Re: Palo Alto Networks

[Paul Hutchings <paul () spamcop net>]

Thanks all.

Frank, We would only be looking at one unit so management shouldn't  
be an issue.  You mentioned "home grown apps" and giving them a  
definition, this will hopefully all be clear once I have a units GUI  
in front of me, but presumably if you need/want it to the PA boxes  
can also act as dumb stateful firewalls i.e. "Simply allow port XYZ  
from X to Y"?

Arkanoid, I've learned not to trust the marketing hence lurking on  
technical forums and lists like this.  Also (again may become clear  
when in front of one) but how does the SSL inspection/MITM actually  
work i.e. what would I need to change on my clients and could it also  
be used to apply inspection to inbound SSL traffic to look for  
nasties i.e. Outlook Web Access?

As a general question, what strategies are people taking these days  
regards "layering" firewalls?  We currently use a back to back  
approach with a dumb stateful firewall at our perimeter almost as a  
"doorman" so that only the ports we need to allow in get in, and then  
we get a little smarter i.e. does it conform to RFCs etc. at the LAN  
edge firewall.  I'm wondering if the general consensus is that this  
is still a sensible idea?

Paul

On 8 Oct 2009, at 20:47, Francois Yang wrote:

> I've worked with them before and they're pretty good.
> easy setup and maintenance, good integration with Active Directory,
> good application detection engine.
> Over all it's a good product, but you have to test it in your own
> environment to see if it fits.
> here are the draw backs that I can remember. all firewalls have some
> kind of issues.
> here are the issues I see and maybe they have been fixed by now. I
> don't know it's been a while.
> I remember it didn't have a central management, so having a few of
> those boxes may be ok, but when you're looking at 20+ clusters, it
> becomes time consuming to manage.
> Application detection engine would automatically drop the traffic of
> unknown apps into a low priority pool. So if you have home grown apps
> which requires alot of bandwidth, you need to make sure you find it
> and give it a definition or work with their team to create custom rule
> otherwise it will crawl.
> I'm sure there's more pros and cons, but that's all I can think of.
> Let me know if you have more questions.
>
> Frank
>
>
>
> On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul () spamcop net>  
> wrote:
> > Getting one of their boxes on eval for a couple of weeks.  Quite a  
> > broad and
> > generic question I know, but does anyone have any experience(s)  
> > they wish to
> > share?
> >
> > Cheers,
> > Paul
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
> --
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked. — White House Cybersecurity
> Advisor, Richard Clarke
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards