Palo Alto Networks NGFW VS Open Source Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Palo Alto Networks NGFW VS Open Source Firewall

L1 Bithead

Hi, 

 

Kindly how do we justify the benefit of Palo Alto Networks NGFW vs Open Source Firewall.

 

Is there any whitepaper or battle-card?

 

Thanks.

2 REPLIES 2

Community Team Member

Hi @JASONWONG ,

 

Which Open Source Firewall is in question? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

@JASONWONG,

It's honestly not very often that you see someone make a comparison to an open-source free product versus a PAN firewall, the capability differences between the two are just going to be rather significant. Usually it's that someone wants to compare Firepower, Sonicwall, Fortinet, and stuff like that to PAN.

Bluntly if a customer I was pitching PAN equipment towards honestly wanted me to compare it to something like pfSense, either it's going to be a very quick overview of differences or I'm going to need to start looking at other enterprise solutions. If a proposed solution is "free" (with the heavy caveat that time to implement and update will increase) versus a product that will have high yearly costs, you really have to know the people that are asking for the comparison and how you need to target the solution. 

 

Broadly, you could point towards the following basic quick items. Substitute pfSense with any other open-source solution, because they all have the same issue:

  • Turnkey Solution - pfSense needs a whole lot of add-ons and configuration to function anywhere near what PAN has to offer. That increases complexity and time to get everything configured and vetted, and even when that's done the capability of DansGuardian and ClamAV simply don't match what PAN is offering. (Again, know your audience, good enough at the cost of free can have a lot of appeal in SMB).
  • Central Management - pfSense doesn't have central management capabilities like PAN does. You could setup PFMonitor, but that's not a pretty elegant solution and it's going to add a monthly cost to something that is "free".  If you don't care about that or are good at scripting, you can get around some of that limitation. 
  • Culpability - If you deploy pfSense and there's an issue with it or an add-on, that culpability is on you. It's your chicken to catch and return to the pen; you won't really have that "PAN pushed a bad update, I'm waiting on them to fix it". If you don't know how to fix it or where the issue even is, that's a bad day and you don't have that many options to turned towards. "I'm trying to figure out the issue, but I don't know what's wrong and pfSense doesn't think it's an issue with their software" doesn't sound as good as "I've engaged vendor support and we're working through the issue".
  • Add-Ons - I've said it a lot here, but something like pfSense depends on using add-ons to make it an okay security product. That's a double-edged sword when it comes to an administration aspect; you can add more capability to the product, but you also introduce more complexity. What happens when you have an issue with DansGuardian or ClamAV and their add-on, who do you call? What happens if something you've configured in pfBlockerNG causes an issue with pfSense and you can't figure it out? What happens when one of the add-ons that you're using isn't being supported anymore?

 

I'll also say this, there's a lot of SMBs where I've advised a properly managed pfSense installation over a Fortinet or PAN installation.  When you get into that 10-15 people SMB or someone who isn't willing to actually renew subscriptions a properly managed pfSense installation can be a really good way forward. I'd rather someone pay for a managed pfSense installation than pay for a single year of PAN licenses and never renew the subscriptions or have the money for someone to actually manage things. 

  • 3234 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!