PA=SmartDashboard+MDM

So, had a peek at Palo Alto today. I would say very very nice. PA = SmartDashboard + MDM: that’s what PA is. It has all the features of SmartDashboard and P1 put together in 1 GUI. What I like about it is that conceptually they have the concepts of centralized enterprise management designed correctly from the top down. All the other firewalls on the market never got this right. They would design firewalls from the hardware up and then try and throw a centralized manager on top of the mess as a last thought (Cisco, Juniper, Sonicwall, Sidewinder). I should know, this is what I did at Secure Computing working on the Sidewinder.

Here are some of the other features I noted that support centralized management:

They have 3 levels of policies and objects that make it great to manage:

  1. Global – Like MDM
  2. Device Group – Group several firewalls into one group. Somewhat like a Domain/CMA
  3. Local – Local to device. Like a standalone Domain/CMA

These 3 levels of scoping apply to both objects and policies. The GUI does a great job of highlighting the different scopes in different colors so it’s easy to mix and match. This flexibility allows one to build both enterprise and local objects and rules and manage them effectively.

Another feature which is nice is that instead of SmartDashboard tabs of functions like IPS, AV across the top, they have one rulebase, and on each rule you can specify if you want AV, IPS, MALWARE, etc. on it. There are icons on the right and you drag them onto the rules that you wish to apply IPS on.

The SE stated that it has a cool feature to detect dial-back control connections from internal zombies. He said it impresses clients during demos when they identify these connections in real time. Probably similar to anti-malware bot from CP.

They have a global monitoring environment somewhat like Indeni. You can see all the logs, SNMP, etc all in one panel or individually. You can build filters to determine what you see. Very nice. I have been begging CP to include this feature for years.

The SE claimed they have a global provisioning environment that works. I did not see it so can’t comment much. But you can set passwords and dates, etc. across the whole environment. Somewhat like SmartProvisioning but on a global environment.

No SmartLog capability that I saw, but you can view all firewalls in one log and build filters. Not sure how fast it is compared to SmartLog.

Everything is GUI based which is OK, not sure how it works on HUGE rulesets.

At the local level the hardware is custom??? chips that map to their policy enforcement? Didn’t get this part. FYI, you do enforce policy on a per-interface basis like Juniper and Cisco. Not sure I like that but OK.

It is an application-based ruleset but can also do port numbers, but you lead with applications and users’ access to applications. I hope their IA works better than CP’s IA – I’ve experienced flaky IA behavior.

The CLI is all from the management station with a GAIA like interface. You can’t get to Unix which I absolutely don’t like. I guess you can’t log onto the firewalls themselves?

The SE stated something about several ways to do port mirroring?? I didn’t get all of that.

Summary:

  1. Is PA a better centralized management product: Definitely yes
  2. Is it more secure: Basically the same as CP
  3. Is it easier to manage: From the little I saw yes. One GUI, one ruleset, one global monitoring and logging and provisioning
  4. Is the management scalable: From the little I saw conceptually yes but I haven’t seen it in huge environments
  5. Is it worth converting to a new firewall: This is the crux question. The product is sexy, but in the end what do you get? What is the delta? Is the delta big enough? The answer is linear. If you have a small environment possibly yes. If you have a large environment... I think the cost/benefit is not there at this point. The conversion and training and support costs are so huge and the delta is so small.

CONS:

  1. Will the GUI support huge environments? This has always been the breaking point for similar products.
  2. Performance in real environments? Unknown
  3. Application control and Identity Awareness issues? New concepts always have new bugs especially when they scale
  4. Not software based so very difficult to build labs to do testing in VMware. Huge for me personally.
  5. Can’t log into the CLI with Unix. Huge for me personally for debugging. I hate going through 10 layers of software to debug, you never know where the real problem lies.
  6. Is the delta worth it when you consider the conversion costs, etc? No for huge shops.
  7. What is their support like? Unknown

I would say PA is the best thing that ever happened to CP. CP has been sitting on its laurels for far too long and now the pressure of a true competitor exists to update MDM into a true single centralized management platform. I’m hearing rumors that CP has a new MDM in the making. Hopefully it can rise to the challenge.

Still an MDM nut,

dreez


Comments

  • Arjun Kanuri  On May 3, 2013 at 8:02 am

    I’m not sure exactly why but this weblog is loading extremely slow for me. Is anyone else having this issue or is it a problem on my end? I’ll check back later and see if the problem still exists.

  • Jason  On April 18, 2014 at 3:16 am

    I know this is old Dreez, but we had a meeting with a CP engineer a couple of months ago, and one of the things they introduced us to was R80. They described it much in the same way you describe the PA product and especially the concept of policy layers. I am pretty sure we have the opportunity to check it out before release, I’ll try to pass along some details if you don’t have any already.

    • Dreezman  On April 20, 2014 at 6:07 pm

      Oh yeah baby! Either post here or update me by private PM. Thanks!!!

      Will you be at CPX, we should get together.

      dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
