Educause Security Discussion mailing list archives

Palo Alto Firewalls


From: "T. Shayne Ghere" <sghere () FSMAIL BRADLEY EDU>
Date: Mon, 17 Mar 2014 19:30:29 -0500

Hello,

I'm just putting this out there as a question for those that use the Palo Alto PA-5050 (or 5020) firewall appliance. We have been a complete Cisco shop since before I started 16 years ago, but times are changing and other solutions are being looked at. Right now we have two Cisco Firewall Service Modules (FWSMs) that are nearing end of life/service. We have two for failover capability, and it's worked great for us since they have been in production.

We have been given a PA-5050 to demo, and we're finding quite a few features that we like; however, our only fear is that purchasing two for failover capability isn't cost effective at this time. If you've moved from Cisco to Palo Alto, I'd really like to hear what your experience has been, any problems/limitations you've run into, and whether you ended up purchasing a secondary for failover reasons. We need 99.999% uptime, so if the Palo Alto solution goes down, does it fail open or closed? We have yet to get an answer from them, and we are having a conference call with them about some of these questions.

We have a Class B (/16), so 99% of all our IP addresses we don't NAT. With that in mind, we advertise certain portions of our network segment(s) to certain Service Providers using BGP. We found that the Palo Alto doesn't support full BGP tables, which was a shock to us because we've been doing this for years. But we can work around that.

If you fall into this group of moving from Cisco to Palo Alto, would you mind taking 5 minutes to answer the following questions? You can e-mail me directly if you prefer, so this doesn't flood the listserv.

1.) How many Palo Alto Firewalls did you purchase?

2.) If you purchased just one, what do you have in place in case of a failure?

3.) If you purchased two for failover capability, are you using them active/active or active/passive?

4.) If you advertise or use full BGP tables (routes), and Palo Alto doesn't support this, how did you solve this if you have multiple Service Providers?

5.) Did you look at any other vendors, and why did you pick Palo Alto?

I really appreciate any feedback that I receive. Like I said, you can e-mail me directly or post in the group if you wish.

Thank you again,

Shayne

-----------------------------
*Bradley University*
T. Shayne Ghere, CCNA
Network Engineer
1501 W. Bradley Ave.
Morgan Hall, Suite 205
Peoria, IL 61625
sghere () bradley edu
(309) 677-3094 ofc.
(309) 677-3460 fax
*Class 2011 FBI CA Graduate*