Palo Alto Networks

Getting one of their boxes on eval for a couple of weeks. Quite a broad and generic question I know, but does anyone have any experience(s) they wish to share?

Cheers,
Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: Palo Alto Networks

I've worked with them before and they're pretty good.
Easy setup and maintenance, good integration with Active Directory, good application detection engine.
Overall it's a good product, but you have to test it in your own environment to see if it fits.

Here are the drawbacks that I can remember. All firewalls have some kind of issues. Here are the issues I see, and maybe they have been fixed by now. I don't know, it's been a while.

I remember it didn't have a central management, so having a few of those boxes may be OK, but when you're looking at 20+ clusters, it becomes time consuming to manage.

Application detection engine would automatically drop the traffic of unknown apps into a low priority pool. So if you have home grown apps which require a lot of bandwidth, you need to make sure you find it and give it a definition or work with their team to create a custom rule, otherwise it will crawl.

I'm sure there's more pros and cons, but that's all I can think of.
Let me know if you have more questions.

Frank

On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul@...> wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a broad and
> generic question I know, but does anyone have any experience(s) they wish to
> share?
>
> Cheers,
> Paul

--
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
— White House Cybersecurity Advisor, Richard Clarke

Re: Palo Alto Networks

The idea itself is quite good for some cases (do not rely on port numbers, use traffic signatures *instead*). Though it sounds much like "giving up application control" ;-)

The marketing bullshit is awful, though. There are a dozen whitepapers with amazingly few useful technology details but too many buzzwords about "next generation".

Despite that, it seems to be a quite decent product with (still DPI-driven) L7 inspection, (quite basic) DLP functionality built in (still much better than nothing), data fingerprinting and reasonable performance (though I am strongly against justifying firewalls by performance).

On Thu, Oct 08, 2009 at 06:00:54PM +0100, Paul Hutchings wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a
> broad and generic question I know, but does anyone have any experience
> (s) they wish to share?
>
> Cheers,
> Paul

Re: Palo Alto Networks

Ah, and it does SSL MITM as well. I do not have any hands-on experience, though.

(going to publish a whitepaper on "benevolent" SSL MITM proxy soon which fixes several SSL security problems ;-)

On Thu, Oct 08, 2009 at 06:00:54PM +0100, Paul Hutchings wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a
> broad and generic question I know, but does anyone have any experience
> (s) they wish to share?
>
> Cheers,
> Paul

Re: Palo Alto Networks

Thanks all.

Frank,

We would only be looking at one unit so management shouldn't be an issue.

You mentioned "home grown apps" and giving them a definition. This will hopefully all be clear once I have a unit's GUI in front of me, but presumably if you need/want it to, the PA boxes can also act as dumb stateful firewalls, i.e. "Simply allow port XYZ from X to Y"?

Arkanoid,

I've learned not to trust the marketing, hence lurking on technical forums and lists like this.

Also (again may become clear when in front of one) but how does the SSL inspection/MITM actually work, i.e. what would I need to change on my clients, and could it also be used to apply inspection to inbound SSL traffic to look for nasties, i.e. Outlook Web Access?

As a general question, what strategies are people taking these days regards "layering" firewalls? We currently use a back to back approach with a dumb stateful firewall at our perimeter almost as a "doorman" so that only the ports we need to allow in get in, and then we get a little smarter, i.e. does it conform to RFCs etc., at the LAN edge firewall. I'm wondering if the general consensus is that this is still a sensible idea?

Paul

On 8 Oct 2009, at 20:47, Francois Yang wrote:
> I've worked with them before and they're pretty good.
> easy setup and maintenance, good integration with Active Directory,
> good application detection engine.
> Over all it's a good product, but you have to test it in your own
> environment to see if it fits.
> here are the draw backs that I can remember. all firewalls have some
> kind of issues.
> here are the issues I see and maybe they have been fixed by now. I
> don't know it's been a while.
> I remember it didn't have a central management, so having a few of
> those boxes may be ok, but when you're looking at 20+ clusters, it
> becomes time consuming to manage.
> Application detection engine would automatically drop the traffic of
> unknown apps into a low priority pool. So if you have home grown apps
> which requires alot of bandwidth, you need to make sure you find it
> and give it a definition or work with their team to create custom rule
> otherwise it will crawl.
> I'm sure there's more pros and cons, but that's all I can think of.
> Let me know if you have more questions.
>
> Frank
>
> On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul@...>
> wrote:
>> Getting one of their boxes on eval for a couple of weeks. Quite a
>> broad and
>> generic question I know, but does anyone have any experience(s)
>> they wish to
>> share?
>>
>> Cheers,
>> Paul

Re: Palo Alto Networks

> I remember it didn't have a central management, so having a few of
> those boxes may be ok, but when you're looking at 20+ clusters, it
> becomes time consuming to manage.

Palo Alto does have central management by using an additional product called Panorama.
http://www.paloaltonetworks.com/products/panorama.html

One observation on the topic of management; the Palo Alto logging scheme seemed clunky, especially with a lot of logging enabled. If you are a frequent user of, say, Check Point SmartView Tracker then you might be annoyed with a web-based viewer and have some trouble with the query capabilities. Maybe the experience improves when you spend more time with the product, but it was an initial concern. Look at this in your own environment if logs are important to you...

Again, this may have changed with PanOS 3.

Damon