We use ASAs and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Anyone ever used a Palo Alto firewall? I can't find any comparison documents. I know the sales guys will say Palo Alto firewalls are better than Cisco because...... I need some backup for Cisco.
I, too, as someone stated above, support both ASAs and PANs. I own PA-500s, two in an ACTIVE-PASSIVE configuration, one stand-alone at our DR site.
At first, I thought PANs were going to be the answer to all my prayers in terms of handling stateful packet inspection, packet signature inspection, application categorization and identification. If the firewalls worked, it would be unbeatable, and something Cisco hasn't even come close to matching.
However, we purchased these PA-500s 6 months ago, and I still don't have them 100% in production. I'm so busy finding bugs, identifying them, documenting and researching over GOTOMEETINGS with tech support people, they are driving me nuts. Bugs that I have personally found and identified to PAN are:
1) ACTIVE-ACTIVE not supported on PA-500s. A design issue they found after they sold them to me. They stopped saying that on their website, by the way. We found out after we bought them.
2) HIGH-AVAILABILITY bug created havoc for me initially until they fixed it in 4.1.9. They came out with 4.1.9-H1, then -H2 within 5 days after that. Crazy...
3) CAPTIVE PORTAL issues surrounding USER ID agents: they don't work without serious tweaks to work around the problems as they relate to TERMINAL SERVERS and the /ADMIN switch. They had me create work-around rules to compensate for the bug, later identified as a design flaw that they admittedly stated they have no intention of fixing.
4) Upgraded the firewalls to 5.0.0, then 5.0.2, hoping to save me some work. WHAT A FRICKEN MISTAKE!!! Not only is there a bug that overutilizes the CPU by 300% (calculated and determined in logs and memory dumps at the CLI), but that was three weeks ago. I told them I had the problem and that I needed the fix ASAP! Found out today: two more weeks. Crap...
5) TODAY, found another bug. If you apply either SERVICE (SSL) or APPLICATION (TEAMVIEWER) variables to a custom URL CATEGORY, it treats the rule as an OR for each variable instead of AND. Why is that a problem? Well, anything needing SSL starts using this rule and because the URL CATEGORY doesn't match, the APPLICATION TYPE cannot be defined and you get an "INCOMPLETE", thus creating crappy BROWSER experiences and weird errors and delays.
A) NAT is HORRIFIC configuring!
B) VPN is a NIGHTMARE to configure. The client is a joke!
C) Don't get me started on BGP routing and what I had to do to get that to work!!!
My final opinion: Palo Alto Networks sells a product that is no different than buying a piece of software and having it claim itself a firewall that lives on a dedicated box. Yeah, ASA has software, but it does what it does well, and doesn't try to be a WEB FILTER or DLP solution. It leaves that for other products that complement it, i.e. CISCO IRONPORT WSA. We already own CISCO IRONPORT ESA. I should have gotten the WSA instead. MAN....
Anyway. PAN, if it worked, would be unbeatable. But Palo Alto Networks has a TREMENDOUSLY poor application development department change-control process. They are non-responsive, and treat hurting customers as nothing. Will NEVER recommend this product to anyone.
Trying to figure out now how to send them back and get my money back. Fat chance, but I'm hopeful...
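As an added illustration (not code from the post above or from Palo Alto Networks), here is a toy first-match policy evaluator that models the criterion semantics the poster describes in point 5: correct rules require every specified criterion to hold (AND), while the reported bug lets any one criterion suffice (OR). The rule names, category names and sessions are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass(frozen=True)
class Session:
    """One flow as the firewall sees it (constructed sample data)."""
    service: str       # service object, e.g. "ssl" or "http"
    application: str   # application identification result; "incomplete" = not yet identified
    url_category: str  # URL category, including custom ones


@dataclass
class Rule:
    name: str
    action: str
    services: Set[str] = field(default_factory=set)
    applications: Set[str] = field(default_factory=set)
    url_categories: Set[str] = field(default_factory=set)

    def checks(self, s: Session) -> List[bool]:
        """Evaluate only the criteria the rule specifies; an empty set means 'any'."""
        out = []
        if self.services:
            out.append(s.service in self.services)
        if self.applications:
            out.append(s.application in self.applications)
        if self.url_categories:
            out.append(s.url_category in self.url_categories)
        return out


def match_and(rule: Rule, s: Session) -> bool:
    """Correct semantics: every specified criterion must hold."""
    return all(rule.checks(s))


def match_or(rule: Rule, s: Session) -> bool:
    """Buggy semantics described in the post: any one specified criterion suffices."""
    c = rule.checks(s)
    return any(c) if c else True


def first_match(rules: List[Rule], s: Session,
                matcher: Callable[[Rule, Session], bool]) -> str:
    """Top-down first-match evaluation, as firewall rulebases do."""
    for r in rules:
        if matcher(r, s):
            return r.name
    return "default-deny"


def overmatches(rules: List[Rule], sessions: List[Session]) -> List[Session]:
    """Sessions that land on a different rule under OR than under AND: the blast radius of the bug."""
    return [s for s in sessions
            if first_match(rules, s, match_or) != first_match(rules, s, match_and)]


# Constructed rulebase: a custom URL category for a remote-support tool, then general browsing.
RULES = [
    Rule("allow-teamviewer", "allow", services={"ssl"}, applications={"teamviewer"},
         url_categories={"custom-remote-support"}),
    Rule("allow-browsing", "allow", services={"http", "ssl"},
         url_categories={"news", "business"}),
]

# Constructed sessions.
S_TV = Session("ssl", "teamviewer", "custom-remote-support")
S_NEWS_TLS = Session("ssl", "incomplete", "news")     # TLS handshake to a news site, app not yet identified
S_GAMBLING = Session("http", "web-browsing", "gambling")

if __name__ == "__main__":
    for s in (S_TV, S_NEWS_TLS, S_GAMBLING):
        print(s, "AND ->", first_match(RULES, s, match_and),
              "| OR ->", first_match(RULES, s, match_or))
    print("over-matched:", overmatches(RULES, [S_TV, S_NEWS_TLS, S_GAMBLING]))
```

Under OR semantics the unidentified SSL session is swallowed by the TeamViewer rule, and the gambling session is permitted by the browsing rule on service alone, which is why a rulebase audit should test sessions that satisfy only one criterion of each rule.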
Are these Palo Alto firewalls stateful firewalls?
Three kinds of Firewalls:
1. Packet Filtering
3. Stateful Firewalls
Cisco's ASAs fall into the category of stateful firewalls, which is the best category since they are the fastest and most secure, because they maintain state tables. Besides, the ASAs are very robust not only in firewalling but in VPNs, IPS and content filtering.
You have the option of failover and redundancy.
You can use the MPF Framework to manipulate more deeply the handling of lots of application protocols.
Cisco ASA is All-in-one Security Appliance (not only Firewall)
There are a lot of advantages in using Cisco ASA.
Find out exactly what the Palo Alto equipment does, and we can work out the relevant differences.
I manage a government account, so before any man-and-his-monkey can talk to us we ask the mandatory question: Is the product listed in the Common Criteria?
How much Palo Alto firewall technical knowledge can you find in the market? Is someone going to be trained to use this? How about support from Palo Alto, particularly EoS?
Our organization is currently looking to replace Sidewinders because they are EoS. Unlike Cisco, who still provide some limited support, we are getting nowhere with McAfee.
I don't know what model or specifics your boss has in mind, but be aware that if all-in-one (firewall, IPS and IDS) is what is being considered, think about the hardware limitation. Nearly all manufacturers (except Cisco) claim that they have an all-in-one that can push 10Gb. All I can say (unless someone can correct me on this) is that it's really hard to push nearly 10Gb of firewall, IDS and IPS traffic. It has been recommended that, yes, you can push 10Gb of firewall traffic, but your IPS/IDS would ideally be in a separate box.
Hope this helps.
Sorry. I had never heard of these firewalls until today. I looked it up and the spec sheet is pretty impressive.
I would ask the following questions:
1. tech support (their site only says phone support until 7:00 PM PST)
2. warranty and extended warranty
4. this being a startup company, I'd question how many established customers they have.
Seems like it does PBR, which the ASAs do not support.
Palo Alto is an application firewall (Do not confuse it with web application firewalls).
It cannot be compared with the ASA since they are not in the same category. Palo Alto claims that its firewall can inspect https traffic, control which applications can or cannot use ports 80 and 443, IPS, VPN etc. So it does the same things as an ASA plus more.
It has some really good features and I think that you should ask for a trial. The only problem that you are going to face is if you are using custom internet applications that are not listed in Palo Alto's database. In order for the firewall to be able to inspect the app you have to sit together with Palo Alto's developers and build custom rules. This can take some time...
I will be most concerned about the deployment of this type of firewall since it has many similarities with web security gateways.
Yeah, we have Websense servers to control the internet, which are heavily configured, plus the ASAs are heavily configured too, with multiple sub-interfaces, dynamic NATs, multiple VPNs and user VPNs for hundreds of users. Plus we have the IPS module installed and in an active/standby mode with a 2nd ASA.
I've also been asked how we can protect from internal hackers, not based around just port blocking and Windows permissions, something more intelligent.
Use a strict Active Directory policy for your users, use patch management software, not only WSUS, you need to patch your apps also. Use HIPS for your users like CSA, CSA can stop many client-side attacks, use SIEM for your net infrastructure and many more; it depends on what you want to protect.
Palo Alto Networks represents a totally new type of firewall. It supports all the standard port- and IP-based type policy rules you use now, but goes on to enable policies based on applications, users, and content.
The reason this is important is that for the last several years hundreds and hundreds of "Web 2.0" applications have been built to evade standard stateful inspection firewalls either by port sharing or port hopping. And most of the exploits used today to breach organizations are via these applications.
Of course you can put IPS, proxy server, and URL filtering appliance behind your firewall to deal with these applications. But now you have four devices to manage and create policies for. More importantly the range of policies you can implement with Palo Alto is much broader than what you can do with a stateful inspection firewall and a bunch of firewall helpers. For example, you can allow Facebook Wall and email but not games. Or you can restrict Facebook usage to just marketing and sales people using your directory service. Or you could use URL filtering categories to selectively decrypt and analyze SSL sessions. Palo Alto also supports QoS, so you could allow video but restrict the bandwidth it uses.
FWIW, Gartner's 2010 Enterprise Firewall Magic Quadrant was released a few weeks ago, and based on my reading, Palo Alto Networks is the only shipping "next-generation" firewall based on their definition of next-generation. For sure Gartner does not always get it right, but this time they have. And you know the suits listen to Gartner.
Maybe Cisco ought to buy Palo Alto Networks.
Not sure if you are still looking for some differences between the ASA and PA, but I wanted to throw my two cents in. This is coming from someone that used both the ASA and the Palo Alto at the same time.
As many people have stated before, the ASA is by far a fantastic stateful inspection firewall with a little IDS built in. Now if you are a security person, you know that firewalls these days provide a false sense of protection. All ports are being opened for B2B and front end to back end web server communications. We know that nobody will ride port 80 for malicious activity, right?
How does the ASA know what sort of content is within that port 80 traffic? How does it know if it's a torrent transferring PII, PHI or illegally downloaded videos and music?
The Palo Alto gives you a lot more visibility into what is actually going on within your network. You can create the policies to stop the illicit activity no matter what port it's on. If you're smart enough you can even create custom applications to be or not be inspected. If placed inline it will inspect SSL traffic like a man-in-the-middle, but obviously you have to look at performance and privacy considerations.
Palo Alto also gives you the functionality of data loss prevention. With this you can help limit the use of web mail applications by not allowing the uploading or downloading of attachments via these accounts. Not sure about all of you, but I think compliance folks love this feature. Now we can have control over how documents are leaving the network.
To keep this short, if you are looking for security, then the Palo Alto appliance is the way to go. If you are looking for a false sense of security, then stick with the old-fashioned firewalls.
So in case a company already has a web security gateway/proxy, where does PA fit?
I know PA is not a proxy, but is there a way to combine PA's features with a proxy appliance for browsing acceleration?
I am not a fan of all-in-one appliances and I really like PA's features, but from a different point of view I think PA is trying to combine firewalling/IPS/VPN with web security appliance features. Sure, it is a next-gen firewall from that perspective, but what exactly is PA's target? To replace traditional firewalls? Or both firewalls and web security gateways?
PA’s target is protecting your digital assets.
PA has built something that is fundamentally new. All firewalls from Cisco, Check Point, and Juniper are stateful inspection based. A stateful inspection firewall’s session/packet analysis starts by analyzing ports. Considering that there are hundreds and hundreds of applications nowadays that share ports or port hop, and that 80% of the exploits that are causing breaches leverage these applications, stateful inspection firewalls are practically useless.
PA is an “AppFirst” (my term) firewall. AppFirst means that detecting the application of the session is the first task the firewall must perform in order to decide which policy to apply, and if you have the IPS functionality, which vulnerability, anti-virus, and anti-spyware signatures to bring to bear to monitor that application. PA can also support traditional port based policies to ease the transition from Cisco, Check Point, or Juniper. But the key point is that stateful inspection, “PortFirst” policies are useless in protecting your digital assets.
Proxies are of limited value as well as they don’t understand all the applications either.
If you don’t believe this, try putting a PA box behind your existing network security infrastructure for a couple of days to see what you are missing.
Regarding the "all-in-one" issue, I can understand your concerns. These "UTMs" are nothing more than a packaging exercise, i.e. combining a stateful inspection firewall with a few other legacy network security functions. First, it offers nothing in the way of providing better protection. Second, the more functions you turn on, the worse the performance gets. Not so with PA. PA performs the full analysis process in a single pass, so there is no degradation. Of course, PA accomplishes this with specialized hardware. There is no way a standard Intel/AMD server could do this.
Finally, the range of policies you can deploy is much broader with PA. Simply blocking an application like Facebook may not be an option anymore. There are good business reasons for allowing your sales and marketing people access to Facebook. Furthermore, you might want to allow posting to the Wall and doing email but not game playing. How would you implement that with stateful inspection firewalls, IPSs, and secure web gateways?
I went to a presentation by Palo Alto ("PA") some time ago. I was pretty impressed at the time.
They are still a relatively small, unknown player with an impressive product. However they have a number of challenges to overcome. First, they do not have any little firewalls. There is no such thing as an "ASA 5505" equivalent here, or even an ASA 5510. All of their firewalls are designed to handle a lot of traffic and are priced accordingly. Therefore, there is no little firewall they can sell for a low cost for a company to "Get used" to the solution and kick it around. Implementing Palo Alto is therefore going to be seen as a "risk" for a significant outlay of cash (always important in the current economy).
Compounding this problem is that Palo Alto sells their solution as a replacement for "Traditional" firewalls, which they see as inadequate. They have a pretty convincing argument; however, it is basically a Rip and Replace selling strategy. That is going to encounter resistance when there is significant investment already outlaid in current firewalls. The ROI here is that PA has to bring in something really significant and necessary, and most companies, or engineers who like this solution, will probably be looking at a potential IDS (for example) deployment and decide to try to implement PA instead of IDS, getting the funding that way, and then slowly replacing the Traditional Firewalls with the PA.
PA also has an uphill climb when it comes to government (or government-dependent) deployments. As another poster mentioned, Common Criteria is a factor, as well as the myriad of regulations surrounding audits that are already designed for Cisco firewalls (or Juniper), and not for smaller players.
And lastly, as mentioned, PA has Cost issues. They are NOT cheap firewalls. If you have a need for a small firewall connected to, say, a small remote office... PA has no solution there for you (or at least they did not when last I was looking at them). If you are a small company, you will probably not be able to afford the PA Solution (or rather, decide to go for Cisco's "Toyota" rather than PA's "Rolls Royce").
All that said, the PA firewall is extremely powerful, looks easy to manage, and has capabilities that other vendors don't seem to equal right now or require lots of other bolt on solutions. As always, examine your requirements and your budget.
I got some exposure to the Palo Alto firewall back in August 2007 when this product was relatively new. The product has some really good new features but also some downsides as well. We were looking at Palo Alto as a possible replacement for our existing firewalls at the time. When looking at Palo Alto firewalls versus Cisco, Checkpoint and Juniper firewalls, you need to keep these things in mind:
- There are no low-end Palo Alto firewalls. Unless you have a big IT budget, Palo Alto is not for you.
- Day-to-Day operation. It is very difficult to find IT people with good Palo Alto firewall skills. You're pretty much at the mercy of people who are responsible for maintaining your Firewall/security infrastructure. If you use Cisco, Checkpoint and Juniper firewalls, there are a lot more people on the market with these skills. If a firewall engineer leaves the company, that person can be replaced much more easily than someone with Palo Alto firewall skill.
- Vendor support. Cisco TAC support, IMHO, is the best. Checkpoint and Juniper TAC support is also very good. I cannot comment on Palo Alto support because I have not worked with them, but I can comment on Riverbed Steelhead TAC support. It is not as good as Cisco TAC. This is because of the size of companies such as Cisco, Juniper and Checkpoint. The resources are much bigger and better. A small organization cannot provide that.
- Customer base. The number of customers that use Palo Alto is very small compared to Cisco, Checkpoint and Juniper. Therefore, it is much harder to find bugs/issues and the fix may take longer than with other firewall vendors because the customer base is quite small.
There is no doubt that PA is smaller than Cisco. But, like I said in my earlier responses today to trustcisco and dpalmero, if your goal is to protect your digital assets, you need a firewall like PA. Gartner calls it next-generation. If you want the details on that, look for Gartner’s October 2009 research report on next-generation firewalls. While I think we are going to be stuck with the term, “next-generation,” the issue is how packets/sessions are analyzed. I like the term, “AppFirst” because it’s technically meaningful. All firewall vendors are going to start using the term "next-generation" because Gartner is.
The question is, does your firewall first discover the application of the session and then execute policies based on the application (preferably in a single pass)? Second, does the firewall continue to monitor the session looking for changes in the application and react to those changes? Third, does it do this at speed with low latency?
As to support issues, I think PA has gotten to the size (1,100 customers) that you can probably find people you know who are using PA now and ask them. BTW, many of them are using PA in conjunction with (behind) Cisco, Juniper, or Check Point. So rip-and-replace is surely not the only deployment strategy.
We are going to replace our existing firewalls next year and I am going to check out the Palo Alto firewall as a possible replacement by looking at it again.
When I first looked at it in 2007, the customer base for Palo Alto was less than 10 customers, and the management piece for Palo Alto, Panorama, was pretty lousy and sluggish at the time. Maybe the product has had a lot of improvements since.
I will say that if I interview someone for a Firewall Engineering position, there is about 100% probability that he or she knows Cisco, Juniper or Checkpoint firewall technologies. I've NOT met anyone with extensive experience with Palo Alto firewalls yet. That makes management nervous about replacing existing firewalls with Palo Alto firewalls.
Last but not least, your comment regarding "if your goal is to protect your digital assets, you need a firewall like PA" is very misleading.
Your "digital assets" can be protected via IPS and, most importantly, Data Loss Prevention (DLP) devices.
Please review my response to trustcisco from this morning. PA brings something truly new to the table – it can actually protect your digital assets. Traditional stateful inspection firewalls are practically useless in the face of the hundreds and hundreds of port sharing and port hopping applications which most exploits are leveraging to gain access to your digital assets.
Regarding PA being unknown, I would say their appearance as a Visionary on Gartner’s 2010 Enterprise Firewall Magic Quadrant is going to change that. Furthermore, if you analyze what Gartner wrote about PA and the other firewall manufacturers, it’s clear that PA is the only one that meets Gartner’s next-generation firewall criteria.
As to Rolls Royce, I would beg to differ. For most mid to large organizations, PA is going to save you money. First, there is appliance consolidation: firewall, IPS, proxy server, and URL filtering. Second, there is policy management simplification and improved responsiveness to the business units we serve.
In conclusion, Cisco's next firewall must be AppFirst.
Thanks for your answer Bill, I have read on PA's website about https inspection. Is it true? And if yes, what is the technology used to inspect encrypted traffic?
I've just been through the process of looking at our corporate firewall replacements. To sum up, we currently run about 50 clusters of ASAs with AIP SSM-10 and 4 corporate Checkpoint clusters. It's the Checkpoints we are looking to replace.
My view of the PA units are:
Well thought out design (built ground-up to do its job).
Easy to Manage.
Layer 7 Firewalling - really will be the future IMO.
As with Cisco, I think you can believe the throughput stats.
No certification full stop! fips / common criteria all missing.
Support and lack of advanced training.
It's quite often sold as a proxy server. PA needs to ensure that this practice does not happen, as all it is on that basis is a URL filter (US based). We wouldn't call the ASA a proxy server.
Its IPS/IDS credentials still need further testing in the marketplace.
On a side note, with Checkpoint's recent buy-in to the Facetime database and soon to be released (2010) "application blade", the primary feature of the PA units becomes shared with one of the big firewall players. In fact it's useful to note that whilst PA has approx 950 apps in its database, Checkpoint will soon have in excess of 5000 apps available to firewall with. Of course it could be said that the PA unit has better throughput....
But if I install Checkpoint on open server platform I can out-perform even the biggest PA unit.
Cisco and Juniper are both playing catch up on the layer 7 firewall at this time. Although it needs to be noted that the Juniper SRX platform is still buggy (move from ScreenOS to JUNOS).
I think possibly the delay from Cisco may have been the emphasis on the server market the last couple of years. Nonetheless I would expect Cisco to soon catch up and provide us all with a true NGFW that covers all our needs alongside the current IPS/IDS. Hoping, at least.
End result: I'll put an ASA5520 with SSM-20 facing the internet, a Checkpoint cluster with IPS blade with DMZ to McAfee Webwasher, then the internal network.
Apologies trustcisco, the PA units use a fairly simple man-in-the-middle approach to decrypt and inspect https traffic. Nothing new; Webwasher can cover this in our deployment.
Ben, Let me respond to your April 30 post by topics including Policy Management, Fine Grained Application Control, Intrusion Prevention, Latency, QoS, Internal Network Management, Market Acceptance, and Gartner's next-generation firewall analysis. If your organization were to issue an RFP, I believe these topics would be included.
Policy Management - Your Cisco/CheckPoint/Facetime/McAfee solution has a minimum of three points of policy management - Cisco, Check Point, and McAfee. Since the Facetime piece is not shipping yet, it's hard to know what the user interface will be for that. Palo Alto Networks provides a single, unified policy management interface. This will save time/money and enable faster response to business requirements. Depending on the size and complexity of your organization this could be significant.
More specifically, you will still need to manage IP- and port-based rules on the ASAs and probably on the Check Points. PAN will allow you over time to reduce, if not eliminate entirely, IP- and port-based policies. This will dramatically reduce the number of rules needed to implement policies and also enable auditors to more easily determine if the firewall rules actually reflect the organization's policies.
Fine grained application control - While Facetime may have more applications identified, PAN provides more fine grained control of major applications like Facebook. Facetime's Application Guide lists Facebook as one application. PAN's Applipedia shows Facebook, Facebook-apps, Facebook-chat, and Facebook-mail. Therefore you could build a PAN rule allowing Facebook mail and chat but not apps like FarmVille or MafiaWars. This is especially important if your organization wants sales and marketing to interact with Facebook's 400 million users, but not to waste time on games. Furthermore you could allow Facebook-mail but no attachments. We'll see if the CheckPoint/Facetime solution will have this fine grained control. Also, will the CheckPoint/Facetime solution support SSL decryption? If so, what will the performance hit be?
Intrusion Prevention - While Facetime may have more applications identified, how will this be integrated with the intrusion prevention technology Check Point acquired from Network Flight Recorder? When PAN identifies an application, it only checks the vulnerability signatures associated with that application (and of course those related to the underlying protocol). This approach means you don't have to manually "tune" the IPS. My final point on this - put PAN behind Cisco/CheckPoint/Facetime/McAfee and see what additional visibility it provides.
Latency - Your Cisco/CheckPoint/Facetime/McAfee solution could require four or more passes in each direction. PAN is a single-pass process no matter how many features you turn on. PAN's appliance is not a standard Intel server architecture, but specifically built to provide low latency.
QoS - PAN enables you to allocate bandwidth based on application or application category. Will the CheckPoint/Facetime solution? And how will you manage QoS among the Cisco, CheckPoint/Facetime, and McAfee components?
Internal network management - PAN's higher throughput capabilities will allow you to use it for internal segment application and user control. For example, you could create a policy restricting access to financial databases to only those groups (as defined in your directory service) who need access. And PAN enables you to create multiple virtual firewalls to simplify policy management. While Check Point has this capability, I believe it's only on their high-end VSX models.
Gartner analysis - In Gartner's 2010 Enterprise Firewall Magic Quadrant report, PAN is the only firewall that meets the next-generation requirements it established in October 2009. Your point about Cisco and Juniper catching up - perhaps in a couple of years. But don't assume that PAN will stand still. Also, you surely realize that Cisco and Juniper are really focused on bigger markets than security.
Advanced Training - It is my understanding that PAN does now have advanced training.
Support - The feedback I've gotten from customers, while anecdotal, is very positive.
Market acceptance - I believe that PAN has over 1,300 customers now. While still small compared to Cisco, Check Point, and McAfee, it's significant. In fact, let me put this in the context of the "technology acceptance curve." PAN has passed the Early Adopters phase and is now selling into the Early Majority. Organizations who are culturally Late Majority may not be ready for PAN at this time. I don't say this in a judgmental way, but how would you rate your organization?
In closing, at the end of the day, your choice really depends on how you and others in your organization weight the topics I discussed above. I would be glad to continue the discussion off line. I am not a PAN employee.
I have worked with PIXes and ASAs for years and for a few weeks I have had the chance to evaluate a Palo Alto box. Of course the application visibility is something that is unique and stands out.
However, if I want to replace one of my PIX/ASAs with Palo Alto I also have to compare the regular functions like access rules, NAT, VPN and how to configure them. I have tried to configure an IPSec VPN, however I haven't succeeded yet in making it work, although I followed the Palo Alto Administrator's Guide exactly. It all looks quite tedious and not logical to me. Of course this could be because of my "Cisco look". Another example: making a NAT exemption is not clear to me and the PA Administrator's Guide doesn't mention this at all. The Palo Alto Guide on the whole is not as elaborate as the Cisco Configuration Guides are. Also the logging and debugging is not as extensive.
I went to the presentation of Nir Zuk and was very enthusiastic about the concept. Nevertheless I recommend everyone to try and get an evaluation box and experience every aspect for yourself. I still think application visibility is a necessary step in the evolution of firewalls.
Sr. Technical Consultant
I've been using PIXes and ASAs now for a long time and I'm very disappointed in the latest ASA software (8.3). We're evaluating the Palo Altos right now and I can tell you it's a dream compared to the ASA. Great management interface, very straightforward configuration for most stuff, pretty intuitive interface etc. And the reporting and Layer 7/IDS functionalities are just awesome. We're considering replacing all our ASAs with the Palo Alto units. I would definitely recommend you guys at least look at them and do an eval.
Thanks Thaer this is useful feedback.
It's interesting that there is a conflict between having "one throat to choke" and "eggs in one basket". I think that from a security perspective it's ideal to have a dual-vendor solution and implement security in layers.
I like Palo Alto's vision and view of the future, but my main concerns with them are:
1) No relatively small firewall (say like a 5505) that can be used to implement a gradual implementation
2) Cost is much higher, so the entry into this space is relatively prohibitive compared to the established vendors
3) Relative immaturity of product as some have said with VPN and other functionalities.
However I will continue to investigate them as time moves on to see how they evolve.
I've used the PA 2050 model at a previous employer and liked it very much. We replaced an ASA5510 with the device. When we started looking at the Palo Alto device we were looking to add a gateway security appliance (Antivirus, Malware, URL / content filtering) to the network and I stumbled across the PA devices. I looked at Websense right away however to make it work in our environment (heavy Citrix Xen App shop) it was going to be very expensive (not that the PA's aren't).
I did the PA web demos and got an eval box, then made the decision from there. I won't say it was extremely easy to manage; however, it was better than the ASA in my opinion, and I am by no means a PIX / ASA expert (I would even classify myself as lower middle on skill set). I was able to move all of my existing functionality over (VPNs etc.) as well as adding more capabilities (URL and Antivirus). I never realized how many people had that stupid coupon toolbar thingy installed... With my Citrix / TS users I now had the ability to craft separate policies for my Citrix users rather than defining it by the particular server they were on (AD agent and Citrix / TS agent are part of the deal with the PA device), which was very nice (they used Bright Cloud for the content filtering at the time I had it, may still).
I was concerned about putting all my "eggs" in one basket as well; however, the eggs were new to us anyway (URL, Antivirus, SSL VPN, etc.) and I was glad to have one vendor to deal with. Sometimes being under one person's mercy is as good as or better than being under several folks'. If it were up to Cisco we'd be under their mercy solely (ASA, IronPort, IPS, etc.). As far as support goes, I used several lines: the reseller who installed the device for us, their actual technical support (which was 24/7, by the way), and their user forums (lots of config docs there). I got help when I needed it from all three sources. I did have to wait a while for a 64-bit Citrix / TS agent; however, it came out within the timeframe support said it would, and it worked without a hitch. Something to note: the URL and Antivirus options are subscription based in addition to the firewall price, so if you have those solutions in place already you don't need to buy them if you want to keep using them.
In regards to the SSL VPN capabilities, I found them a little lacking as well. I didn't have the issues described above; however, it's a very basic client-based VPN only, no office portal type capabilities. With that said, you do get almost unlimited (limited by device model) usage for free (no per-client licensing); well, it's part of the overall price, that is. To me that capability definitely seems like an add-on rather than something that was designed with the whole device. However, I would think a Juniper or even a SonicWall could fill that gap if it was needed.
The Camry versus Rolls argument actually seems valid to me. I do think the PA is a better firewall overall than the ASA; however, if you've already got an investment in those other services (IPS, Gateway Antivirus / Malware, URL / Content), something like an ASA might be the best option if all you need is a firewall. Palo Alto has recently expanded their product line to include the PA 200 (smallest model; next is the PA 500, 2020, 2050, etc.). However, having a PA device doesn't exclude you from using an ASA 5505 at your branch offices, if all you need is a Site-to-Site type VPN.
I would say at a minimum they are worth a serious look: read their public docs, watch some of the demos, schedule a demo to get specific questions answered, get an eval unit. These seem like fairly easy things to do.
I have been using the PA's for two years now (not by choice). I do have to say the PA's have a better user interface compared to the ASA, and that is about it. Their phone support is lacking: I have waited more than 4 hours for a call back, nor is there a way to escalate a case over the phone; it has to be through email, which doesn't help if your firewall is down. PA's response to me on escalating a case over the phone: buy an air card so you can escalate through email. Also, my PA's are running at 75% CPU usage with 90K connections, where my ASA has 8M connections and the CPU is running at 20%. All in all, the PA's are for small businesses that cannot hire a truly trained firewall staff.
I've purchased, installed, and/or migrated to/from PIX, ASA, Checkpoint/Nokia/Crossbeam/Solaris/SPLAT, Netscreen, JuniperSRX, and PaloAltoNetworks.
Some of them have advantages over others for sure, depending on what you want to do, especially when some migration has to occur; you find out who's the easiest to manage and who's the nightmare.
PaloAlto is by far the easiest, cheapest, most enjoyable box to use.
With one Palo box you can replace IPS, VPN, firewall, and proxy at a fraction of the cost.
The fastest IPS in existence is only 20Gbit, being Sourcefire, which will cost you $400k for a cluster; PaloAlto is $90k and you get more than just an IPS.
The entire configuration (rules, objects, users, interface IPs) is located in one editable text file. Try that with Provider-1 or some Linux firewall, no chance. And it's not ugly like a FreeBSD firewall, yuck.
When using stateful, primitive firewalls you are not protected, your customers are not protected, because ports and protocols don't matter anymore; with protocol tunneling and other evasive apps, ASA and all the older firewalls have no idea what is happening.
IPS products have the same limitation: they are watching for a port to determine the application, to which they then apply a signature or filter.
PaloAlto is as easy to use and configure as a Netgear router that you get from Best Buy. I've deployed one out of the box in 5 minutes; no other firewall can that happen with.
When you look at documentation you find ASA has 50 pages just for HA configuration!! PaloAlto is 9 pages, and really only 2 pages that are relevant to active/standby, because it's that easy! You just check some boxes and go.
Most firewalls require years and years of practice and a team of people that basically have to have a bachelor's degree in the product (ASA or Checkpoint) to be able to do a deep dive and troubleshoot the thing, which is why security pays so well, I guess.
NSS labs highest rating for an unconfigured firewall speaks volumes of a real test, not like gartner which is a popularity contest.
Worst firewall ever: JuniperSRX. Take Netscreen, whose CLI guide was 6000 pages, and grow that 4 times. Incredibly complex; I went back to CLI management instead of GUI for ease of policy modification. Why make it so hard and make you get a degree in the product just to be able to manage it? I will never use one of those again.
ASA cannot do app inspection. For instance, just recently I had to disable SQLnet inspection on a 5540 because developers were running a job that was failing after 8 hours; once I disabled that inspection the job finished in 30 minutes! That means ASA cannot inspect traffic like you would want, not even one app! PaloAlto can inspect all apps all the time on all ports with no performance hit. The magic of the product is a total redesign and ignoring ports and protocols, enabling them to focus their ASICs in another area.
Checkpoint can't do app inspection either; if you tried to turn on SmartDefense the firewall crumbled, and what are they looking at anyway, to see if the right flags are set in the TCP header? That's not inspection as far as I'm concerned.
Whoever mentioned PBR: no firewall supports asymmetric routing.
I just found this article and learned a couple more things even: http://josteinnymoen.files.wordpress.com/2011/02/fact_v_fiction_competing_with_checkpoint_applicationblade.pdf
If you're like this UNIX admin I met once, you might like primitive-looking old-style CLI firewalls (I'll bet he doesn't surf the internet via command line); the guy wanted it to be as painful as possible because that's what he was used to. Well, I got used to black and white TV, but I'm not going back and leaving my high-def TV/PaloAlto firewall now for nothing!
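For the SQLnet inspection point in the post above, this is an added ASA CLI example (not the poster's configuration) showing how to confirm that sqlnet inspection is active in the default global policy, remove only that one inspection, and verify the result; the ASA policy and class names are the platform defaults, and the interface name "inside" is an assumption.

```cisco
! Step 1: confirm sqlnet inspection is applied by the default global policy
! (inspection_default matches the default inspection ports, sqlnet = TCP/1521)
show running-config policy-map global_policy
show service-policy inspect sqlnet

! Step 2: remove only the sqlnet inspection; every other inspect line stays
configure terminal
policy-map global_policy
 class inspection_default
  no inspect sqlnet
 exit
exit
end

! Step 3: verify that sqlnet no longer appears in the applied policy, then
! watch the Oracle connections while the batch job runs. Connections to the
! listener on 1521 are still permitted statefully; only the SQL*Net payload
! parsing (and its dynamic pinholes for redirected listener ports) is gone.
show service-policy global
show conn port 1521
write memory
```

Because the inspect engine was what opened pinholes for Oracle listener redirects, any redirected data ports (assumed here, not on the page) must now be permitted explicitly in the interface ACL after this change.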
Nate - are the palo units now fully fledged proxy servers as well?
It obviously won't be anywhere near as good as the palo's! But either way just to ensure a fair playing field:
Our end solution (ASAs, Checkpoints, McAfees) is working very nicely, btw.
Also nice to know that we have a multi-vendor set-up which is solid from a security perspective.