Educause Security Discussion mailing list archives
Re: Palo Alto Firewalls
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Mon, 17 Mar 2014 20:19:40 -0500
Shayne,

I previously worked as a consultant for a Palo Alto vendor and in education, so I understand your battle between money and redundancy. That said, I have a few comments.

If you need 99.999% uptime, I would not recommend *any* solution without a failover device. Sometimes you have to reboot a device. If you need to perform a device upgrade, your 99.999% uptime is shot because it takes longer than 5 minutes to boot. Get the failover device.

I personally don't know of any firewall that fails closed, but I guess there might be some. If you are using a firewall then I am assuming you are trying to protect something. If the firewall is your protection from the Internet, do you really want it to fail closed with 0 protection or would you rather it fail open and despite not passing any traffic it is still providing protection?

I've worked with quite a few companies over the last couple of years and from their experience, my experience, and the experience of my former coworkers, don't run firewalls in active/active mode. You'll run into a lot of trouble if you do.

I am currently working with a company that uses BGP religiously throughout their network and have multiple providers. I'm not aware of them having any issues with it.

--
Nathaniel Hall, GSEC GPPA GCIA GCIH GCFA CNSE

On 3/17/2014 7:30 PM, T. Shayne Ghere wrote:
We have been given a PA-5050 to demo, and we're finding quite a few features that we like; however, our only fear is that purchasing two for failover capability isn't cost effective at this time. If you've moved from Cisco to Palo Alto, I'd really like to hear what your experience has been, any problems/limitations you've run into, and whether you ended up purchasing a secondary for failover reasons. We need 99.999% uptime, so if the Palo Alto solution goes down, does it fail open or closed? We have yet to get an answer from them, and we are having a conference call with them about some of these questions.

If you fall into this group of moving from Cisco to Palo Alto, would you mind taking 5 minutes to answer the following questions? You can e-mail me directly if you prefer so this doesn't flood the listserv.

1.) How many Palo Alto Firewalls did you purchase?
2.) If you purchased just one, what do you have in place in case of a failure?
3.) If you purchased two for failover capability, are you using them active/active or active/passive?
4.) If you advertise or use full BGP tables (routes), and Palo Alto doesn't support this, how did you solve this if you have multiple Service Providers?
5.) Did you look at any other vendors, and why did you pick Palo Alto?
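The arithmetic behind Nathaniel's "get the failover device" point, as an added example that is not part of the thread: a five-nines target leaves only about 5.26 minutes of downtime per year, so a single upgrade reboot on a lone firewall consumes the whole budget, while a pair that is upgraded one unit at a time does not. The year length, the per-device availability figure and the upgrade duration are constructed assumptions, not Palo Alto or Cisco numbers; the pair model assumes independent failures and hitless failover, which real HA pairs only approximate.

```python
# Added example (not from the thread): availability budget arithmetic behind
# the "get the failover device" advice. Year length, device availability and
# upgrade numbers below are constructed assumptions, not vendor figures.

MINUTES_PER_YEAR = 365.25 * 24 * 60  # assumption: average Gregorian year


def downtime_budget_minutes(target_availability: float) -> float:
    """Minutes per year that a target like 0.99999 (five nines) allows to be down."""
    return (1.0 - target_availability) * MINUTES_PER_YEAR


def parallel_availability(device_availability: float, copies: int) -> float:
    """Availability of `copies` devices where service survives while any one is up.

    Assumes independent failures and instant, hitless failover (an idealisation;
    a real HA pair has some switchover time and shared failure modes).
    """
    return 1.0 - (1.0 - device_availability) ** copies


def assess_plan(target_availability: float, device_availability: float,
                upgrade_minutes: float, upgrades_per_year: int, copies: int) -> dict:
    """Compare a single firewall against an HA pair for one year of operation.

    Planned work (upgrade reboots) only causes downtime with a single device;
    with a pair it is done one unit at a time behind the failover partner.
    Unplanned downtime comes from the availability model above.
    """
    budget = downtime_budget_minutes(target_availability)
    planned = upgrade_minutes * upgrades_per_year if copies == 1 else 0.0
    unplanned = (1.0 - parallel_availability(device_availability, copies)) * MINUTES_PER_YEAR
    total = planned + unplanned
    return {
        "budget_minutes": budget,
        "planned_minutes": planned,
        "unplanned_minutes": unplanned,
        "total_minutes": total,
        "meets_target": total <= budget,
    }


if __name__ == "__main__":
    # Constructed scenario: five-nines target, a device that is 99.99% available
    # on its own, and one 10-minute upgrade reboot per year.
    for copies in (1, 2):
        r = assess_plan(0.99999, 0.9999, upgrade_minutes=10, upgrades_per_year=1, copies=copies)
        print(f"{copies} device(s): budget {r['budget_minutes']:.2f} min, "
              f"planned {r['planned_minutes']:.2f} min, "
              f"unplanned {r['unplanned_minutes']:.4f} min, "
              f"meets target: {r['meets_target']}")
```

With these inputs the single device fails the target on planned work alone (10 minutes against a 5.26-minute budget) before any unplanned outage is counted, and the pair passes with large margin. Swap in your own measured reboot time and vendor availability figures; the structure of the comparison does not change.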