Re: [fw-wiz] Palo Alto Networks



Thanks all.

Frank, we would only be looking at one unit so management shouldn't be an issue. You mentioned "home grown apps" and giving them a definition; this will hopefully all be clear once I have a unit's GUI in front of me, but presumably, if you need/want it to, the PA boxes can also act as dumb stateful firewalls, i.e. "Simply allow port XYZ from X to Y"?

Arkanoid, I've learned not to trust the marketing, hence lurking on technical forums and lists like this. Also (again, may become clear when in front of one), how does the SSL inspection/MITM actually work, i.e. what would I need to change on my clients, and could it also be used to apply inspection to inbound SSL traffic to look for nasties, i.e. Outlook Web Access?

As a general question, what strategies are people taking these days regards "layering" firewalls? We currently use a back to back approach with a dumb stateful firewall at our perimeter almost as a "doorman" so that only the ports we need to allow in get in, and then we get a little smarter i.e. does it conform to RFCs etc. at the LAN edge firewall. I'm wondering if the general consensus is that this is still a sensible idea?

Paul

On 8 Oct 2009, at 20:47, Francois Yang wrote:

I've worked with them before and they're pretty good.
Easy setup and maintenance, good integration with Active Directory,
good application detection engine.
Overall it's a good product, but you have to test it in your own
environment to see if it fits.
Here are the drawbacks that I can remember. All firewalls have some
kind of issues.
Here are the issues I see, and maybe they have been fixed by now. I
don't know, it's been a while.
I remember it didn't have a central management, so having a few of
those boxes may be ok, but when you're looking at 20+ clusters, it
becomes time consuming to manage.
Application detection engine would automatically drop the traffic of
unknown apps into a low priority pool. So if you have home grown apps
which require a lot of bandwidth, you need to make sure you find them
and give them a definition or work with their team to create a custom rule,
otherwise it will crawl.
I'm sure there's more pros and cons, but that's all I can think of.
Let me know if you have more questions.

Frank



On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul@xxxxxxxxxxx> wrote:
Getting one of their boxes on eval for a couple of weeks. Quite a broad and
generic question I know, but does anyone have any experience(s) they wish to
share?

Cheers,
Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. — White House Cybersecurity
Advisor, Richard Clarke


