We just raised a $30M Series A: Read our story

Cisco ASA Firewall Competitors and Alternatives

Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: November 2021.
552,695 professionals have used our research since 2012.

Read reviews of Cisco ASA Firewall competitors and alternatives

Andy Dibble
IT Manager at Flare Technologies
Real User
Top 5
With VPN, any of our guys can log in to the system and effectively be on board; helps with our customers all over the world

Pros and Cons

  • "One thing we use quite a lot, as well, is the DHCP Server, because we do a lot of work where all our devices need to have static IP addresses. Rather than going around and configuring every box, we do it all through DHCP reservations. It's easier. We've got a record of it. We can manipulate it if we need to change something or change some hardware. It's all easy. Even guys who are not used to using it can pick it up quite quickly."
  • "There's also room for improvement in the Traffic Rules. We define networks to use a specific outgoing interface, say VSAT, shore, or marine WiFi, which is okay. But then all we have is a checkbox that says "Use other internet interfaces if this one is unavailable." What we would prefer would be to have a priority list. So if VSAT is unavailable, try to use 4G, etc. We haven't really found a reliable way of doing that in the current release."

What is our primary use case?

Our main customer base is superyachts, and they have the Kerio for traffic rules and bandwidth management of the various networks on board. They can optimize traffic for crew versus owners and guests, the VIPs that might be on board. They also use it for bandwidth sharing. They usually have a mixture of the VSAT satellite internet and 4G internet access. Sometimes they have WiFi, for example if they connect to a WiFi hotspot in a marina, as well as shoreline or fixed DSL. They use it to manipulate the internet traffic, so they can say the crew uses the slower VSAT and the guest gets the fast 4G or shoreline.

They also use it to see what's going on. If the boss complains that the internet's slow, they can quickly see if someone is downloading a load of updates or streaming Netflix and they can block them. They just want to have control, as the product name suggests, over the internet traffic.

In-house, we use the NG300, but because we are a partner, we use various hardware platforms. At the moment it's nearly all the NG series, the 100, 200, and 500. The most common that we use is the NG500. I'm interested in using the next-generation, which is due out in the next couple of months, but I've also used the virtual Kerio platform on a VMware hypervisor.

There's a virtual appliance, but also software installed on a Windows PC. We build our own virtual "guest" on a host, we've done a couple of those, and then attached it to a switch with VLANs, so we've covered all platforms.

We have these Kerios on anything from a 30-meter Sunseeker, with five or six crew members, four guest cabins, and a couple of master cabins, or a master and a VIP. They might have 20 guests so there would be a total of about 30 users and some 50 devices for those users. There is also all the AV equipment. And we've gone right up to a 120-meter superyacht, with 50 to 100 crew and space for about 200 guests. We've also got a couple of ski chalets, and a private island in Ibiza. A few hundred users is its top end, but as far as network-connected endpoints go, it could be in the few thousands of devices.

How has it helped my organization?

The way it improves the way our company functions is through the VPN, because we offer support services. Normally, we would have to rely on TeamViewer to a computer on board, or to get on the phone and tell somebody to take pictures or press buttons, where we can't see what's going on. 

In the last year or two, after setting up the VPN, any of our guys can log straight in to the system and they are effectively on board. That is a big help because our customers are all over the world. They could be in Ibiza one day, but then they're heading to the South of France and then they're going off to Greece or crossing the Atlantic. Sometimes it's difficult to send somebody out to them quickly. They might not want to pay for somebody to come out. It could be two or three days of round-trip travel for a half-hour job. The VPN makes it more efficient. We can jump in and see what's going on. We can mimic our engineer's being on board the vessel via the VPN. That's the biggest benefit. And it's instant. Someone rings me up and I've got a single VPN connection and I can get to their networks.

What is most valuable?

The most common feature is the Traffic Rules, so the users can define which network or which users access which internet interface. But bandwidth management and content filtering are also commonly used.

With the Traffic Rules we define all the different sources, such as various user groups or network interfaces for the crew. And we show them that if they want the guests to access 4G internet, this is how they do it. They're defining who gets what, in the Traffic Rules. 

If they've only got a single connection, and everyone's sharing it, then they would jump into bandwidth management and prioritize the boss, but also allow the crew a little bit of internet, just to get by, for WhatsApp messages and emails. 

Content filtering is to stop malicious content. They don't want people accessing the various categories in the filter. The default is usually pretty good for them, things like BitTorrent, downloads, and sharing, but also the more "adult" parts of the internet.

It gives our customers pretty much everything they need in one product, in terms of security features. It's a firewall, but generally for what they want, it works.

What our customers like about it is that it has a nice interface. It's been around in the yacht sector for a long time. I was introduced to Kerio by the yacht customers. They were saying they want this firewall and I hadn't really heard of it. They're usually comfortable with it because it's a familiar interface.

By default, the firewall stops everything coming in but allows everything going out. For everything we've needed, it's done the job. If we've needed to open something up or block something we've managed to do it.

We also use the VPN quite a lot. We have an NG500 in our data center and we actually create a VPN tunnel between and our data center and each of our current customers who have a Kerio. Technically, it's one-way because they don't talk to each other via VPN. All the customers are separate, but as a support company, we can VPN from our laptops to our data center and from there we can access all our customers' networks. That is handy for us because we can log on to their IT switches or their AV equipment to offer support. We also use it for delivering email for some customers, whereby because they don't always have a guaranteed fixed IP address, we give them one, in a sense. We have a pool of IPs in our data center. All the mail hits their assigned IP address and is sent over the VPN to their email servers on board.

We also have some third-party subcontractors and we can give them access to specific customers. We can give them an account on our firewall and through our own traffic rules we can allow them or deny them access to specific customers and specific parts of that customer's network. Because they're hitting the central point, we don't necessarily want them to access all our customers. The customers themselves don't often have a big, remote-work environment because the crew is either on board or off. But we have seen a small increase in customers wanting to use VPN to access files on board, and during the COVID outbreak some of the ETOs (electronic technical officers) and the technical guys have not actually been able to get to the yacht, physically. So we've set them up with VPN so they can actually continue to do certain work. When we first started using Kerio we never really used VPN. Now, pretty much every Kerio we supply gets on the VPN.

The ease of use of Kerio is very good. Everything's there, once you know where to go or how to find things. One thing we use quite a lot, as well, is the DHCP Server, because we do a lot of work where all our devices need to have static IP addresses. Rather than going around and configuring every box, we do it all through DHCP reservations. It's easier. We've got a record of it. We can manipulate it if we need to change something or change some hardware. It's all easy. Even guys who are not used to using it can pick it up quite quickly.

The learning curve is pretty quick. It helps if someone has a general IT understanding of networking, for certain aspects. What we don't always have on a customer's site is somebody who is familiar with all aspects of the Kerio, such as interfaces, VLANs, and IP subnetting. They don't always understand DHCP, what it is and how it works. They pick it up pretty quickly, but it usually helps if someone has at least some knowledge of IT and networking. Normally, though, we find it's quite a decent balance because they will do what they want to do after a little bit of training. Anything else they'll leave to us or they'll ask us the question, and then we can either do it or go and figure it out and then come back and do it.

What needs improvement?

Sometimes it might not be detailed enough, or it might have more details but the customers just don't know where to look. The issue is usually when it comes to specific packets. Sometimes they find it slightly difficult to see exactly what's going on.

For example, we had a customer who was using the content filter. They tried to block Facebook using the web filter categories, and in combination with that they wanted to always require that a user was authenticated before accessing web pages. What would happen was that even though they had the content filter enabled to block social networking — Facebook may even be a category — it still allowed them to get in through mobile apps. If they went to the website, it would prompt them for login and then it would deny it, but they would get into the app and they weren't even logged in. That might have been an HTTPS issue and the way that the app was talking, rather than an actual website or what page. We always managed to find a way around. They'll come to us with a question and then we'll figure it out and usually they're happy enough with that.

There's also room for improvement in the Traffic Rules. We define networks to use a specific outgoing interface, say VSAT, shore, or marine WiFi, which is okay. But then all we have is a checkbox that says "Use other internet interfaces if this one is unavailable." What we would prefer would be to have a priority list. So if VSAT is unavailable, try to use 4G, etc. We haven't really found a reliable way of doing that in the current release.

Finally, the customers sometimes want to use the VPN link for outbound traffic. But at the moment, it appears that there is an all-or-nothing solution, so either everything uses the VPN and breaks out at the remote site or nothing does. The simple example is for the email system we've put in. We can direct traffic in over the VPN, but we'd also like to send that same email traffic out of their server over the VPN to break out on a specific IP address in our data center. We would like to see a little bit of functionality in prioritizing of internet interfaces.

For how long have I used the solution?

I have been using Kerio Control for about 10 years. 

What do I think about the stability of the solution?

The stability is good. 

There have only been a couple of occasions where we've had high RAM usage of the Kerio, where it may be a more complex network. What we found is that over the course of a week or 10 days, the RAM utilization would slowly increase to a point where it would be 100 percent usage and then you couldn't do anything with the box. You would have to physically power it off. 

We do have cases open for Kerio with GFI and they're looking into it. Apparently there is going to be quite a big software update coming soon, which will change the backend workings. That's hopefully going to make a big difference, but the problem has only happened in one or two cases. Other than that, it's generally pretty solid.

What do I think about the scalability of the solution?

If you've got a hardware appliance, then you are generally limited to its own specifications, in terms of throughput and power. That's what you've got. If you start hitting that, then it's time for a new box, or you need to look for something else.

On the NG500 you can increase the RAM slightly and you can also increase the storage space.

But there is no way of changing processing power. So you have to specify the right box. You can increase physical network interfaces if you want to. You attach a switch to it and scale it that way if you need more physical interfaces. We haven't needed to do that. Or if you wanted to have fibre connections; you would have to attach it to something else. 

It would be nice to see SFP slots in new hardware, which I think is coming in one of the models. 

Overall, you'll hit a point with the box where you can't really scale any higher. But if you've got a virtual appliance, if you want to give it more processing power you can. If you want to give it loads of memory or storage, I would find it quite easy to really scale it up in terms of hardware resources.

How are customer service and technical support?

Technical support is pretty good. They're quick to respond. You get an answer straight away, although it might not be the final answer. 

I have learned a few things from contacting support, things that I probably wouldn't have ever found out just researching online or playing with it myself. 

At the moment, the particular questions we have are a bit more complicated than just, "How do I configure this traffic rule to do this job?" We've got a problem with RAM being utilized and we don't know why, and I had to send them system logs. I've had to do full system resets, complete erase and recovery. It's a bit tricky. It's more development-type work rather than user support. I think they're holding back from really getting involved with that because they are developing the new system. At the moment, our workaround is just to reboot the box every two weeks, which is inconvenient, but if they're going to solve this, then we just have to wait.

How was the initial setup?

The setup is straight out-of-the-box. Take it out of the box, run through the wizard, configure it with the settings that you should already know, and then it works and you get in online. That's the basic setup, because the Traffic Rules, by default, allow everything out and stop everything coming in. That's enough to just get online.

You then go to start defining your networks and your traffic rules. Putting multiple VLANs in there is easy. Even as it gets to be a more complex configuration, it's easy to do.

Sometimes it's time-consuming if it's a large configuration, but that's just what it is. It takes time to click boxes if it's a large network with lots of different scenarios, and to type in all the IP addresses.

But it's easy out-of-the-box for a basic configuration and still fairly easy if you've got that knowledge of the Kerio and networking. Just a little time-consuming. If there were some kind of import or bulk add, that would be nice, but that's on a wish list. It's really not that necessary.

If a customer just wants something out-of-the-box, we plug it in, make it work, and it probably takes a couple of hours, at the most. If it's a bit more complex, it might take a day. It might take longer if you don't know what you're doing.

I've always told customers that there is no fixed configuration. This thing will work and do what you want it to do. As time progresses, it evolves with the changing requirements. So we can give them a solution. They can give us some key config points telling us "Okay, we want this many networks and we want these users, and these particular rules," etc. We configure all that  in a day and test it the next day. After that, it's ongoing. They might decide, "Oh, we actually want to change the bandwidth allocation," or "We've got a new internet interface," or we want to block Facebook at a specific time. It's ongoing.

What was our ROI?

We have definitely seen return on investment with Kerio Control because it would take us a lot longer to fix something in a lot of support calls we get. We might be stuck on the phone for four hours just to try and talk someone through something that we could fix in 20 minutes, because they're not looking in the right place or they don't see something that is relevant. Whereas, we've been able to use the VPN through Kerio, so we can sometimes fix a problem before they've even finished describing it. It has definitely helped us a lot.

Kerio's VPN has easily saved us 50 percent, maybe more, in terms of time spent on support. We're connected in seconds. We can see things quickly. We can be connected to five different customers at once through a single connection.

What's my experience with pricing, setup cost, and licensing?

Pricing depends on the requirements. The more powerful boxes, like the NG500, are more expensive on licensing terms, depending on how you license them. At the moment, the NG500 doesn't have an unlimited user option. I believe they took it away, although I might be wrong. 

Figure out how many users you're going to need because there's no point in configuring or licensing it for 200 users "just in case," when you might only need 50. It's obviously going to cost you four times as much. 

There is an option to have GFI Unlimited, which is their all-in-one licensing model, which includes Kerio Control. It works for hardware boxes as well the software virtual appliances. Depending on the number of users, it might be more beneficial to go for GFI Unlimited. It can work out cheaper.

Which other solutions did I evaluate?

The other real experience I've had is with Cisco ASA, Palo Alto, and WatchGuard. 

The Cisco was more complicated and people didn't really like it because it was a more complicated interface or it seemed more complicated for them.

The WatchGuard and, from what I saw, the Palo Alto are good firewalls; some would say better as firewalls than Kerio. But they don't have all the other features and they didn't seem as easy. They may have more specific options you could set in the actual firewall rules; you could drill it down a bit further. But my experience has been pretty limited, so it might have just been that they looked like they did more, but in fact they just looked more complicated and only gave the impression they would do more. But these devices didn't have all the features of Kerio like the users, the groups, domain logins, bandwidth management, and content filters. They were just firewalls.

Generally, our customers are all small to medium, if you were to compare them with a typical business. They're not "enterprise" technically, even though they do run a lot of enterprise hardware, like full Cisco networks, etc. They just don't really have the same configuration. They've got the budget, but they just don't always want to spend it. I think Kerio could work in an enterprise. A lot of the time, it depends on who is running the security and what they prefer and what is approved by any governing bodies.

Kerio seems to have a reputation, for some people, not to be a true firewall. It's just a feeling that people get, but that's biased towards what they prefer to work with.

On the same price point, you can't compare them. If you're looking at a Kerio box that might be £3,000 a box plus a year's license every year, versus our £100,000 security system, you can't really compare them. But for devices and hardware/software in the same price range, I wouldn't knock it back for something else.

What other advice do I have?

Regardless of whether you get a box or virtual, the interface is nearly always the same. There are very few changes between versions. Research what you think you're going to need. Don't just buy the biggest box or the most expensive box because you think it's going to be better.

The biggest lesson I have learned from using this solution is that you don't always have to be onsite to fix something.

The malware and antivirus features are pretty good. We generally have other malware and antivirus protection as well. A lot of the time, things come in via email so we do have services from Symantec, which filters that out beforehand. Very occasionally I have seen a false positive, where it's blocking something that's actually allowed, but then I can usually figure it out and just allow it. When I've seen something has been blocked or someone has reported they're trying to do something and they can't access or download a file, I can quickly see in the logs that something has been blocked because of the antivirus detection. And I've managed to go from there, allow the file.

One feature we haven't used yet is the solution's high availability failover protection. It's something that I've not even tested myself. I was interested in it when it was first announced, but I was reading about it and a few people said that some of the early implementations were a little bit buggy. I have a feeling it's gotten better now. But I've not used it and no one has asked for it either.

Disclosure: My company has a business relationship with this vendor other than being a customer: Silver Partner with GFI
JL
Executive Cyber Security Consultant at a tech services company with 11-50 employees
Consultant
Top 20
An excellent solution for the right situations and businesses

Pros and Cons

  • "The Palo Alto VM-Series is nice because I can move the firewalls easily."
  • "It has excellent scalability."
  • "The product needs improvement in their Secure Access Service Edge."
  • "They made only a halfhearted attempt to put in DLP (Data Loss Prevention)."
  • "Palo Alto is that it is really bad when it comes to technical support."

What is our primary use case?

Palo Alto VM-Series is something we recommend as a firewall solution in certain situations for clients with particular requirements who have the budget leeway.  

What is most valuable?

The Palo Alto VM-Series is nice because I can move the firewalls easily. For instance, we once went from one cloud provider to another. The nice thing about that situation was that I could just move the VMs almost with a click of a button. It was really convenient and easy and an option that every firewall will not give you.  

What needs improvement?

We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID, employees were all sitting in the office at the location and the requirements for firewalls were a different thing.  

$180 billion a year is made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems that no one cared that there was COVID they just had to fulfill the contracts. When people claimed they had to work from home because it was safer for them, they ended up having to prove that they could work from home safely. That became a very interesting situation. Especially when you lack a key element, like the Secure Access Services.  

Palo Alto implemented SASE with Prisma. In my opinion, they made a halfhearted attempt to put in DLP (Data Loss Prevention), those things need to be fixed.  

For how long have I used the solution?

I have been using Palo Alto VM-Series for probably around two to three years.  

What do I think about the stability of the solution?

I think the stability of Palo Alto is good — leaning towards very good.  

What do I think about the scalability of the solution?

Palo Alto does a good job on the scalability. In my opinion, it has excellent scalability.  

How are customer service and technical support?

My experience with Palo Alto is that it is really bad when it comes to technical support. When we have a situation where we have to call them, we should be able to call them up, say, "I have a problem," and they should ask a series of questions to determine the severity and the nature of the problem. If you start with the question "Is the network down?" you are at least approaching prioritizing the call. If it is not down, they should be asking questions to determine how important the issue is. They need to know if it is high, medium, or low priority. Then we can get a callback from the appropriate technician.  

Do you want to know who does the vetting of priority really, well? Cisco. Cisco wins hands down when it comes to support. I do not understand that, for whatever reason, Palo Alto feels that they do not have a need to answer questions, or they just do not want to.  

It is not only that the support does not seem dedicated to resolving issues efficiently. I am a consultant, so I have a lot of clients. When I call up and talk to Palo Alto and ask something  like, "What is the client's password?" That is a general question. Or it might be something even less sensitive like "Can you send me instructions on how to configure [XYZ — whatever that XYZ is]?"  Their response will be something like, "Well, we need your customer number." They could just look it up because they know who I am. Then if I do not know my client's number, I have got to go back to the client and ask them. It is just terribly inefficient. Then depending on the customer number, I might get redirected to talk to Danny over there because I can not talk to Lisa or Ed over here.  

The tedium in the steps to get a simple answer just make it too complicated. When the question is as easy as: "Is the sky sunny in San Diego today?" they should not be worried about your customer representative, your customer number, or a whole bunch of information that they really do not use anyway. They know me, who I am, and the companies I deal with. I have been representing them for seven or eight years. I have a firewall right here, a PA-500. I got it about 11 years ago. They could easily be a lot more efficient.  

Which solution did I use previously and why did I switch?

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

  • I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
  • I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
  • I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
  • I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
  • I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

How was the initial setup?

Setting up Palo Alto is relatively quick. But I also have an absolute rockstar on our team for when it comes to Palo Alto installations. When he is setting it up, he knows what he is doing. The only thing he had to really learn was the difference between the VM-Series and the PA-Series.  

I lay out the architecture and I tell people doing the installations exactly what has to be there. I sit down and create the rule sets. Early on, the person actually doing the fingers-on-the-keyboard complained a little saying that the setup was a little bit more complicated than it should have been. I agree, generally speaking. I generally feel that Palo Alto is more complicated than it needs to be and they could make an effort to make the installations easier.  

But, installing Palo Alto is not as bad as installing Cisco. Cisco is either a language that you speak or a language that you do not. I mean, I can sit down and plot the firewall and get the firewall together about 45 minutes with a good set of rules and everything. But that is me and it is because I have experience doing it. Somebody who is not very well-versed in Cisco will take two or three days to do the same thing. It is just absolutely horrid. It is like speaking English. It is a horrid language.  

What's my experience with pricing, setup cost, and licensing?

I do not have to do budgets and I am thankful for that. I am just the guy in the chain who tells you what license you are going to need if you choose to go with Palo Alto VM-Series. How they negotiate the license and such is not my department. That is because I do not resell.  

I know what the costs might be and I know it is expensive in comparison to other solutions. I get my licenses from Palo Alto for free because they like me. I have proven to be good to them and good for them. When they have customers that are going to kick them out, I can go in and save the account.  

I will tell you, they do practice something close to price gouging with their pricing model, just like Cisco does. When I can go out and I can get an F5 for less than half of what I pay for Palo Alto, that is a pretty big price jump. An F5 is really a well-regarded firewall. When I can get a firewall that does twice what a Palo Alto does for less than half, that tells me something.  

Sophos decided that they were going to play with the big boys. So what they did is they went in and jacked up all their prices and all their customers are going to start running away now. The model is such that it is actually cheaper to buy a new firewall with a three-year license than it is to renew the Sophos license of the same size firewall for an older product. It sorta does not make sense.  

Which other solutions did I evaluate?

I make recommendations for clients so I have to be familiar with the firewalls that I work with. In essence, I evaluate them all the time.  

I work from home and I have two Cisco firewalls. I have a Fortinet. I have the Palo Alto 500 and I have a Palo Alto 5201. I have a Sophos. My F5 is out on loan. I usually have about eight or nine firewalls on hand. I never go to a client without firing up a firewall that I am going to recommend, testing it, and getting my fingers dirty again to make sure I have it fresh in my mind. I know my firewalls.  

The VM-Series are nice because you can push them into the cloud. The other nice thing is whether you are running a VM-Series or the PA-Series, we can manage it with one console. Not without hiccups, but it works really well. Not only that, we can push other systems out there. For instance, for VMware, we are pushing Prisma out to them. VMware and the Palo Alto VM-Series do really well with Prisma. The issue I have with it is — and this is where Palo Alto and I are going to disagree — they are not as good at SASE (Secure Access Service Edge). I do not care what Palo Alto says. They do a poor job of it and other products do it better.  

Palo Alto claims it is SASE capable, but even Gartner says that it is not. Gartner usually has the opinion that favors those who pay the most, and Palo Alto pays them well. So when Gartner even questions their Secure Access Service Edge, it is an issue. That is one of those places where you want the leader in the field.  

From my hands-on experience, Fortinet's secure access service edge just takes SASE hands down.  

What other advice do I have?

My first lesson when it comes to advice is a rule that I follow. When a new version comes out, we wait a month. If in that month we are not seeing any major complaints or issues with the Palo Alto firewall customer base, then we consider it safe. The client base is usually a pretty good barometer for announcing to the world that Palo Alto upgrades are not ready. When that happens, making the upgrade goes off our list until we hear better news. If we do not see any of those bad experiences, then we do the upgrade. That is the way we treat major revisions. It usually takes about a month, or a month-and-a-half before we commit. Minor revisions, we apply within two weeks.  

I am of the opinion right now that there are some features missing on Palo Alto that may or may not be important to particular organizations. What they have is what you have to look at. Sit down and be sure it is the right solution for what you need to do. I mean, if the organization is a PCI (Payment Card Industry) type service — in other words, they need to follow PCI regulations — Palo Alto works great. It is solid, and you do not have remote users. If you are a Department of Defense type organization, then there are some really strong arguments to look elsewhere. That is one of the few times where Cisco is kind of strong choice and I could make an argument for using them as a solution. That is really bad for me to say because I do not like Cisco firewalls.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the Palo Alto Networks VM-series as an eight-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GH
CyberSecurity Network Engineer at a university with 5,001-10,000 employees
Real User
Top 20
Nice user interface, good support, stable, and has extensive logging capabilities

Pros and Cons

  • "When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus."
  • "From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible."

What is our primary use case?

We're slowly migrating our on-premises solutions to the cloud. We implemented the next largest size VM for the PA-7050s because we're using 7050s on-premises, due to the bandwidth requirement of 100 GBS.

After changing our firewalls to 7050s last year and this year, both our internal firewalls and our border firewalls are 7050s.

How has it helped my organization?

Having embedded machine learning in the core of the firewall to provide inline real-time attack prevention is something that will greatly enhance our abilities and some of the things that we're doing. We deal with it daily now, versus a time when an incident only occurred every so often. In fact, we see incidents all the time, which include things like phishing attacks. Having some of the functionality inside the firewall  

I would rate Palo Alto's machine learning capability, which secures our network against rapidly evolving threats, pretty high. We own a product that I want to get rid of by Cisco, called Stealthwatch. It generates alerts and it's really built for East-West traffic. Of the alerts that we get, 99.9% of them are already blocked by the firewall. I'm not really worried about my North-South traffic because Palo Alto is there. For what they have in the box and the different subscription models, I'm not worried because Palo Alto does such an excellent job of catching stuff.

The biggest improvement to our organization since implementing Palo Alto is that there are a lot of things I no longer have to worry about. There are a lot of things that I used to do, that I don't have to do anymore. For example, I don't have to worry about putting up a honeypot. It's superfluous now because I've got default deny and there is no sense in opening up the border to allow people to come onto my network just to go to the honeypot.

The basic IDS/IPS is taken care of, so I don't need to purchase a product like FireEye. I'm not worried about my core, critical systems.

This next-gen firewall platform has definitely helped us to eliminate security holes. Comparing it to Cisco, which is port-based, a port can be spoofed. This is something that we see every day. When going from a port-based paradigm to an application-based paradigm, there is no comparison. It is more granular, which allows me to be more specific about, for example, port 80 traffic. Port 80 has any number of applications that it can be but if I specify applications, I can pick up all of the port 80 traffic. This means that I can make sure that they cannot spoof an SSH connection as a port 80 connection.

As a growing shop, we have been trying to integrate and get something that we can use as a single pane of glass, and we're getting there. Palo Alto has helped a lot. For example, the new feature for us is the data lake, which allows us to send logs anywhere. This is something that we couldn't do before, so this solution has enabled us to do a little bit more and get rid of some tools.

I don't feel that there is much of a trade-off between security and network performance. Our layer-two network is very robust and I build around them. The architecture is based on what our networking can do, capacity-wise. We haven't had to adjust anything, even when we were running the smaller Palo Alto units, to make things function.

What is most valuable?

Wildfire has been a very good feature. It allowed us to get rid of our honeypot machines, as well as our IDS/IPS solution. When we put it on the border, it was blocking everything that we were getting ahead of time, and we weren't getting any hits. This includes URL filtering, spam prevention, and anti-virus.

We are using a data lake for our log storage. Because our Splunk license is only so large, we couldn't do a lot of logging. Palo Alto does not create small logs, like a Cisco box. In fact, with Palo Alto, you can't capture all of your logs.

From a layer three network perspective, Palo Alto is a workhorse that gives us the best value.

This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.

The user interface is beautiful. They've done their homework on UI design. There are small little tweaks but that's really a preference more than functionality.

What needs improvement?

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day.

Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck.

From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

For how long have I used the solution?

I have been using Palo Alto Networks NG Firewalls for between 10 and 15 years.

What do I think about the stability of the solution?

The stability is fire and forget. You don't have to worry about it. I've had to babysit Cisco devices in the past but I've never had to do the same with Palo Alto.

I've always had really good assets over the years and in all, they have changed perhaps two or three of them. Overall, they've been wonderful.

What do I think about the scalability of the solution?

The scalability is wonderful. In the last iteration that I did, I folded 12 different firewalls into one box, across campus, without any problems with network degradation.

Without our two boxes, we have 16 firewalls set up. There are two of us responsible for maintaining the system, and our job titles are cybersecurity network engineers. 

The way the interfaces are set up makes it really easy to use. Also, the different routing protocols that you can use within the box make life easy when it comes to setting them up. 

The product covers the entire university. We use it at the edge for one of the departments, and it acts as their edge firewall. They pay for their solution and we maintain it for them.

We have deployments in other campuses, as well.

As we segment the network, depending on the zoning, we will be adding new interfaces to do certain things, such as setting up DMZs.

How are customer service and support?

The support has been wonderful. I have not had any bad support that I can think of over the years. They've always been there.

Which solution did I use previously and why did I switch?

Prior to Palo Alto, we used a combination of solutions. This included honeypot machines, and products for IPS/IDS.

We used to be a Cisco shop and I'm glad that we are no longer one. I've been trying to get rid of Cisco for years. The problem with them is that it's unwieldy. It's an old-school way of doing things. For example, everything is port-based. They tried to get into the next-gen firewall space, but the way they grow is that they buy other companies and try to combine technologies to make them work. That doesn't work.

One thing that I've never liked about Cisco, and still don't like, is that if I did an OS upgrade, I was guaranteed that I would be there for at least three to five hours. This was for a simple OS upgrade. Palo Alto has made my life a lot easier from that perspective, which is something that I really appreciate.

Outside of the problem with the OS upgrade, security was becoming more prevalent at the time because of hackers. Cisco was just port-based, and we wanted to move to something that was mobile and more granular. We wanted something that would give us better security and Cisco just didn't have it. 

We don't use the DNS security capability with Palo Alto because we use Cisco Umbrella for that, and it works great.

How was the initial setup?

The initial setup is very easy. I can do it in my sleep. The process will take between 15 and 20 minutes for a new deployment. If it's an existing system that you're moving stuff over from, it depends on whether it's Palo to Palo or from something else to Palo. It can take between two and three hours, depending on how many rules there are, and the other things that you have to set up. Once you're up and running, it takes no time to debug it.

Comparing the initial setup to a Cisco device, Palo Alto is much easier. With Cisco, you can't do a simple reset to factory default settings without breaking it. The time I did this, it took me two weeks to finally get it up and running, and I had to call the Cisco SEs to come in and fix it. That's how bad it was. Setting up Cisco is a nightmare.

In comparison, setting up a Palo Alto is child's play. It's like ABCs versus a university course when it comes to getting something set up in Cisco. We have run into problems with Palo Alto in the past but for the most part, it's an easy process.

What about the implementation team?

When we first implemented Palo Alto, we hired a consultant, ProSys, to assist us. They know our network. They've been with us for years and they've got some Palo Alto experts. The reason we asked for their help is that we didn't know anything about Palo Alto until after we took the courses.

One of the problems at the university, in general, is that we don't do a lot of these processes every day. This makes it hard for most universities to be able to do a lot of these more complex setups on their own without getting outside help. The people who are in big businesses that deploy these things on a daily basis get to see this stuff all the time. Universities don't, so we normally have to rely on outside help.

Overall, our experience with ProSys was good. We like working with them.

What's my experience with pricing, setup cost, and licensing?

Palo Alto is not a cheap solution but it is competitive when it comes to subscriptions.

The hardware is something that you can buy all day long, regardless of the vendor. It's when you start adding in all of the subscriptions that it is either going to make or break the budget. All things considered, Palo Alto is comparable.

There are several extra features available and what you use depends on what you want to do with the firewall, and how it's going to be deployed. AV is an option, the Threat Prevention app is extra, along with URL filtering, and WildFire. You won't have all of the options on all of the servers. For example, the internal servers won't be doing any web surfing, so the requirements are a little bit different.

I'm more worried about my building to building, East-West traffic because I can't afford to put a Palo Alto in every building. Instead, I put a Palo Alto in front of me to deal with the North-South traffic.

Which other solutions did I evaluate?

We knew about Palo Alto and that's what we wanted, so we did not evaluate other vendors or products.

I've worked with my SE on this with at least four or five other schools that did not use Palo's, but since turned to use them. I speak with my SE often, and I also speak with my colleagues at other schools about my experiences. I generally explain what my experience with Palo Alto is compared to what I've had with other firewalls.

What other advice do I have?

I don't want to become a Palo Alto-centric shop. We can use certain cloud features that they have, such as SaaS products. However, I choose not to, so that we can have a little bit more flexibility in what we do.

When we were a pure Cisco shop, we saw the problems with doing that. Palo Alto does a really good job at everything they do but, I just want to make sure that from my university's perspective, we don't get stuck. If all of a sudden, somebody else comes out with another product, we don't want to be stuck with a specific vendor, unless they are definitely the best solution.

We use other products in addition to Palo Alto to help along the way. For example, we use Corelight from Bro Zeek, Terracotta, and other things that I can stream together and send to our SOC to look at. We also have XDR, although it's not a fully functional one because we don't have the endpoint component. That is what is killing a lot of EDUs because we just don't have the budget or the money to be able to go out and buy all of the products that help us to function the way we need to.

In the NSS Labs Test Report from July 2019 about Palo Alto NGFW, 100% of the evasions were blocked. For a C-level person, that's great news. They read those types of things. As a technical person, it's important to me because it makes my life easy.

Palo Alto sells a next-generation firewall called the PA-400 series, and depending on what a company's bandwidth needs are, it would be a good choice. For example, if they're not doing anywhere close to a gig worth of traffic, such as in a small office, home office, or small business, then it would be a good solution. It also depends on what the business does. If there isn't much traffic then a PA-400 would be fine.

If a colleague of mine at another company were to say that they are just looking for the cheapest and fastest firewall, based on my experience with Palo Alto, I would tell them that they get what they pay for. Palo Alto is not cheap but at the same time, their product is not really comparable with others. It's like comparing apples to oranges.

If you consider Fortinet, for example, they call themselves a next-generation firewall but they really aren't. They are what you call a GPO, which is related to policies. It is important that you look at what other people do and how they do it, but for the most part, there's not anybody out there doing what Palo Alto is. 

Another one is Cisco. They do the same thing that Palo Alto does, although it takes three Cisco boxes to do what a single Palo Alto box does.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PS
Principal Network and Security Consultant at a comms service provider with 10,001+ employees
Real User
Top 10
Central architecture means we can see an end-to-end picture of attacks

Pros and Cons

  • "Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use."
  • "The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay... where it needs improvement is where [SandBlast is] an appliance-based solution rather than a software or cloud-based solution."

What is our primary use case?

I support multiple clients within the UK, the EMEA region, the US, and now in Asia Pacific as well. I specialize in Check Point firewalls. I design and secure their data centers, their on-premises solutions, or their businesses security.

The firewalls are mostly on-premise because most of our clients are financial organizations and they have strict compliance requirements. They feel more secure and have more control when things are on-premise in the data center. However, there are use cases where I have helped them to deploy Check Point solutions in the cloud: AWS, Azure, and in Google as well. But cloud deployments are very much in the early stages for these clients, on a development or testing basis. Most of the production workloads are still on-premise in data centers.

Most of my customers are still using R77.30, and they are on track to upgrade from that to R80, which is the current proposed version by Check Point.

How has it helped my organization?

One of our customers has just recently been attacked by malware and internal DoS attacks, and they have a multi-vendor, multi-layer firewall approach. The internal firewalls are Check Point. The great thing about Check Point is that because of its central architecture, you can very quickly pinpoint where the attacks are coming from. It gives you comprehensive reporting when the attacks start and when they've stopped, so you can see the complete, end-to-end picture: where the point of attack is, at what time, and what host. They can track all of that.

However, in parallel, that customer is using other firewalls which have no visibility. One of the main advantages of having Check Point firewall is definitely that it gives you absolute in-depth visibility.

What is most valuable?

Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features.

One of the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely has a great architecture, where you can just enable the software blades and deploy a secure service. Overall, it provides ease of deployment and ease of use.

What needs improvement?

The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has Zero-day attack malware, sometimes it doesn't get analyzed properly or it's locked into the cloud. So there are various small issues with the product that need possible improvement.

The SandBlast product on its own is a very good concept, and it works absolutely brilliantly. However, when you integrate it with existing firewalls, it just doesn't play very well.

The cloud solution is quite straightforward because it seems the SandBlast solution was designed, initially, for cloud deployments, where you've got multiple clouds or multiple vendors, and you are receiving files from different points. And on the cloud edge, for example in AWS, if you have Check Point sitting there, it works very well if you're running a virtual firewall. However, if it's on-premise and it's a dedicated appliance, then the performance is slightly different and the way it works is very different. So where it needs improvement is where it's an appliance-based solution rather than a software or cloud-based solution.

If I am using SandBlast on a virtual appliance — for example, I've got Check Point virtual appliances in AWS, and Azure as well, for a customer — those virtual appliances work absolutely fine as a service, as does SandBlast as a service. However, if it's an appliance, if it's a dedicated firewall on-premise in a data center and you add SandBlast as a software service, the integration is not that straightforward, so the experience is very different. 

It seems like they were possibly built by different teams, independent of each other.

For how long have I used the solution?

I've been using Check Point firewalls for about 16 years. I am the main network or security lead and I have four other engineers who report to me. They also do design and deployment.

I work with approximately 40 companies that utilize Check Point.

What do I think about the stability of the solution?

Check Point firewalls are very stable. One good thing about Check Point is that they do rigorous testing internally before releasing updates, which is something I have not found with any other firewall products. With most of the other firewall products, when they release something, it's like the customer becomes the guinea pig for that particular version, whether a minor or a major update. However, with Check Point, you can see all the white papers and what ways they have tested a minor or major upgrade of the software version, and what the performance was like. What are their known issues and is somebody working on them or not?

So the software releases are very stable and you have visibility into how they operate and what the known issues are, so you know whether you should go ahead with them or not. And in case there is a problem, the support is excellent. You can reach out to Check Point and say, "Look, I've done the software upgrade and I'm experiencing these problems. How can I deal with them?" They are there to help you out.

There are times when we have problems in terms of software or hardware defects. We have sustained downtime, but most of the architecture I design is resilient, so if one device is down, the other one is working fine. Then in the background, I or my support team will deal with Check Point directly, to get a replacement. They're definitely quick to respond and very efficient. 

In the past, we had a lot of problems with licensing, specifically, but Check Point has redone the whole way they do licensing. It's very quick now, and very efficient.

What do I think about the scalability of the solution?

Check Point firewalls are extremely scalable. Recently, I deployed Check Point in an AWS cloud solution for one of my clients, and it's been absolutely excellent in handling growth. They've grown from 10,000 users to a million users. The way Check Point has advertised the product, it is supposed to be highly scalable, which means it grows as your demand grows, and that has been the case. 

Recently we have set up a test case where we are moving over management servers from on-premise to a Check Point-provided Infinity cloud solution. We are still at the testing phase but, overall, it's been a great experience so far.

How are customer service and technical support?

The teams we deal with within Check Point are extremely knowledgeable. They know how to understand the background of the problem, and they're very good about articulating how we deal with the issue, whether it's a minor software upgrade issue or it's a major failure of the hardware itself. They know where to look for the right stuff. The key point is they're very knowledgeable and very technical. And if somebody doesn't have the technical capability, they will definitely help you out to make sure you get to the bottom of the problem.

Which solution did I use previously and why did I switch?

In the past, most of the customers I've worked with have used different firewall vendors, such as Cisco, Palo Alto, and Juniper.

I've recently seen deployments where customers have tried to move from Cisco ASA to Cisco Firepower and the deployment has gone horribly wrong because the product has not been tested by Cisco very well and is not a mature product. I've gone in and reviewed their business requirements and technical requirements and, based on that, I've recommended Check Point and done the design and deployment. They've absolutely been happy with the solution, how secure and how capable it is.

We use Check Point across multiple types of customers, such as financials, retail, and various other public and private sector organizations. I review their security architecture, which is firewall specific and, based on that, I have recommended Check Point. In most cases, I've managed to convince them to go ahead with Check Point firewalls as a preferred secure firewall solution.

The main reason is that Check Point is far ahead in the game. They're definitely the market leader. They are visionaries when it comes to security. Another reason is that a lot of firewall architecture starts from the firewall itself, which is the local firewall. It can easily be hacked and manipulated. However, the Check Point architecture, out-of-the-box, is very secure. They have a central Management Server and all of the firewalls are managed through that one central point. So in case somebody breaks into your firewall, the firewall is encrypted; they will delete the database. The architecture is secure by default. The good thing is that other firewall vendors have realized this and they've started to copy the same system that Check Point has used for the past 20 years now.

How was the initial setup?

When working with the Check Point team on deployment, they're really helpful and very talented people. When you speak to other firewall vendors, they just think about the firewall from their point of view. The good thing about Check Point engineers, or technical staff, or even management staff, is that they understand what the requirements of business are and how they can improve or align the proposed solution. Overall, Check Point staff are very knowledgeable, they understand different industries, and they understand the product very well. That's definitely a competitive edge compared to other firewalls.

Once the design is done, for something simple the deployment can take half a day, whereas for a complex deployment in a data center it can take about five days.

Our implementation plan is divided into different phases. Phase One might be the physical cabling of the firewall device itself. Phase Two would be the logical setup, which means defining the interfaces and the virtual setup of the firewall itself. The final phase would be to bring it online in parallel with production, in a non-prod service, and test it to ensure it works as per the design.

What was our ROI?

A customer I'm working with right now was running with Check Point and they wanted to move to Fortinet firewalls. However, when I worked with them on the design to upgrade the existing Check Point firewalls, what we worked out was that even though the Fortinet might have seemed like a cheaper option, it didn't have the security capabilities that Check Point is offering. On that basis, the customer signed off on a project for upgrading their existing firewalls, on-premise and cloud, from R77.30 to R80.10.

What's my experience with pricing, setup cost, and licensing?

It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point you get all of that.

Which other solutions did I evaluate?

With Juniper, one of the biggest downsides is support. The support portal is slow and I won't say the staff is competent in terms of understanding. They're very disconnected internally. What I mean is that the team working on the software development of the firewall has no interface with the support teams that are handling day-to-day TAC cases. They definitely struggle when it comes to understanding challenges, problems, and incidents with the firewalls.

In the past, Juniper firewalls were good, but recently the security offering has just not been there. They don't have anything like SandBlast from Check Point. They don't have up-to-date Zero-day attacks control. They're still running a very old architecture. They can do things like antivirus and URL proxy, but those are very simple features. They have none of the advanced feature set that Check Point has.

Palo Alto is very competitive with Check Point when it comes to security. However, one of the challenges with Palo Alto is that, overall, the solution can be extremely complex and expensive. That is one thing I've heard from customers again and again. Either they have existing Palo Altos or they plan to go to Palo Alto, but when they do a comparison with Check Point, what they find is that the overall value with Check Point is much greater than with Palo Alto firewalls.

What other advice do I have?

If you're looking to implement Check Point as a security solution, definitely do your homework. Do some research, not just in terms of firewalls, but overall security architecture. Which ones are the leaders in the field? Which ones are there to deliver what they promise? And overall, how does the architecture work? Is it secure or not? And does it come from a team that understands how to support the solution itself? Are they consistent? Look at their track record for the past 10 or 15 years, or are they a new player? If they are, you don't know whether they're going to stay in the game or not. A good thing about Check Point is that its core product is security. They've been doing it day in and day out. You know they're there to stay in the game. You can trust them.

Check Point is a proven solution. A lot of customers and clients already rely on it. And for the Next Generation Firewalls, they're coming up with new features as security threats become known.

If somebody wants a secure and stable environment, Check Point is definitely the leader to go to; definitely the number-one choice. It's not only what it says on the box. In reality, I've worked with hundreds of banks and they're happy with the product because it works; in practice, it works. That's the main thing.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Shashidhara B N
Director - Technology Solutions & Services at Connectivity IT Services Private Limited
Real User
Top 10
This best in class Next-Gen firewall is elegant in its ease-of-use and architecture

Pros and Cons

  • "Juniper is one of the most powerful network security solutions while remaining simple to use, set up, and scale."
  • "It could have features that other products support like blade options and stand-alone endpoint security."

What is our primary use case?

For different customers, we use the product in different ways. In some cases, it is going to be an on-premises solution. In some cases, it is going to be a cloud-integrated solution. That is one of the best things about Juniper. We can use a single box and have the same unified policy structure if it is off the cloud or it is on-premises.  

Our primary use case is basically to use it like you would any other firewall. I do not call this a firewall anymore because it has functionality beyond what we traditionally think of as a firewall. Those days are gone where a firewall does just one thing. Today most of the firewall products are station firewalls. You have various options in each firewall station. In terms of comparison, you can compare Juniper with Cisco, with Fortinet, with Palo Alto and other leading products. It depends on what exactly you are planning to have it do.  

What is most valuable?

The most valuable feature for me over-all is that Juniper is simplified and can still do everything that is necessary to be effective. 

On the SRX box, it has what I call a one model concept for security. I work especially with hybrid environments. With an SRX we have a single management dashboard. We can manage the internal framework easily with the centralized management component. You can work with the threat prevention, you can work with the integration, you can work with traffic management. Another good part about SRX is that you have opportunities for automation. Another thing that is very good is that all the operating systems for all Juniper boxes are the same. You do not work on different operating systems using different boxes. 

It does user validation automatically and has automated threat detection and defense. It does threat analytics, which is integrated. So as a single box, it does not just address security, it does not just handle switching, it does not just work as a firewall. It addresses everything.  

What needs improvement?

I have not given a lot of thought as to what needs to be improved because so much of technology and capabilities are expanding.  

Probably Juniper could come up with their own dedicated endpoint security. Today they have an integration with Sophos. If you really look at what SRX has as far as antivirus capability, it is really only the integration with Sophos. Sophos is good, I am not saying Sophos is a bad solution. But Juniper having their own antivirus solution may be a batter idea to make it a stand-alone product.  

If you look at Check Point. They have a lot of experience in the area of security which is integrated with their product. In comparison, Juniper could start developing its own strong capabilities with antivirus and have its own security which may even surpass relying on Sophos. Sophos could improve more but it is definitely a wonderful architecture.  

For how long have I used the solution?

I have around 22 years of experience with various similar products. My experience for the last 10 years has been on Juniper. I have worked on Cisco, on Foundry, and on Xstream. And you can make comparisons with products like Fortinet and Palo Alto next-generation firewalls.  

What do I think about the stability of the solution?

I would rate stability on a scale of one to ten. If ten is best, I would rate a nine-point-five. I would not rate anything a ten in this industry in any case because nothing is perfect and there is always room for improvement. It is very robust. Because the product is robust and very agile that carries over well into the potential for reliability.  

What do I think about the scalability of the solution?

When it comes to scalability, basically Juniper is modular. The SRX architecture is very important. Say I am a small-time customer with 50 people in my company and I deploy on the SRX 300 Series. If my business grows exponentially and I now have 500 people in the company. My traffic has boosted significantly — say about ten times what it was. I do not have to really worry. Within one hour, I can just switch and get a new SRX box in place. Let's say I go with the 500 Series or the 4000 Series. This is my new capacity.

The change over is so simple, because the architecture is common. Whether you talk about SRX 300 or you talk about the service provider architecture, it is the same thing except for the capability to expand and handle the volume. That is very important from a technical perspective, which normally you only need one tech person to deploy.  

For mid-sized companies or even large-sized companies, you have a lot of clients from SRX 300 to SRX 5000 Series and the product line covers all the options. This is from a very basic server-level SRX box to the Next-Generation Firewall and advanced threat mitigation.  

But one thing that scalability should really take into account is that Juniper is an enterprise product. If you are really only talking about using the Sophos UTM or only want to use the product like a firewall, then you should consider a UTM box. If you then want to add an SD-WAN as an additional part of the architecture, the UTM is not the right choice. You just take an SRX box and you have SD-WAN on that. You can have a firewall on that. You can have a UTM on that. You can integrate with the cloud. You can integrate with Linux infrastructure. You can have network security.  

Today when we talk about Check Point, we talk about Next-Generation Firewalls. That includes the Palo Alto Next-Generation Firewall and Cisco Next-Generation. But no one talks about what the definition of Next-Gen is. The only difference about Next-Generation is that it has a staple firewall, by definition.  

If you are a small company and you only have five in your office, obviously you want a secure network. To do this you will buy a simple firewall. When you think of the most simple firewall, people buy a router. Then people buy a switch. Then people buy a firewall. Three devices. I would say, do not buy anything. Just buy one SRX box, which does all the three.  

Now I can also expand the same SRX 300 with a branch location. Let's say, I'm a bank customer. I have branches. Simple, I can now have the simplest of SRX 300 at all my branches or SRX 500. I just connect to my main SRX, let's say a 1500 Series with an SD-WAN topology. The project is done. Simple. I secure my network. I handle my routing. I handle my security. And I have an option for just enabling the license to get the latest threat mitigation.  

For comparison, let's take a very big enterprise network. Maybe I was the head of Informatica at APAC. I am in a situation where I have 6000 R&D developers in the organization. We monitor our total performance. Latency on the firewall should be as low as possible. This is especially critical with the current environment where people work from home. Everyone who is working from home now because of COVID has all their data still in the office and people come onto the network to get connected from home to the office.  

Imagine the load on my firewall in that situation. All the people from inside my organization are sitting outside of the office now accessing the data in the internal network through the firewall. Imagine all the data tracking is coming from all over like an external traffic base. You need to have the proper solution to handle the change in traffic and scalability is the most important factor in this case for successfully running a demanding environment.  

How are customer service and technical support?

Juniper support is very good. But more than the technical support, their documentation is awesome. You can just Google a solution right now by stating your problem. You get into the juniper.net and there is wonderful documentation. As a technical person, I have never seen any technical documentation that is as good. I would say it is awesome. Any person who has an interest to learn, who has the interest to scale his capability with the product, just has to go to the Juniper site and they will get all the information on every one of their products. I think that it is written well enough for a non-technical person to become technical.  

They have different levels of training available. They make it very easy and available for anybody to explore the solution. There are knowledgeable people available in the technical community. It is a very good solution overall.  

How was the initial setup?

I consider the setup for the product to be very easy. A basic technical person can do it. But, a person would need to know the capability of a robust box like SRX to make full use of the capabilities and the right choice of the product.  

You install the box, configure the hostname, a password, and set your IP address. By default, Juniper handles the basic configurations automatically. The control frame architecture is very nice. The whole platform architecture is very good. When you work with that box, you just divide the box into two layers: the top layer and the bottom layer. The top layer is exclusively made for the SRX box. The bottom layer is nothing but throughput where the packets get in and get out. We call it a packet forwarding engine, PFE.  

Initiating the routing packets actually go in the mapping connection between the top and the bottom, which is managed as with Oracle in an internal zone. The box is already secured when an attack happens. Nothing is 100% in the world. So, there is the possibility of an attack but at least the control center protects your network.  

The entire installation is just a couple of hours. It depends on the Oracle sizing. Let's say that you want to work on the agility of SRX, something you really need to understand is where you are deploying this product. It is different if you are comparing an SRX box or the cloud. When you are using an SRX box will it be deployed for a small enterprise, a mid-size enterprise, and a data center. You can have SRX boxes for a large data center. That is a difference in the agility of Juniper SRX compared to Cisco. For example, when I work with the cloud, I have an SRX virtual firewall, which is a high-performance network security in the virtual cloud. It is especially good for rapid deployments. It hardly takes hours to deploy on the cloud.  

When you have a container with a firewall, it is known as cSRX. Which is again, a highly available container firewall. These are used especially for microservices. When you start with a small enterprise you start with either the SRX 300 series or a 500 series, which is a next-generation firewall. It is comparable to the Cisco ASA. Probably the next good product to compare is Check Point. But the SRX product is easier to manage and deploy when compared to Check Point or Cisco.  

For the mid-size enterprise organization, we have the SRX 1400 Series or you can consider the 4000 Series. It is just an appliance. You just plug it in, switch it on, configure the network IP address, and then start configuring the protocols. You enable the licenses there, malware prevention, and all the other features you want by just adding on to the licenses.  

So it is just a matter of choosing the right appliance and from there it is practically plug-and-play. The challenge is not the initial setup and deployment, it is what you make use of.  

Which other solutions did I evaluate?

The main competitors for Juniper are Palo Alto, Check Point, and Cisco. Juniper has a lot of features that are good for engineering. Things like Fortinet and Cyberoam can not really compete with these others when it comes to these important features. Specifically, when you talk about Juniper SRX you talk about cloud deployment. You talk about malware remediation. You talk about reporting analytics. You talk about quarantining or threat intelligence (Unified Threat Management or UTM). You talk about data throttle, control prevention, email, web analysis, and integrated management. It can even just work as a router or assisting layer. It works best especially in large networks — like when you talk about service providers — where you have huge traffic flow. It is built to have flexibility and ease-of-use.  

What other advice do I have?

My advice to anyone considering Juniper as a solution would be to first understand that the product needs to be chosen to fit the environment. You want to get the one right box that has the capacity you need. You have everything you need in the model by just updating your license. You do not have to look for a new box when your traffic remains under the upper limits of the capacity. If you are under the limitations of the capacity, the traffic goes straight out, unimpeded.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Juniper SRX as a nine or even a nine-point-five overall. Additional features that could be added to make this solution a ten that other competitors have would technically make it the best product. For example, Check Point offers Blade Architecture. You just keep adding more and more blades. Because of this, Check Point — especially in the area of their security database — they are quite superior to Juniper. o there is room for improvement.  

When you really study on an enterprise level where Check Point stands out or where Juniper stands out, you have got to look into the way each product fits your needs. I mean Check Point is currently easy-to-use, and very good, global product. It also has quite a good rating from the industry over the past few years. Certainly, someone considering a purchase needs to consider options and trends.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Get our free report covering Fortinet, Cisco, Palo Alto Networks, and other competitors of Cisco ASA Firewall. Updated: November 2021.
552,695 professionals have used our research since 2012.