Ours is an enterprise environment and some of the services are hosted in our private data centers and some of the servers are hosted on Azure. We have the IPSec tunnels from the firewalls to our own data centers and from the firewall to the cloud as well. It depends on the type of application being hosted.

We are using Panorama for centralized management of all our firewalls around the world, as well as for centralized management of security policies and network settings. We have not completely migrated to the cloud. We are in transit.

Palo Alto has many features for troubleshooting real-time scenarios. The troubleshooting, compared to other firewalls has been optimized in a way that saves a lot of time.

I like the UI. Most things are accessible from the user interface and it is quite user-friendly. With respect to both VM-based firewalls and physical firewalls, it's easy to create updates.

They have a centralized Palo Alto Customer Support Portal and if we require any licenses, such as a next-generation firewall license, we can easily download and integrate them with this solution. We can also schedule periodic updates. That is quite user-friendly.

In terms of functionality, we are using IPSec tunneling and Palo Alto's WildFire feature. We use the security policies, Panorama, and Prisma Cloud as well.

We use Panorama to manage our security policy model across on-prem and public cloud environments. It plays a key role with respect to centralized management, for physical enterprise firewalls and cloud-based firewalls. It gives you centralized control over all the infrastructure. Unified policies can be pushed from that centralized place with templates.

When you deploy VM-Series Firewalls, they are quite flexible. You just have to select the instances, storage, security policies, and firewall rules. Within minutes, you can deploy the firewalls.

We are also able to adjust firewall sizing on the fly, which is important. Initially, we decided on a firewall based on the throughput assumptions. But in peak hours or during a peak month for traffic, we need to scale the firewalls. That should be automatically done. AWS and Azure provide very good features and, by using them, within a second it automatically scales, based on the incoming traffic.

Palo Alto has launched different products, such as physical firewalls as well as cloud and VM-based firewalls. Recently, they introduced their Prisma Cloud solution. Compared to the previous technologies, like Panorama, which is used for centralized firewall management, or even individual firewalls, it's a bit challenging to integrate the traditional firewall policies into Prisma Cloud. And the Prisma Cloud interface isn't very user-friendly. 

Our organization has been using Palo Alto Networks VM-Series for more than five years, and I have worked on this solution for two years.

The solution is certainly stable. I have worked with many vendors' firewalls and Palo Alto's are definitely stable.

Obviously, it is scalable as long as you have the licenses and support with Palo Alto. You can implement the firewalls in high-availability mode or use the cloud functionality as well. For scalability, Palo Alto is optimized.

We have 30-plus sites around the world with more than 4,000 users.

Palo Alto has very good support. When you have a valid license, they can replace a device with a new one. They have the CSP portal and you can log in and see all the firewalls listed. You can raise TAC cases with a priority of low, medium, or high, and, based on the priority, they will send an email to you. They have live support as well. In case of an issue, you can call them directly and they will provide the required support.

Positive

Earlier, we were using many vendors' firewalls, per their suitability for our clients. Apart from Palo Alto, we were using Cisco ASA, Check Point, and Juniper. The network grew over the years and each site had its own set of firewalls. The issue was that we had to standardize things across the network. There was also a gradual change in the technology and features available. Our security team thought we needed a better implementation, for optimization and troubleshooting, and something that was friendly for daily operations.

We have both private cloud and hybrid. Some of the services are on the cloud and some are on-prem in our data center. Setting up Palo Alto firewalls is quite easy compared to other vendors.

Migrating our old infrastructure to Palo Alto took four to six months. 

We did some pilot project testing with Palo Alto. If, for example, we want to migrate from XYZ vendor to Palo Alto, the very first thing we had to do was capture all the existing security and NAC policies and all the NGFW functionality. Palo Alto has specific features. For example, you can capture the logs in an inline environment, such as what traffic is going to the network, what security policies are there, et cetera. We deployed the Palo Alto firewalls in that way to only capture the traffic. We then analyzed the traffic, and we worked with Palo Alto TAC to understand the security policies and the exact throughput to determine the hardware we were going to use. We monitored all of that for a few months and then we started the migration from other vendors to Palo Alto.

We had 10 engineers involved in the deployment, but each on-site location had its own team as well. Three were senior network architects and the other seven were staff network engineers.

If you want to keep up to date in the network, it requires quite a bit of patching. It has many features, like Unified Threat Management and antivirus that can be auto-updated by scheduling an update for them. But the major patching has to be done manually. In our organization, we do it quarterly.

It is worth the cost.

Palo Alto Networks VM-Series is notably cheaper than other firewall vendors, except Fortigate. Fortigate is number one in terms of pricing.

Our security team tested various firewalls and it came down to FortiGate and Palo Alto and they found Palo Alto was quite suitable for the network.

Everything is moving to the cloud and we need a solution that can support all the multi-vendor platforms and the new technologies as well. That is quite important for any enterprise organization or service provider nowadays. If we talk about moving existing loads from our own data centers or enterprise sites to the cloud, we need a solution that can take care of everything, such as security compliance, and that is easy to use. Palo Alto is good in those terms.

With the introduction of Prisma Cloud, Palo Alto is encouraging clients to migrate their infrastructure, such as VPN and security solutions to Prisma Cloud. It has been highly optimized compared to Panorama. Palo Alto is promoting it and asking their clients to use Prisma Cloud to improve their security infrastructure.

I would advise, when you deploy a new site, to manage it from the centralized Panorama solution. With Panorama, you have a local login, so even if the internet is down you have access to the firewall management.

We had a situation, when performing patching, where the firewall lost the remote connection via the internet and it had not been onboarded to Panorama. That mean we lost connectivity and we had to involve the onsite technicians. To avoid that scenario, all firewalls should be centrally managed by Panorama.

And for troubleshooting, each firewall should have syslog profiles activated.