https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552951#M112471 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150709">@JASONWONG</a>,</P> <P>It's honestly not very often that you see someone make a comparison to an open-source free product versus a PAN firewall, the capability differences between the two are just going to be rather significant. Usually it's that someone wants to compare Firepower, Sonicwall, Fortinet, and stuff like that to PAN.</P> <P>Bluntly if a customer I was pitching PAN equipment towards honestly wanted me to compare it to something like pfSense, either it's going to be a very quick overview of differences or I'm going to need to start looking at other enterprise solutions. If a proposed solution is "free" (with the heavy caveat that time to implement and update will increase) versus a product that will have high yearly costs, you really have to know the people that are asking for the comparison and how you need to target the solution.&nbsp;</P> <P>&nbsp;</P> <P>Broadly, you could point towards the following basic quick items. Substitute pfSense with any other open-source solution, because they all have the same issue:</P> <UL> <LI>Turnkey Solution - pfSense needs a whole lot of add-ons and configuration to function anywhere near what PAN has to offer. That increases complexity and time to get everything configured and vetted, and even when that's done the capability of DansGuardian and ClamAV simply don't match what PAN is offering. (Again, know your audience, good enough at the cost of free&nbsp;<EM>can&nbsp;</EM>have a lot of appeal in SMB).</LI> <LI>Central Management - pfSense doesn't have central management capabilities like PAN does. You could setup PFMonitor, but that's not a pretty elegant solution and it's going to add a monthly cost to something that is "free".&nbsp; If you don't care about that or are good at scripting, you can get around some of that limitation.&nbsp;</LI> <LI>Culpability - If you deploy pfSense and there's an issue with it or an add-on, that culpability is on you. It's your chicken to catch and return to the pen; you won't really have that "PAN pushed a bad update, I'm waiting on them to fix it". If you don't know how to fix it or where the issue even is, that's a bad day and you don't have that many options to turned towards. "I'm trying to figure out the issue, but I don't know what's wrong and pfSense doesn't think it's an issue with their software" doesn't sound as good as "I've engaged vendor support and we're working through the issue".</LI> <LI>Add-Ons - I've said it a lot here, but something like pfSense depends on using add-ons to make it an okay security product. That's a double-edged sword when it comes to an administration aspect; you can add more capability to the product, but you also introduce more complexity. What happens when you have an issue with DansGuardian or ClamAV and their add-on, who do you call? What happens if something you've configured in pfBlockerNG causes an issue with pfSense and you can't figure it out? What happens when one of the add-ons that you're using isn't being supported anymore?</LI> </UL> <P>&nbsp;</P> <P>I'll also say this, there's a lot of SMBs where I've advised a properly managed pfSense installation over a Fortinet or PAN installation.&nbsp; When you get into that 10-15 people SMB or someone who isn't willing to actually renew subscriptions a properly managed pfSense installation&nbsp;<EM>can&nbsp;</EM>be a really good way forward. I'd rather someone pay for a managed pfSense installation than pay for a single year of PAN licenses and never renew the subscriptions or have the money for someone to actually manage things.&nbsp;</P> Tue, 08 Aug 2023 14:16:54 GMT BPry 2023-08-08T14:16:54Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552376#M112396 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Kindly how do we justify the benefit of Palo Alto Networks NGFW vs Open Source Firewall.</P> <P>&nbsp;</P> <P>Is there any whitepaper or battle-card?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 03 Aug 2023 09:18:12 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552376#M112396 JASONWONG 2023-08-03T09:18:12Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552739#M112434 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150709">@JASONWONG</a>&nbsp;,</P> <P>&nbsp;</P> <P>Which Open Source Firewall is in question?&nbsp;</P> Mon, 07 Aug 2023 08:27:06 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552739#M112434 JayGolf 2023-08-07T08:27:06Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552951#M112471 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/150709">@JASONWONG</a>,</P> <P>It's honestly not very often that you see someone make a comparison to an open-source free product versus a PAN firewall, the capability differences between the two are just going to be rather significant. Usually it's that someone wants to compare Firepower, Sonicwall, Fortinet, and stuff like that to PAN.</P> <P>Bluntly if a customer I was pitching PAN equipment towards honestly wanted me to compare it to something like pfSense, either it's going to be a very quick overview of differences or I'm going to need to start looking at other enterprise solutions. If a proposed solution is "free" (with the heavy caveat that time to implement and update will increase) versus a product that will have high yearly costs, you really have to know the people that are asking for the comparison and how you need to target the solution.&nbsp;</P> <P>&nbsp;</P> <P>Broadly, you could point towards the following basic quick items. Substitute pfSense with any other open-source solution, because they all have the same issue:</P> <UL> <LI>Turnkey Solution - pfSense needs a whole lot of add-ons and configuration to function anywhere near what PAN has to offer. That increases complexity and time to get everything configured and vetted, and even when that's done the capability of DansGuardian and ClamAV simply don't match what PAN is offering. (Again, know your audience, good enough at the cost of free&nbsp;<EM>can&nbsp;</EM>have a lot of appeal in SMB).</LI> <LI>Central Management - pfSense doesn't have central management capabilities like PAN does. You could setup PFMonitor, but that's not a pretty elegant solution and it's going to add a monthly cost to something that is "free".&nbsp; If you don't care about that or are good at scripting, you can get around some of that limitation.&nbsp;</LI> <LI>Culpability - If you deploy pfSense and there's an issue with it or an add-on, that culpability is on you. It's your chicken to catch and return to the pen; you won't really have that "PAN pushed a bad update, I'm waiting on them to fix it". If you don't know how to fix it or where the issue even is, that's a bad day and you don't have that many options to turned towards. "I'm trying to figure out the issue, but I don't know what's wrong and pfSense doesn't think it's an issue with their software" doesn't sound as good as "I've engaged vendor support and we're working through the issue".</LI> <LI>Add-Ons - I've said it a lot here, but something like pfSense depends on using add-ons to make it an okay security product. That's a double-edged sword when it comes to an administration aspect; you can add more capability to the product, but you also introduce more complexity. What happens when you have an issue with DansGuardian or ClamAV and their add-on, who do you call? What happens if something you've configured in pfBlockerNG causes an issue with pfSense and you can't figure it out? What happens when one of the add-ons that you're using isn't being supported anymore?</LI> </UL> <P>&nbsp;</P> <P>I'll also say this, there's a lot of SMBs where I've advised a properly managed pfSense installation over a Fortinet or PAN installation.&nbsp; When you get into that 10-15 people SMB or someone who isn't willing to actually renew subscriptions a properly managed pfSense installation&nbsp;<EM>can&nbsp;</EM>be a really good way forward. I'd rather someone pay for a managed pfSense installation than pay for a single year of PAN licenses and never renew the subscriptions or have the money for someone to actually manage things.&nbsp;</P> Tue, 08 Aug 2023 14:16:54 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-networks-ngfw-vs-open-source-firewall/m-p/552951#M112471 BPry 2023-08-08T14:16:54Z