The Cult of Palo Alto Networks

What is it with Palo Alto Networks?

What the heck is it with Palo Alto Networks? I have said before they seem more like a cult than a firewall manufacturer. I have observed reasonable companies spend two to four times what a comparable Juniper, Cisco or Fortinet would cost, so they can have that special Palo Alto love. I have seen people adamantly refuse to even look at competing products once they get a taste of those sweet Palo Alto boxes. Palo Alto Networks seems to walk on water and deliver unto the faithful the warming glow of a super cool firewall.

While my hands-on experience with their devices has been mostly positive, I am skeptical of any technology that seems “too popular.” Palo Alto’s rise up the firewall stack is rather baffling. Moreover, the buzz around them is downright scary. Are these people going to be relocating to a jungle compound soon? Will they be handing out Kool-Aid soon? (Maybe it will be Kool-ID.)

Let’s start with the raw specifications. Their devices pass traffic and have decent throughput speeds. They scale from small to large with reasonable ease. They do IPS and web filtering, and all the normal unified threat management (UTM) type of stuff (or Next-Generation Firewall, NGFW, in their parlance). Okay, cool. They also tout their AppID stuff, which lets them pick out applications among network traffic. Okay, that is cool. But it’s not unique. Lots of other products do that. They can inspect SSL traffic. Cool, but so can a Fortinet or a Blue Coat for that matter. Hmmm, technically they have good specs, but nothing unique.

Okay, so in the raw specs, they’re a UTM / NGFW. Great. So what makes people spend 2X for them?

Let’s take a look at the company. Solid people and investors. Nir Zuk is a smart guy if a little self-absorbed. But who isn’t? The board is all seasoned people. They have Greylock, Sequoia, and Globespan. All good investment firms with respectable portfolios. But again, nothing earth-shattering there.

Then I read this on their website… and it all became clear:

Here are some of the unique capabilities available only in next-generation firewalls from Palo Alto Networks:

  • The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
  • The only firewall to identify, control and inspect SSL encrypted traffic and applications.
  • The only firewall with real-time (line-rate, low latency) content scanning to protect against viruses, spyware, data leakage and application vulnerabilities based on a stream-based threat prevention engine.
  • The only firewall to provide graphical visualization of applications on the network with a detailed user, group and network-level data categorized by sessions, bytes, ports, threats and time.
  • The only firewall with line-rate, low-latency performance for all services, even under load.
  • The only firewall capable of delivering a logical perimeter for mobile users.
  • The only firewall to identify unknown malicious files, often used in targeted attacks, by directly and automatically executing them in a virtual cloud-based environment.

Ah-ha… I think I have it: language. Palo Alto’s technology is maybe run of the mill, but their marketing is… world-class. Palo Alto has learned and embodies a new paradigm in technology: you don’t have to BE innovative, you have to make people THINK you’re innovative. And you do that with command of language. You cast your products as “the only” and create special words, like AppID, that make your products sound unique and special.

I don’t fault Palo Alto for doing this. A lot of companies do this now. They take what are fundamentally mediocre products and they spin them with really good marketing. This establishes a buzz about the product that forces competitors to respond. The Fortinets, Junipers, and Check Points of the world are now put into the position of not merely touting their products, but explaining them in the context of Palo Alto’s language.

Language is powerful. It demonstrates that how you explain something can have a profound impact on its success. Politics works this way. Candidates spend countless hours figuring out how to define themselves. And they create words, phrases, and memes to support that image.  All of you former technical writers should pay attention here. Your words have power. But you have to transcend just explaining something to defining it and creating a context for it.

However, as a technology person, I do find this process of language manipulation to be somewhat disingenuous. Perhaps because it is exaggerating claims and using the same kinds of “compartmentalization” that politicians use. I am reminded of an infamous video where Bill Clinton argues the meaning of the word “is.”

The interesting twist to this story is the new lawsuit from Juniper. This is a classic battle of the old guard vs. the new up-and-coming challenger.  Juniper has not been innovative in the security space for years. So them suing Palo Alto seems like the typical crybaby move. Fortinet sued Palo Alto long ago and that seemed to go nowhere. However, Juniper has deeper pockets than Fortinet and is in a more desperate situation. As such, this Juniper lawsuit may cause some problems for Palo Alto. It will certainly cast a shadow over their hordes of devotees. UPDATE: The Juniper lawsuit was settled for $175M.

What other solutions exist?

So what is the answer? I think Palo Alto Networks is a fascinating company. And I think their ability to sell gear and take market share away from Juniper, Cisco, and Fortinet is in part due to their amazing marketing and sales and skilled leadership. However, I caution them and any user of their products that this irrational exuberance will end. Take this Juniper lawsuit as a warning. The days of Palo Alto Networks walking on water will end.  That doesn’t mean you should throw away your Palo Alto boxes. But, look at the lessons of history. Anything that rises too fast, falls twice as hard.

UPDATE (9/2014): I have become increasingly impressed with PAN’s leadership, especially when you contrast them against companies like FireEye. This is a company with experienced leaders. It’s part of why their stock keeps going up and their presence grows. However, the technical news for PAN is worrisome. The most recent NSS report for NGFW shows PAN performing poorly compared to their rivals at CheckPoint, Cisco/SourceFire, and even WatchGuard (which is a real slap in the face). On top of that, PAN was not only a poor performer but the most expensive. PAN is still riding their buzz, but the poor performance anecdotes are piling up.

UPDATE (10/2018): PAN’s shift to cloud products, their purchase of Evident.IO, is more proof that for all of PAN’s woes, they are still a force to be reckoned with. I continue to find them a fascinating company that is a model for others, as well as a warning.


103 thoughts on “The Cult of Palo Alto Networks”

  1. Mediocre? Listen, son, I’ll fix you up with a POC. 🙂

    It monitors 65,535 (UDP/TCP) ports all of the time, makes no presumptions of what’s on those ports, and monitors state changes on active sessions? Manages Facebook chat like it’s Gopher. As a firewall gives IPS a proper run for its money, despite the fact the rules were IPS’s to begin with. Sourcefire woke in a cold sweat at merely the name Palo Alto. SRX did that? Before or after it crashed?

    Innovation? Palo Alto Networks has handed it out like it’s unleavened bread crumbs to CheckPoint, who have dutifully followed them into the Gartner Magic Quadrant, no doubt scrounging for more.

    Fortinet? Who the f**k are they?

    It’s not a cult, it’s the only interesting thing to happen in 20 years.

    1. I have experience with all kinds of different brand firewalls as well as Palo Alto Networks firewalls and based on your comments I see nothing but sour grapes here and no real significant information.

  2. I thought the same thing when I initially heard of them. Then I took a good look. It wasn’t the new marketing language, but rather the fact that the App-ID was built into the Firewall engine and not the IPS engine (unlike most other UTM systems). And the firewall policy is repeatedly referenced during a session, not just at the beginning of a TCP/UDP port-based session. So if the application changes within that session then the firewall rule set can dictate new behavior.

    Not only that, but by doing this, the efficiency that can be gained with the IPS engine is increased. Basically App-ID in the Firewall reduces the threat surface the IPS engine has to scan. For example, no longer does the IPS have to scan all of TCP port 80 traffic for all forms of malware. By understanding what exactly that port 80 traffic is, the IPS engine can be more effective while being more efficient.

    Then I realized there really isn’t a FW engine that is separate from an IPS engine or blade. Hence the difference between the UTM and this new thing called the next generation firewall.

    So once I got past the market words and took that really close look I saw the reason for the cult-like following. So much so that I went to work for them.

    Dave Klein

    1. Thanks for an actually useful post in this thread – and I think it’s notable that you first needed to take the marketing shell away to find a good core.
      Some people (I’ll include me there) will avoid dealing with someone that comes up with too bold claims.

    2. Well, it’s good to have a pack leader to keep moving forward. By the way, I cannot imagine that the competition is not already contemplating the possibility to cycle several times through the rule table, no matter where the app detection takes place in the software. This is a most striking need when one works with Fortinet for instance, because there is currently no way to escape the tyranny of the srcip|dstip|dstport rule indexing. It is obvious that the possibility of “marking” the traffic differently based on app/url combinations and then re-entering the rule table becomes not only useful, but necessary. Moreover, a sort of route enforcing at the end of the flow is also quite needed. Of course, the way a vendor builds the user interface comes next after the functionality, and maybe others could find even better ways to hide the intricacies of app detection and internal traffic flows around the rule table. Thanks for pointing out that the marketing hype can sometimes hurt by promoting distrust, when explaining the real advances could do a better job.

  3. Great post, Andrew. I couldn’t agree with you more. Language and marketing are very powerful. Isn’t Palo Alto just following in the footsteps of other great marketeers like Apple, Microsoft, etc.? One of the key lessons of the Internet era is that you don’t have to be the innovator, but the one who exploits the innovations. I still like my Fortinets, even if they don’t have that Palo Alto glow.

  4. I used to work for a reseller that carried just about all the firewalls you could ever think of… ASA, Netscreen/SRX, Sonicwall, Checkpoint, Fortinet, etc.

    The first time I heard of Palo Alto, it was from a university who was looking at updating their firewalls. I believe I was going to lead with Fortinet, and they asked me about PAN. My response: “never heard of them, but a firewall is a firewall. I’m sure they’re not doing anything different.”
    After losing that deal to PAN, and 4 or 5 more over the next 10 months, my company reached out to them to partner. After getting exposure to the boxes, and seeing the visibility and control they provide in every environment I’ve put them in, I have to say that PAN is truly doing something different.
    I believe that if anyone has had to “market” themselves into being relevant, it’s all those legacy firewalls out there that have had to bolt-on some semblance of what PAN can do. Now, at least on paper, just about everyone can say they control apps and users the way PAN does.
    Don’t knock it til you try it.

  5. Special Sauce lettuce cheese pickles onions on a …..

    You get the picture. I have used Checkpoint since day 1. I too was skeptical of Palo Alto, however once I got the POC, I realized this was different.
    Different in a good way.. It works!

    And it works well. I am the network guy for a college and while I have always known bad stuff was all around me, I did not have 1 pane of glass to see what it was. Checkpoint did not show it, I had to go nMap, Snort and a myriad of other tools to figure it out, time consuming and frustrating. Checkpoint tries to show some of this, but who cares a “flying donut” about the new GUI and attempts at keeping up with Palo Alto. It does not do it as well and does not scale (I too POC’ed the new Checkpoint)

    Now with my box (5050) I can see so much. Frankly, I almost wish I did not realize how bad it was.

    Now that I know, I also have the tools to show the other team members in other departments on why mitigation needs to happen and on what machines. The primary tools I was using, SNORT etc, are now my backup tools to validate the work to be done.

    This is the coolest thing to happen in networking in quite some time, but for a reason!

    I am on the bandwagon and a convert. Also for the first time in a while, in the driver’s seat of my network, fighting to get back my network from the students and what they bring, but armed with the right tools.

  6. Andrew, as an information security professional, you’ve embarrassed yourself with this post. I’ll just respond to one of your points:

    “They also tout their AppID stuff which lets them pick out applications amongst network traffic, okay that is cool. But it’s not unique. Lots of other products do that.”

    Palo Alto Networks performs application identification in the firewall. This means you can build a Positive Enforcement Model (default deny) at the application level as well as the traditional stateful inspection port, protocol, and IP address.

    To the best of my knowledge and Gartner’s (see their recently released Firewall Magic Quadrant), Palo Alto Networks’ Next Generation Firewalls are the only firewalls that can do this.

    From my perspective this is the sine qua non of a firewall. Every other firewall/UTM vendor that provides application identification uses Intrusion Detection technology, i.e. a negative enforcement model.

    As an information security professional myself, I look forward to competing with you in the market.

    1. I’ve embarrassed myself over lesser issues.

      And there are other firewalls and IPS products that can identify applications. Protocol analysis is not new or unique. IPS technologies have been doing that since the late 90s. And those products worked either as a negative or positive model. I will hand it to Palo Alto for making it an integral part of the product.

      I’ve been an infosec professional for 17 years. I have seen lots of companies claim they are “the only.” I don’t doubt Palo Alto’s ability to change the conversation about firewalls. However, simply because somebody says they are “the only” does not make it true.

      You should pay attention to the point of my article, which was not questioning the raw capabilities of Palo Alto, but the use of language to alter the perception of a product.

      1. No one is questioning the fact that many companies offer network security devices that can identify protocols and applications.

        The point is being able to do this in a firewall. Perhaps I was not clear about positive and negative enforcement models. The definition of a firewall is that it has the ability to implement a positive enforcement model, i.e. define what is allowed and block everything else. This is also referred to as “default deny.” A network device that is not capable of implementing a PEM is not really a firewall.

        Intrusion Detection/Prevention Systems, by definition use a negative enforcement model. They look for specific signatures (or other ways of detecting bad traffic) to alert and block. If the traffic is unknown or does not match a pattern it’s looking for, the traffic is allowed. Also, you are probably aware of the fact that many IDS/IPSs don’t even monitor all 65K+ ports for all protocols.

        Palo Alto Networks is the only firewall I am aware of that enables an organization to implement a PEM at the application level as well as the more traditional network level using stateful inspection functionality. Therefore, putting marketing aside, it is the only device that qualifies as a Next Generation Firewall as defined by Gartner.

        If anything, it’s Palo Alto Networks’ competitors that “market” themselves as Next Generation Firewalls, but cannot actually implement a PEM.

        Maybe what you are really asking is, why this is important. Who cares where or how applications are identified? This goes back to the debates in the 1990’s about whether a firewall is needed. It seems to me that that issue was resolved then.

        I believe we have agreement that the first requirement of network security is to control the traffic that moves between networks of different trust levels to reduce the attack surface of the more trusted network.

        We moved from router ACLs to stateful inspection firewalls in the 1990s. Now we are moving to Next Generation Firewalls in response to massive changes in application technology which started in the early 2000s. These changes have rendered traditional stateful inspection based firewalls useless in performing their jobs. Hence the need for a new type of firewall capable of performing traditional stateful inspection for backward compatibility AND controlling application traffic using a PEM.

        In closing, let me comment on Palo Alto Networks’ excellent marketing. Historically we have seen great marketing trump great technology. I have been as dismayed about this as you no doubt have been. But you should not conclude that a company with great marketing must therefore have inferior technology. Palo Alto Networks just happens to be this happy coincidence of great product and great marketing.
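A conceptual model of the three enforcement styles the commenters contrast above: a port-based stateful filter that decides once per session, a negative (signature) model that allows whatever it does not recognize, and an application-level positive model that re-checks policy as the session progresses. This is an added example, not part of any comment and not vendor code; the application labels, rule sets and sample sessions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    """One observed chunk of a session: the destination port and the label an
    application classifier assigned to it (None = could not be identified)."""
    dst_port: int
    app: Optional[str]


# Constructed rule sets (hypothetical names, not any vendor's configuration).
ALLOWED_PORTS = {80, 443}                  # classic port-based rule
BAD_APP_SIGNATURES = {"p2p-filesharing"}   # negative model: known-bad list
ALLOWED_APPS = {"web-browsing", "ssl"}     # positive model: known-good list


def _latch(per_segment_ok: List[bool]) -> List[str]:
    """Once a session is denied it stays torn down for all later segments."""
    verdicts, blocked = [], False
    for ok in per_segment_ok:
        blocked = blocked or not ok
        verdicts.append("deny" if blocked else "allow")
    return verdicts


def port_firewall(session: List[Segment]) -> List[str]:
    """Port-based stateful filter: one decision at session setup, inherited
    by every later segment regardless of what the payload turns into."""
    ok = session[0].dst_port in ALLOWED_PORTS
    return _latch([ok] * len(session))


def negative_model(session: List[Segment]) -> List[str]:
    """Signature-style control: deny on a known-bad match, allow everything
    else, including traffic the classifier could not identify."""
    return _latch([s.app not in BAD_APP_SIGNATURES for s in session])


def positive_model(session: List[Segment]) -> List[str]:
    """Default deny at the application level, re-evaluated on every segment,
    so a mid-session change of application is judged against policy again."""
    return _latch([s.dst_port in ALLOWED_PORTS and s.app in ALLOWED_APPS
                   for s in session])


def compare(session: List[Segment]) -> dict:
    """Run one session through all three models and collect the verdicts."""
    return {
        "port": port_firewall(session),
        "negative": negative_model(session),
        "positive": positive_model(session),
    }


# Constructed sample sessions.
WEB = [Segment(443, "ssl"), Segment(443, "web-browsing")]
# Starts as ordinary web traffic, then becomes something unidentifiable.
UNKNOWN_AFTER_WEB = [Segment(80, "web-browsing"), Segment(80, "web-browsing"),
                     Segment(80, None)]
# Starts as web traffic, then matches a known-bad signature on the same port.
P2P_ON_80 = [Segment(80, "web-browsing"), Segment(80, "p2p-filesharing"),
             Segment(80, "p2p-filesharing")]

if __name__ == "__main__":
    for name, sess in [("web", WEB), ("unknown-after-web", UNKNOWN_AFTER_WEB),
                       ("p2p-on-80", P2P_ON_80)]:
        print(name, compare(sess))
```

The session that turns unidentifiable mid-flow is the case that separates the models: only the default-deny, re-evaluated policy stops it, while the signature model and the port filter both let it continue.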

        1. Bill,
          I do not know if you have a history of using other NGFW but there are a couple of Firewalls that allow PEM, they do not do it as pretty and as easy but it is available if you use them. Sonicwall and Fortinet come to the top of my head. In fact when it comes to application control profiles available, Palo Alto doesn’t even have the most available yet they claim to be the leaders. App control is not unique at all.
          The truth of the matter with Palo Alto is that they are a marketing machine (The Apple of Security) and their user interface is quite intuitive. But in bakeoffs with other firewalls for performance they are not in the top 5 and hence why they are visionaries leaders in the quadrant but their ability to execute is below the other solutions.
          Now they have this new thing called WildFire which they named to be very similar to another solution that deals with Modern Malware. They claim that they can detect and prevent APTs. Yet it is a glorified cloud based signature generator. However their marketing machine is claiming it to be revolutionary when there are better and more effective solutions out there.

          1. Palo Alto, when measured against REAL traffic (not UDP 1518 traffic), blows every other firewall out of the water – even with their apps and IPS on. It is the best firewall from a performance perspective, period. You guys should do your homework.

        2. Wow, you can do application inspection plus stateful filtering in a *firewall*?
          And you can have a default deny ruleset?
          Now that must be the most unique thing to ever happen.
          Not like it’s new.
          But hey, it made you really be amazed. That’s great.

          1. @Maginot, not sure if you ever had the opportunity to play with a SRX5800 which gets you closer to “real” 150+ Gbps throughput… just saying. And it can also do Positive Enforcement, and heck, it can even do AppID.

    2. Bill, read the report again. Also, SonicWALL, for example, does the app control (has had it since ’07) and has been doing non-buffering stream based inspection on all ports since 2003. Now they also have 20 Gig products that do that. PAN marketing is superb, but their technology is far, far from being first or unique.

    3. Untrue Bill.
      McAfee Firewall (previously Sidewinder) does their application identification (called AppPrism) in firewall policy and not IPS. The IPS/IDS is an add other security feature with a different engine and can also be applied against an application on a per rule basis. McAfee Firewall has also had a positive security model since its inception.

  7. The cult of Avatar – I don’t know what all the hype is about the movie Avatar – I personally haven’t seen it but I can say that it is no different than any other sci-fi movie that has come out in the past. It is all just a bunch of marketing. The exuberance will end… Keep in mind that Palo Alto has grown to over 5000 customers faster than just about any security company – EVER. AND, 100% of these customers evaluated, tested, and selected the products over the legacy products out there – they went way beyond the marketing. Is it so hard to fathom that every once in a while a really innovative and game changing technology comes along that is truly revolutionary? By the way, their products are not more expensive – might be time for you to step beyond the competitive marketing.

  8. Excellent post, Mr. Plato. The comments are funny. I don’t think people realize that in voraciously defending PAN, they are in essence proving you right. That PAN has a cultish following who don’t take kindly to having their sacred cow be criticized. Try criticizing an Apple product or Linux, the same trolls will crop up and be supremely offended.

    I run security for a large retailer and we looked at PAN along with Juniper, Fortinet, and Cisco as a replacement for our aging CheckPoint FWs. They have a good product. But, they were more expensive and they did not have as good a feature set. At the time, their IPv6 support was weak. I went with Fortinet because they were less money and equal in features to PAN. But, PAN was a serious 2nd choice. I agree their marketing exaggerates their capabilities.

    I think the Juniper lawsuit is just typical of all the patent trolls, like SCO or Trend Micro. They have these beancounters sitting around who realize it’s more profitable to harass and sue others than be innovative. This is why my company has no Juniper technologies in use.

    Anyway, keep up the good work and the blog. I always enjoy hearing your thoughts on security.

    1. You are discounting the comments of real users of the Palo Alto technology. It is real, and it is effective. Like one of the first posters said – it is the first interesting thing that has happened in 20 years.

  9. My experience has been mostly in the realm of Cisco and Checkpoint, with a few evaluations of FortiNet and only some limited exposure to Juniper. Most of the forthcoming input is based mainly upon Cisco and Checkpoint experience:

    The Palo Alto inspection engine is unique and superior to anything out there. If you do a little more homework focused on the technical aspects, you will understand that the technology isn’t “run of the mill”. There really is a good reason why this product is catching fire. It starts from their ground up approach to the Inspection Engine.

    The “Language” they speak, is the Technology they enforce and basically how they built the product, and they do it very well.

    Over the last 2-3 years, I have been involved in Security Appliance review and upgrade for two different Organizations. Each event consisted of teams of personnel that compared several major players in the market and scrutinized each technology carefully. Each Vendor was put through its paces. The teams, except for myself, had different members both times. PaloAlto was the only one left standing each time.

    As far as actual hands on:

    I have minimal experience with the PaloAlto technology as I have only had about three good weeks of actual “Hands On”, compared to years upon years of hands on with Checkpoint and Cisco. However, the more I work with it, the more this product shows its true colors and just makes sense. Those that end up purchasing and using this product end up standing up on a soap box and telling everyone that this is the real deal; and for a good reason. That is probably where the buzz is being generated from that gives it that “Walk on Water” input you have mentioned.

    This is also one of those little gems of a product that generates that sort of reputation because the more you work with it the happier you are. You tell your peers about it, and so forth. One of my peers in the industry just recently canned our overall response into something that made sense to all of us. “The product is simply a “No Brainer” in regards to it vs anyone else out there”. We all share similar sentiment as customers and users of the products after what we have seen over the last 10+ years.

    In all fairness:

    I am not qualified to comment on the VPN capabilities and platform however, as I do not currently use that aspect of the product. I can also say that this product can use a few feature enhancements. With that said, this is a very polished product in its own right. But there are certainly a few things they could do with some upgrades that would be nice to see.

    The Juniper Lawsuits?

    As a Palo Alto customer, I did have some concern when I heard the news. I did the due diligence of looking up the patents and reading them myself. The patents they have submitted to the courts are obscure and cover too broad an area to hold any weight. In fact, they could sue ANYONE that has a firewall based upon the generality of some of the patents. For instance, one of them is basically Packet Inspection over a Layer 2 trunk. That is like IBM suing Cisco for making products that route.

  10. Great article. You’re spot on with this ePANdemic. Palo is a jack of all trades and master of none. They do nothing that is new or even better. It may be better and new to the people replacing their 20 year old firewalls, but not to anyone who actually works in the network security space and has been keeping up with the technology.

    Here’s another marketing twist for you:
    “Industry Leading IPS Effectiveness
    The results of the NSS tests referenced above found that Palo Alto Networks accurately detected and blocked 93.4% of all of the 1,179 attacks, putting Palo Alto Networks easily in the uppermost echelon of IPS solutions based on core functionality. Tests included all types of attack methodologies, applications and targets. As a reference, the 2009 IPS group test found IPS block rates ranging from 17% to 89%.”

    They are industry leading by taking their NSS numbers from August 2010 and referencing them to 2009 numbers. Where do they stack up compared to the other vendors 2010 numbers? What they don’t tell you is that CheckPoint blocked 97.4%.

    PAN lovers, keep buying into the marketing so hackers have easier networks than mine to target.


  11. An example of somewhat misleading information from Paloalto can be seen in Nir Zuk presentation in Slides 39 and 40

    The numbers can be correct if you only look at the vendor names at OSVDB (I have not actually counted them)

    But in the TippingPoint Case the numbers do not reflect the fact that TippingPoint also uses the ZeroDay initiative as well.

    So in the slides it seems that PA is the leader of discovering new vulnerabilities… and yes it might be true if you only count the credited to each vendor but I doubt it holds if you count in the real numbers behind each vendors other sources for vulnerabilities. (I have not checked for other vendors than TippingPoint in this case).

    1. The whole point is vendor discovered vulnerabilities… The Zero Day initiative is an informal group of researchers who are “rewarded” for their submissions. By definition they are NOT on TP’s Payroll. Unique security research is illustrative of an organization’s commitment to a market.

  12. Websense has been doing the “you don’t have to BE innovative, you have to make people THINK you’re innovative” thing for years and it’s worked for them too.

    Palo Alto AppID can do a lot of really cool things that other firewalls can’t but…do you really want your firewall doing ALL that stuff? Doesn’t the term “too many eggs in one basket” resonate with anyone anymore?

    As a side note, their AV/malware protection doesn’t even detect the Eicar test virus. The powerful AppID feature can’t even do true file type detection…what?

  13. Well keep embarrassing yourself. If you saw how the tech worked, analyzed it, and understand it and then pointed out its flaws, etc maybe you could stand on this ridiculous post. Simply thinking something is marketing and calling it a cult is doing what a true security professional does not do – ASSUME.

    (Kevin – it does pick EICAR, it’s picked a zero as well that after uploading to virus total only 14 AV vendors picked. It also does file detection. Clearly you set it up wrong. Don’t post BS – that is called “marketing”)


    PS. Case in point – I had to modify my home palo to allow me to “blog-post” to do this since I was whitelisting….doesn’t work is so humorous.

    1. So every time a corporation needs to post something on a blog they have to edit a rule on their firewall? That does not seem very practical or realistic.

      I do have experience with their devices, and I said before I think they have some good features and capabilities. However, they are not unique. Fortinet, Juniper, Cisco, CheckPoint, Sonicwall…heck even WatchGuard and Astaro all can do the same things that Palo Alto can do. That does not diminish their value, but it should put it into perspective. I have seen how all of those devices implement their security controls. And I think PAN has some novel ideas. I also think Fortinet has some technically superior aspects to it as well. Every company has their strengths and weaknesses.

      Moreover, whitelisting, while conceptually sound, is practically impossible in a large setting. It quickly gets turned off after the security team was inundated with requests for access. I know, I have watched clients attempt to do strict whitelisting of applications. The effort imploded after about a week. Users complained non-stop about access restrictions and problems.

  14. I have struggled with numerous firewalls over the years. I recently tried out, then purchased a Palo Alto 500.

    I have been telling everyone I know about its capabilities. Why? Because it is a game changer, never seen anything quite like it. It reminds me of Equallogic a few years back when ISCSI started getting popular.


    1. It’s funny you would use the word “game changer.” I have been telling everybody lately that any technology that tells you it is a game changer, is not a game changer. Because that is a marketing word designed to make you think it’s special. Things that really change the game, are not called game changers when they are first released. Case in point, the iPhone was not called a game changer at first. It wasn’t until people consumed it and others began copying it that it could really be classified as a “game changer.” It was then that people really saw the innovation. And that innovation was not technical. Apple’s innovation was in aesthetics and presentation. Technically, their products were good, but not great. But their marketing, branding, packaging, and presentation – that was innovative.

      As for PAN’s “game changer” status. Time will decide that. PAN has two strikes against it. 1. The technology is derivative of others. 2. Their marketing is derivative of others. As such, I see PAN as evolutionary, not revolutionary. But, again, time will judge them and their game changer-ness.

      1. Except… he indicated that his experience (hands-on experience) with the product led him to believe it was a game-changer. The technology did not tell him that it was a game changer – he came to that conclusion by himself.

      2. All I know is that I find their product much easier to use than others for reporting and general use.

        As for marketing, I doubt they are selling a lot of their products based solely on the marketing, without having the end users try them first, given they sell through VARs.

        Granted that I am in the SMB space so can’t become an expert in any single type of product.

        It meets my needs better than any other product I have found and I will be recommending to other companies who do not have a dedicated firewall expert.


  15. As someone who has worked with PAN, Fortinet, Juniper, Cisco, and SonicWalls and also received bids for McAfee and CheckPoints I will add this:

    Fortinet is the best bang for the buck and does most of the things that the PAN does with a higher throughput. I cannot comment on the webfiltering portion of the PAN because we are not using it.

    Juniper – what model? The SSG series is a dinosaur now and the SRX model does not compare. Sorry, while they say they are trying, Juniper’s lawsuit is simply a grasp for relevance.

    Cisco – please. Note how many government agencies were broken into after the Sidewinder to Cisco swap. Regardless of anything else, this product has seen more vulnerabilities than others. Why would you trust this?

    CheckPoint – where to start? The interface? The performance? How about the price….twice as much as a PAN for half the performance and not all of the feature set.

    McAfee – may be a good product, but they priced themselves out of our range. Literally about 2.5x the cost of the PAN for the same performance with less features included.

    I cannot comment on the new SonicWalls since none of the vendors we solicited responded with them.

    So out of the box with price for performance and feature set we ranked them as follows:

    1. Fortinet
    2. Palo Alto Networks
    3. Take your pick of the least evil / cost effective solution from McAfee and Check Point and throw in SonicWall if you can get a bid & eval.
    4. Cisco – simply due to their numerous vulnerabilities
    10. Juniper – sorry…my old favorite is at the bottom now. They have an image issue to address with their SRX line. While I know why they made the change, they alienated their current client base. Note the number I put. Until they change I probably will not look at another firewall product from them.

  16. Are all these posts coming from Palo Alto employees? Haven’t even seen one mention that the interface is so slow that you need to wait 2 minutes to make any change in the firewall. I don’t see it as the game changer they claim to be, they have nice features but Fortinet, Checkpoint and Sonicwall filter apps as well.

    1. I’m glad someone called out the slow interface—we recently bought some 5050s, and I can’t get over how sluggish they are…I’ve become very comfortable with the cli because of the sometimes unusable GUI…unfortunately, there are some things that can’t be done in the GUI (really? I can’t search the config in set format AND use grep/pipe include? That’s unacceptable). I feel like the cli was an afterthought, and lacks polish compared to its competitors.

      Of course, our environment didn’t have a need for the application filtering…we are a multi-tenant environment that by design doesn’t want filtering based on the application in the place the PAN devices were put, because the tenant doesn’t tell us what application they are running where…so our expensive PAN devices are acting like a simple stateful firewall, and don’t seem to measure up to even Cisco from an operational standpoint…the name palo alto makes my engineers cringe, because they are so inconvenient to work with operationally on a day to day basis.

      While I’m sure they do exactly what they say they do, they were the wrong choice for the piece of our environment they were purchased for.

      1. What version of PANos software are you running? There were issues with version 4.1.6 (memory overflow that caused the management plane to be slow). This was sorted in version 4.1.7 and 4.1.8. I am running 4.1.8-h3 on my devices and I am very happy with this version.

    2. I have a pair of 500’s and the interface is the slowest I have ever seen. In fact I just found this thread while searching to see if I could find anyone else suffering with the same problem.

      That is a shame, since the product itself is quite nice otherwise.

  17. “I admit to having limited experience with their appliances.”

    This discussion could go on forever. Go out and get your hands on a PA firewall, then come back and judge…

  18. Application Identification has been around for quite some time, particularly in the realm of QOS and traffic classification. In fact, I know that L7 filter has been used with Netfilter to do the sort of things these Next-Gen vendors are touting now. That was back around 2005 or 2006 that I saw it.

  19. It may be a good idea to talk on some outputs of NSS IPS 2012 reports that just have been released a couple of days ago.

    In which aspects PAN did a greater job than Checkpoint and Fortinet and so on…

    Performance? Catch rate? CPS? # of sessions? or stability, evasion tests? none of these…

    Nothing new in terms of protecting networks.

    Maybe they’re doing things using different ways but let’s look at results… It’s not something interesting that happened in last 20 years…

  20. It’s too bad this post is entirely unfounded. I’ve recently completed 5+ months of NGFW research and analysis with tools that allow me to run real-world, line-rate (10Gb+) traffic across 4 major vendors (PANW included).

    A few of your misconceptions:
    1) NGFW != UTM. NGFW leverages heavily on application inspection as UTM did not. UTM was legacy hardware with bolt-on functionality that included IPS, DLP, etc. NGFW are new platforms – of which there are few. Palo has the advantage of building a firewall right after 20+ years of the same old standby architecture. Upstream hardware for application awareness that gets pushed down into more hardware for the true security analysis and a one-time deep inspection across all of the security functionality gives them a significant advantage in the heavy lifting. Nobody else, besides Fortinet, has a true hardware accelerated NGFW.

    2) Cost – you’ve got this completely wrong.

    3) Cult – if you’ve dealt with the pains of any of the other platforms with regards to a platform that actually works as advertised and doesn’t tip over based on traffic pattern types (you’d be surprised) you’d realize that this isn’t fanboyism or a cult at all. In fact it’s a draw of well seasoned individuals gravitating towards the only thing in the marketplace that actually works as advertised.

    4) You’ve never used, tested or otherwise interacted with PANOS at time of writing. That, in itself, just showcases where you’re at with regards to perspective and credibility.

    1. 1: You should read this: UTM v NGFW – A Single Shade of Gray
      2: I just pulled up the price list for Fortinet, Astaro, Palo Alto and Juniper (I have access to all of them). I compared list prices for a mid-sized box that can do 1GB of full IPS / Application ID. The Astaro was the least expensive. Juniper and Fortinet were the same, about $3000 more than the Astaro. PAN was $10,000 more than the Astaro and about $7000 more than the Fortinet.
      3: The line between cult and genuine innovation is thin (I admit). But it’s easy to say you’re innovative without actually being innovative. Time will tell, but I’d say NGFW is more evolutionary than revolutionary. PAN has a good product, but it’s not a “game changer.”
      4: I have used PAN, I have configured them, I have direct, hands-on experience with their appliances. At the time of the writing, I did not have a lot of experience. I do now. And my opinion of PAN’s technology and marketing does not change. I still think they are an innovative, interesting company with a solid product that is overplaying their hand on marketing. I think the effect they have on people, such as yourself, is proof enough that they are a cult. Nobody has ever written a post like yours so passionately defending Sonicwall, Astaro, Fortinet or Juniper.

  21. So Nir took Deep Inspection, he had developed for Juniper, and made Palo Alto out of it. The interesting aspect is certainly marketing, as I cannot remember much traction on DI, or AppID, as it is called on SRX these days. But it is there and astonishingly powerful, albeit without less flashy logging and reporting. His “only firewall” claim is kind of amusing under this context, specifically where PAN has not even been the first.

  22. The difference in hardware comes down to the use of FPGA’s instead of ASIC’s. This is what allows the single pass architecture to work and deliver not only line rate but low latency.

    This is what sets the price point for PAN devices so high and no other vendor offers a solution built around FPGA yet.

    1. That doesn’t make sense. ASICs are significantly faster than FPGAs. Also, lots of security products use FPGAs. TippingPoint, for example, used them. FPGAs are great for lots of little tasks, but are terrible for complex tasks. The benefit of ASICs is they can be super-optimized to a particular job and therefore operate at much higher speeds.

      Also, I would note that the only UTM/NGFW that uses ASICs is Fortinet and SonicWall.

    2. Sorry, but this distinction is just wrong.

      In this space, FPGA’s and ASIC’s provide the same benefit, but each with opposing pros and cons.

      They both provide the ability to use silicon that is customized to one or some specific applications, which allows them to be much much faster at performing those applications than can be achieved with software running on a general purpose CPU.

      The distinction between each is summarized like this:

      CPU: Pro is that CPU’s are general purpose and the software they run can be updated and changed easily. Con is that they make inefficient use of their transistor count in order to be able to be so flexible.

      Field Programmable Gate Arrays: Pros are that they can be made to perform specific tasks with a more efficient use of their transistor count than CPU’s, but they are also flexible enough even to build a general purpose CPU and most importantly their design can be updated numerous times and in-product. Cons are that although they can be made to make more efficient use of their transistor count for a specific task than a CPU, they are made up of a small subset of types of logic gates which are used to form the building blocks of the logic that is used to carry out the tasks of their application design. They do not allow arrangement right down to the transistor level. The limitation of those types of gates means that their transistor count is not fully utilized (many many gates, made up of many many transistors, are simply not used in ALL FPGA designs by the very nature of how they are used) and nor is the arrangement of the transistors used anywhere near as efficiently as ASIC designs.

      ASIC: Pro is that ASIC designs are efficient right down to individual transistor arrangements, meaning that the full silicon wafer worth of transistors can be utilized to maximize design efficiency for maximum performance and minimum power usage. The performance capabilities of ASIC designs for a specific task are just stunning. This is what has enabled 3D accelerators to provide the giant leap forward in 3D rendering performance over software/CPU equivalents, hyper fast encryption and digital signal processing, etc and is how Fortinet are able to build firewalls that can sustain full saturation packet filtering and forwarding no matter how small the packets and 25Gbps IPS, 100+ Gbps IPSec, 18 Gbps inline AV, etc. For a specific application, an ASIC design provides by far the highest performance capabilities. Con is that they cannot be amended once burned into silicon, however their tasks are well defined and in this space a lot of the design can be broken down into smaller less complex security related tasks that can be chained together.

      BTW, Juniper were using FPGA’s in their SSG range a decade ago.

  23. Having experience with every firewall discussed here except Checkpoint, I believe your anti-Palo Alto stance is just an ax to grind or you are doing it for one of the other vendors. You play around with words and through your assumptions assume that is ALL Palo Alto is doing and that nothing is different here technology wise. You don’t present any facts just rhetoric. Just like politicians I take your comments with a grain of salt.

    Another thing, I don’t care if APP-ID has been around for a while the point is it hadn’t been done in a firewall until Palo Alto did it.

    The other thing that separates Palo Alto from the rest besides the user friendly interface and having the logs easily available to you on the box, is how they inspect traffic and how they continue to inspect traffic while the session is still open. Other firewalls do not do this. Once they allow the traffic they are done with it which is not as secure.

    Just my two cents worth.

    1. Thanks for the feedback Duane.

      In actuality, PAN does NOT inspect traffic once the session is open. That is what the whole bug in their App-ID is about. Of course you can turn off the DSRI and have it continually inspect the stream, but you take a massive performance hit.

      I like PAN, I like them a lot. I think they are a super cool product. But that does not mean they are perfect. I think you mistake my analysis with some bigger agenda. I am an industry analyst, and what we do is share our opinions with the community. I respect your right to disagree, of course.

      1. “PAN does NOT inspect traffic once the session is open”

        Flat out false statement. Caching the AppID doesn’t mean it stops all other forms of inspection, and incidentally the cache poisoning issue was obscure (an attacker would have to know your security policies) and easily dealt with by following best practice (application default as your port). There’s a 1-5% performance hit if the feature is disabled which still leaves it pumping more data through than any competitor. And it was fixed in 5.0.7 anyway (or was it 6).

        If you have a reasonable alternative to PA, please let us know. Cisco or Juniper are a joke and playing catchup, Sonicwall and Fortinet are low-end, Sourcefire costs more for less; who else do you have? As it stands, no one else comes close to the integration of features and PA was, as far as I know, the first to integrate NAC, AD, and URL into security policies.

        One PA = Gigamon + Tipping Point + BlueCoat URL + BlueCoat SSL decrypt + legacy firewall of your choice. Suddenly, the cost is much more reasonable when you realize you don’t need to manage 15 different appliances anymore or pay the Checkpoint/BlueCoat extortion renewals.

        1. I think the characterization of PAN’s flaw as “obscure” is simply untrue. And dismissing Sonicwall and Fortinet as low-end suggests you are already sold on PAN, since Fortinet has significantly more powerful devices than PAN.

          In the most recent NSS reports, both Sonicwall and Fortinet were more accurate from an IPS perspective than PAN. I would not dismiss them so easily.

          1. I sell Fortinet – we’re very happy to go head to head against PAN. We take out the BreakingPoint gear and the PAN usually goes into hiding away 🙂

            Seriously, PAN got less than 50% on BP’s in-house “Resiliency Score” . Fortinet gets 95% on these tests (with a 3950). Their purpose is to validate how solid your box works under load and how well it survives. PAN does not survive well due to various architectural reasons.

            I can recognize that PAN has value, but please take off your blinders and open up to the fact that Fortinet never was just an SMB player. Fortinet is most definitely an enterprise-grade solution and is very much present in the Fortune 500. Hard to believe how people have drank the NGFW=enterprise/UTM=SMB joint Gartner/PAN koolaid…

        2. Quote
          “One PA = Gigamon + Tipping Point + BlueCoat URL + BlueCoat SSL decrypt + legacy firewall of your choice. Suddenly, the cost is much more reasonable when you realize you don’t need to manage 15 different appliances anymore or pay the Checkpoint/BlueCoat extortion renewals.”

          This is the joke of the decade. Trade off the expertise of all these companies combined into a company with no real expertise in none of these technologies, what’s the result? A Frankenstein product!

          I am heavily involved with big security IT projects and support. Don’t get me wrong, I think PA is a great product, for SMB. For enterprise, I would honestly be cautious. They deliver everything, but it doesn’t mean they deliver everything good. Their application approach is great, but when I check 10 out of 10 big customers I have with their products, what do you see? Policies with ports and no apps. Their DLP is a joke, their Vulnerability Prevention (aka IPS) is confusing and a nightmare to tune, their url filtering is not as precise as Bluecoat and other players. They don’t do antispam and antivirus for e-mail protocols (SMTP, POP, etc) lacks features and maturity. Their sandbox product, wildfire, has more marketing than real results, unlike Fireeye.

          In their favor, I like how simple they delivered ssl decryption and their mgmt interface is clean, mature, way better than Fortigate. Panorama is also a great tool, even though it’s a bit confusing to initially understand its concepts.

          As much as Fortigate, PA is only good for SMB. I would be very careful to place these firewalls in a big datacenter or even a campus and leave their over-engineering code run things on the wild.

      2. Anyone who would enable DSRI for outbound web traffic is insane and you do not need to disable this for high throughput on their boxes.

        Every product mentioned is far from perfect, but let’s get past this DSRI argument I keep seeing.

        Since then, the cache issue has been resolved and the box has become quite the performance beast.

        1. But still slow compared to Fortinet…

          BTW have you looked at their small packet performance? PANW usually only tests packet sizes at 1M (1024K).

          What it boils down to, is that it is not a magical box:

          The PAN 5060 comes with a 160GB Hard drive, 64MB Flash, 29GB Memory, an Intel L5410 Management processor, an EZ chip network processor, and three Cavium Octeon Plus CN5650s used for datapath processors. The dedicated management processor is an Intel chip – this is what runs the CLI and WebUI – and it needs to communicate with the datapath processors to apply the configuration to and from them. The datapath processors do the heavy lifting of what the device does — they are general purpose CPUs, but they are network-based general purpose CPUs from Cavium that handle more advanced L4-L7 functions, while the EZ Chip network processor performs any pure L3-L4 stateful inspection firewall functions.

          Stateful throughput test in firewall + application control mode, results fall far short of the data sheet value of 20 Gbps. The data sheet value of 20 Gbps was first given several years ago when the product was released, back when DSRI was enabled by default. Today DSRI is not enabled, yet the data sheet number didn’t change and PAN has not been challenged about it. Actual testing shows the 20 Gbps number is orders of magnitude too high, and proof that customers should verify all data sheet claims.

          This is not FUD. It is simple testing with an Ixia Breaking Point. If you are a customer of PANW already and you bring someone in to test, you can get a lot of money off a renewal.

  24. I work for a large IT solutions provider and can tell you what the buzz is about.

    PaloAlto spares NO expense when treating the VPs to lunch, dinner, who knows what else. The world of Politics is spreading into our industry…it is not what you know…it is who. Sad… in another 20 years this industry will be as poisoned as Real Estate or Wall Street.

    1. I also work for a major solutions provider and can tell you that having said employment does not mean you know what all the buzz is about.

      PAN is dining VPs just as much as other manufacturers from what I can see; it appears to be on par with other large manufacturers when trying to get in with larger enterprises (Fortune 500 and below).

      I don’t have a dog in the fight, we want to sell what the customer needs. This is because a long-term relationship is desired, not a quickie. We like to do bake offs with customers, PAN tends to win every time.

  25. I used a PA 2020 for a year or so at my last employer and I’ve missed it ever since 🙂 We made the Palo Alto decision in late 2010 and what led me to them was not a directive for a NGFW. I was initially asked to add gateway antivirus and web content filtering to our network in addition to our ASA5510 firewall. I approached the VAR we normally dealt with and they pointed us to WebSense and Iron Port (as an alternative), which led to severe sticker shock (we were a heavy Citrix Xen App shop and all the pieces etc I would need to cover that traffic was pricey). Somehow I stumbled across Palo after that and made the decision to evaluate. After spending a few weeks with the device I fell in love with it and from that point my time was spent trying to figure out how to get the cost approved 🙂 All that to say I have nowhere near the knowledge that most of y’all do in regards to firewalls and network security technology but from my experience switching from Cisco to Palo was a plus.

  26. You just have to listen to the derogatory comments from Check Point staff about Palo Alto to realise they are running scared, it’s not just marketing hype, CP is actually losing business to PA.

    Why? 4 Reasons:
    1. The product does what it claims, turn on extra features like AV & threat inspection and the product doesn’t choke.
    2. I don’t know what market you’re all in, but PA appliances are on par with CP appliances here and CP dramatically dropped the price of Provider-1 to compete with Panorama.
    3. Have you ever tried to understand CP licensing? and then they introduced software blades. I’ve been working with CP products since the 3.0 days and have never been able to fully understand their licensing.
    4. Upgrades. PA releases weekly content updates, regular PanOS dot upgrades, and yearly major version number upgrades, all ascending. Compare this to the CP release stream nightmare where some lower version numbers aren’t upgradeable to higher version numbers, major releases get basically abandoned (R76) without notification and every upgrade introduces new bugs into the management functions.

    The PA products do exactly what the vendor says they do in a way that is easy to manage and understand, this is what makes us recommend them to our peers.

    1. I will agree, Checkpoint licensing is a dark art. Nobody understands it. Also, you’re right, CP is scared. They have good reason to be. Checkpoint is a very big company with big valuations, and they don’t want to lose that to some punks in California who claim to have a better mousetrap.

    2. Well put Rob, I think Andrew works for CP or hasn’t really used the Palo Altos. I’ve been using firewalls since the Pix days and although other vendors out there have good products, the PA features, functionality and ease of use are the best combination. The biggest drawback of PA is price for performance. You will be paying more for PA to get the same performance but it more than makes up with all the other features and ease of use. I suggest download a trial and put in vwire mode in your network and test it and compare it to your firewall to see the features and the ease of use. The threat prevention alone is worth its weight in gold with all the malware out there.

    3. This is laughable and far from the truth. PAN underperforms on throughput, detection, and scalability. The only thing it does is paint a pretty picture with App Prism. Essentially they mastered the sales process but bring little real world value. In fact I would argue they have created more security problems than they have solved due to evasion vuln’s, poor detection, and no one wanting to turn on security functions in fear of killing their basic FW performance.

      1. I loathe Palo Alto Networks for their consistently dishonest behaviour.

        At my last job I had deployed an old firewall with some new FortiGate 310B’s and took care of them for about 7 years, until they were replaced with FortiGate 600C’s.

        In that time, Palo Alto Networks contacted us on numerous occasions and asked to meet with us to discuss their offerings. On each occasion they claimed that only their firewalls were capable of features x, y and z and argued with us when we pointed out that our FortiGates had been performing those features for us for years.

        Eventually they stopped contacting myself and my Infrastructure manager and instead made direct contact with our CIO, in an attempt to woo him with their BS. Thankfully they got nowhere with that tactic.

        Our final interaction with PAN was out-of-band with a pen tester who asked if they could install a PAN firewall in transparent mode to perform an Application Visibility and Risk Report. Unsurprisingly the PAN AVR did not identify a single issue that our FortiGates and FortiAnalyzer were not already flagging.

        And now, with PAN continuing to not want to play fair, there is this…

        1. In regards to the NSS labs report, half of their issues with the PAN was a direct result of their misconfigurations. Since then, the issues have been fixed, with the help of both PAN and NSS. They earned a recommended rating soon after from NSS.

  27. Full Disclosure: I work for one of the discussed vendors.

    I have found there is a lot of marketing hype from quite a few manufacturers. Some of it bullcorn some of it not. One thing I do know is that the author of this blog knows his stuff because he seems to know that UTM and NGFW are similar things. Gartner is kinda hare-brained about this sort of stuff.

    I have found a lot of false advertisements and misinformation. Nir Zuk was not the creator nor the principal developer on the state packet inspection firewall. Nor does that have anything to do with things like NGFW or UTM.

    Typically I would say that I classify a NGFW by two things (above and beyond SPI firewall) Application Detection and User Authentication/Single Sign On.

    I would say UTM is an additional capability that most vendors have now and are either flow or proxy-based antivirus (I think only one vendor has both). If Palo acknowledges this, they lose the marketing war. So the conversation has stayed on NGFW. I saw that one of the last posters said something like “Forti-Who?” and that really goes to show that their marketing is fantastic. I could go into a dissertation here about Fortinet and PAN being sister companies literally born from NetScreen, but that is too much for here. Also, F5 is a new competitor in town. They don’t really do NGFW, just firewall but they have a fast firewall product.

    Now, Palo has one of the best interfaces in town. They do some really cool correlation in their GUI and their reporting is top notch. So they make a pretty good device for the mid-market if you put them in-line. If you use them as a reporting tool only they can take on more, but PAN does not stand up under load because of the way they handle fast path vs. slow path (not to mention they use a generic Cavium FPGA which they did not engineer and it can run hot/expensive). The biggest problem they have is because of Intellectual Property (which they are already in hot water for). PAN, because of their engine, needs to push every session out of fast path that does not meet the previous hash for packets. So you introduce enough noise in TCP restarts and UDP congestion notifiers and the box will tip over from process switching all the packets.

    So, PAN is not the highest performance or lowest latency UTM/NGFW. I would venture to guess blows are being traded between Sonicwall and Fortinet for that title, but no one is paying much attention since their marketing engines don’t seem to match up. I did note that Checkpoint just came out with a new gen blade for their 61000 series chassis the m250. That might be able to deal with more firewall in a single chassis.

    I will say this, who out there can tell me who writes the antivirus engines for each of the companies or supplies each of them with signatures? That is the real key. You can make all the bad ass looking boxes you want, but unless your threat analysis and forensics are good, your UTM and IPS catch rates are high, your box is useless.

    That is the reason why FireEye, Fortinet, Checkpoint, and Sourcefire tend to be the choices of the military and government.

  28. Interesting article. I have found that same attitude towards Palo Alto with some of our customers. Marketing seems to be their strongest attribute.

    Most of the big players in the UTM space are doing the FW, VPN, URL filtering, IPS and Anti-x adequately, so the marketing aspect becomes the game changer.

    Cisco have fallen behind once again. Juniper SRX has been a disaster. SonicWall have made huge advances since Dell dumped money into them, Fortinet are well ahead of the game and Palo Alto are still making headway despite what I would consider an inferior product.

  29. Does any other firewall have the capability to filter traffic based on domain and send it to external DSL Network internal Company WAN?

  30. I think sandboxing / virtual execution environments are going to play a larger role in the NGFW/UTM space in the near future. Signature based AV and IPS are useful but are based on a dated model that will always be playing catch up with the bad guys.

    Fireeye have separate appliances for web/email/file that are not cheap at all. About 6 figures per box if I recall. They also did pretty poorly in the last shootout I read about them, although there’s plenty of large companies that rely on them (Target excluded!).

    Fortinet have come into the market with their FortiSandbox. From what I’ve read it performs well but it seems like it only works on a separate appliance. You can’t make use of this technology on the Fortigates themselves. Not exactly cheap either. Their cheapest model is almost $30K (

    I’m not a Checkpoint guy myself but it looks like they have this covered with their ThreatCloud emulation service. If anyone has any good/bad experiences with this let us know. Not sure on pricing on this, or anything else with Checkpoint. Not interested due to their horrendous licensing model.

    Palo Alto has their Wildfire service which works really well from a POC I’ve done. Their newest update adds new file types including office docs, pdfs, android apks etc and runs them in both XP and Windows 7 VMs. There’s a yearly subscription if you want to keep up to date, price depends on the size of the firewall.

    So it looks like Checkpoint and Palo Alto are the only ones that can do this natively at the moment. Any others? I think this really differentiates on what is ‘Next Generation’ or not.

    1. From what I understand, PAN and Checkpoint refused to participate in the NSS test, which makes me question their accuracy and capabilities. At this point, the only APT products we have hard data on are the ones from the NSS report. I am always inclined to “follow the data” vs “follow the marketing.” Moreover, I’d be skeptical about running sandboxing natively on the existing hardware. Sandboxing is profoundly CPU intensive. As such, it makes perfect sense to have a separate box or cloud-based version that can make use of dedicated resources.

      Sandboxing is part of the Security Analytics market and will converge with the other SA products. The UTM/NGFW vendors are in a good place to be part of that ecosystem, but as of right now, none of them are fully converged. That much being said, PAN has made some very savvy acquisitions lately and seems to have some grand vision in the works. So, they can remain a player, but they really need to put their products up for independent testing.

      1. Sorry by natively I mean that you don’t need a separate appliance to do the sandboxing. Both Palo Alto and Checkpoint firewalls use cloud based analysis for this purpose. I agree with your other points though.

        1. In the Gartner’s latest Enterprise Firewall MQ 2014, there is a statement:
          “Fortinet was one of the first firewall vendors to offer cloud-based sandboxing (in December 2012 with FortiOS 5)”

    2. Cisco’s approach is a little different – their sandbox lives off-box so it can be shared across their NGFW / IPS, email, web and endpoint solutions, you get to choose whether you want the sandbox in the cloud or on-prem depending on your compliance regime.

  31. My company used to have pfsense firewalls as the corporate firewall. Since the money spent on the Palo Alto Networks firewalls, we’ve wished for nothing but the pfsense firewalls to come back. Far more price and trouble than they’re worth, they don’t do what they claim and they perform terribly.

  32. PAN has a good technology with an amazing Marketing around it. Is this necessarily bad? I don’t think so. But just spend 20 mins reading PAN’s own documentation and you’ll see that most of their value proposition is just unfounded marketing.

    PAN irrupted the market with a very strong message of being a revolutionary technology. They based this message around some so called “innovations”:

    1) APP-ID will allow you to identify traffic based on application instead of the “old” protocol/port approach.

    From a security perspective this is a wrong approach and PAN acknowledged it when they recommended not using “any” as service. They found it the hard way after being hit by cache poison vulnerability.

    From a management standpoint, getting rid of port/protocol blocking as the first layer of defense is not only incorrect but also not applicable. Can you imagine an administrator letting pass only “allowed” applications and blocking everything else? How would unknown applications be handled? (believe me that there’re a lot of unknown applications in PAN). Border security follows by nature a positive model and trying to implement it using App-ID is a no go. PAN knows this.

    2) The single-pass architecture (SP3) integrates multiple threat prevention disciplines (IPS, anti-malware, URL filtering, etc.) into a single stream-based engine with a uniform signature format.

    SP3 is an IPS engine with additional signatures on it (those corresponding to viruses and URLs). Like any approach, it has its pros and cons. It’s good for improving performance (in comparison to proxying the traffic) but is bad from a security perspective. IPS and AV engines don’t work the same way and trying to do so of course has its downsides. Bypassing PAN’s anti-malware engine is pretty easy and straightforward. Have you seen any decent anti-malware benchmarks where PAN is mentioned?

    3) Content is processed only once, and performance remains steady even as additional Content-ID features are enabled.

    First: PAN does suffer performance impact when threat prevention is activated (usually drops to half the throughput). See their datasheets.

    Second: PAN publish performance numbers with DSRI (Disable Server Response Inspection) enabled. DSRI basically means that traffic going from server to client is not inspected. Guess what? Traffic from server to client tends to be the heaviest part of a communication (think about an HTTP request and an HTTP response) and is where the malware comes from. DSRI is enabled by default and is one of the most (intentional?) misleading configurations I ever saw in a networking device.

    Disabling DSRI has a huge impact in performance. A PA-7050 will go from 120Gbps to 60Gbps. This is publicly available information. Talking about more private information, I can tell you that PAN did horrible on any performance test I’ve seen.

    4) NGFW is Enterprise oriented while UTM is SMB

    Getting into the NGFW vs UTM discussion seems to me like a waste of time. The only thing I would say in this regard is that there’s no industry accepted definition for NGFW nor for UTM so arguing about products being classified as one or the other is a nonsense.

    Talking about Enterprise oriented products I wonder myself: Is DSRI an enterprise feature? Is not using port/protocol filter a good recommendation for enterprise segment? Is an enterprise product one that can go to 10Gbps of threat protection at the best (apart from the PA-7050)?

    PAN might be the best product for your business needs and that’s fine. Other people find that SonicWall, Cisco, Fortinet or even Juniper is the best for their needs. Just don’t say that PAN technology is cutting-edge because of App-ID, Content-ID, SP3, etc.

    1. Mariano…. it has been well over a year since your post. I hope you’ve had some time to think about the things you’ve said here.

      Who in their right mind would ever use DSRI for web browsing traffic? Are you insane? DSRI is for a scenario where you’ve got heavy traffic from two internal trusted servers, not browsing out to the web... come on, use your head!
      It could speed up transfer speeds over SMB.

      Many people develop exploits, like the last 666 ways to bypass a palo alto video, yet they are completely dependent upon misconfigurations of the product. They even read out the ‘suggested’ configuration steps from Palo Alto, but entirely skipped half of the document and went straight to the exploit.

      Also, no, enabling threat prevention does not cut throughput in half as someone had mentioned. The Palo Alto is not a CheckPoint and I’ve heavily used both.

      I’d encourage you to take another look and compare all of these products back to back. If you truly had before, you would have never typed the majority of your comment.

  33. I have worked on Cisco ASA, Checkpoint, Palo Alto and Bluecoat.
    I feel Palo Alto has a better web GUI in terms of ease of use.
    But their PAN DB is downright horrible. You can’t for sure compare it with Bluecoat’s URL filtering capabilities.

    1. Compared to other vendors? Fortinet do it and more in one device. There are loads of vendors that do it in one device, under the moniker of “UTM” or “NGFW”. Fortinet, Juniper, Sophos, etc.

  34. I’ve used a number of firewall and filter products and have now been using Palo Alto for the last 6 months.

    The best suggestion I have? Ignore the sales pitch and do your own testing, especially the User-ID design as it has some flaws compared to a traditional proxy SSO design.

  35. Just found your article from a while ago so I realize most people won’t read this far down on the comments section. That being said I just finished a bake off of Checkpoint, Fortinet, Cisco, and Palo Alto.

    For most of my testing roughly (80% of my 300 test cases) every firewall did what I wanted. That final 20% is where the differences started popping up. Ease of setup for advanced threats Palo Alto won hands down. Stopping more advanced threats, Checkpoint and Palo Alto. Ease of administration Palo Alto for advanced features Palo Alto again.

    I realize this isn’t very descriptive, though I will say this: I have been using ASAs most of my career or Fortinet. My network is 100% Checkpoint so the advantage was for Checkpoint to stay as my in-house solution. But when I put all 4 head to head Palo Alto won hands down. I will say this about Checkpoint: when using them as a traditional Firewall and for a higher throughput solution they will win every time over Cisco, Fortinet, and Palo Alto. But I care less about huge throughput and more about security…REAL security not just compliance security.

    Again just my opinion and what I found was from a straight up cost comparison yes Palo Alto is more expensive but for my org the delta between knowing that our data is MORE secure(not 100% obviously) is very satisfying to all my C- Level executives.

  36. Fortinet is rubbish. They were kicked off the common criteria list for cheating and look at the NGFW throughput, not the L3/L4 throughput. It ends up being about 4-5% of the starting number. Why do you think that is?

    1. Nearly every NGFW on the market has a similar performance drop.

      NSS labs (an independent testing group) has done ample NGFW tests, and Fortinet routinely comes out on top for performance and accuracy.

      Also, a quick check shows Fortinet is on the Common Criteria list. So your data seems wrong.

      That much being said, Fortinet is by no means perfect. PAN and others can best Fortinet in look and feel and ease of use. PAN’s Traps integration is compelling as well.

    2. Michael, have you used any of Fortinet’s Content Processor ASIC equipped accelerated models (not just the Network Processor ASIC equipped models)?

      Over the last 9 years or so, I’ve taken care of a bunch of 310B’s and 600C’s and I can say that they are phenomenal in performance. Even my little SoC2 based 60D at home is an amazing little performer, considering the price point.

      Given that Fortinet are one of the few companies using ASIC acceleration for the pattern matching required for NGFW tasks around AV, IPS, anti-SPAM, etc, I would expect their Content Processor equipped models to be the excellent performers that they actually are.

      I’m curious about this mention of them being kicked off the common criteria list. Can you elaborate on that? The only blatant cheating I am aware of, was from PAN, which they got slated for.

      Like Andrew, I agree that Fortinet could do better in some areas. For example, although I am not thrilled with the performance and value of Check Point, their logging is fantastic and I wish Fortinet was as good in that respect (I understand Fortinet have or are teaming up with Splunk, so this aspect might get amazing for them).

      But to say that Fortinet is rubbish, is just silly.

  37. I have a Palo Alto firewall and I am warning everyone out there to be careful of the hype surrounding them. Everything is great until you set up SSL Decryption, then you are in the world of a “house of cards”. One slightest incorrect policy and the thing blocks you with no warning, no logic, no error messages, nothing. The appliance is very buggy! The reports are useless and error logging is almost incomprehensible. Frankly, I’d go back to my old ISA if I could!

    1. Watch out for traffic/application denies on TLS sessions, where the block message is sent back in the TLS layer response and not the payload. A packet capture will show the block message, but the web page on the client will hang.

      1. It’s the mixed content pages that cause all the problems. It just seems to me they haven’t really developed a robust solution, it shouldn’t be this hard to implement stable policies. Everything is great when the policy complexity is low, but it’s a nightmare when you introduce any complexity.

  38. It’s painfully obvious you haven’t used a PAN firewall in production. To say that AppID is just a made up word with nothing behind shows your ignorance. What do you call making policy based on an application signature rather than simply port and protocol? You are a dolt with a fancy website.

  39. Happy PAN user here went from ASA and never looked back, not sure why so much hate on this blog. Seems like maybe some money has changed hands at some point 🙂

  40. I disagree somewhat even though I have only done a few PA deployments. I’ve been deploying CheckPoint and FortiGate for years. Based on my personal experience for firewalls, with regards to really having that single pane of glass to peer into, I would really say PA is far different because of its ability to truly look deep into your ingress/egress traffic without having to buy additional hardware or software. PA excels in this aspect. No doubt, it has run-of-the-mill specs for everything else, nothing beats PA in terms of having such depth of visibility. FortiNet has very similar capabilities but they require you to purchase the additional FortiAnalyzer appliance to be able to peer deeply into your traffic and see what’s really going on. Built-in FortiView is enough to see things from a high level though. I guess it boils down to price vs capabilities vs depth of protection. Overall considering the price point, I still see FortiNet as being the most viable where cost is a concern, else if you have the budget for PA, you should try to get it. PA is a “best to have” thing, rather than a “must have”. FortiNet can still do a pretty decent job too, with FortiAnalyzer and good solid configuration. FortiNet’s price point is above all still a winning point.

  41. I’ve been a long time user of Sophos but need more visibility on my traffic. I have only about 60 desktops and around a 100 mobile devices daily. I was given a choice between Fortinet and PAN. Basically a PA-220 or Fortigate 101E and FortiAnalyzer. I already wanted the PAN beforehand after looking at the traffic visibility. When I was given the pricing I said fuck Fortinet. The PA-220 with all the licences was $2200 whereas the Fortigate and FortiAnalyzer came to about $6000. Who said it was cheaper?

  42. “The PA-220 with all the licences was $2200 whereas the Fortigate and FortiAnalyzer came to about $6000.” – I believe the bulk of costs comes from the FortiAnalyzer. I disagree with Fortinet’s pricing for the FortiAnalyzer too. I think it’s way overpriced. They need to start looking into re-pricing it more competitively else more customers will start leaving Fortinet. Any Fortinet employees here? I hope you guys are listening, I’m a HUGE fan of Fortinet, and I know your firewalls are cheaper, but you guys need to re-think your pricing when it comes to other Forti appliances.

  43. Greetings from México.
    Perhaps you are right, but Palo Alto is not the only company that plays those dirty tricks.
    I remember when we bought the Cisco’s FWSM (Firewall Module for Catalyst 6500). In the ads the card almost flew. In the paper, the card had a unique “stateful sync feature” that allowed it to maintain the state information of thousands of flows and maintain the TCP connections even if the peer crashed, that was the reason because it was so incredibly expensive, because no other vendor had such feature…
    We went to a test to see the wonder-feature in action. We forced the provider to turn-off a card on the fly and…. Surprise!!! All TCP flows were lost.
    After that Cisco said that particular version of software had a bug that affected the operation of the wonder-feature, but soon it would be fixed. I cannot remember how many years passed to get the feature fixed.
