>What has been your experience with the real world throughput of the Palo Alto firewalls you manage?

I wish I had a scientific answer for this, but I don't. What I can tell you about what you've been told (and I'm probably just regurgitating information) is this. First, AppID is always active. This is the core concept behind the Palo Alto NextGen firewall. The rule of thumb is that when Threat Prevention is enabled (in any capacity), the total theoretical maximum bandwidth is halved, give or take. The argument about the HTTP testing is because Palo Alto wants you to know that their measurements come from tests that simulate real world traffic; it's not pure bytes, as there is tremendous overhead in typical TCP traffic, so PAN's philosophy is to base tests on the worst possible conditions in an effort to produce a number they feel comfortable with as a result. In reality, the boxes should be able to handle more than promised, as they'd rather undersell the product and leave customers happy rather than oversell and make customers upset.

>What did you use to judge the performance of the devices when the numbers given during sales pitches are coming from ideal conditions using small transactions?

The only real world information I can share is I have a 220 at home and the promised throughput with Threat Prevention is 150Mbps and it hasn't affected my 100Mb connection at all (I just ran speedtest.net and it peaked at 111Mb for me).

>What has been your Palo Alto tech support experience? Are they so big that wait times to get the right engineer are in the hours even before a call back (think Cisco) or do you get an engineer right away?

I can directly compare Cisco ASA support to Palo Alto support and I know exactly what you mean. With Cisco, you can get someone on the line by calling them and making it a level 1 or 2 call and waiting on hold for 10-15 minutes after going through the negotiation process with the non-support agent that answers the call. With Palo Alto, you call and the person that answers the phone is the one who will help you, and they aren't a level 1 type person either; they generally know their stuff. It hasn't necessarily been 100% with me, but I wouldn't hesitate to say I have at least a 90%-95% satisfaction rate with them. I've never had to wait for more than 5 minutes to get someone from PA on the line. For lesser, maybe less technical issues, my SE has been tremendously responsive as well.

>Comparing support costs to other vendors such as Fortinet, Palo Alto firewalls are 3 to 4 times more expensive, but do you think it's been worthwhile for your business to stay with Palo Alto over any other vendor?

Even though in my environment, we have Checkpoint, Juniper and ASA (in the process of migrating completely to Palo Alto), my only real experience has been with ASA when it comes to firewalls and it really is night and day. Based on my admittedly limited experiences, conceptually, I think PAN is second to none on just about every level (probably including the high cost). Whether or not the investment is worth it is completely for you to decide, but you can buy into the 220 lab version for a very modest investment and see for yourself.

And just to add, another massive strength for PA is WildFire (cloud version, not on-prem). I've heard SEs and reps from other vendors (including those from competitors) commend WildFire as a viable sandboxing technology.