PA Daily Operations update – From The Trenches

Firewalls have been around for 25+ years, and at this point, to me, a firewall is a firewall no matter what the label on the box says. I am totally mystified why organizations randomly jump from one vendor to another based on technology alone. I know licensing costs soar, support sucks, platforms are unstable, etc. But in the end a firewall is a firewall, and the grass doesn’t get much greener after you make the switch. You probably get one year of cheap hardware and kiss-ass support before you swirl to the bottom of the toilet as the new vendor pulls in new customers and forgets all the fireworks they promised would fly from your behind.

So yes, I am talking about the PA vs. CP debacle. PA is a fine firewall (if you don’t turn on all the misc. junk). CP is a fine firewall (if you don’t turn on all the misc. junk). PA is a massive marketing machine the likes of which the earth has never before seen. CP has an incredible enterprise management and logging infrastructure, but it can’t sell snow to Eskimos.

I just spent 3 hours in a PA hands-on class. It’s been 5 years since I touched one. My reaction: painful. Why? Because from the marketing rah-rah I was expecting fireworks would fly from my behind. The reality is: it’s just another firewall. The web interface reminds me of all the other freeware Java/AJAX shaky hope-to-god-this-works GUI firewall interfaces. Or maybe they hired a bunch of ex-Cisco CSM programmers and sent them to web development school for 6 weeks. I mean, it’s OK, but primitive compared to CP for an enterprise environment. Their logging just sucks compared to SmartLog.

I just don’t get it, but kudos to their marketing machine.

I have friends at another enterprise corp that spent millions and countless hours to switch. Years ago they had about 300-400 CP firewalls and ~5-10 firewall people. NOW:

  • ~50 firewall bodies
  • PA management and logging is OK but definitely not as good as CP
  • It is stable
  • App control is starting to be deployed and mostly works sometimes
  • Various 3rd party analysis tools don’t work like Tufin, Firemon, etc. so rule reviews are difficult
  • EXPENSIVE
  • Support is hot/cold

So millions were spent and countless hours were toiled and they went from Point A to Point A with 5x more bodies. How did that increase security? How did that lower costs?

Summary: Don’t drink the Kool-Aid. Understand what your end goal is; don’t just go from Point A to Point A. Spend those funds on more important security projects that have a real cost/benefit.


Comments

  • irom  On May 23, 2016 at 7:27 pm

    Generally I agree, one is not much better than the other; both have their strengths and weaknesses. Regarding logs, I prefer PA, where I can easily send them to syslog and keep logs from all network devices consolidated. CP central management is hard to beat. But the CP virtual firewall lacks all the features available for a single gateway. Plus none of the CP gateways have an API yet (2016?!). But CP zero-day threat sandboxing capability is hard to beat too.

  • Daniel Husand  On May 24, 2016 at 5:52 am

    From R77.30 you can send logs out to syslog if you prefer. APIs are available (OPSEC) pre-R80 but have been refreshed and greatly improved in R80 (REST).

  • phabean  On July 1, 2016 at 1:00 am

    Hey dreezman, love the “java/ajax shaky hope-to-god-this-works” comment, and laughed my … off at your hint at Cisco. We just did an eval with the top 4 firewall vendors and came to about the same conclusion: firewall = firewall, CP mgmt still beats the heck out of everybody else for a complex environment (talking more than just 100 rules). Every other vendor claims that they’re up to CP with the GUI, but hey, no, not at all! Rule creation and editing from an operations perspective is still a huge issue, and those web GUIs just don’t cut it. Drag & drop? Inline dropdown windows and a thousand objects to scroll through? No section titles? C’mon, even pfSense has that now, and that is a sweet GUI (for SOHO, I suppose). I am biased, OK. But I gave “them others” a good chance, and everybody just failed, and best thing: R80 is coming too and makes stuff even better!

    Great Blog – great insights, thanks a lot

    • Dreezman  On July 1, 2016 at 4:55 am

      R80 rocks, and I think they even tested it this time. Mind-blowing rocks.
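As an added illustration (not code from this blog, from Check Point, or from any of the commenters) tying together two threads above, rule reviews being difficult when Tufin/Firemon-type tools don’t fit, and the REST management API that R80 brought: a small Python script that pulls the access rulebase through the R80 Management API and flags the rules a reviewer would look at first. The login flow (POST to /web_api/login returning a session id, then the X-chkp-sid header on every call) is the published one; the exact JSON shape of the sample response, the layer name, and the review policy itself are simplified assumptions for this example, and the sample rulebase is constructed rather than captured from a real server.

```python
"""Offline rule review over a Check Point R80 Management API style rulebase.

Added example, not code from the blog post or from Check Point. The live
fetch helper follows the documented login flow (POST /web_api/login -> "sid",
then the X-chkp-sid header on each call). The JSON layout below is a
simplified, constructed approximation of show-access-rulebase output and is
an assumption, as is the review policy implemented in review_rulebase().
"""
import json
import ssl
import urllib.request

# Constructed sample: a short layer with one section, roughly in the shape of
# show-access-rulebase with details-level "standard" (object names inline).
SAMPLE_RULEBASE = json.dumps({
    "name": "Network",
    "rulebase": [
        {"type": "access-rule", "rule-number": 1, "name": "Stealth",
         "source": [{"name": "Any"}], "destination": [{"name": "FW-Cluster"}],
         "service": [{"name": "Any"}], "action": {"name": "Drop"},
         "enabled": True, "track": {"type": {"name": "Log"}}},
        {"type": "access-section", "name": "DMZ", "rulebase": [
            {"type": "access-rule", "rule-number": 2, "name": "Web in",
             "source": [{"name": "Any"}], "destination": [{"name": "dmz-web"}],
             "service": [{"name": "https"}], "action": {"name": "Accept"},
             "enabled": True, "track": {"type": {"name": "Log"}}},
            {"type": "access-rule", "rule-number": 3, "name": "Temp vendor",
             "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
             "service": [{"name": "Any"}], "action": {"name": "Accept"},
             "enabled": True, "track": {"type": {"name": "None"}}},
        ]},
        {"type": "access-rule", "rule-number": 4, "name": "Old disabled",
         "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
         "service": [{"name": "Any"}], "action": {"name": "Accept"},
         "enabled": False, "track": {"type": {"name": "Log"}}},
        {"type": "access-rule", "rule-number": 5, "name": "Cleanup",
         "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
         "service": [{"name": "Any"}], "action": {"name": "Drop"},
         "enabled": True, "track": {"type": {"name": "Log"}}},
    ],
})


def iter_rules(rulebase):
    """Yield access-rule entries in order, descending into access-section blocks."""
    for entry in rulebase:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry


def load_rules(raw_json):
    """Flatten a rulebase document into a plain list of rule dicts."""
    return list(iter_rules(json.loads(raw_json).get("rulebase", [])))


def _names(field):
    return {obj.get("name", "") for obj in field}


def review_rulebase(raw_json):
    """Return (rule-number, reason) findings a reviewer would want to see.

    Policy (an assumption for this example): an enabled Accept with Any
    source, Any destination and Any service is 'any-any-any accept'; an
    enabled Accept that is not logged is 'accept without logging'; disabled
    rules are reported as 'disabled rule' so they get cleaned up.
    """
    findings = []
    for rule in load_rules(raw_json):
        num = rule.get("rule-number")
        if not rule.get("enabled", True):
            findings.append((num, "disabled rule"))
            continue
        if rule.get("action", {}).get("name") != "Accept":
            continue
        if all(_names(rule[f]) == {"Any"} for f in ("source", "destination", "service")):
            findings.append((num, "any-any-any accept"))
        if rule.get("track", {}).get("type", {}).get("name") == "None":
            findings.append((num, "accept without logging"))
    return findings


def fetch_rulebase(mgmt_host, user, password, layer="Network", verify_tls=True):
    """Pull the live rulebase from an R80+ management server (not run offline)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only; never disable verification against production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(cmd, body, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session id from login
        req = urllib.request.Request(f"https://{mgmt_host}/web_api/{cmd}",
                                     data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read())

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        return call("show-access-rulebase",
                    {"name": layer, "details-level": "standard", "limit": 500}, sid)
    finally:
        call("logout", {}, sid)


if __name__ == "__main__":
    for num, reason in review_rulebase(SAMPLE_RULEBASE):
        print(f"rule {num}: {reason}")
```

Against the constructed sample this reports rule 3 twice (any/any/any accept, and accepting without logging) and rule 4 as a disabled leftover; the stealth and cleanup drops are left alone. The point is not the three checks, which any reviewer would extend, but that once the rulebase is reachable as JSON the review no longer depends on whichever third-party tool happens to support the vendor you switched to.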


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
