Palo Alto vs SonicWall, what am I missing?

So my company is replacing firewalls. In our EU HQ, they went with Palo Alto 2020 models to take the place of Cisco PIX and an IBM IDS box.

However, as I'm responsible for the US branch, I'm re-evaluating their decision for our office. We currently have a Cisco 5510 and the same IBM IDS box behind it. Everything works, so I'm wondering if a PA device is worth the upgrade cost, but on the other hand, you can't really put a price on security. The application control, IPS, anti-virus, etc etc are all cool features that might be worth implementing now.

My question is - why is PAN so expensive? As an example, SonicWall's NSA 3500 with similar specs is coming in at 1/3 the price for the same feature set, and a lower yearly cost. I've seen the demos, and the interfaces are both pretty slick - at least compared to what I have now. They all have the gateway security features and Deep Packet Inspection.

So what am I missing? I know PAN is all the rage right now in the networking world, but it seems like they're somewhat riding the fanaticism from their marketing teams - similar to Apple customers.

We could also debate the differences between what's marketed as UTMs and NGFWs, but from the "black box" perspective (what comes in, what goes out) - aren't they more similar than different?

If I ran the office, I'd also look at Untangle and other vendors, but my boss wants something with a little more brand recognition. Anyway - I'm asking the Horde what's up since I'm not a networking guy by trade - more sys admin - but this office is my responsibility. :D
 
If you're looking for a device to do just NAT, then there isn't a difference.

The PA is infinitely better than the SonicWall at screening and blocking threats. The URL filtering is better and more customizable. The reporting is better integrated and easier to use. It's an all-around better product.

We've been running a SonicWall NSA 5000 for a few years and have been consistently unhappy. We're finally ordering a pair of PA 3050s to replace it.
 
PA is on another level, I'm surprised something like Sonicwall would be cross-shopped.

I'd go along with the powers above. If something happened at your location and they blamed it on the SonicWalls, that could be bad, bad news for you. If something bad happens and they go with their choice, you can say 'I told you so'.
 
I have never worked with a SonicWall but do have some experience with PAs.

One thing that I saw missing from the SonicWall was basing policies off of users/groups. If you take the time you can really narrow down someone's network access by using their user name instead of IP, for obvious reasons.

I am not sure how SonicWall deals with apps, but again PA can get pretty granular here as well, i.e. allow Facebook but no FB apps. I am not sure if the SonicWall just identifies the app as a whole or can tell the difference between the apps. Also, if you have some custom apps you can get with Palo and get them added to your firewall instead of just the bypass that you initially set up.

It's a good product, but I think it's still young. I worked on multiple customer boxes where instability was noticed; however, this was in lower-end gear (PA-200 and 500) running code 4.1.6 and below, so perhaps that has been straightened out by now. They are pretty quick to update signatures on the IPS side. For example, when all the zero-day Java stuff came out they had a patch out within a day or two; however, you will manually have to log into the firewall and update it if you're in between your weekly upgrades. Customer service was OK, but I don't really like the support portal they have for searching KBs.

I was kinda neutral on their CLI, as some things can differ between different versions of code, but I do like the hierarchy layout and it being similar to Junos. They mainly push the GUI though, as that's what they want you to use.
 
SonicWalls are great; I use them in larger-scale networks.

There are indeed users and groups; it has great app filtering, content filtering, etc. I use the LDAP integration to have users automatically assigned to the right filtering zone based on their computer logon.
There is a downside with LDAP integration: you can't have nested groups, so you will always have to keep up shadow groups. Also, it requires a DC with a SonicWall agent installed on it to pull info. Also, you will need to disable firewalls on the individual workstations (you could probably figure out what can be opened; I just keep it open).

App filtering works great; you can also define custom ones, but the ones they have pretty much include everything under the sun. All updates are automatic. Out of the 900+ machines I get a viral infection maybe once or twice a month.

As for reports, they are a bit lacking, but if you install ViewPoint (free) it will generate lots of things. Now they are deprecating ViewPoint for a new monitoring system, but that needs extra licensing.. BS imho. I just hope Dell doesn't fuck shit up.

I honestly would call Dell and ask for a demo unit.

If you want to know anything about SonicWalls, PM me. I have about 170 devices in production, everything from an NSA 3500 down to a TZ100.
 
PA is expensive because they stuff everything on a box and let you look at everything in real time with no third party software. - Overpriced

SonicWalls are stupid and are far too complex; anything that stores rules in 3 different subsets is just stupid. Please do not make a rule on your own!!! Use our wizturd. - No better than an Untangle box, and you will only save money going with Untangle, plus it will probably have better support unless you pay for the premium support.

Guess what, everyone: I do not care if you like SonicWall, it's garbage. (No, I do not want to hear how much anyone likes SonicWall and how great it is, but thank you!)

Barracuda just recently bought a company in the UK and has two new firewalls, the X series and NG. They are both pretty good; the NG is a more advanced firewall and would be comparable to a Check Point, Juniper, Secure Computing (now McAfee), or Cisco. The X series firewall would be like a PA, Untangle, SonicWall, etc....

They are very affordable, though; however, I wouldn't get an NG unless you have high-level technical experience with firewalls.

I guess my best advice would be to just buy something you have heard of. All of these firewalls have so many features that you probably won't use most of them, and you might as well use something the rest of the world is using because it will be easier to support: more than likely someone else has had the same problems you are experiencing, if you experience any.

At the end of the day a firewall is a firewall and a UTM is a box full of magical beans that do not always work right even if you buy them :D
 
I'm going to have to agree with Wrench00 and Tee. We have a Sonicwall NSA5000. It does all the things mentioned; CFS by AD credentials, "Layer 7 control and visibility," AV, IDS, etc.

That said, it all is just terrible. The AD connector gets overwhelmed, and nobody can surf the web. The L7 rules make little sense. The visibility is marginal. The UI is pretty bad to begin with. It blocks all kinds of stuff for no reason and the log is impossible to rein in. Probably not relevant, but I took the CSSA training to have "Direct access to Tier 2 support"; they just make the level-one guys in India the level 2 skill level......for everyone. So granted they can usually solve a problem, but come on...that's not what I want.

I have been in a few PA webinars now; the UI looks more complicated but, as I understand it, is way more effective. If your options are between these two, PA hands down.

OK, that said, I am finding UTMs to be a crock. They do a bunch of stuff that is useless or at least not as good as other standalone products. IMO the use case for a UTM is if you have an IT staff that has no idea how to manage network equipment and wants something easy that they can say is protecting them, but they really have no idea. I would stick with your ASA and expand in specific areas, i.e. get a web filter, or get an IDS/IPS.
 
Thanks for your replies. The feedback, as expected, is always mixed - but it's good to get first-hand anecdotes. It's always fine and dandy with whatever the sales rep tells you, but it's hard to get a real sense of how things work until you get your hands on them. "The grass is always greener on the other side" is something that also always pops up in IT.

For those of you who have switched or are going to Palo Alto - it'd be good to get your feedback after as well. From what I've heard, a few people have qualms about those too, but overall it's still a good product.
 
PA is expensive because of their software, which is their secret sauce. Basic firewalling and whatnot is basically the same as other devices...but with PA, you aren't looking for the same as other devices.

Rules for adding internet access are something like:
trusted zone --> untrusted zone....and then you select applications to have access for this rule:
DNS
HTTP
SSL
FLASH
etc....or
Allow YouTube, but not YouTube Upload/Submit.

The PA will scan all ports for services....not just saying allow HTTP on port 80.

We play on the higher end of the 5000 series for ours.
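The zone-to-application rule described in the reply above, as an added toy illustration (constructed code, not Palo Alto's App-ID and not code from the thread): the application is classified from the session payload and the port is ignored, so an "allow web-browsing" rule still matches HTTP on port 8080, and allowing youtube-base does not allow the youtube-upload child app. The signatures, zone names and app names are all assumptions.

```python
# Toy model of zone + application rules (App-ID style), constructed for
# illustration; this is not Palo Alto code and not code from the thread.
from dataclasses import dataclass
from typing import FrozenSet, List

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes      # first bytes of the session (constructed samples below)

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    apps: FrozenSet[str]
    action: str = "allow"

def identify_app(flow: Flow) -> str:
    """Classify from payload only; the port is deliberately ignored.
    youtube-upload is a child app, distinct from youtube-base (toy signatures)."""
    p = flow.payload
    if p.startswith(b"\x16\x03"):                        # TLS record header
        return "ssl"
    if p.startswith((b"GET ", b"POST ")):                 # plaintext HTTP
        host = p.split(b"Host: ", 1)[-1].split(b"\r\n", 1)[0]
        if host.endswith(b"youtube.com"):
            return "youtube-upload" if b"/upload" in p else "youtube-base"
        return "web-browsing"
    if len(p) >= 12 and p[2] & 0x80 == 0 and p[4:6] == b"\x00\x01":
        return "dns"                                      # DNS query header, QR=0, QDCOUNT=1
    return "unknown-tcp"

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First rule matching both zones and the identified app wins; otherwise implicit deny."""
    app = identify_app(flow)
    for r in rules:
        if (r.src_zone, r.dst_zone) == (flow.src_zone, flow.dst_zone) and app in r.apps:
            return r.action
    return "deny"

# The rule from the reply: trust -> untrust, allow DNS/HTTP/SSL and YouTube
# viewing but not YouTube upload (youtube-upload is simply not listed).
POLICY = [Rule("trust", "untrust", frozenset({"dns", "web-browsing", "ssl", "youtube-base"}))]

if __name__ == "__main__":
    for f in (Flow("trust", "untrust", 8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
              Flow("trust", "untrust", 80, b"POST /upload HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
              Flow("trust", "untrust", 80, b"SSH-2.0-OpenSSH_8.9\r\n")):
        print(f.dst_port, identify_app(f), evaluate(POLICY, f))
```

A port-based ACL would have passed all three of those flows as "port 80/8080 web traffic"; the app-based rule allows only the first.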
 
I would like to play with one of these, but they are magnitudes more expensive than a SonicWall. The VM appliance looks yummy though.
 
I would like to play with one of these, but they are magnitudes more expensive than a SonicWall. The VM appliance looks yummy though.

Any serious potential customer can always get an eval. I would go a step farther and suggest that any serious customer engage in a bake-off between at least the top two contenders on your list. It is up to the customer to make the vendors earn the sale.
 