Palo Alto Threat Detection review from the trenches

So I have a friend, XXX, who has been through several iterations/implementations of IPS, DLP, firewalls and threat detection because someone drank Vendor YYYY Kool-Aid. XXX is much like me: dealing with Check Point can sometimes be a pain and it's getting really old, but CP management and logging (SmartLog) keep us with the home team.

XXX's management drank the Palo Alto Kool-Aid, so XXX brought me up to date on the good/bad/ugly of PA's threat detection environment.

So here it is, in my words, with XXX's review:

PROS:

  • Scoping for objects/rules is great: firewall, zone, global. Wish Check Point had this.
  • Licensing is easier.
  • Solid as a rock, good quality.
  • IPS between Palo and Check Point is about the same.

CONS:

  • Logging cannot compare to SmartLog. Searching is some cryptic form of regex.
  • Trying to correlate logs in centralized logging is very difficult: each log type (Firewall, URL, Threat, etc.) has its own log item, and the only way to tie them together is the session ID, which is reused about every two weeks. Very difficult when there are multiple firewalls that use the same session ID.
  • They don't even have a true DLP; it is called Data Filtering. It will not take full regex entries, therefore the false positive rate is very high for SSN and CC.
  • WildFire only scans specific file types and is far less capable than FireEye. It also will only scan a file that is 10 MB or lower, so some files can get through. [Getting exact numbers from FireEye.]
  • Rules are easy to enter; where it becomes difficult is if you want to split responsibilities between network and security. In order to enable URL filtering, IPS and data filtering, they need to be added to a rule.
  • No "Where Used" function until the last release.
  • Expensive!
  • Check Point has more of a true DLP; Palo has data filtering.
  • Support has been poor.
  • FYI: XXX LOVES!!! FireEye. Every firm I've worked with has said the same. What SmartLog is to me, they feel about FireEye.
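The data-filtering complaint above (no full regex, so SSN and card-number matching false-positives) is easiest to see by running a loose pattern and a strict one over the same text. The block below is an added example written for this page, not code from the post, from XXX, or from any Palo Alto or Check Point product: the sample text is constructed (the card numbers are standard industry test numbers and the SSN values are placeholders), and the "loose" patterns stand in for what you get when a matcher only accepts a bare digit pattern. The strict path uses a full regex with issuer prefixes plus a Luhn check for cards, and the public SSA never-issued ranges for SSNs.

```python
"""Loose digit-pattern matching vs full regex plus validation (added example)."""
import re

# Constructed sample text. Card numbers are standard test numbers; SSNs are placeholders.
SAMPLE_TEXT = """\
Invoice paid with card 4111-1111-1111-1111, thanks.
Tracking number 4111111111111112 shipped today.
Order ref 1234567890123456 confirmed.
Device serial 9999999999999995 registered.
Second card on file: 5555 5555 5555 4444.
Employee SSN 123-45-6789 on file.
Part number 000-12-3456 back-ordered.
Support code 987-65-4320 issued.
"""

# "Loose": any 16 digits with optional separators. This is the kind of pattern a
# matcher without full regex support forces you into, and it fires on tracking
# numbers, order references and serials.
LOOSE_CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# "Strict": Visa (4xxx) or Mastercard (51xx-55xx) issuer prefix, 4x4 grouping.
# Amex and other brands are deliberately left out to keep the example short.
FULL_CARD = re.compile(r"\b(?:4\d{3}|5[1-5]\d{2})(?:[ -]?\d{4}){3}\b")

SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str, strict: bool = True) -> list:
    """Return matched card numbers (separators stripped).

    strict=False: loose pattern only.
    strict=True:  issuer-prefixed regex AND Luhn check.
    """
    pattern = FULL_CARD if strict else LOOSE_CARD
    hits = []
    for m in pattern.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not strict or luhn_ok(digits):
            hits.append(digits)
    return hits


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA has never issued: area 000, 666 and 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str, strict: bool = True) -> list:
    """Return SSN-shaped matches; with strict=True, only plausible ones."""
    return [
        m.group(0)
        for m in SSN.finditer(text)
        if not strict or ssn_plausible(*m.groups())
    ]


if __name__ == "__main__":
    print("loose cards :", find_cards(SAMPLE_TEXT, strict=False))
    print("strict cards:", find_cards(SAMPLE_TEXT))
    print("loose SSNs  :", find_ssns(SAMPLE_TEXT, strict=False))
    print("strict SSNs :", find_ssns(SAMPLE_TEXT))
```

On the constructed text the loose card pattern fires five times and the strict one twice; the loose SSN pattern fires three times and the strict one once. Note that `9999999999999995` passes Luhn, so the issuer-prefix part of the regex is doing real work: neither the checksum nor the pattern alone is enough, and a matcher that cannot express the prefix alternation loses that filter.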

Summary: Detection systems are weak and forensics capabilities (log searches/correlation) are even weaker.
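The correlation complaint in the cons list (separate Traffic/Threat/URL records tied together only by a session ID that is reused and shared across firewalls) is what an analyst ends up working around outside the box. The block below is an added example for this page, not code from the post or from Palo Alto: it keys events on (device serial, session ID) rather than session ID alone, and starts a new correlated session on a Traffic start record or when the gap since the previous event exceeds a window, so a recycled ID does not merge two unrelated flows. The log layout is a constructed, simplified comma-separated format (receive time, serial, type, subtype, session ID, detail); a real PAN-OS CSV export has a much longer field list, and you would map its serial-number and session-ID columns onto these two keys.

```python
"""Reuse-aware correlation of per-type firewall logs by (serial, session id). Added example."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample logs in a simplified layout (NOT the real PAN-OS field order):
# receive_time,serial,type,subtype,session_id,detail
# Session ID 12345 appears on two firewalls and is reused later on FW-A; FW-B also
# has a stray THREAT record weeks later whose TRAFFIC start was never logged.
SAMPLE_LOGS = """\
2016/02/18 10:00:01,FW-A,TRAFFIC,start,12345,10.1.1.5->203.0.113.9:443
2016/02/18 10:00:03,FW-A,THREAT,vulnerability,12345,sig-example-1
2016/02/18 10:00:04,FW-A,THREAT,url,12345,example.com/login
2016/02/18 10:00:09,FW-A,TRAFFIC,end,12345,bytes=5120
2016/02/18 10:00:02,FW-B,TRAFFIC,start,12345,10.2.2.7->198.51.100.4:80
2016/02/18 10:00:05,FW-B,THREAT,url,12345,example.net/
2016/02/18 10:00:07,FW-B,TRAFFIC,end,12345,bytes=900
2016/03/01 09:00:00,FW-B,THREAT,url,12345,example.org/
2016/03/03 14:30:00,FW-A,TRAFFIC,start,12345,10.1.1.8->192.0.2.50:22
2016/03/03 14:30:02,FW-A,THREAT,vulnerability,12345,sig-example-2
2016/03/03 14:30:10,FW-A,TRAFFIC,end,12345,bytes=2048
"""


def parse_logs(text: str) -> list:
    """Parse the simplified CSV layout into event dicts."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, serial, ltype, subtype, sid, detail = row
        events.append({
            "time": datetime.strptime(ts, TS_FMT),
            "serial": serial,
            "type": ltype,
            "subtype": subtype,
            "session_id": int(sid),
            "detail": detail,
        })
    return events


def naive_by_session_id(events: list) -> dict:
    """What you get keying on session ID alone: everything lands in one bucket."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["session_id"]].append(ev)
    return dict(buckets)


def correlate(events: list, window: timedelta = timedelta(hours=1)) -> dict:
    """Group events under (serial, session_id, start_time).

    A new group opens on a TRAFFIC start record, or when the gap since the last
    event seen for the same (serial, session_id) exceeds `window`; the latter
    catches recycled IDs whose start record was dropped or never logged.
    """
    groups = {}
    current = {}  # (serial, session_id) -> (group_key, last_time)
    ordered = sorted(events, key=lambda e: (e["serial"], e["session_id"], e["time"]))
    for ev in ordered:
        ident = (ev["serial"], ev["session_id"])
        state = current.get(ident)
        is_start = ev["type"] == "TRAFFIC" and ev["subtype"] == "start"
        if state is None or is_start or ev["time"] - state[1] > window:
            key = (ev["serial"], ev["session_id"], ev["time"])
            groups[key] = []
        else:
            key = state[0]
        groups[key].append(ev)
        current[ident] = (key, ev["time"])
    return groups


def summarize(groups: dict) -> list:
    """(serial, session_id, start, event_count, threat_count) per group, sorted."""
    out = []
    for (serial, sid, start), evs in sorted(groups.items()):
        threats = sum(1 for e in evs if e["type"] == "THREAT")
        out.append((serial, sid, start.strftime(TS_FMT), len(evs), threats))
    return out


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("naive buckets:", {k: len(v) for k, v in naive_by_session_id(evs).items()})
    for row in summarize(correlate(evs)):
        print(row)
```

On the sample, keying on session ID alone puts all eleven records in one bucket; keying on (serial, session ID) with start-record and window splitting yields four sessions, two of them on FW-A with the same ID two weeks apart. In a real SIEM you would add the device's own session-start timestamp or a per-device generation counter if you have one, since the one-hour window is a heuristic.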

Comments

  • Heather Lewis  On February 19, 2016 at 9:58 am

    Hi Michael,

    How do we obtain the password?

    Thanks,

    Heather

  • Rick Weaver  On February 19, 2016 at 10:37 am

    Hello,

    What’s the process to reset our password?

    Thx for the great content.

    Rick

  • Martin  On March 9, 2016 at 9:03 am

    Hi Dreez,

    Been following your blog for years and happy to see you blogging again.
    Excellent stuff ! My compliments !
    I would love to read the password protected stuff about NSX Firewalling as I am looking into choosing a SDN platform at the moment.

    How do I apply ?

    Regards,
    Martin

    • Dreezman  On March 9, 2016 at 9:43 am

      It's not ready yet, I'm just keeping notes. I have to verify if it's true or not.

      But NSX DFW is not ready for enterprise use.
