Educause Security Discussion mailing list archives

Re: Palo Alto.

From: Will Froning <will.froning () GMAIL COM>
Date: Wed, 21 Apr 2010 11:46:31 +0400

Hello Matt,

We have been on it since June 09, PA-4050 cluster.  I'll start off with the bad.

   * Can be really hard for old school FW admins to change their
mindset to application-based instead of port-based ACLs.
   * The PAN permits some amount of traffic into itself in order to
identify the application (gotta get up the ladder to L7 to figure it
out).
   * No OSX SSL VPN client (is targeted for this year supposedly).
   * Is much more complicated to troubleshoot network oddities
(tcpdumps directly off the PAN sometimes don't contain all the packets
because of the path packets take internally).
   * 3.0.x has Malware/AV, Threat DB and AppDB all rolled into one
download.  So if you don't like the behavior of the new http decoder,
but you need the new AV release you gotta upgrade to 3.1.
   * Sophos Enterprise AV messes with the PAN agent since it shows up
so often in the AD auth logs.

Now the good parts.

   * Reporting tools rock.  I have a school-based daily report sent to
IT on application usage.
   * We use URL filtering and it is much quicker than using UAE's
proxy filter for content.
   * No per-user license for anything (SSL VPN, URL filtering, ...).
   * If you use fiber connections the failover time is very fast.
   * AppID!
   * 3.1 has policy-based forwarding which we are considering for a
secondary cheaper link to send out unwanted apps (bittorrent).
   * QOS looks nice, but we are still using a separate packet
prioritization product (Exinda).  This summer I will investigate the
possibility of using just the PAN.
   * Is great for controlling guest wireless access.  We prevent
nearly everything from our guest wireless to push students onto the
more open access, but authenticated SID.
   * Support is very good.

There are plenty of other great things, but those are the ones that
come to mind.  If there's anything else you want to know about just
ask.

Thanks,
Will


On Tue, Apr 20, 2010 at 7:56 PM, O'Callaghan, Daniel
<Daniel.OCallaghan () sinclair edu> wrote:
We have been using the Palo Alto firewalls for a couple of years and
really like them. We initially piloted in 'tap only' mode in conjunction
with our primary CheckPoint FWs, and gradually turned on blocking rules
and controls of the PA as threats were identified.  We recently migrated
to using the PA as primary. They provide excellent visibility into
Internet/network traffic and permit really granular control over
applications and protocols, and they still support 'traditional' FW
rules.
The A-V/Malware blocking has significantly helped to reduce compromised
machines. We have had a couple of false positive threats detected, but
PA support has been easy to work with and very responsive.

The one area we would like PA to improve is in offering
education/training. The 'next generation' technology offers a lot of
potential (DLP, secure social networking, PCI security zones, WAF, UTM),
but there is little 'how to' documentation and training sessions have
been mostly limited to their Sunnyvale, CA location. It does appear that
PA's training offerings at other locations are beginning to increase.

___________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP, GCFA
Chief Information Security Officer
Sinclair Community College
444 W Third St, 13-000F
Dayton, OH 45402
937-372-3005

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Tuesday, April 20, 2010 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Palo Alto.

We're looking at adding a Palo Alto firewall to our network in the near
future - if anyone has experiences, good or bad, that they'd be willing
to share I would appreciate it.

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

-- 
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning