Firewalls have been around for 25+ years and at this point to me is a firewall is a firewall no matter what the label on the box says. I am totally mystified why organizations randomly jump from one vendor to another based on technology alone. I know licensing costs soar, support sucks, platforms are unstable, etc. But in the end a firewall is a firewall and the grass doesn’t get much greener after you make the switch. You probably get 1 year of cheap hardware and kiss ass support before you swirl to the bottom of the toilet as the new vendor pulls in new customers and forgets all the fireworks they promised would fly from your behind.
So yes I am talking the PA vs. CP debacle. PA is a fine firewall (if you don’t turn on all the misc junk). CP is a fine firewall (if you don’t turn on all the misc. junk). PA is a massive marketing machine the earth has never before seen. CP has an incredible enterprise management and logging infrastructure that can’t sell snow to Eskimos.
I just spent 3 hours in a PA hands-on class. Been 5 years since touching one. My reaction : painful. Why? Because from the marketing rah-rah I was expecting fireworks would fly from my behind. The reality is: Its just another firewall. The web interface reminds me of all the other freeware java/ajax shakey hope-to-god-this-works GUI firewall interfaces. Or maybe they hired a bunch of ex-Cisco CSM programmers and sent them to Web development school for 6 weeks. I mean its OK, but primitive compared to CP for an enterprise environment. Their logging just sucks compared to SmartLog.
I just don’t get it, but kudos to their marketing machine.
I have friends at another enterprise corp that spent millions and countless hours to switch. Years ago they had about 300-400 CP firewalls and ~5-10 firewall people. NOW:
- ~50 firewall bodies
- PA management and logging is OK but definitely not as good as CP
- It is stable
- App control is starting to be deployed and mostly works sometimes
- Various 3rd party analysis tools don’t work like Tufin, Firemon, etc. so rule reviews are difficult
- EXPENSIVE
- Support is hot/cold
So millions were spent and countless hours were toiled and they went from Point A to Point A with 5x more bodies. How did that increase security? How did that lower costs?
Summary: Don’t drink the Kool-aid. Understand what your end goal is, don’t just go from Point A to Point A. Spend those funds on more important security projects that have a cost/benefit.
DreezSecurityBlog 
Comments
Generally I agree, one is not much better than another, both have their strengths and weaknesses. Regarding logs.., I prefer PA where I can easily send them to syslog and keep logs from all network devices consolidated. CP central management is hard to beat. But CP virtual firewall lacks all features available for single gateway. Plus none of CP gateways have API yet..(2016?!). But CP zero-day threat sandboxing capability is hard to beat too.
Love these type of comments keep them coming.
From R77.30 you can send out logs to syslog if you prefer. APIs are available (OPSEC) pre R80 but has been refreshed and greatly improved in R80 (REST)
hey dreezman, love the ” java/ajax shakey hope-to-god-this-works” comment, and laugh my … off with your hint at cisco. we just did a eval with the top4 fwl-vendors and came about to the same conclusion: firewall = firewall, CP mgmt still beats the heck out of everybody else for a complex environment (talking more than just 100 rules). event though every other vendor claims that they’re up to CP with the GUI, but hey no, not at all ! rule creation and editing from an operation perspective is still a huge issue and those web GUI’s just don’t cut it. Drag& Drop? Inline dropdown windows and thousend objects to srcoll through? No Section titles? C’mon even pfsense has that now, and that is a sweet GUI (for SOHO i suppose). I am biased, ok. But I gave “them others” a good chance, and everybody just failed and best thing: R80 is coming too and makes stuff even better!
Great Blog – great insights, thanks a lot
R80. Rocks and I think they even tested it this time. mind blowing rocks.