07-12-2017 12:06 PM
Any thoughts or insights why Palo Alto dropped their ratings/score on the 2017 NSS Labs NGFW report?
https://www.nsslabs.com/research-advisory/security-value-maps/2017/ngfw-svm-graphic/
Please share as we will be kicking off our evaluation process. Thanks.
07-12-2017 01:09 PM
I had a meeting with the NSS engineers a few weeks back when the report was released, and the explanation was that it failed or did not do well during the evasion tests.
07-13-2017 08:30 AM
From what I heard, they already addressed the identified issues. It is also written in the box in the bottom left corner of the graphic:
The following vendors developed fixes, which NSS has subsequently verified address the identified issues: • ... • Palo Alto Networks • ...
07-13-2017 08:31 AM
Thank you.
I hope we can get Palo Alto's view on the report. It would be hard to push for Palo Alto if they don't have a response to the report. Thanks.
07-13-2017 10:12 AM - edited 07-13-2017 10:24 AM
I believe that their response would be exactly what @Anon1 already pointed out; they have addressed issues raised by the report already.
** Edit **
I'm going to add the actual graph so that others don't have to go through the process of getting a hold of it and can just view it here. I think it's an important note here that the PAN-OS tested was 8.0.0. Everyone that works with Palo products should recognize that the 8.0.0 release was never a recommended release. I'm not attempting to sound like a Palo fanboy here (although in all likelihood I am), but I find the fact that NSS tested non-recommended releases in a comparison test rather strange. A comparative test would be to test all of the products not on the latest release but on the latest recommended release to actually see what the product is capable of.
07-14-2017 01:12 AM
Since they tested the brand new PA-5250, they could not test with 7.1.x.
Minimum PAN-OS version for the new hardware models is 8.0.
07-18-2017 10:37 AM - edited 07-18-2017 10:37 AM
@rrealica I don't think you'd get an official response here from Palo. Your best bet would be to talk to your account SE.
For what it's worth, I've worked with CheckPoint, Sidewinder, ASA, Juniper, and Palo Alto firewalls; IMO Palo has been the best all-around FW to manage.
Cisco only acquires and hasn't yet figured out how to fit a square peg in a round hole. I didn't mind the CPs, but the integration of Palo's feature sets from what I've seen is the best.
Sure, every vendor will have their shortcomings, but if you put the appliances on par and test them equivalently I doubt you'd see Palo lose.
Don't let a vendor sell you a product based upon what the documentation says it can do.
07-20-2017 08:07 AM
This is just one factor for our evaluation; thanks for all the feedback.
07-21-2017 03:26 PM
@rrealica, everyone,
Thanks for your questions. I work for Palo Alto Networks and wanted to share the following:
@rrealica, I see that you are about to start your evaluation process. As I’m sure you realize, the best way to determine the full impact of a security product is to evaluate the product in your own network where your corner cases are included in the assessment. This is the best way to understand the prevention capabilities and performance using applications and traffic mixes that are actually seen in your environment, as well as understand the true costs and savings, both capital and operational.
Please let your Palo Alto Networks systems engineer know if we can help you in any way.