Topic: Palo Alto Next generation Firewalls

[deanb]

Hi everyone

has anyone any experiences with Palo Alto Next generation Firewalls to share? It's not just rule/port based machine (L3) like any other firewall. What about choosing over SSG series or SRX?

http://www.paloaltonetworks.com/products/pa500.html

[c3lin3]

We plan to evaluate these devices. At least they have great marketing

I love the presentations of Nir Zuk - especially when he compares the Checkpoints, Ciscos, and Whatevers out there with a straight ethernet cable.

Currently I cannot find some features in their portfolio (not verified):
- VPN Manager in der Central Management
- Special kind of VPNs: Auto Connect VPNs/Group VPN (Juniper), DMVPN, GETVPN (Cisco)
- and a lot more ...

For me their product looks more like an add-on than a replacement of a traditional firewall/router.

As soon as I have configured one of these devices I will update this post.

[kcullimo]

Pointing out a device's lack of add-on functionality and deeming it best classified as an add-on device would appear to make for a challenging eval process. I've not encountered situations where purchasing decisions are made based upon extensive add-on functionality, but some customers (typically, ones with generous budgets) are happy with
1. performance
2. classifying packets based upon transport-layer payload, potentially leading to more granular forwarding decisions

[c3lin3]

You call it extensive add-on functionality - I call it essentials for a security device 

[deanb]

How much costs this devices (price range)?

[c3lin3]

Starting at Palo Alto Networks PA-500 $ 3,735.00
Ending at Palo Alto Networks PA-4060 $ 66,400.00

The PA-500 is doing things in software which all other models do in hardware.

The model after the PA-500 is the PA-2020 ($ 9,960.0)

All prices are without any discount.

[kcullimo]

My use of "exstensive add-on functionality" wasn't referring to the list of features you outlined. Traditional routers & firewalls didn't terminate virtual connections at all, so I'd hesitate to equate them with modern "security devices." It still seems to be the case that you'd only spend that much money if you cared about the L5-7 filtering functionality, which didn't fall under the purview of ANY traditional router/firewall offering.