We use Palo Alto Networks VM-Series for our company's customers, especially those who use Azure Firewall to secure their environment but still want a third-party firewall from companies like Fortinet FortiGate and Palo Alto in their environment. Whenever our company's customers want to opt for a third-party firewall, we suggest firewall products from companies like Fortinet FortiGate and Palo Alto. There have been cases where our company's customer who already uses firewall products from Fortinet FortiGate and Palo Alto deployed on an on-premises model want to shift the same product to the cloud, going on the good experience they have had with the products. If our company's customers are not interested in purchasing a third-party firewall, my company suggests the cloud-native firewall provided by Azure, specifically for their landing zone environment.

Regarding Palo Alto, my company normally does a high availability configuration for our customers, which are active-active and active-passive. There are multiple add-on packages a customer can choose from in Palo Alto, including antivirus, web filtering, IDS, and IPS solutions.

Considering Azure, some customers may purchase Palo Alto Networks VM-300. Considering the pricing perspective, customers want multiple NIC types because they might have different spokes, and they may like to extend it with different interfaces on different spokes. Considering VM-Series on Azure Virtual Machines, since there is a limitation when it comes to Azure VM-300 as it supports only four cores, there may be some modifications made to support more cores.

I have been using Palo Alto Networks VM-Series for three to four years. My company functions as a managed service provider and an integrator for Palo Alto Networks.

Palo Alto Networks VM-Series can be made more stable. I have seen some bugs in the solution. After deployment with an API call, you can use an HA solution in two scenarios, namely, as a load balancer and for API calls. I see that in the Palo Alto Networks VM-Series, there are some delays when it comes to an API call configuration.

It is a scalable tool. Considering the licensing part of the solution, it may not seem scalable, especially when you want to move from Palo Alto Networks VM-300 to Palo Alto Networks VM-500 since, for such a procedure, the virtual machines will have to be brought down and registered again with a different license, which is challenging.

My company's customers who use the solution are mostly enterprise-sized businesses.

The solution's technical support has been good. I rate the technical support a seven and a half to eight out of ten.

There are some delays that I have observed when my company communicates with Palo Alto's support engineers. There are also some problems related to the understanding of our company's issues with the product by Palo Alto's support team.

Positive

Users are provided with templates to go ahead with the deployment phase of Azure. There are already prepared templates available for installation, which users can use during installation.

Suppose our company's discussions with the customers are completed, and the design has been frozen. Considering the aforementioned case, the Palo Alto Networks VM-Series installation phase can be completed in a couple of hours, while the only time-consuming task is the creation of policies.

Palo Alto Networks VM-Series is easy to maintain.

From a security point of view, I find Palo Alto Networks VM-Series to be a better product compared to the other solutions in the market.

I rate the overall product a ten out of ten.

The tool's cloud version makes application migration easy. 

Palo Alto Networks VM-Series needs to improve its order process. 

I have been working with the solution for two years. 

I rate the solution's stability a nine out of ten. 

I rate the product's scalability a nine out of ten. 

Palo Alto Networks VM-Series' deployment is not difficult. 

The solution is expensive. I rate its pricing a three out of ten. 

Palo Alto Networks VM-Series is an enterprise product because it is costly. I rate it an eight out of ten. 

We use Palo Alto Networks VM-Series primarily for security purposes. It helps us with URL filtering, domain blocking, threat analysis, and detecting vulnerabilities.

We can monitor the traffic manually and detect threats. Additionally, we can block different IP addresses and URLs.

There could be dynamic DNS features similar to Fortinet in the product.

We have been using Palo Alto Networks VM-Series for six years.

I rate the product's stability a nine out of ten.

I rate the product's stability a seven out of ten. It could be better. We have four users for it at the moment. We plan to increase the number of devices.

We receive technical support from a local partner rather than directly from the vendor. The support team requires more training.

Positive

We have used Cisco Adaptive Security Appliance (ASA) before. Compared to Palo Alto, Cisco devices are not feasible regarding hardware. They are very slow and complicated to find the granular level of results. Sometimes, even a technical expert is unable to fetch a proper report.

I rate the initial setup process an eight out of ten. It takes eight hours to complete and requires one security engineer to execute the process. The deployment involves setting up security policies. The on-premise installation is simple. However, VM installation is complicated in terms of the network interface.

It is an expensive product. I rate the pricing an eight out of ten. We purchased a three-year license for it.

I rate Palo Alto Networks VM-Series an eight out of ten.

We use the product to mitigate vulnerabilities for the applications running on particular VMs.

The product's most valuable feature is pricing.

Compared to Azure Firewall, the product could be better in terms of performance.

We have been using Palo Alto Networks VM-Series for three years.

The product is stable.

It is an easy-to-scale product and suitable for enterprises.

Palo Alto's support is good. Whenever I raise a ticket, they immediately look into it and make a Zoom call.

Positive

I have used Cisco's Next-Generation Firewall before. It works better than Palo Alto.

Palo Alto's installation process is easy because we use Panorama tool to manage it. We can communicate and implement traffic policies, filtering, and other specific options with its help.

It requires two to three engineers and takes two days to complete the deployment. For maintenance, it requires a team of two engineers.

It's good to work with Palo Alto Networks VM-Series. I recommend it to others and rate it an eight out of ten.

The main concern is VPN. If you're using Azure Firewall, you still need a VPN gateway to terminate your VPN connection. Azure Firewall doesn't remove the need for another VPN gateway, especially for point-to-site VPN. So you have to use another VPN appliance. With Palo Alto and FortiGate, for example, you can have an all-in-one solution. The VPN gateway and all the other features are available.

Palo Alto Networks VM-Series has everything centralized. You have the VPN solution, firewall, routing, UDR, flexibility, updates, and full visibility of your traffic. You can also perform log debugging. It provides all the things that Azure's firewall doesn't offer. Plus, you have full ownership of your device.

Firstly, Palo Alto should update their documentation to make it more readable and provide easier-to-follow instructions through videos. This would help people learn and deploy the product more easily. Even if the product itself is excellent, lacking proper documentation and troubleshooting guidance renders it less useful. It won't be helpful even if it's rock solid but lacks sufficient information and tutorials.

I've been using Palo Alto as a VM for about three months. I use the latest version.

It is a stable solution. I would rate the stability a ten out of ten.

It is a scalable solution. We have more than 20 entities using this solution. 

Customer service and support are great. The response time is good. My experience with them was very good. 

I used Azure Firewall for a while, but then I removed it and installed Palo Alto.

The setup requires professional people to work on it. It's not straightforward. Knowledge is needed to adapt it to your platform. 

So, it's not an entry-level solution; it requires professional and expert-level skills.

I deployed the solution myself. The deployment process took about three to four days. It depends on your production environment because I had to migrate production.

Only one person is required for deployment and maintenance. 

I can't make a suggestion because it depends on the specific needs they have. They can consider using the entry-level version or opt for the expert lab, depending on their workload.

Overall, I would rate the solution a nine out of ten. 

Ours is an enterprise environment and some of the services are hosted in our private data centers and some of the servers are hosted on Azure. We have the IPSec tunnels from the firewalls to our own data centers and from the firewall to the cloud as well. It depends on the type of application being hosted.

We are using Panorama for centralized management of all our firewalls around the world, as well as for centralized management of security policies and network settings. We have not completely migrated to the cloud. We are in transit.

Palo Alto has many features for troubleshooting real-time scenarios. The troubleshooting, compared to other firewalls has been optimized in a way that saves a lot of time.

I like the UI. Most things are accessible from the user interface and it is quite user-friendly. With respect to both VM-based firewalls and physical firewalls, it's easy to create updates.

They have a centralized Palo Alto Customer Support Portal and if we require any licenses, such as a next-generation firewall license, we can easily download and integrate them with this solution. We can also schedule periodic updates. That is quite user-friendly.

In terms of functionality, we are using IPSec tunneling and Palo Alto's WildFire feature. We use the security policies, Panorama, and Prisma Cloud as well.

We use Panorama to manage our security policy model across on-prem and public cloud environments. It plays a key role with respect to centralized management, for physical enterprise firewalls and cloud-based firewalls. It gives you centralized control over all the infrastructure. Unified policies can be pushed from that centralized place with templates.

When you deploy VM-Series Firewalls, they are quite flexible. You just have to select the instances, storage, security policies, and firewall rules. Within minutes, you can deploy the firewalls.

We are also able to adjust firewall sizing on the fly, which is important. Initially, we decided on a firewall based on the throughput assumptions. But in peak hours or during a peak month for traffic, we need to scale the firewalls. That should be automatically done. AWS and Azure provide very good features and, by using them, within a second it automatically scales, based on the incoming traffic.

Palo Alto has launched different products, such as physical firewalls as well as cloud and VM-based firewalls. Recently, they introduced their Prisma Cloud solution. Compared to the previous technologies, like Panorama, which is used for centralized firewall management, or even individual firewalls, it's a bit challenging to integrate the traditional firewall policies into Prisma Cloud. And the Prisma Cloud interface isn't very user-friendly. 

Our organization has been using Palo Alto Networks VM-Series for more than five years, and I have worked on this solution for two years.

The solution is certainly stable. I have worked with many vendors' firewalls and Palo Alto's are definitely stable.

Obviously, it is scalable as long as you have the licenses and support with Palo Alto. You can implement the firewalls in high-availability mode or use the cloud functionality as well. For scalability, Palo Alto is optimized.

We have 30-plus sites around the world with more than 4,000 users.

Palo Alto has very good support. When you have a valid license, they can replace a device with a new one. They have the CSP portal and you can log in and see all the firewalls listed. You can raise TAC cases with a priority of low, medium, or high, and, based on the priority, they will send an email to you. They have live support as well. In case of an issue, you can call them directly and they will provide the required support.

Positive

Earlier, we were using many vendors' firewalls, per their suitability for our clients. Apart from Palo Alto, we were using Cisco ASA, Check Point, and Juniper. The network grew over the years and each site had its own set of firewalls. The issue was that we had to standardize things across the network. There was also a gradual change in the technology and features available. Our security team thought we needed a better implementation, for optimization and troubleshooting, and something that was friendly for daily operations.

We have both private cloud and hybrid. Some of the services are on the cloud and some are on-prem in our data center. Setting up Palo Alto firewalls is quite easy compared to other vendors.

Migrating our old infrastructure to Palo Alto took four to six months. 

We did some pilot project testing with Palo Alto. If, for example, we want to migrate from XYZ vendor to Palo Alto, the very first thing we had to do was capture all the existing security and NAC policies and all the NGFW functionality. Palo Alto has specific features. For example, you can capture the logs in an inline environment, such as what traffic is going to the network, what security policies are there, et cetera. We deployed the Palo Alto firewalls in that way to only capture the traffic. We then analyzed the traffic, and we worked with Palo Alto TAC to understand the security policies and the exact throughput to determine the hardware we were going to use. We monitored all of that for a few months and then we started the migration from other vendors to Palo Alto.

We had 10 engineers involved in the deployment, but each on-site location had its own team as well. Three were senior network architects and the other seven were staff network engineers.

If you want to keep up to date in the network, it requires quite a bit of patching. It has many features, like Unified Threat Management and antivirus that can be auto-updated by scheduling an update for them. But the major patching has to be done manually. In our organization, we do it quarterly.

It is worth the cost.

Palo Alto Networks VM-Series is notably cheaper than other firewall vendors, except Fortigate. Fortigate is number one in terms of pricing.

Our security team tested various firewalls and it came down to FortiGate and Palo Alto and they found Palo Alto was quite suitable for the network.

Everything is moving to the cloud and we need a solution that can support all the multi-vendor platforms and the new technologies as well. That is quite important for any enterprise organization or service provider nowadays. If we talk about moving existing loads from our own data centers or enterprise sites to the cloud, we need a solution that can take care of everything, such as security compliance, and that is easy to use. Palo Alto is good in those terms.

With the introduction of Prisma Cloud, Palo Alto is encouraging clients to migrate their infrastructure, such as VPN and security solutions to Prisma Cloud. It has been highly optimized compared to Panorama. Palo Alto is promoting it and asking their clients to use Prisma Cloud to improve their security infrastructure.

I would advise, when you deploy a new site, to manage it from the centralized Panorama solution. With Panorama, you have a local login, so even if the internet is down you have access to the firewall management.

We had a situation, when performing patching, where the firewall lost the remote connection via the internet and it had not been onboarded to Panorama. That mean we lost connectivity and we had to involve the onsite technicians. To avoid that scenario, all firewalls should be centrally managed by Panorama.

And for troubleshooting, each firewall should have syslog profiles activated.