Palo Alto Threat Detection review from the trenches

So I have a friend of mine, XXX, who has been through several iterations/implementations of IPS, DLP, firewalls, and threat detection because someone drank Vendor YYYY kool-aid. XXX is much like me — dealing with CheckPoint can sometimes be a pain and it's getting real old, but CP management and logging (SmartLog) keeps us with the home team.

XXX’s mgt drank the Palo Alto kool-aid so XXX brought me up to date on the good/bad/ugly of PA’s threat detection environment.

So here it is in my words with XXX’s review:


  • Scoping for objects/rules is great: firewall, zone, global. Wish CheckPoint had this
  • Licensing is easier
  • Solid as a rock, good quality
  • IPS between Palo and CheckPoint is about the same


  • Logging cannot compare to SmartLog. Some cryptic form of regex
  • Trying to correlate logs in centralized logging is very difficult – each log type (Firewall, URL, Threat, etc.) has its own log item, and the only way to tie them together is the session ID, which is reused about every 2 weeks. Very difficult when there are multiple firewalls that use the same session ID.
  • They don’t even have a true DLP; it is called Data Filtering. It will not take full regex entries, therefore the false positive rate is very high for SSN and CC
  • WildFire only scans specific file types, far fewer than FireEye. It also will only scan a file that is 10 MB or lower, so some files can get through. [Getting exact numbers from FireEye.]
  • Rules are easy to enter; where it becomes difficult is if you want to split responsibilities between network and security. In order to enable URL filtering, IPS, and data filtering, they need to be added to a rule.
  • No “Where Used” function until last release
  • Expensive!
  • CheckPoint has more of a true DLP, Palo has data filtering
  • Support has been poor
  • FYI: XXX LOVES!!! FireEye. Every firm I’ve worked with has said the same. What SmartLog is to me, FireEye is to them

Summary: Detection systems are weak and forensics capabilities (log searches/correlation) are even weaker.
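
An added example (not from XXX's review or from any vendor tooling): one way to deal with the session-ID reuse described above when correlating in a central log store is to key on firewall plus session ID and start a new session whenever the time gap is too large. The field names, the sample records and the one-hour gap are assumptions made up for this example, not Palo Alto's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names (device, session_id, log_type, ts)
# are assumptions for this example, not a vendor log schema.
SAMPLE = [
    {"device": "fw-a", "session_id": 1001, "log_type": "firewall", "ts": "2016-02-01T10:00:00"},
    {"device": "fw-a", "session_id": 1001, "log_type": "url", "ts": "2016-02-01T10:00:02"},
    {"device": "fw-a", "session_id": 1001, "log_type": "threat", "ts": "2016-02-01T10:00:05"},
    # Same session ID on a different firewall: unrelated traffic.
    {"device": "fw-b", "session_id": 1001, "log_type": "firewall", "ts": "2016-02-01T10:00:03"},
    # Same firewall and ID two weeks later: the ID has been reused.
    {"device": "fw-a", "session_id": 1001, "log_type": "firewall", "ts": "2016-02-15T09:30:00"},
    {"device": "fw-a", "session_id": 1001, "log_type": "url", "ts": "2016-02-15T09:30:01"},
]

def naive_correlate(records):
    """Join on session_id alone; this merges unrelated sessions."""
    merged = defaultdict(list)
    for rec in records:
        merged[rec["session_id"]].append(rec["log_type"])
    return dict(merged)

def correlate(records, max_gap=timedelta(hours=1)):
    """Group by (device, session_id) and open a new session whenever two
    consecutive records for that key are more than max_gap apart."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["device"], rec["session_id"])].append(
            (datetime.fromisoformat(rec["ts"]), rec["log_type"]))
    sessions = []
    for key, items in by_key.items():
        items.sort()  # chronological order within one firewall/ID pair
        last_ts = None
        for ts, log_type in items:
            if last_ts is None or ts - last_ts > max_gap:
                sessions.append({"key": key, "start": ts, "types": []})
            sessions[-1]["types"].append(log_type)
            last_ts = ts
    return sorted(sessions, key=lambda s: s["start"])

if __name__ == "__main__":
    print("naive:", naive_correlate(SAMPLE))
    for s in correlate(SAMPLE):
        print(s["key"], s["start"].isoformat(), s["types"])
```

The gap has to be tuned to the environment: too short and a long-lived, quiet session is split in two, too long and a reused ID gets merged again.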



  • Heather Lewis  On February 19, 2016 at 9:58 am

    Hi Michael,

    How do we obtain the password?




  • Rick Weaver  On February 19, 2016 at 10:37 am


    What’s the process to reset our password?

    Thx for the great content.


    From the iPhone


  • Martin  On March 9, 2016 at 9:03 am

    Hi Dreez,

    Been following your blog for years and happy to see you blogging again.
    Excellent stuff! My compliments!
    I would love to read the password protected stuff about NSX Firewalling as I am looking into choosing an SDN platform at the moment.

    How do I apply?


    • Dreezman  On March 9, 2016 at 9:43 am

      It's not ready yet, I’m just keeping notes. I have to verify if it's true or not.

      But NSX DFW is not ready for enterprise use.
