Educause Security Discussion mailing list archives
Re: Palo Alto.
From: Will Froning <will.froning () GMAIL COM>
Date: Wed, 21 Apr 2010 11:46:31 +0400
Hello Matt,

We have been on it since June 09, PA-4050 cluster. I'll start off with the bad.

* Can be really hard for old school FW admins to change their mindset to application-based instead of port-based ACLs.
* The PAN permits some amount of traffic into itself in order to identify the application (gotta get up the ladder to L7 to figure it out).
* No OSX SSL VPN client (is targeted for this year supposedly).
* Is much more complicated to troubleshoot network oddities (tcpdumps directly off the PAN sometimes don't contain all the packets because of the path packets take internally).
* 3.0.x has Malware/AV, Threat DB and AppDB all rolled into one download. So if you don't like the behavior of the new http decoder, but you need the new AV release, you gotta upgrade to 3.1.
* Sophos Enterprise AV messes with the PAN agent since it shows up so often in the AD auth logs.

Now the good parts.

* Reporting tools rock. I have a school-based daily report sent to IT on application usage.
* We use URL filtering and it is much quicker than using UAE's proxy filter for content.
* No per-user license for anything (SSL VPN, URL filtering, ...).
* If you use fiber connections the failover time is very fast.
* AppID!
* 3.1 has policy-based forwarding which we are considering for a secondary cheaper link to send out unwanted apps (bittorrent).
* QoS looks nice, but we are still using a separate packet prioritization product (Exinda). This summer I will investigate the possibility of using just the PAN.
* Is great for controlling guest wireless access. We prevent nearly everything from our guest wireless to push students onto the more open access, but authenticated, SSID.
* Support is very good.

There are plenty of other great things, but those are the ones that come to mind. If there's anything else you want to know about, just ask.

Thanks,
Will

On Tue, Apr 20, 2010 at 7:56 PM, O'Callaghan, Daniel <Daniel.OCallaghan () sinclair edu> wrote:
We have been using the Palo Alto firewalls for a couple of years and really like them. We initially piloted in 'tap only' mode in conjunction with our primary CheckPoint FWs, and gradually turned on blocking rules and controls of the PA as threats were identified. We recently migrated to using the PA as primary.

They provide excellent visibility into Internet/network traffic and permit really granular control over applications and protocols, and they still support 'traditional' FW rules. The A-V/Malware blocking has significantly helped to reduce compromised machines. We have had a couple of false positive threats detected, but PA support has been easy to work with and very responsive.

The one area we would like PA to improve is in offering education/training. The 'next generation' technology offers a lot of potential (DLP, secure social networking, PCI security zones, WAF, UTM), but there is little 'how to' documentation and training sessions have been mostly limited to their Sunnyvale, CA location. It does appear that PA's training offerings at other locations are beginning to increase.

___________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP, GCFA
Chief Information Security Officer
Sinclair Community College
444 W Third St, 13-000F
Dayton, OH 45402
937-372-3005

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Tuesday, April 20, 2010 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto.

We're looking at adding a Palo Alto firewall to our network in the near future - if anyone has experiences, good or bad, that they'd be willing to share I would appreciate it.

--
Matt Gracie (716) 888-8378
Information Security Administrator graciem () canisius edu
Canisius College ITS Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
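To make the "port-based versus application-based" mindset change from Will's first bullet concrete, here is an added example of what the two rule styles look like in the PAN-OS configuration-mode CLI. It is not taken from the original posts and is not Will's or Daniel's configuration; the zone names (trust, untrust, guest), the rule and service object names, and the choice of applications are assumptions made for illustration, the `#` lines are explanatory annotations rather than CLI input, and the exact syntax should be checked against the PAN-OS release in use (these posts refer to 3.0/3.1).

```panos
# Rules are evaluated top-down and "set" appends to the end of the rulebase,
# so the deny rule is entered first.

# Explicit deny for an unwanted application, regardless of which port it uses.
set rulebase security rules block-p2p from trust to untrust source any destination any
set rulebase security rules block-p2p application [ bittorrent ] service any action deny
set rulebase security rules block-p2p log-end yes

# Port-based rule, the "old school" ACL mindset: anything on TCP/80 and TCP/443 is
# allowed, regardless of what is actually carried inside the session.
# (service object name "tcp-web" is an assumption)
set service tcp-web protocol tcp port 80,443
set rulebase security rules allow-port-80-443 from trust to untrust source any destination any
set rulebase security rules allow-port-80-443 application any service tcp-web action allow
set rulebase security rules allow-port-80-443 log-end yes

# Application-based equivalent: allow only the identified web applications, and with
# "application-default" pin each application to its standard ports, so a session that
# borrows port 443 but is identified as something other than ssl does not match here.
set rulebase security rules allow-web from trust to untrust source any destination any
set rulebase security rules allow-web application [ web-browsing ssl ] service application-default action allow
set rulebase security rules allow-web log-end yes

# Guest wireless, restricted to name resolution and web browsing out (zone "guest" is assumed).
set rulebase security rules guest-web-only from guest to untrust source any destination any
set rulebase security rules guest-web-only application [ dns web-browsing ssl ] service application-default action allow
set rulebase security rules guest-web-only log-end yes
```

Two practical notes. First, the rule named allow-port-80-443 and the rule named allow-web would not normally both be present; they are shown side by side only to contrast the two styles, and in a real rulebase you would keep one or the other. Second, Will's caveat about the PAN "permitting some amount of traffic into itself" applies to the application-based rules here: the firewall has to see the first few packets of a session before App-ID can settle on an application, so an application-based rule is matched (and re-matched) as identification progresses rather than on the SYN alone, which is also why `service application-default` is worth using instead of `service any` to keep the port range as narrow as possible while that happens.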
Current thread:
- Palo Alto. Matthew Gracie (Apr 20)
- <Possible follow-ups>
- Re: Palo Alto. O'Callaghan, Daniel (Apr 20)
- Re: Palo Alto. Will Froning (Apr 21)
- Re: Palo Alto. Matthew Giannetto (Apr 21)