Cisco – Palo Alto – What’s the big deal

cisco firewall palo-alto

Work got a couple of Palo Alto boxes that will be used for a customer. No real gameplan has been issued yet, but I was wondering what exactly sets these boxes apart from, say, an ASA?

It appears to me to just be a linux machine with their custom overlay. I'm sure there's a lot I'm not seeing as I haven't done much with them, but I can't help but be wary.

What I'm asking is:

  • What are the strengths of Palo Alto Firewalls (specifically the 3000 series)?
  • In what cases would you use one over a Cisco ASA?

Best Answer

Most network vendor software (IOS included) is *nix based; I don't see why this is an issue.

Palo Alto has a number of strengths over an ASA primarily based on an application-based rather than TCP focus:

  • L7 Application awareness, allowing you to restrict application functions rather than just IPs and port numbers. This provides protection where applications (such as Skype) use dynamic ports.
  • Agent-free user awareness, allowing you to restrict access and functions based on a user's credentials and AD group membership for instance.
  • Comprehensive user directory support.
  • An advanced GUI
  • A virtual edition
  • A REST API
  • BGP Support
  • Data Loss Prevention features
  • Additional modes of operation (L1 transparent, Tap) that I don't believe the ASA provides

This Packetpushers Podcast provides a good overview and further information.
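To make the first bullet concrete, here is an added illustration (not part of the original answer) contrasting a port-based ASA rule with an application-based PAN-OS rule for the Skype case the answer mentions. The interface and zone names (inside, trust, untrust), the 10.1.1.0/24 subnet and the rule names are assumptions chosen for the example.

```text
! Cisco ASA: port-based policy. Anything that speaks TCP/443 from the
! inside subnet is permitted, including Skype or other apps that fall
! back to 443 when their native ports are blocked.
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended deny ip any any
access-group INSIDE_OUT in interface inside

# PAN-OS (set-format CLI): application-based policy. App-ID classifies
# the session by what it actually is, so a deny on "skype" holds even
# when Skype tunnels over 443, and "application-default" restricts
# web-browsing/ssl to their standard ports (80/443) instead of "any".
set rulebase security rules block-skype from trust to untrust source 10.1.1.0/24 destination any application skype service any action deny
set rulebase security rules allow-web from trust to untrust source 10.1.1.0/24 destination any application [ web-browsing ssl ] service application-default action allow
```

Rules are evaluated top-down, so the deny is placed before the allow; note that App-ID needs the first few packets of a session before a match is final, so check the traffic log's application column rather than assuming the port tells the whole story.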
