Looking to switch to PAN for NGFW, need insight into IPS, reporting and analytics, network visibility, etc

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Looking to switch to PAN for NGFW, need insight into IPS, reporting and analytics, network visibility, etc

L1 Bithead

Hey all,


I work IT security for a SMB in the financial sector and I'm looking into PAN, FortiGate and Check Point for a better NGFW solution than what we currently have, which is Sonicwall. For about 6 years we've been using an NSA 3600 to cover our main company network and then a TZ500 to connect back to the main branch via point to point VPN at a single remote branch. I also have a subscription to their Network Security Manager (NSM) (hosted) mainly for reporting and analytics. The base functionality of our Sonicwalls have been fine, and I like them for the most part. However, things like reporting, analytics, network visibility into traffic and threat events and more, are pretty sub-par. The Security Services technically work, but they work very poorly. Also, NSM doesn't even function properly despite months of working with support to get it working. The end result is that it is not meeting our needs with regards to perimeter network security monitoring and reporting.


A while back, we had an IT vulnerability audit and pen test, which resulted in a finding that basically displayed that our Sonicwall's IDS/IPS/Security Services were not adequately reporting on external port scans and intrusion attempts. The auditor did an aggressive scan with nmap (among other things), and I was simply unable to spot the scan and report it back to them. Best I could do was dig through SIEM firewall logs to find the IP address, but there wasn't even any specific details as far as if the traffic was blocked or not (it showed accepted). This leads into another issue where the Sonicwall's Syslog logging doesn't seem to include all of the Security Services events in a way that our SIEM can adequately parse the log data, even with custom parsing.


The point is, all our Sonicwall's and their various security service components don't work well enough and I am really hoping to strike gold with Palo Alto (or someone else). Can someone speak to the quality of PAN to report on threats in real-time, with regards to things as simple as excessive port-scans and other intrusion attempts. I do understand that nodes on the WAN get scanned 24/7 which can result in endless alerts and things, but I would assume that there'd be some kind of visibility in the form of pop-ups and categorizations that can tell when/where/how frequently certain malicious activity is hitting our firewall.


Additionally, I have been jumping into the PAN products and documentation and I see that the PA-3220 might be a good / similar unit to our current NSA 3600 and the various tools (like deep packet inspection) sound like they probably work a lot better than what I'm used to. The PA-420 or 220 looks like a decent replacement for the TZ500.


Is there integrated Wi-Fi with PAN firewall units? Currently we use SonicPoint APs integrated with the firewalls, I'm hoping PAN has something similar.


And input or insight will be greatly appreciated!


L5 Sessionator

No current integrated wifi in a PAN NGFW, but we do sell our own APs. Say hello to Okyo Garde!


Most of my customers in the critical infrastructure sector utilize HTTP log forwarding. Aka, block all critical / high severity events, but anything medium and below log and pcap. 


The threat log (aka from this source to this place using this app and this AV signature) is importable to any HTTP receiver. Many customers use webhooks to pull that into slack/teams/etc. You are also able to send it to an email address (internal or external SMTP gateway like google) which you could also pull into slack/teams or monitor a triage inbox. 


Full custom reporting, alerting, comes at no cost. If you use Panorama then you get all your network in one spot. However we find the integrated reporting in the ACC typically sufficient, see below:


Screen Shot 2022-04-04 at 6.16.41 PM.png


That's just out of the box. With custom signatures a whole new reporting game occurs because you're able to alert on things that are more operational. Out of date browsers? Deprecated TLS suites? All that. 


Found their datasheet here, they do not make it clear if their antimalware / antivirus numbers are combined (aka do you take a bigger hit the more secure you are). All our competitors are built that way, we are not. So if you have a target in mind (aka 2Gbps throughput with everything including SSL decrypt) a 3220 works. I would recommend a 460 just for the pricepoint, both newer hardware and the subs come bundled so big savings. 


Help the community! Add tags and mark solutions please.
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!