Re: Palo Alto Firewalls

["King, Ronald A." <raking () NSU EDU>]

1.)     How many Palo Alto Firewalls did you purchase? - We purchased 2
5060s last quarter of 2012.

2.)    If you purchased just one, what do you have in place in case of a
failure? - I don't know if we ever considered just one.  We had a pair of
Cisco ASAs, so, a pair was considered from the start.  I will say that a
pair has been quite a benefit when other gear fails and/or for PANOS
upgrades.  If you need the nines, a pair is a must.  If we were corporate, I
would say the lack of downtime has paid for the second firewall.

3.)    If you purchased two for failover capability, are you using them
active active, or active passive? - Active/Passive, as mentioned in a
previous post, we too are concerned with the potential issues that may arise
from A/A. 

4.)    If you advertise or use full BGP tables (routes), and Palo Alto
doesn't support this, how did you solve this if you have multiple Service
Providers? - Nope.  No BGP on the PANs.  We have a pair of routers at the
edge.

5.)    Did you look at any other vendors and why did you pick Palo Alto? -
Yes, we compared a demo unit from PAN with demo units from Barracuda and
Sonicwall (Dell) and our existing Cisco ASAs.  PAN was the first choice,
hands down.

 

 

Got a Phish (email)? Forward it to abuse () nsu edu <mailto:abuse () nsu edu> !

 

Ronald King

Security Engineer

Norfolk State University

http://security.nsu.edu <http://security.nsu.edu/> 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of T. Shayne Ghere
Sent: Monday, March 17, 2014 8:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto Firewalls

 

Hello,

 

I'm just putting this out there as a question for those that use the Palo
Alto PA-5050 (or 5020) firewall appliance.  We have been a complete Cisco
shop since before I started 16 years ago, but times are changing and other
solutions are being looked at.  Right now we have two Cisco Firewall Service
Modules (FWSM's) that are nearing end of life/service.  We have two for
failover capability and it's worked great for us since they have been in
production.

 

We have been given a PA-5050 to demo, and we're finding quite a few features
that we like, however our only fear is that purchasing two for failover
capability isn't cost effective at this time, but if you've moved from Cisco
to Palo Alto, I'd really like to hear what your experience has been and any
problems/limitations you've run into and if you ended up purchasing a
secondary for failover reasons.  We need a 99.999% uptime, so if the Palo
Alto solution goes down, does it fail open or closed?  We have yet to get an
answer from them as of yet, and having a conference call with them about
some of these questions.

 

We have a Class B (/16) so 99% of all our IP addresses we don't nat.  With
that in mind, we advertise certain portions of our network segment(s) to
certain Service Providers using BGP.  We found that the Palo Alto doesn't
support full BGP tables which was a shock to us because we've been doing
this for years.  But we can work around that.

 

If you fall into this group of moving from the Cisco to Palo Alto, would you
mind taking 5 minutes to answer the following questions?  You can e-mail me
directly if you prefer so this doesn't flood the listserv.

 

1.)     How many Palo Alto Firewalls did you purchase?

2.)    If you purchased just one, what do you have in place in case of a
failure?

3.)    If you purchased two for failover capability, are you using them
active active, or active passive?

4.)    If you advertise or use full BGP tables (routes), and Palo Alto
doesn't support this, how did you solve this if you have multiple Service
Providers?

5.)    Did you look at any other vendors and why did you pick Palo Alto?

 

I really appreciate any feedback that I receive.  Like I said, you can
e-mail me directly or post in the group if you wish.  

 

Thank you again

Shayne

 

-----------------------------

Bradley University

T. Shayne Ghere, CCNA

Network Engineer

1501 W. Bradley Ave.

Morgan Hall, Suite 205

Peoria, IL  61625

sghere () bradley edu <mailto:sghere () bradley edu> 

(309) 677-3094  ofc.

(309) 677-3460 fax

Class 2011 FBI CA Graduate

Attachment: smime.p7s
Description: