Palo Alto
Palo Alto firewalls, any feedback would be helpful! Good, bad, ugly...
Comments
-
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
I have heard great things but have never actually touched one. That being said, I am also quite interested in people's hands-on experiences with Palo Alto. -
ColbyG Member Posts: 1,264
cisco_trooper wrote: »I have heard great things but have never actually touched one.
Same here. I'll get some time with the gear soon though, I have some training coming up. -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I have used them (not in production). They are pretty decent boxes. They are very capable devices and the CLI is very Cisco-like. -
unclerico Member Posts: 237 ■■■■□□□□□□
I'll sing it from the frigging mountain top, Palo Alto is fantastic. I'll never be able to go back to a traditional firewall again due to the visibility that these bad boys give to you. The only thing that PAN needs to work on is the SSL VPN piece because it is pretty much terrible. Strike that, there is actually a second thing that they need to work on, and that is the amount of time it takes to commit a configuration. Any change, no matter how small, requires a complete re-parsing of the entire XML file, which can take upwards of 1 1/2 minutes, so when you're new to the devices and are making frequent changes it gets really annoying really fast. The frustration goes away when you are more experienced and know what changes need to be made. Do a POC with one and you'll see for yourself.
Preparing for CCIE Written -
docrice Member Posts: 1,706 ■■■■■■■■■■
Thanks for the insight. I'm actually meeting with Palo Alto Networks tomorrow. Configuration changes requiring a minute or two to go live concerns me as that can get operationally expensive when you're working on an issue. It reminds me of Check Point where you have to push changes and wait for it to complete. Another issue I hear is that finding hit counts on a rule set isn't like the ASA. Do you have any experience with the IPS functionality? How good is the company when it comes to keeping up with application behaviour changes? How about rate-limiting capabilities on a per-application basis?
Are there any other comparable firewall vendors in the so-called next-gen space? I've been told both HP TippingPoint and Sourcefire are working on theirs, but I'm not in the mood to beta test.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/ -
unclerico Member Posts: 237 ■■■■□□□□□□
docrice wrote: »Thanks for the insight. I'm actually meeting with Palo Alto Networks tomorrow. Configuration changes requiring a minute or two to go live concerns me as that can get operationally expensive when you're working on an issue. It reminds me of Check Point where you have to push changes and wait for it to complete. Another issue I hear is that finding hit counts on a rule set isn't like the ASA. Do you have any experience with the IPS functionality? How good is the company when it comes to keeping up with application behaviour changes? How about rate-limiting capabilities on a per-application basis?
Are there any other comparable firewall vendors in the so-called next-gen space? I've been told both HP TippingPoint and Sourcefire are working on theirs, but I'm not in the mood to beta test.
Preparing for CCIE Written