Educause Security Discussion mailing list archives
Re: Palo Alto Firewalls
From: "King, Ronald A." <raking () NSU EDU>
Date: Tue, 18 Mar 2014 07:56:04 -0400
1.) How many Palo Alto Firewalls did you purchase?
- We purchased 2 5060s last quarter of 2012.

2.) If you purchased just one, what do you have in place in case of a failure?
- I don't know if we ever considered just one. We had a pair of Cisco ASAs, so, a pair was considered from the start. I will say that a pair has been quite a benefit when other gear fails and/or for PANOS upgrades. If you need the nines, a pair is a must. If we were corporate, I would say the lack of downtime has paid for the second firewall.

3.) If you purchased two for failover capability, are you using them active active, or active passive?
- Active/Passive, as mentioned in a previous post, we too are concerned with the potential issues that may arise from A/A.

4.) If you advertise or use full BGP tables (routes), and Palo Alto doesn't support this, how did you solve this if you have multiple Service Providers?
- Nope. No BGP on the PANs. We have a pair of routers at the edge.

5.) Did you look at any other vendors and why did you pick Palo Alto?
- Yes, we compared a demo unit from PAN with demo units from Barracuda and Sonicwall (Dell) and our existing Cisco ASAs. PAN was the first choice, hands down.

Got a Phish (email)? Forward it to abuse () nsu edu!

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of T. Shayne Ghere
Sent: Monday, March 17, 2014 8:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto Firewalls

Hello,

I'm just putting this out there as a question for those that use the Palo Alto PA-5050 (or 5020) firewall appliance.

We have been a complete Cisco shop since before I started 16 years ago, but times are changing and other solutions are being looked at. Right now we have two Cisco Firewall Service Modules (FWSM's) that are nearing end of life/service. We have two for failover capability and it's worked great for us since they have been in production.

We have been given a PA-5050 to demo, and we're finding quite a few features that we like, however our only fear is that purchasing two for failover capability isn't cost effective at this time, but if you've moved from Cisco to Palo Alto, I'd really like to hear what your experience has been and any problems/limitations you've run into and if you ended up purchasing a secondary for failover reasons.

We need a 99.999% uptime, so if the Palo Alto solution goes down, does it fail open or closed? We have yet to get an answer from them as of yet, and having a conference call with them about some of these questions.

We have a Class B (/16) so 99% of all our IP addresses we don't nat. With that in mind, we advertise certain portions of our network segment(s) to certain Service Providers using BGP. We found that the Palo Alto doesn't support full BGP tables which was a shock to us because we've been doing this for years. But we can work around that.

If you fall into this group of moving from the Cisco to Palo Alto, would you mind taking 5 minutes to answer the following questions? You can e-mail me directly if you prefer so this doesn't flood the listserv.

1.) How many Palo Alto Firewalls did you purchase?
2.) If you purchased just one, what do you have in place in case of a failure?
3.) If you purchased two for failover capability, are you using them active active, or active passive?
4.) If you advertise or use full BGP tables (routes), and Palo Alto doesn't support this, how did you solve this if you have multiple Service Providers?
5.) Did you look at any other vendors and why did you pick Palo Alto?

I really appreciate any feedback that I receive. Like I said, you can e-mail me directly or post in the group if you wish.

Thank you again

Shayne

-----------------------------
Bradley University
T. Shayne Ghere, CCNA
Network Engineer
1501 W. Bradley Ave.
Morgan Hall, Suite 205
Peoria, IL 61625
sghere () bradley edu
(309) 677-3094 ofc.
(309) 677-3460 fax
Class 2011 FBI CA Graduate