What is it with Palo Alto Networks?

What the heck is it with Palo Alto Networks? I have said before they seem more like a cult than a firewall manufacturer. I have observed reasonable companies spend two to four times what a comparable Juniper, Cisco or Fortinet would cost, so they can have that special Palo Alto love. I have seen people adamantly refuse to even look at competing products once they get a taste of those sweet Palo Alto boxes. Palo Alto Networks seems to walk on water and deliver unto the faithful the warming glow of a super cool firewall.

While my hands-on experience with their devices has been mostly positive, I am skeptical of any technology that seems “too popular.” Palo Alto’s rise up the firewall stack is rather baffling. Moreover, the buzz around them is downright scary. Are these people going to be relocating to a jungle compound soon? Will they be handing out Kool-Aid soon? (Maybe it will be Kool-ID.)

Let’s start with the raw specifications. Their devices pass traffic and have decent throughput speeds. They scale from small to large with reasonable ease. They do IPS and web filtering, and all the normal unified threat management (UTM) type of stuff (or Next-Generation Firewall, NGFW, in their parlance). Okay, cool. They also tout their AppID stuff, which lets them pick out applications among network traffic. Okay, that is cool. But it’s not unique. Lots of other products do that. They can inspect SSL traffic. Cool; so can a Fortinet or a Blue Coat, for that matter. Hmmm, technically they have good specs, but nothing unique.

Okay, so in the raw specs, they’re a UTM / NGFW. Great. So what makes people spend 2X for them?

Let’s take a look at the company. Solid people and investors. Nir Zuk is a smart guy if a little self-absorbed. But who isn’t? The board is all seasoned people. They have Greylock, Sequoia, and Globespan. All good investment firms with respectable portfolios. But again, nothing earth-shattering there.

Then I read this on their website… and it all became clear:


Here are some of the unique capabilities available only in next-generation firewalls from Palo Alto Networks:

  • The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
  • The only firewall to identify, control and inspect SSL encrypted traffic and applications.
  • The only firewall with real-time (line-rate, low latency) content scanning to protect against viruses, spyware, data leakage and application vulnerabilities based on a stream-based threat prevention engine.
  • The only firewall to provide graphical visualization of applications on the network with a detailed user, group and network-level data categorized by sessions, bytes, ports, threats and time.
  • The only firewall with line-rate, low-latency performance for all services, even under load.
  • The only firewall capable of delivering a logical perimeter for mobile users.
  • The only firewall to identify unknown malicious files, often used in targeted attacks, by directly and automatically executing them in a virtual cloud-based environment.


Ah-ha… I think I have it: language. Palo Alto’s technology is maybe run of the mill, but their marketing is… world-class. Palo Alto has learned and embodies a new paradigm in technology: you don’t have to BE innovative, you have to make people THINK you’re innovative. And you do that with command of language. You cast your products as “the only” and create special words, like AppID, that make your products sound unique and special.

I don’t fault Palo Alto for doing this. A lot of companies do this now. They take what are fundamentally mediocre products and they spin them with really good marketing. This establishes a buzz about the product that forces competitors to respond. The Fortinets, Junipers, and Check Points of the world are now put into the position of not merely touting their products, but explaining them in the context of Palo Alto’s language.

Language is powerful. It demonstrates that how you explain something can have a profound impact on its success. Politics works this way. Candidates spend countless hours figuring out how to define themselves. And they create words, phrases, and memes to support that image.  All of you former technical writers should pay attention here. Your words have power. But you have to transcend just explaining something to defining it and creating a context for it.

However, as a technology person, I do find this process of language manipulation to be somewhat disingenuous. Perhaps because it is exaggerating claims and using the same kinds of “compartmentalization” that politicians use. I am reminded of an infamous video where Bill Clinton argues the meaning of the word “is.”

The interesting twist to this story is the new lawsuit from Juniper. This is a classic battle of the old guard vs. the new up-and-coming challenger.  Juniper has not been innovative in the security space for years. So them suing Palo Alto seems like the typical crybaby move. Fortinet sued Palo Alto long ago and that seemed to go nowhere. However, Juniper has deeper pockets than Fortinet and is in a more desperate situation. As such, this Juniper lawsuit may cause some problems for Palo Alto. It will certainly cast a shadow over their hordes of devotees. UPDATE: The Juniper lawsuit was settled for $175M.

What other solutions exist?

So what is the answer? I think Palo Alto Networks is a fascinating company. And I think their ability to sell gear and take market share away from Juniper, Cisco, and Fortinet is in part due to their amazing marketing and sales and skilled leadership. However, I caution them and any user of their products that this irrational exuberance will end. Take this Juniper lawsuit as a warning. The days of Palo Alto Networks walking on water will end.  That doesn’t mean you should throw away your Palo Alto boxes. But, look at the lessons of history. Anything that rises too fast, falls twice as hard.

UPDATE (9/2014): I have become increasingly impressed with PAN’s leadership, especially when you contrast them against companies like FireEye. This is a company with experienced leaders. It’s part of why their stock keeps going up and their presence grows. However, the technical news for PAN is worrisome. The most recent NSS report for NGFW shows PAN performing poorly compared to their rivals at Check Point, Cisco/Sourcefire, and even WatchGuard (which is a real slap in the face). On top of that, PAN was not only a poor performer but the most expensive. PAN is still riding their buzz, but the poor performance anecdotes are piling up.

UPDATE (10/2018): PAN’s shift to cloud products and their purchase of Evident.IO are more proof that, for all of PAN’s woes, they are still a force to be reckoned with. I continue to find them a fascinating company that is a model for others, as well as a warning.
