NSS Labs NGFW 2017 report

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

NSS Labs NGFW 2017 report

L1 Bithead


Any thoughts or insights why Palo Alto dropped their ratings/score on the 2017 NSS Labs NGFW report?



Please share as we will be kicking off our evaluation process. Thanks.



I had a meeting with the NSS engineers a few weeks back when the report was released, and the explanation was that it failed or did not do well, during the evasion tests.

L4 Transporter

From what I heared they already addressed the identified issues. It is also written in the box bottom left corner of graphics:

The following vendors developed fixes, which NSS has subsequently verified address the identified issues: • ... • Palo Alto Networks • ...

Thank you.


I hope we can get Palo Alto's view on the repor. It would be hard to push for Palo Alto if they don't have a response to the report. Thanks.


I believe that their response would be exactly what @Anon1 already pointed out; they have addressed issues raised by the report already. 


** Edit **

I'm going to add the actual graph so that others don't have to go through the process of getting a hold of it and can just view it here. I think it's an important note here that the PANos tested was 8.0.0. Everyone that works with Palo products should recognize that the 8.0.0 release was never a recommended release. I'm not attempting to sound like a Palo fanboy here (although in all likelihood I am) but I find the fact that NSS tested non-recommended releases in a comparison test rather strange. A comparative test would be to test all of the products not on the latest release but on the latest recommended release to actually see what the product is capable of. 


L4 Transporter

Since they tested brand new PA-5250 they could not test with 7.1.x

Minimum PAN-OS version for the new hardware models is 8.0

@rrealica I don't think you'd get an official response here from Palo.  Your best bet would be to talk to your account SE.


For what it's worth.  I've worked with CheckPoint, Sidewinder, ASA, Juniper, and Palo Alto firewalls IMO Palo has been the best all around FW to manage.


Cisco only acquires and hasn't yet figured out how to fit a square peg in a round hole.  I didn't mind the CPs, but the integration of Palo's feature sets from what I've seen is the best.


Sure every vendor will have their short comings, but if you put the appliances on par and test them equivalently I doubt you'd see Palo lose.  


Don't let a vendor sell you a product based upon what the documentation says it can do.


This is just one factor for our evaluation; thanks for all the feedback.

L1 Bithead

@rrealica, everyone,


Thanks for your questions. I work for Palo Alto Networks and wanted to share the following:


  • The 2017 NSS Labs Next-Generation Firewall Test Report results reflect 6 missed evasions out of more than 1,000 attacks.
  • As soon as we were informed of the misses, our engineering team collaborated with NSS to detect and block the missed evasions. Within two weeks, we released Content Update 699 which blocked all evasions tested by NSS. NSS Labs has tested this Content Update.
  • Please feel free to read our full report from NSS to verify this, or get in touch with your Palo Alto Networks systems engineer, who can share more documentation.
  • We recommend that you use Content Update 699 or later on your Palo Alto Networks Next-Generation Firewall.


@rrealica, I see that you are about to start your evaluation process. As I’m sure you realize, the best way to determine the full impact of a security product is to evaluate the product in your own network where your corner cases are included in the assessment. This is the best way to understand the prevention capabilities and performance using applications and traffic mixes that are actually seen in your environment, as well as understand the true costs and savings, both capital and operational.


Please let your Palo Alto Networks systems engineer know if we can help you in any way.

  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!