  Implementing Palo Alto is therefore going to be seen as a "risk" for a significant outlay of cash (always important in the current economy).

Compounding this problem is that Palo Alto sells their solution as a replacement to "Traditional" firewalls, which they see as inadequate.  They have a pretty convincing argument, however, it is basically a Rip and Replace selling strategy.  That is going to encounter resistance when there is significant investment already outlayed in current firewalls.  The ROI here is that PA has to bring in something really significant and necessary, and most companies, or engineers who like this solution, will probably be looking at a potential IDS (for example) deployment and decide to try to implement PA instead of IDS, getting the funding that way, and then slowly replacing the Traditional Firewalls with the PA.

PA also has an uphill climb when it comes to government (or government dependent) deployments. As another poster mentioned, Common Criteria is a factor, as well as the myriad of regulations surrounding audits that are already designed for Cisco firewalls (or Juniper), and not for smaller players.

And lastly, as mentioned, PA has Cost issues.  They are NOT cheap firewalls.  If you have a need for a small firewall connected to, say, a small remote office... PA has no solution there for you (or at least they did not when last I was looking at them).  If you are a small company, you will probably not be able to afford the PA Solution (or rather, decide to go for Cisco's "Toyota" rather than PA's "Rolls Royce").

All that said, the PA firewall is extremely powerful, looks easy to manage, and has capabilities that other vendors don't seem to equal right now or require lots of other bolt on solutions.    As always, examine your requirements and your budget.

I got some exposure to Palo Alto Firewall back in August 2007 when this product was relatively new at the time.  The product has some really good new features but also some down sides as well.  We were looking at Palo Alto as a possible replacement of our existing firewalls at the time.  When looking at Palo Alto firewalls versus Cisco, Checkpoint, Juniper firewalls, you need to keep these things in mind:

- There are no low-end Palo Alto Firewalls.  Unless you have a big IT budget, Palo Alto is not for you.

- Day-to-Day operation.  It is very difficult to find IT people with good Palo Alto firewall skills.  You're pretty much at the mercy of people who are responsible for maintaining your Firewall/security infrastructure.  If you use Cisco, Checkpoint and Juniper firewalls, there are a lot more people on the market with these skills.  If a firewall engineer leaves the company, that person can be replaced much more easily than someone with Palo Alto firewall skill.

- Vendor support.  Cisco TAC support, IMHO, is the best.  Checkpoint and Juniper TAC support is also very good as well.  I cannot comment on Palo Alto support because I have not worked with them, but I can comment on Riverbed Steelhead TAC support.  It is not as good as Cisco TAC.  This is because of the size of companies such as Cisco, Juniper and Checkpoint.  The resource is much bigger and better.  Small organizations cannot provide that.

- Customer base.  The number of customers that use Palo Alto is very small compared to Cisco, Checkpoint and Juniper.  Therefore, it is much harder to find bugs/issues and the fix may take longer than with other firewall vendors because the customer base is quite small.

my 2c.

There is no doubt that PA is smaller than Cisco. But, like I said in my earlier responses today to trustcisco and dpalmero, if your goal is to protect your digital assets, you need a firewall like PA. Gartner calls it next-generation. If you want the details on that, look for Gartner’s October 2009 research report on next-generation firewalls. While I think we are going to be stuck with the term, “next-generation,” the issue is how packets/sessions are analyzed. I like the term, “AppFirst” because it’s technically meaningful. All firewall vendors are going to start using the term "next-generation" because Gartner is.

The question is, does your firewall first discover the application of the session and then execute policies based on the application (preferably in a single pass)? Second, does the firewall continue to monitor the session looking for changes in the application and react to those changes? Third, does it do this at speed with low latency?

As to support issues, I think PA has gotten to the size (1,100 customers) that you can probably find people you know who are using PA now and ask them. BTW, many of them are using PA in conjunction with (behind) Cisco, Juniper, or Check Point. So rip-and-replace is surely not the only deployment strategy.

We are going to replace our existing firewalls next year and I am going to checkout Palo Alto Firewall as a possible replacement by looking at it again.

When I first looked at it in 2007, the customer base for Palo Alto was less than 10 customers, and the management piece for Palo Alto, Panorama, was pretty lousy and sluggish at the time.  Maybe the product has had a lot of improvements since.

I will say that if I interview someone for a Firewall Engineering position, there is about 100% probability that he or she knows Cisco, Juniper or Checkpoint firewall technologies.  I've NOT met anyone with extensive experience with Palo Alto firewalls yet.  That makes management nervous about replacing existing firewalls with Palo Alto firewalls.

Last but not least, your comment regarding "if your goal is to protect your digital assets, you need a firewall like PA", that is very misleading.

Your "digital assets" can be protected via IPS and most importantly, Data Loss Prevention (DLP) devices.

Please review my response to trustcisco from this morning. PA brings something truly new to the table – it can actually protect your digital assets. Traditional stateful inspection firewalls are practically useless in the face of the hundreds and hundreds of port sharing and port hopping applications which most exploits are leveraging to gain access to your digital assets.

Regarding PA being unknown, I would say their appearance as a Visionary on Gartner’s 2010 Enterprise Firewall Magic Quadrant is going to change that. Furthermore, if you analyze what Gartner wrote about PA and the other firewall manufacturers, it’s clear that PA is the only one that meets Gartner’s next-generation firewall criteria.

As to Rolls Royce, I would beg to differ. For most mid to large organizations, PA is going to save you money. First, there is appliance consolidation – firewall, IPS, proxy server, and URL filtering. Second, there is policy management simplification and improved responsiveness to the business units we serve.

In conclusion, Cisco's next firewall must be AppFirst.

Thanks for your answer Bill, I have read on PA's website about HTTPS inspection. Is it true? And if yes, what is the technology used to inspect encrypted traffic?

benreynolds
Level 1

I've just been through the process of looking at our corporate firewall replacements - To sum up we currently run about 50 clusters of ASA's with AIP SSM-10 and 4 corporate Checkpoint clusters.  It's the checkpoints we are looking to replace.

My view of the PA units are:

Good

Powerful units

Well thought out design (built ground-up to do its job).

Easy to Manage.

Layer 7 Firewalling  - really will be the future IMO.

As with cisco I think you can believe the throughput stats.

Bad

No certification full stop!  fips / common criteria all missing.

Support and lack of advanced training.

Expensive.

It's quite often sold as a proxy server - PA needs to ensure that this practice does not happen as all it is on that basis is a url filter (US based).  We wouldn't call the ASA a proxy server.

Its IPS/IDS credentials still need further testing in the market place.

On a side note - With Checkpoint's recent buy-in to the Facetime database and soon to be released (2010) "application blade", the primary feature of the PA units becomes shared with one of the big firewall players - In fact it's useful to note that whilst PA has approx 950 apps in its database, Checkpoint's will soon have in excess of 5000 apps available to firewall with.  Of course it could be said that the PA unit has better throughput....

But if I install Checkpoint on open server platform I can out-perform even the biggest PA unit.

Cisco and Juniper are both playing catch up on the layer 7 firewall at this time.  Although it needs to be noted that the Juniper SRX platform is still buggy (move from ScreenOS to JUNOS).

I think possibly the delay from Cisco may have been the emphasis on the server market the last couple of years.  Nonetheless I would expect Cisco to soon catch up and provide us all with a true NGFW that covers all our needs alongside the current IPS/IDS.  Hoping at least.

End result - I'll put an ASA5520 with SSM-20 facing the internet - Checkpoint cluster with IPS blade with DMZ to McAfee Webwasher - internal network.

Simples.


Regards

Apologies trustcisco - the PA units use a fairly simple man in the middle attack to decrypt and inspect https traffic. Nothing new - webwasher can cover this in our deployment.

Ben, Let me respond to your April 30 post by topics including Policy Management, Fine Grained Application Control, Intrusion Prevention, Latency, QoS, Internal Network Management, Market Acceptance, and Gartner's next-generation firewall analysis. If your organization were to issue an RFP, I believe these topics would be included.

Policy Management - Your Cisco/CheckPoint/Facetime/McAfee solution has a minimum of three points of policy management - Cisco, Check Point, and McAfee. Since the Facetime piece is not shipping yet, it's hard to know what the user interface will be for that. Palo Alto Networks provides a single, unified policy management interface. This will save time/money and enable faster response to business requirements. Depending on the size and complexity of your organization this could be significant.

More specifically, you will still need to manage IP- and port-based rules on the ASAs and probably on the Check Points. PAN will allow you over time to reduce, if not eliminate entirely, IP- and port-based policies. This will dramatically reduce the number of rules needed to implement policies and also enable auditors to more easily determine if the firewall rules actually reflect the organization's policies.

Fine grained application control - While Facetime may have more applications identified, PAN provides more fine grained control of major applications like Facebook. Facetime's Application Guide lists Facebook as one application. PAN's Applipedia shows Facebook, Facebook-apps, Facebook-chat, and Facebook-mail. Therefore you could build a PAN rule allowing Facebook mail and chat but not apps like FarmVille or MafiaWars. This is especially important if your organization wants sales and marketing to interact with Facebook's 400 million users, but not to waste time on games. Furthermore you could allow Facebook-mail but no attachments. We'll see if the CheckPoint/Facetime solution will have this fine grained control. Also, will the CheckPoint/Facetime solution support SSL decryption? If so, what will the performance hit be?

Intrusion Prevention - While Facetime may have more applications identified, how will this be integrated with the intrusion prevention technology Check Point acquired from Network Flight Recorder? When PAN identifies an application, it only checks the vulnerability signatures associated with that application (and of course those related to the underlying protocol). This approach means you don't have to manually "tune" the IPS. My final point on this - put PAN behind Cisco/CheckPoint/Facetime/McAfee and see what additional visibility it provides.

Latency - Your Cisco/CheckPoint/Facetime/McAfee solution could require four or more passes in each direction. PAN is a single-pass process no matter how many features you turn on. PAN's appliance is not a standard Intel server architecture, but specifically built to provide low latency.

QoS - PAN enables you to allocate bandwidth based on application or application category. Will the CheckPoint/Facetime solution? And how will you manage QoS among the Cisco, CheckPoint/Facetime, and McAfee components?

Internal network management - PAN's higher throughput capabilities will allow you to use it for internal segment application and user control. For example you could create a policy restricting access to financial databases to only those groups (as defined in your directory service) who need access. And PAN enables you to create multiple virtual firewalls to simplify policy management. While Check Point has this capability, I believe it's only on their high end VSX models.

Gartner analysis - In Gartner's 2010 Enterprise Firewall Magic Quadrant report, PAN is the only firewall that meets the next-generation requirements it established in October 2009. Your point about Cisco and Juniper catching up - perhaps in a couple of years. But don't assume that PAN will stand still. Also, you surely realize that Cisco and Juniper are really focused on bigger markets than security.

Advanced Training - It is my understanding that PAN does now have advanced training.

Support - The feedback I've gotten from customers, while anecdotal, is very positive.

Market acceptance - I believe that PAN has over 1,300 customers now.  While still small compared to Cisco, Check Point, and McAfee, it's significant. In fact, let me put this in the context of the "technology acceptance curve." PAN has passed the Early Adopters phase and is now selling into the Early Majority. Organizations who are culturally Late Majority may not be ready for PAN at this time. I don't say this in a judgmental way, but how would you rate your organization?

In closing, at the end of the day, your choice really depends on how you and others in your organization weight the topics I discussed above. I would be glad to continue the discussion off line. I am not a PAN employee.
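As an added illustration of the app-first model described in the posts above (this is not code from the thread or from any vendor): policy is matched on the identified application rather than the destination port, the decision is re-evaluated whenever app identification reclassifies a session, and only the IPS signatures tied to that application and its underlying protocol are checked. The application catalogue, rule names and signature names are constructed for the example; the Facebook sub-application split mirrors the one mentioned above.

```python
# Constructed application catalogue: app -> (parent app, underlying protocol).
APP_INFO = {
    "web-browsing":  (None, "http"),
    "facebook":      (None, "http"),
    "facebook-chat": ("facebook", "http"),
    "facebook-mail": ("facebook", "http"),
    "facebook-apps": ("facebook", "http"),
    "ssh":           (None, "ssh"),
}

# Constructed IPS signature catalogue keyed by application or protocol name.
SIGNATURES = {
    "http": ["http-header-overflow"],
    "ssh": ["ssh-bruteforce"],
    "facebook-apps": ["flash-game-exploit"],
}


class Rule:
    def __init__(self, name, apps, action):
        self.name = name
        self.apps = frozenset(apps)  # a parent name (e.g. "facebook") also matches its sub-apps
        self.action = action         # "allow" or "deny"


# App-first rule base: three rules express "mail and chat yes, games no, web yes".
APP_RULES = [
    Rule("no-facebook-games", {"facebook-apps"}, "deny"),
    Rule("facebook-comms", {"facebook-chat", "facebook-mail"}, "allow"),
    Rule("general-web", {"web-browsing"}, "allow"),
]

# Port-based rule base a traditional stateful firewall would use for the same traffic.
PORT_RULES = {443: "allow", 80: "allow"}


def app_chain(app):
    """Yield the app followed by its parents, e.g. facebook-chat, facebook."""
    while app is not None:
        yield app
        app = APP_INFO.get(app, (None, None))[0]


def evaluate_app(app):
    """First-match evaluation on the identified application; unmatched apps are denied."""
    for rule in APP_RULES:
        if any(a in rule.apps for a in app_chain(app)):
            return rule.name, rule.action
    return "default", "deny"


def evaluate_port(dport):
    """What a port-only policy decides, regardless of the application inside."""
    return PORT_RULES.get(dport, "deny")


def signatures_for(app):
    """Only signatures for the identified app and its protocol are evaluated (no manual tuning)."""
    protocol = APP_INFO.get(app, (None, None))[1]
    return sorted(set(SIGNATURES.get(app, []) + SIGNATURES.get(protocol, [])))


def track_session(dport, observed_apps):
    """Re-evaluate policy each time app-id reclassifies the session; return the decision trail."""
    current, trail = "unknown", []
    for app in observed_apps:
        if app != current:
            current = app
            rule, action = evaluate_app(app)
            trail.append((app, rule, action, evaluate_port(dport)))
    return trail
```

A session on tcp/443 that starts as plain web browsing, becomes Facebook chat and then a Facebook game is allowed, allowed, then denied by the app rules, while the port rule allows it throughout.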

Hi All,

I have worked with PIXes and ASAs for years and since a few weeks I'm having the chance to evaluate a Palo Alto box. Of course the application visibility is something that is unique and stands out.

However, if I want to replace one of my PIX/ASAs with Palo Alto I also have to compare the regular functions like access rules, NAT, VPN and how to configure them.  I have tried to configure an IPSec VPN, however I haven't succeeded yet in making it work although I followed the Palo Alto Administrator's Guide exactly. It looks all quite tedious and not logical to me. Of course this could be because of my "Cisco look". Another example: making a NAT exemption is not clear to me and the PA Administrator's Guide doesn't mention this at all. The Palo Alto Guide on the whole is not as elaborate as the Cisco Configuration Guides are. Also the logging and debugging is not as extensive.

I went to the presentation of Nir Zuk and was very enthusiastic about the concept. Nevertheless I recommend everyone to try and get an evaluation box and experience every aspect by yourself. I still think application visibility is a necessary step in the evolution of firewalls.

Albert Bruggeman

Sr. Technical Consultant

iSOFT

The Netherlands

mbjohnson
Level 1

I've been using PIXs and ASAs now for a long time and I'm very disappointed in the latest ASA software (8.3). We're evaluating the Palo Altos right now and I can tell you it's a dream compared to the ASA. Great management interface, very straightforward configuration for most stuff, pretty intuitive interface etc. And the reporting, Layer 7/IDS functionalities are just awesome. We're considering replacing all our ASAs with the Palo Alto units. I would definitely recommend you guys at least look at them and do an eval.

T O
Level 1

Thanks Thaer this is useful feedback.

It's interesting that there is a conflict between having "one throat to choke" and "eggs in one basket".  I think that from a security perspective it's ideal to have a dual-vendor solution and implement security in layers.

I like Palo Alto's vision and view of the future, but my main concerns with them are:

1) No relatively small firewall (say like a 5505) that can be used to implement a gradual implementation

2) Cost is much higher, so the entry into this space is relatively prohibitive compared to the established vendors

3) Relative immaturity of product as some have said with VPN and other functionalities.

However I will continue to investigate them as time moves on to see how they evolve. 

MooreIT01
Level 1

I've used the PA 2050 model at a previous employer and liked it very much.  We replaced an ASA5510 with the device.  When we started looking at the Palo Alto device we were looking to add a gateway security appliance (Antivirus, Malware, URL / content filtering) to the network and I stumbled across the PA devices.  I looked at Websense right away however to make it work in our environment (heavy Citrix Xen App shop) it was going to be very expensive (not that the PA's aren't). 

I did the PA web demos and got an eval box then made the decision from there.  I won't say it was extremely easy to manage, however it was better than the ASA in my opinion and I am by no means a PIX / ASA expert (I would even classify myself as lower middle on skill set).  I was able to move all of my existing functionality over (VPNs etc) as well as adding more capabilities (URL and Antivirus).  I never realized how many people had that stupid coupon toolbar thingy installed...  With my Citrix / TS users I now had the ability to craft separate policies for my Citrix users rather than defining it by the particular server they were on (AD agent and Citrix / TS agent part of the deal with the PA device) which was very nice (they used Bright Cloud for the content filtering at the time I had it, may still).

I was concerned about putting all my "eggs" in one basket as well, however the eggs were new to us anyways (URL, Antivirus, SSL VPN, etc) and I was glad to have one vendor to deal with.  Sometimes being at one person's mercy is as good as or better than being at several folks'.  If it were up to Cisco we'd be at their mercy solely (ASA, IronPort, IPS, etc).  As far as support goes I used several lines: the reseller who installed the device for us, their actual technical support (which was 24/7 by the way), and their user forums (lots of config docs there).  I got help when I needed it from all three sources.  I did have to wait a while for a 64 bit Citrix / TS agent, however it came out within the timeframe support said it would and it worked without a hitch.  Something to note, the URL and Antivirus options are subscription based in addition to the firewall price, so if you have those solutions in place already you don't need to buy them if you want to keep using them.

In regards to the SSL VPN capabilities, I found them a little lacking as well.  I didn't have the issues described above, however it's a very basic client based VPN only, no office portal type capabilities.  With that said you do get almost unlimited (limited by device model) usage for free (no per client licensing), well, it's part of the overall price that is.  To me that capability definitely seems like an add-on rather than something that was designed with the whole device.  However I would think a Juniper or even SonicWall could fill that gap if it was needed.

The Camry versus Rolls argument actually seems valid to me. I do think the PA is a better firewall overall than the ASA, however if you've already got an investment in those other services (IPS, Gateway Antivirus / Malware, URL / Content) something like an ASA might be the best option if all you need is a firewall.  Palo Alto has recently expanded their product line to include the PA 200 (smallest model, next is the PA 500, 2020, 2050, etc).  However having a PA device doesn't exclude you from using an ASA 5505 at your branch offices, if all you need is a Site to Site type VPN.

I would say at a minimum they are worth a serious look: read their public docs, watch some of the demos, schedule a demo to get specific questions answered, get an eval unit. These seem like fairly easy things to do.

I have been using the PA's for two years now (not by choice). I do have to say the PA's have a better user interface compared to the ASA, and that is about it. Their phone support is lacking; I have waited more than 4 hours for a call back, nor is there a way to escalate a case over the phone, it has to be through email, which doesn't help if your firewall is down. PA's response to me on escalating a case over the phone: buy an air card so you can escalate through email. Also my PA's are running at 75% CPU usage with 90K connections, where my ASA has 8M connections and the CPU is running at 20%. All in all the PA's are for small businesses that cannot hire a truly trained firewall staff.
