Educause Security Discussion mailing list archives

Re: Palo Alto Firewalls


From: Aaron Smith <csmith6 () SWARTHMORE EDU>
Date: Tue, 18 Mar 2014 08:53:28 -0400

A very timely question.  We just last week went live on a pair of 5020's.

1.)     How many Palo Alto Firewalls did you purchase?

Two Palo Alto 5020's replacing an aging pair of Cisco ASA 5550's.

2.)    If you purchased just one, what do you have in place in case of a failure?
3.)    If you purchased two for failover capability, are you using them active active, or active passive?

Active/passive.

4.)    If you advertise or use full BGP tables (routes), and Palo Alto doesn’t support this, how did you solve this if 
you have multiple Service Providers?

Edge routers (Juniper MX40's) are used instead of the Palo Altos for BGP to our pair of ISPs.

5.)    Did you look at any other vendors and why did you pick Palo Alto?

More than I care to think about.  Last Spring was very busy but we only brought two in for extended demos, Palo Alto 
and Fortinet.  The PA was a better fit for the rest of the security infrastructure/tools.  The Fortinet also had some 
BGP problems, which led us to separate out the router and firewall functions.  We never tried setting up BGP on the 
Palo Alto.
 
Good luck!

Aaron Smith
Network Engineer
ITS
Swarthmore College

