Reply
Highlighted
L6 Presenter

Negative experience from PA/PAN?

Of course there are no such thing as bugfree soft/hardware (perhaps with the exeption for that kernel which Gernot Heiser at Open Kernel Labs is involved in (http://www.etn.se/images/expert/Gernot_Heiser_OK_Labs.pdf) which is mathematical proven to be bugfree ;-) which then comes down to how the supportorganisation works to handle the customers and fix the bugs who are found.

In this forum we can also see that PA is constantly trying to improve how support works (for example a few months ago there were some issues with phonesupport).

When I was googling for some input regarding VPN between PA and TMG (another thread in this forum) I stumbled upon a thread in Ciscos supportforum which have both good and bad things to say about PA.

What draw my attention was the (currently) last post in that thread made by "thaer.ontabli" at "Mar 13, 2012 7:35 AM (in response to david.tran@finra.org)".

In that post there is a summary of a couple of supportcases (along with case-id's) which I wonder if someone from PA can tell me/us some more about?

For example 5 months handling time is in my opinion at bit too long, has this been addressed since these particular cases occured (or was the long handling time, for example, due to slow responseness from the customer - for example if PA answers within 24hours and then it takes 1 week to get the response back from the customer)?

But also the remaining issues which are mentioned (with OS 4 released) - is it possible to get a comment from PA on these aswell?

The thread in question: https://supportforums.cisco.com/thread/2011246

The case-id's mentioned:

1) Userlogging: 15350, 21993, 30788
2) QoS not working for application grouping: 22967, 23047
3) Web, SSL VPN and Captive Portal crashing: 32874

Highlighted
L6 Presenter

Re: Negative experience from PA/PAN?

Here is that post from Cisco forum in question (in case someone is too shy to click on the above link ;-)

"

thaer.ontabli
5 posts since
Mar 20, 2011

Mar 13, 2012 7:35 AM (in response to david.tran@finra.org)
ASA's vs Palo Alto firewalls?

This is my experience with Palo Alto:

A PA Engineer spec’ed out two 2050 for our environment of approx. 1000 user. Soon after the box was installed I discovered a couple of issues with their 3.x OS:

1 ) User activity report not giving accurate reporting, it’s all messed up and doesn’t match what’s in the log. Support confirmed it’s a bug and I filed three cases (every time I escalate or they tell me they have a fix I had to open another ticket ) case# 15350, 21993, 30788. The case took more than 5 months and was never fixed until OS 4 was released

2 ) QoS does not work when you filter application with application grouping. Alternate is you have to enter every application manually in a rule to filter out for example all P2P applications need to be entered in a rule instead of grouping all P2P in an object. Case was open for more than 5 months until it was fixed in OS 4. Case # 22967, 23047

3) Web, SSL VPN, captive portal services crashes. Service crash for some reason and the fix for it with OS 3 were for me to call support and have them login and restart the service for me. Was very frustrating as more than 6 months past with support and engineers having no idea what’s going on. A lot of cases were open and closed. Case # 32874

With OS 4 released:

1 ) still having issues with web, ssl, and captive portal service crashing. Now with OS 4 they made the services auto restart so I don’t have to call them, but now the problem the service is crashing in the back end three times a day causing the services to be unresponsive which I think is related to the next case

2 ) Gui or CLI interface very slow and impossible to apply any changes during daytime without having the commit job fail two or three times. Called support and they think it’s a bug with the software OS 4. Now its release 4.1.3 and still no fix or clue as to what is wrong.

3 ) VPN Global Protect is ridiculous. Client would act in a weird way by going into infinite state of trying to connect. On some client it will just not work until the client machine is formatted. Now its Global Protect release 1.1.3 and still no fix.

There a lot more smaller issues not worth mentioning as there is a work around to them or you can ignore them.

I had my sales rep involved with all these cases and was not able to do anything to expedite or get a firm ETA with Palo Alto support. My sales rep was able to get me a demo of PA4050 which seemed to resolve 80% of the problems, so I went back to support and told them if a PA4050 fixed the problem doesn’t that mean the engineer undersized the box for our environment. They kept refusing that idea and claiming there is a bug with the OS. Now after two years it got to a point where it’s just a waste of time to go back to support that I just closed all the cases and working on slowly replacing the system

"

Highlighted
L0 Member

Re: Negative experience from PA/PAN?

I have never dealt with tech support but can say an IT person I know stated that he has had excellent support, they take ownership like it is their network, etc.

Bob

Highlighted
L3 Networker

Re: Negative experience from PA/PAN?

It's certainly a shame that you feel you have got to the stage where the issues you have listed mean that you're now wanting to replace the devices. I do though appreciate that the features that others consider 'additional' can actually make or break the success of the implementation. For us, Policy Based Forwarding was a key item for us and we've been fortunately very happy with how it has worked.

What I would say is that while a company is quite young, like Palo is, there is quite the risk that everyone is very evangalistic about the company and perhaps all too ready to smooth over any issues. This is a bad thing. PAN will be a success if it takes on board all the feedback it gets as almost always users who bother to post here do so with a genuine desire to get their devices working well.

My personal experience with the Palo Support is that they know what they're doing. Unfortunately we have to go through a middle man support company who just sits and listens on the support calls, but they guys in the US I've spoken with have been able to resolve my problems or be honest about where the product has gaps in features.

So, to the oringial poster, I'd say, don't give up - they devices are very good and have many good feaures, especially with the latest software versions. Forget 3.x it's not worth bothering with when 4.x has so many improvements.

to Palo chaps, keep listening to everyone on this board as we really do want our expensive purchases to be a success and don't ignore the moans!

UKRB.

Highlighted
L6 Presenter

Re: Negative experience from PA/PAN?

Just to clearify, its not me who wrote that post over at Cisco forums.

Highlighted
Palo Alto Networks Guru

Re: Negative experience from PA/PAN?

I am really sorry that some folks are posting on other forums about Palo Alto Networks experience.  I think that this particular customer has had many interactions with our support and has unfortunately found some bugs that required changes that were too large to put in a maintenence release.  This was the root cause of the long closure times.  I went through each case listed and here are my notes.  Hope this helps folks understand that we are very customer focused and work diligently to create the best product on the market. 

15350 – solved within 60min

21993 – solved within 60min

30788 – Worked with the customer, did debugging sessions with engineers on their system and made a fix that could not be back ported and required an upgrade so it took a while to close the case. 

22967 – solved within 90min

23047 –This case required engineering to debug on their device as well and led to a fix that could not be back ported, and therefore the customer had to upgrade for the fix. 

32874 – This was a complicated case that had over 100 comments (between support and the customer) on the case over a period of months with much engineering interaction an eventual bug fix that again was too large to put in a maintence release. 

Highlighted
L4 Transporter

Re: Negative experience from PA/PAN?

Hello,

Just give me my own experince with PA.

I'm woking some in security area with more than 10 years with firewall vendors like Cisco, Juniper, Fortinet, Checkpoint, Sonicwall and...PA

PS : PA, Checkpoint and Fortinet are the only product we distribute now...

First, bug free IS IMPOSSIBLE !

Second, if possible and if you don't need it, avoid installing Early release software. Also avoid selling new hardware modem. Wait 2 or 3 releases patch..

If some critical features (like SSL VPN for example) for your business are required maybe it's better to choose another device (sometimes brand) to handle this function (in the SSL VPN case, we use Juniper SSL VPN).

We have already deployed many PA (PA-500, cluster or single) firewalls and ALL of them are working fine.

Some people complains about slow commit, slow GUI BUT never had production/business impact...

Regards,

Hedi

Highlighted
L4 Transporter

Re: Negative experience from PA/PAN?

I agree with Hedi. There is always room for improvement but bug free is impossible. I have only had one bug that caused user impact greater than a few minutes during a failover and that was with a failover link bug. I've run into my share of bugs but only that one time did it have a critical business impact. The benefit is they are always very knowledgeable and you rarely if ever have to ask them to escalate because they don't care about closing the call out on their own, they care about getting you the resolution you are seeking. Sometimes you might have to wait for a release, but... it hasn't been the end of the world.

I also agree that PAN isn't always the right solution particularly with VPN or SSL VPN. I use several vendors to accomplish my full perimeter security. However what I like about PAN the most is their vision. Yes, Cisco has an app level firewall now but it is still just a band-aid redirect to a supplemental appliance module running a separate OS and separate management from the ASA. So, you have to upgrade to the firewall that supports it and then Cisco's favorite thing... pay them MORE for the optional equipment, licensing, and maintenance. The only drawback of PAN not having a nickel and dime you philosophy is you can't get an inexpensive firewall like the ASA 5505 for small or home offices.

Everyone I have worked with at PAN TAC has been great to over the top. Keep up the good work guys!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!