Firewalls: Checkpoint vs Palo Alto

Started by that1guy15, May 06, 2015, 09:38:01 AM


NetworkGroover

Quote from: Netwörkheäd on May 07, 2015, 08:16:41 AM
It's the long, slow deathtrap, actually. Look at McAfee.

Funny you mention that.  The same guy I was talking about who is purchasing the PAN pointed out to me his disgust with the McAfee firewall they have now, with an interesting story of how it got there without their approval.  Long story short - the network team grilled the McAfee SE during what was thought to be an evaluation discussion to the point that he threw his hands up and literally said, "Why are you guys asking all these questions?  You already bought it." - the network team had no idea it was sitting on a pallet waiting for them to install...  :rofl:
Engineer by day, DJ by night, family first always

deanwebb

Oh. My. Gosh.

Yeah, we tested McAfee firewall and showed them the door soon thereafter.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

We nixed Palo Alto. We were looking at NG, using it for content filtering. It couldn't do exactly what we wanted. Plus the content filtering killed the firewall throughput to a large degree (I don't remember what the exact numbers were, but it made the firewall fairly useless).

The "exactly what we wanted" was the ability to do WebEx-like stuff: shutting down the desktop sharing capability, chat capability, file downloads, as well as the presenter capability.  So people could only watch and listen. Never found something that would do exactly that.
:professorcat:

My Moral Fibers have been cut.

that1guy15

Quote from: ristau5741 on May 08, 2015, 07:11:19 AM
We nixed Palo Alto. We were looking at NG, using it for content filtering. It couldn't do exactly what we wanted. Plus the content filtering killed the firewall throughput to a large degree (I don't remember what the exact numbers were, but it made the firewall fairly useless).

The "exactly what we wanted" was the ability to do WebEx-like stuff: shutting down the desktop sharing capability, chat capability, file downloads, as well as the presenter capability.  So people could only watch and listen. Never found something that would do exactly that.

Huh, interesting. What speeds were you trying to push through?
That1guy15
@that1guy_15
blog.movingonesandzeros.net

icecream-guy

Quote from: that1guy15 on May 08, 2015, 08:16:17 AM
Quote from: ristau5741 on May 08, 2015, 07:11:19 AM
We nixed Palo Alto. We were looking at NG, using it for content filtering. It couldn't do exactly what we wanted. Plus the content filtering killed the firewall throughput to a large degree (I don't remember what the exact numbers were, but it made the firewall fairly useless).

The "exactly what we wanted" was the ability to do WebEx-like stuff: shutting down the desktop sharing capability, chat capability, file downloads, as well as the presenter capability.  So people could only watch and listen. Never found something that would do exactly that.

Huh, interesting. What speeds were you trying to push through?

I stand corrected. We were testing Fortigate against the Palo Alto.  We saw a significant drop in throughput with SSL connections (which would be expected due to the SSL decryption that would need to occur). I don't think we got far enough to test the throughput on the Palo Alto because it just couldn't do what we wanted it to do. We had a lot of other issues with the Palo Alto; looking through old email: them making promises that they couldn't deliver, as well as crappy tech support, techs without a clue.
:professorcat:

My Moral Fibers have been cut.

that1guy15

Yeah, multiple people have mentioned that with the PAN you should get a separate SSL off-loader or jump up one model to account for the performance decrease.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

Fred

With ASAs, everything feels like it's tacked on and overly complex. It's very difficult to review even a moderately complex policy, or even to figure out what a policy is accomplishing. This leaves lots of room for human error. I don't feel like they're a good fit for a modern network where heavy segmentation is the rule.

CheckPoints are good solid firewalls. I like them quite a bit. They've got a good, clean interface for managing security policies, and they're easy to work with. But they also feel like they've had a lot of features tacked on, so some things end up being difficult to configure, or some pieces just don't fit together quite as smoothly as they should. And their support leaves a lot to be desired, though they were starting to get better last time I used them (about 2 years ago).

Palo Alto, IMO, is basically CheckPoint rewritten from the ground up, and all those features that seem tacked on in CheckPoint are smoothly integrated. Identity-based rules and application identification are just part of the ruleset, which makes it a little harder to learn, but a lot more powerful. I am finding some idiosyncrasies with the active/active setup. Active/Active was a lot smoother in the CheckPoint world, even if they did violate RFCs in the process (using a multicast MAC address bound to a unicast IP).
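On the multicast-MAC point Fred raises: a cluster that answers ARP for its unicast virtual IP with a group (multicast) MAC is easy to spot on the wire, because the IEEE 802 I/G bit is simply the least significant bit of the first MAC octet, and some routers will refuse to install such an ARP entry unless it is added statically. The following is an added example, not code from the thread, from Check Point, or from Palo Alto: it parses raw Ethernet/ARP reply frames and flags any reply that binds a unicast IPv4 address to a group MAC. The two sample frames, the addresses in them, and the 01:00:5e:0a:00:fe cluster MAC are constructed for the demonstration and do not come from any real device.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_is_multicast(mac: bytes) -> bool:
    """IEEE 802 I/G bit: LSB of the first octet set means a group (multicast) MAC."""
    return bool(mac[0] & 0x01)


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_reply(sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build a constructed Ethernet + ARP reply frame (used only for the sample data below)."""
    eth = struct.pack("!6s6sH", tha, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP frame into its fields; raise on anything else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"eth_src": src, "oper": oper, "sha": sha, "spa": IPv4Address(spa),
            "tha": tha, "tpa": IPv4Address(tpa)}


def multicast_mac_binding(frame: bytes):
    """Return 'ip -> mac' if an ARP reply binds a unicast IPv4 address to a group MAC, else None."""
    arp = parse_arp(frame)
    if arp["oper"] != ARP_REPLY:
        return None
    if arp["spa"].is_multicast:  # a multicast IP legitimately maps to a group MAC
        return None
    if mac_is_multicast(arp["sha"]):
        return f"{arp['spa']} -> {fmt_mac(arp['sha'])}"
    return None


def scan(frames):
    """Run the check over a list of raw frames and collect the offending bindings."""
    hits = []
    for frame in frames:
        hit = multicast_mac_binding(frame)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample traffic (not a capture from any real cluster or host).
HOST_MAC = bytes.fromhex("001c7f112233")        # ordinary unicast MAC
REQUESTER_MAC = bytes.fromhex("0050569a0001")   # the station that sent the ARP request
CLUSTER_VIP_MAC = bytes.fromhex("01005e0a00fe")  # hypothetical group MAC answering for a VIP

SAMPLE_FRAMES = [
    build_arp_reply(HOST_MAC, "10.0.0.1", REQUESTER_MAC, "10.0.0.50"),          # normal reply
    build_arp_reply(CLUSTER_VIP_MAC, "10.0.0.254", REQUESTER_MAC, "10.0.0.50"),  # VIP with group MAC
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FRAMES):
        print("unicast IP answered with a multicast MAC:", hit)
```

To use it against real traffic, feed the raw frames from a pcap (for example via a capture library's per-packet bytes) into scan(); a hit on your cluster VIP is the condition that makes the upstream router need a static ARP/MAC entry.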

that1guy15

Great feedback. Thanks!

I am still on the fence with my choice. I have support either way I go. Right now I am leaning more toward PAN but can see multiple scenarios that could play out where I would choose Checkpoint. I still have a month or so before we decide, and I'm getting quotes built as we speak, so that might help leadership with the choice too.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

Fred

So one more differentiator:

Our Palo Alto reps have been very generous with demo or lab gear. You could probably talk to them and get a PA-200 to install at your desk or home. If they think you're serious enough, you may even get to keep it.

that1guy15

:)
I have been pushing every SA that sells PAN for 3+ years to get me a PA-200 for my home lab but still no dice.  Last time I purchased PAN was with GOV so I had to pay full price for the PA-200 for the lab.

That1guy15
@that1guy_15
blog.movingonesandzeros.net

killabee

A while back Check Point had a 3 day event around here where they'd give you a Check Point 600 appliance if you attended :-)