topic Re: POC Plan in General Topics

POC Plan

aggeios — Wed, 03 Oct 2012 16:51:34 GMT

Hui

Was wondering if anyone has a POC Plan/Criteria Sheet to test PA5020 against Fortinet & Sonicwall.

Appreciate alll the help.

Thanks

Manoj

Re: POC Plan

arkadios — Wed, 03 Oct 2012 19:36:32 GMT

Hi,

To have a POC Plan, you need to read about TAP Mode (with mirror or span port), this mode is the best way to test PA against another firewall,

greetings

Marco.

Re: POC Plan

mikand — Thu, 04 Oct 2012 08:06:32 GMT

Or by plan do you mean things to test which the PA can do and the others might fail at?

I hope your sales engineer should be able to give you such a list.

There is a (by now somewhat old) document crated by PA in response to Checkpoints various claims of what PA does or do not. This doc will give you some hints on what to verify which at least Checkpoint cannot handle.

There is also the "techbusters" episodes which might bring you some ideas:

http://media.paloaltonetworks.com/documents/TechBusters-Episode-1.pdf

http://media.paloaltonetworks.com/documents/TechBusters-Episode-2.pdf

http://media.paloaltonetworks.com/documents/TechBusters-Episode-3.pdf

http://media.paloaltonetworks.com/documents/TechBusters-Episode-4.pdf

http://media.paloaltonetworks.com/documents/TechBusters-Episode-5.pdf

Palo Alto Networks — TechBusters: Check Point Myths Busted!

I dont know how Sonicwall handles this but I know that Fortinet, at least previously, could only do buffered antivirus scanning. Meaning the whole file must be downloaded first before the scan can proceed. This also meant that various models hade various limits on how large files (and how many concurrent large files) they could scan.

PA uses streambased scanning which means virtually no upper limit on how large the files which will be scanned can be - but on the other hand not all fileformats can be scanned this way.

Edit: I forgot about Wildfire. Hopefully in future Wildfire will be available as a local installation (so your sensitive stuff isnt sent to the cloud on internet (currently Amazon) but stays in your datacenter) and by that Wildfire will hopefully be able to deal with antivirusscanning aswell (and not only analyze runnable code).

Another hope is when or if PA will support ICAP because then you can get one (or two) ICAP servers running your choice of antivirus (no matter if its Kaspersky or something else) and by that cover the buffer based scanning.

Re: POC Plan

licenselu — Thu, 04 Oct 2012 09:18:43 GMT

Hello,

Just to clarify :

"Fortinet could only do buffered antivirus scanning."

That's not true ! Fortinet can also do stream based scanning BUT cannot scan compressed file (like zip file for example).

If application control is key of the project, there's ONLY one way: Palo Alto.

Another benefit is the single path architecture, even if you enable all 'UTM' features like AV, IPS, etc the throughput remains constant

Other brand are based on an overlay model: more features you add, less performance you have.

PA benefit over Fortinet and Sonicwall

- Does not provide user feedback when an application is blocked (page simply times out). Could lead to high numbers call from end users...

- Does not allow to use directly AD group name in the policy (need to a group locally then create the mapping between local and AD group)

- Does not allow to use AD user in the policy (only groups though group mapping)

- Fortinet : Flow based AV does NOT scan compressed files (ZIP, etc). Sonicwall: can't remember...

- Exception for SSL Insection must be done in CLI (Fortinet). Sonicwall: can't remember...

- Reporting needs an extra box (FortiAnalyzer for Forti and Viewpoint for Sonic).

Hope it can help you

Regards,

Re: POC Plan

mikand — Thu, 04 Oct 2012 09:49:10 GMT

Perhaps Fortinet can do this today - not when I evaluated them autumn 2009 and explictly asked them about their scanning capabilities.

And according to your reply it seems that they still have issues regarding this (not able to scan zip files? they could do this back in 2009 - or is this an option if you want streambased or bufferbased today?).

Anyway this was to point out that it isnt as simple as "Antivirus? Yes!" because it drills down to how the antivirus scanning is being performed and which limits it might offer based on which major technology is being used (streamed vs buffered).

Also I dont get your lines in the "PA benefit over Fortinet and Sonicwall", do you mean that the PA doesnt provide user feedback (because they do but of course it depends on which protocol is being used) or do you mean that Fortinet and Sonicwall doesnt provide user feedback? 🙂

Re: POC Plan

licenselu — Thu, 04 Oct 2012 10:03:54 GMT

Hello,

Sorry for the confusion.

Fortinet and Sonicwall

- Does not provide user feedback when an application is blocked (page simply times out). Could lead to high numbers call from end users...

- Does not allow to use directly AD group name in the policy (need to a group locally then create the mapping between local and AD group)

- Does not allow to use AD user in the policy (only groups though group mapping)

- Fortinet : Flow based AV does NOT scan compressed files (ZIP, etc). Sonicwall: can't remember...

- Exception for SSL Insection must be done in CLI (Fortinet). Sonicwall: can't remember...

- Reporting needs an extra box (FortiAnalyzer for Forti and Viewpoint for Sonic).

Regards,