Firewalls have evolved over the last 20 years from stateless packet-based processing to stateful firewalls, which were still based on ports and protocols. The next evolution was the Next Generation Firewall (NGFW), a term coined by Palo Alto Networks. NGFWs are what's known as "application aware."
Some legacy firewall vendors layered NGFW functionality on top of their legacy architecture, but the additions simply consumed more resources and lowered the performance of the firewall. Others tried to overcome this by using ASICs (application-specific integrated circuits) that merely do raw-packet processing, claiming to be the "fastest firewall in the industry."
These vendors claim superior performance compared with their competitors on the basis of TCP/UDP (Transmission Control Protocol/User Datagram Protocol) throughput, raw packet latency, and similar figures, without mentioning that these numbers exclude any security processing. The network security industry is also still lagging behind in appropriately representing the performance of firewalls, and customers are often misled into choosing a vendor based on flawed claims published in datasheets.
Palo Alto Networks has taken a different approach to firewalls from its inception. We have architected our product differently from the legacy vendors by fundamentally changing how we process the data with Single Pass Architecture.
In real-world deployments, unlike networking gear such as switches and routers, firewalls are required to inspect and process traffic from a wide range of applications. It has been our long-standing position that raw L3/L4 throughput measured without threat inspection turned on is not a correct parameter for measuring the performance of NGFWs. This is why we have always guided the performance of our firewalls with Threat Prevention enabled.
PA-400 Series ML-Powered NGFWs and the Miercom Report
The recently launched PA-400 series ML-Powered NGFWs are purpose-built for small office locations, both distributed enterprise branches and SMB customers. We worked with Miercom, a network and security testing company that performs and publishes independent analysis, research and reviews, for an independent assessment of our PA-400 series performance in real-world deployments versus Fortinet's similarly priced Fortigate platforms. The Miercom report shows the impact of using realistic deployment scenarios when evaluating the performance of firewalls.
The Miercom report proves that along with significant savings, customers do not have to choose between security and performance with PA-400 series NGFWs.
What’s in the Miercom report?
Here are the key findings from the Miercom report on Palo Alto Networks' PA-400 Series:
PA-400 series devices saw up to 6x higher throughput across the parameters tested.
On single-application tests, the PA-400 series consistently achieved low performance degradation, while Fortinet failed the SIP and FIX tests.
PA-400 series devices provide up to 9x lower Total Cost of Operations compared to their equivalent Fortigate platforms.
Digging a bit deeper in the report, here are some of the other findings:
Fortigate platforms' session capacity dropped significantly (up to 97%!) when services were enabled (section 5.4.1).
Fortigate platforms are undeployable if some of the common services relevant to SMB deployments, such as SIP and FIX, are needed (section 5.3).
The PA-400 series NGFWs, in contrast, achieved consistent performance with security processing enabled, surpassing Fortigate platforms in most of the tested parameters.
In addition to the Miercom report, in the 2019 NSS NGFW report (the last independent assessment published by NSS before they ceased operations), Palo Alto Networks firewalls achieved the highest security efficacy results compared with all the vendors participating in the test.
We are excited to share these findings because they validate that Palo Alto Networks not only provides the industry's most comprehensive security platform, but also consistent performance for our firewalls at the lowest total cost possible.