03-29-2017 01:07 PM
I would like to request assistance from anyone who has had experience with different firewall vendors and currently is a Palo Alto firewall user as I'm not a firewall expert whatsoever.
I'm considering buying a Palo Alto 850 Series firewall over a Fortigate 200E firewall to handle up to 1 Gbps of traffic with any and eventually all security features enabled, but I'm having a tough time understanding the different throughput jargon that Sales engineers and reps put out there to make a sale. The Palo Alto sales representative that visited us strongly claims that the throughput of their firewalls is NOT affected AT ALL when security features are turned on such as Threat Prevention, App ID, IPS, etc. versus any other vendor out there such as Fortinet (which I found hard to believe.)
So we pulled up the sales documentation for Palo Alto firewalls and they have different throughput numbers when AppID is enabled, another number for when Threat prevention is enabled, and so forth. The sales representative came back saying that the numbers are published running ideal tests using 64 Kb HTTP transactions and that the throughput is much higher when the payload is bigger as it usually happens in the real world, but now approvals to buy equipment are halted because of the disparage in information available and the distrust for sales engineers often making unsubstantiated claims in order to close the sale.
Can anyone shed light on this? To be more exact:
-What has been your experience with the real world throughput of the Palo Alto firewalls you manage?
-What did you use to judge the performance of the devices when the numbers given during sales pitches are coming from ideal conditions using small transactions?
-What has been your Palo Alto tech support experience? Are they so big that wait times to get the right engineer are in the hours even before a call back (think Cisco) or do you get an engineer right away?
-Comparing support costs to other vendors such as Fortinet, Palo Alto firewalls are 3 to 4 times more expensive, but do you think it's been worthwhile for your business to stay with Palo Alto over any other vendor?
I really appreciate your input here and thanks for your time!
03-29-2017 01:49 PM - edited 03-29-2017 02:16 PM
@Techlove It is difficult to compare firewall, since every company network traffic pattern is different. The PAN 850 spec sheet stated as 1.9Gbps firewall throughput (App-ID enalbed) and 780Mbps threat prevention througput. That is the best case, if the firewall is passing 780Mbps with Threat prevention enabled, the data plane processor will be close to 100%. It is best to leave some headroom for other situtation (ie DDOS attack or strange thing happening on the network) .
Throughtput is just one important benchmark factor. Please also consider about the WebUI, CLI syntax. Does it have all the reports that you needed. How easy to look for logs and apply filter. How easy is it to troubleshoot traffic problem. The ability to use API to help manage the firewall. Also, the different between the features and the total cost of ownership for 5 years (hardware + 5 years support + subscription licenses) as well.
My experience with PAN firewall, PAN is on point of the spec sheet. Support depends on what time and which day that you called in, hold time could various. Support has been generally good for the last 4 years. In my option, it takes them a long time to fix bugs, also the early release of the code has been buggy (5.0, 6.0, 6.1, 7.0, 7.1) . But it get better over time just like any other vendors.
03-29-2017 05:32 PM - edited 03-29-2017 05:42 PM
>What has been your experience with the real world throughput of the Palo Alto firewalls you manage?
I wish I had a scientific answer for this, but I don't. What I can tell you about what you've been told (and I'm probably just regurgitating information) is this. First, AppID is always active. This is the core concept behind the Palo Alto NextGen firewall. The rule of thumb is that when Threat Prevention is enabled (in any capacity), the total theortical maximum bandwidth is halved, give or take. The argument about the HTTP testing is because Palo Alto wants you to know that their measurements come tests that simulate real world traffic, it's not pure bytes as there is tremendous overhead in typical TCP traffic, so PAN's philosophy is to base tests on the worst possible conditions in an effort to produce a number they feel comfortable with as a result. In reality, the boxes should be able to handle more than promised, as they'd rather undersell the product and leave customers happy rather than oversell and make customers upset.
>What did you use to judge the performance of the devices when the numbers given during sales pitches are coming from ideal conditions using small transactions?
The only real world information I can share is I have a 220 at home and the promised throughput with Threat Prevention is 150Mbpbs and it hasn't affected my 100Mb connection at all (I just ran speedtest.net and it peaked at 111Mb for me).
>What has been your Palo Alto tech support experience? Are they so big that wait times to get the right engineer are in the hours even before a call back (think Cisco) or do you get an engineer right away?
I can directly compare Cisco ASA support to Palo Alto support and I know exactly what you mean. With Cisco, you can get someone on the line by calling them and making it a level 1 or 2 call and waiting on hold for 10-15 minutes after going through the negotiation process with the non-support agent that answers the call. With Palo Alto, you call and the person that answers the phone is the one who will help you, and they aren't a level 1 type person either, they generally know their stuff. It hasn't necessarily been 100% with me, but I wouldn't hesitate to say I have at least a 90%-95% satisfaction rate with them. I've never had to wait for more than 5 minutes to get someone from PA on the line.
For lesser, maybe less technical issues, my SE has been tremendously responsive as well.
>Comparing support costs to other vendors such as Fortinet, Palo Alto firewalls are 3 to 4 times more expensive, but do you think it's been worthwhile for your business to stay with Palo Alto over any other vendor?
Even though in my environment, we have Checkpoint, Juniper and ASA (in the process of migrating completely to Palo Alto), my only real experience has been with ASA when it comes to firewalls and it really is night and day. Based on my admitedly limited experiences, conceptually, I think PAN is second to none on just about every level (probably including the high cost). Whether or not the investment is worth it, is completely for you to decide, but you can buy into the 220 lab version for a very modest investment and see for yourself.
And just to add, another massive strength for PA is WildFire (cloud version, not on-prem). I've heard SEs and reps from other vendors (including those from competitors) commend WildFire as a viable sandboxing technology.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!