Palo Alto

Bl8ckr0uter

Anybody work with any of there gear?

down77

I have a few clients with some of their gear and they all rave about it. With that being said I have yet to configure/play with any of their gear myself.

L0gicB0mb508

I've never touched it, but my co-worker used to admin some of their stuff and he loved it.

Bl8ckr0uter

Cool. I will be rolling one out sometime next month.

Everyone

The job I'm leaving has had a couple of the big boy Palo Alto firewalls for over a year now I think. Network Engineer is taking his sweet time implementing it. It was supposed to replace both an old ISA 2004 firewall, and a crappy iPrism web proxy. The only thing he's managed to put into production off of it, is the SSL VPN, replacing an old Cisco VPN. He seems to spend more time playing around with pfsense for other little projects. It's a shame, I would have liked to see it in action before I left.

Bl8ckr0uter

Everyone wrote: »

The job I'm leaving has had a couple of the big boy Palo Alto firewalls for over a year now I think. Network Engineer is taking his sweet time implementing it. It was supposed to replace both an old ISA 2004 firewall, and a crappy iPrism web proxy. The only thing he's managed to put into production off of it, is the SSL VPN, replacing an old Cisco VPN. He seems to spend more time playing around with pfsense for other little projects. It's a shame, I would have liked to see it in action before I left.

Hey don't hate on pfsense man, those are fighting words (current pfsense user, at home anyway).


I have been trying to find more info about them but I haven't been able to turn up much about them at least not admin type stuff.

Everyone

Bl8ckr0uter wrote: »

Hey don't hate on pfsense man, those are fighting words (current pfsense user, at home anyway).


I have been trying to find more info about them but I haven't been able to turn up much about them at least not admin type stuff.

Not hating on pfsense, I think pfsense is great. Just annoyed that the Palo Alto stuff has been sitting around for over a year and hasn't replaced the overloaded ISA and iPrism crap like it was supposed to.

Bl8ckr0uter

Everyone wrote: »

Not hating on pfsense, I think pfsense is great. Just annoyed that the Palo Alto stuff has been sitting around for over a year and hasn't replaced the overloaded ISA and iPrism crap like it was supposed to.

I can understand that.

Bl8ckr0uter

I am going to bump this again. It is a palo alto 500 firewall, apparently it is their entry level firewall. Anyone work with these?

unclerico

I have a 2050 for my perimeter firewall and a 4050 in my core doing IPS. Hands down the best frigging firewall I've configured/used. It takes some getting used to, but they are bad ass boxes. They did it right and built them from the ground up with them being application layer firewalls. You won't find any bolt-on junk like you see with a lot of other vendors which results in overall throughput and performance taking a crap. I believe they are in their own class in Gartner reviews now as well.

Bl8ckr0uter

unclerico wrote: »

I have a 2050 for my perimeter firewall and a 4050 in my core doing IPS. Hands down the best frigging firewall I've configured/used. It takes some getting used to, but they are bad ass boxes. They did it right and built them from the ground up with them being application layer firewalls. You won't find any bolt-on junk like you see with a lot of other vendors which results in overall throughput and performance taking a crap. I believe they are in their own class in Gartner reviews now as well.

Have you in suggestions for learning the interface?

Geek1969

We have had one in prod for almost a year now at a remote site and will be replacing an ASA 5510 with a high availability pair of PA-500's in the next two weeks. The interface isn't too tough to learn, but it does take some getting used to. Our company sent two of us to a 3-day Palo Alto training class in May. I'll be working on the config this week. As far as learning the interface.....there is an Administrators guide available on their site under "support" if you are a registered user. Google is always useful also. The current guide is version 4 as far as I know.

it_consultant

Bl8ckr0uter wrote: »

Anybody work with any of there gear?

If you can afford them they are the firewall to get. I have used several and love them, its tough to get people to shell the money for them though. Light years ahead of Cisco, Juniper...maybe only one light year ahead of Checkpoint.

Bl8ckr0uter

it_consultant wrote: »

If you can afford them they are the firewall to get. I have used several and love them, its tough to get people to shell the money for them though. Light years ahead of Cisco, Juniper...maybe only one light year ahead of Checkpoint.

Wow...


I have a palo alto 500 that I need to set up next week. Should be fun, as soon as I get this other issue figured out...

Ahriakin

it_consultant wrote: »

If you can afford them they are the firewall to get. I have used several and love them, its tough to get people to shell the money for them though. Light years ahead of Cisco, Juniper...maybe only one light year ahead of Checkpoint.

They are ahead in some areas, behind in others. For carrier level they are a no-no, they don't have the raw packet pushing capacities needed (and some essential features). But if I was back in Enterprise land I'd definitely consider them, for identity and content/application based firewall they're a clear market leader (In fact I have a 5060 in our lab ready for some testing for non-customer traffic functions).

it_consultant

Ahriakin wrote: »

They are ahead in some areas, behind in others. For carrier level they are a no-no, they don't have the raw packet pushing capacities needed (and some essential features). But if I was back in Enterprise land I'd definitely consider them, for identity and content/application based firewall they're a clear market leader (In fact I have a 5060 in our lab ready for some testing for non-customer traffic functions).

In enterprise-land the best thing from my perspective is the reporting. I can give pretty graphs to non-techs which make sense to them and makes me look good. Internal application control exists in other products and layer 7 firewalling also exists with other vendors, ease of use with these things is so very nice. Esp if you have worked on an IBM Proventia system or something.

Bl8ckr0uter

If the field test is to my bosses liking, we may be moving to these (well a couple of models up) which is really making me feel nervous about a CCNP:Security lol. We will see!

Bl8ckr0uter

So I'm just curious but is anyone here Palo Alto certified?

Zartanasaurus

Getting a WebEx demo from Palo Alto next week. Really looking forward to that and the Checkpoint demo. Hoping they don't come in too expensive as I'd like one of them or a Juniper FW in our new data center.