Firewalls: Checkpoint vs Palo Alto

Started by that1guy15, May 06, 2015, 09:38:01 AM


that1guy15

So I am in the middle of a WAN edge refresh and have been back and forth with both our VAR and my corporate office on firewall selection and am looking for feedback about both Palo Alto and Checkpoint.

Little background:

Currently run two pairs of ASAs

Edge will be split into two separate pairs of firewalls: vendor connections (B2B VPN) and Internet/remote-access. All remote-access and application portals will be handled by F5 along with the various other services F5 will provide. The firewall for this block will just handle standard firewall functions for Internet and traffic control. The vendor pair will just terminate onsite vendors and B2B tunnels.

I have used Palo Alto in the past and like it for its simplicity and clean GUI. I also love how rules and policies are constructed. Checkpoint I have always heard negative things about, but I'm starting to hear people say they are going that way.

My biggest concern with either solution is transition for my team and ease of use.

Thanks guys!



That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

Quote from: that1guy15 on May 06, 2015, 09:38:01 AM
So I am in the middle of a WAN edge refresh and have been back and forth with both our VAR and my corporate office on firewall selection and am looking for feedback about both Palo Alto and Checkpoint.

Little background:

Currently run two pairs of ASAs

Edge will be split into two separate pairs of firewalls: vendor connections (B2B VPN) and Internet/remote-access. All remote-access and application portals will be handled by F5 along with the various other services F5 will provide. The firewall for this block will just handle standard firewall functions for Internet and traffic control. The vendor pair will just terminate onsite vendors and B2B tunnels.

I have used Palo Alto in the past and like it for its simplicity and clean GUI. I also love how rules and policies are constructed. Checkpoint I have always heard negative things about, but I'm starting to hear people say they are going that way.

My biggest concern with either solution is transition for my team and ease of use.

Thanks guys!

I can tell you the larger entities are going Palo Alto mostly. I'm not a firewall vendor so I don't know all the intricacies, but I hear Palo Alto more than anything else. Arista Networks considers them a "best-of-breed" partner. My two cents...
Engineer by day, DJ by night, family first always

routerdork

I interviewed with a company awhile back that was dumping Palo Alto for Cisco. Not sure exactly what the issues were but they weren't happy with them after two years.

My last job used ASAs for the B2B stuff and Checkpoint for the Internet piece. I had limited exposure to the Checkpoints since we had dedicated security guys, but from what I did do I liked it. Though my only exposure was through the GUI, and with the ASA I prefer the CLI when possible.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

Netwörkheäd

Cisco with SourceFire can provide a good price point and a lot of boxes checked on features. That makes them attractive to guys doing budgets.

I hear a lot of buzz about both Cisco and SourceFire as well as Palo Alto. The usefulness of either as a NG firewall will depend on the staff using it.
Let's not argue. Let's network!

that1guy15

My last job I ran through this about 4 years ago and PA was the hands-down winner. Checkpoint was discussed and considered, but the feedback I got was it's overly complex and has a larger learning curve than normal. This to me is big when your team is all generalists and no one is really a dedicated firewall admin.

PA at the time also was easily the best solution for "next gen" features. I also loved the simplicity of configuration.

But now as I'm running through it again, Checkpoint (in the eye of the community) seems to be picking up steam. Or I'm just hanging out with a skewed crowd :)

Love the feedback everyone!!
That1guy15
@that1guy_15
blog.movingonesandzeros.net

SimonV

Palo Alto is very intuitive to work with, and the logging with filter statements is great once you know the syntax. The user-id doesn't work as easy and reliable as they make it out to be in a large enterprise with complicated AD structure. Also, making firewall rules on user and application level requires more work, and also takes some patience if you have a strict change control process - even when you're sure that changing something will not have impact.

Checkpoint, I like the flexibility when creating the firewall rules with it, but I don't like it for VPN. Haven't done any URL filtering or NGFW stuff on it though. Also not a fan of the central management server concept. Plus, they ask $600 for their CCSA books, which I got from my colleague and are like 150 pages :mrgreen: Seems they aren't all too generous with information.

AnthonyC

Quote from: that1guy15 on May 06, 2015, 09:38:01 AM
So I am in the middle of a WAN edge refresh and have been back and forth with both our VAR and my corporate office on firewall selection and am looking for feedback about both Palo Alto and Checkpoint.

Little background:

Currently run two pairs of ASAs

Edge will be split into two separate pairs of firewalls: vendor connections (B2B VPN) and Internet/remote-access. All remote-access and application portals will be handled by F5 along with the various other services F5 will provide. The firewall for this block will just handle standard firewall functions for Internet and traffic control. The vendor pair will just terminate onsite vendors and B2B tunnels.

I have used Palo Alto in the past and like it for its simplicity and clean GUI. I also love how rules and policies are constructed. Checkpoint I have always heard negative things about, but I'm starting to hear people say they are going that way.

My biggest concern with either solution is transition for my team and ease of use.

Thanks guys!

Slightly off-topic, but are you using the F5 in front of the firewalls? (see https://devcentral.f5.com/questions/using-the-f5-in-front-of-the-dmz-firewall).
F5 with the AFM/APM/ASM can almost replace a traditional firewall; the biggest exception is probably the DPI functionality, which would be needed for an Internet edge. Also I'd consider offloading the SSL at the F5 (if you weren't already), as that would reduce the sizing requirement for the FW/IDS.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

that1guy15

Quote from: SimonV on May 06, 2015, 12:59:36 PM
Palo Alto is very intuitive to work with, and the logging with filter statements is great once you know the syntax. The user-id doesn't work as easy and reliable as they make it out to be in a large enterprise with complicated AD structure. Also, making firewall rules on user and application level requires more work, and also takes some patience if you have a strict change control process - even when you're sure that changing something will not have impact.

Checkpoint, I like the flexibility when creating the firewall rules with it, but I don't like it for VPN. Haven't done any URL filtering or NGFW stuff on it though. Also not a fan of the central management server concept. Plus, they ask $600 for their CCSA books, which I got from my colleague and are like 150 pages :mrgreen: Seems they aren't all too generous with information.
Great info! Thanks dude.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

that1guy15

Quote from: AnthonyC on May 06, 2015, 02:22:19 PM
Quote from: that1guy15 on May 06, 2015, 09:38:01 AM
So I am in the middle of a WAN edge refresh and have been back and forth with both our VAR and my corporate office on firewall selection and am looking for feedback about both Palo Alto and Checkpoint.

Little background:

Currently run two pairs of ASAs

Edge will be split into two separate pairs of firewalls: vendor connections (B2B VPN) and Internet/remote-access. All remote-access and application portals will be handled by F5 along with the various other services F5 will provide. The firewall for this block will just handle standard firewall functions for Internet and traffic control. The vendor pair will just terminate onsite vendors and B2B tunnels.

I have used Palo Alto in the past and like it for its simplicity and clean GUI. I also love how rules and policies are constructed. Checkpoint I have always heard negative things about, but I'm starting to hear people say they are going that way.

My biggest concern with either solution is transition for my team and ease of use.

Thanks guys!

Slightly off-topic, but are you using the F5 in front of the firewalls? (see https://devcentral.f5.com/questions/using-the-f5-in-front-of-the-dmz-firewall).
F5 with the AFM/APM/ASM can almost replace a traditional firewall; the biggest exception is probably the DPI functionality, which would be needed for an Internet edge. Also I'd consider offloading the SSL at the F5 (if you weren't already), as that would reduce the sizing requirement for the FW/IDS.

We are still working through design. All takes have been to have the F5s behind the firewalls. Yeah, SSL offloading is on the plate. Not sure how that will happen, as we have not gone that deep in the design.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

To shed a little additional light, and I can't discuss the "who", but a group I was visiting just bought the ... and forgive me if I'm mauling the details... but just bought the big what was it.. the big PA-7050 for 100G... one thing he said he liked about it was something to do with the ability of having flexible interface roles?  Something like that.... sorry I can't remember the details and it was only mentioned in a sidebar conversation, but he seemed to be a fan.
Engineer by day, DJ by night, family first always

AnthonyC

Quote from: AspiringNetworker on May 06, 2015, 03:08:50 PM
To shed a little additional light, and I can't discuss the "who", but a group I was visiting just bought the ... and forgive me if I'm mauling the details... but just bought the big what was it.. the big PA-7050 for 100G... one thing he said he liked about it was something to do with the ability of having flexible interface roles?  Something like that.... sorry I can't remember the details and it was only mentioned in a sidebar conversation, but he seemed to be a fan.

Nice, the PA-7050 has more than 400 cores. Haven't deployed 100G myself even though some clients have gear that can run them.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

killabee

I cast my vote for Palo Alto. We're slowly migrating off Check Points to Palo Altos and we aren't looking back. Just make sure you get the 3050 models or higher. Other than the 2020 series having a poor architecture (and making us suffer), we've had no issues with them. We use them for firewalling, NATing, URL filtering, application inspection, IPS, and malware inspection.

As for Check Point...
Their issues span so many domains it's not even funny.

We had our CPs configured with multiple subinterfaces/DMZs, DHCP relay on some subinterfaces, OSPF, and all the same features listed above, and it was buggy and breaking all the time. In migrating, we've since stripped it down to two subinterfaces, no DHCP relay, still running OSPF, and only FWing and NATing, and haven't had any issues. Sure, you could say that was expected because the more features you turn on, the more likelihood of issues you could have...but there are also issues with their TAC being very incompetent, with their patches just not working, with the way they handle patches/hotfixes, their software version control, their support KBs...etc. All vendors have some degree of issues with those areas, but not to the extent I saw with CP.

One thing I really liked about CP was they were a one-stop shop for standard security and they have a good model: management server, standalone firewalls, centralized firewall policies, sophisticated logging and reporting, central software update engine, solutions for endpoints and mobile devices, etc. But for now I think CP is too focused on releasing new products and looking good for Gartner, and not enough time on stabilizing the product and improving their internal processes.

I would go with the popular kid on the block and go with Palo Alto.

Since you're also a member on reddit, there are also several threads on this same topic you might want to look at.

NetworkGroover

Quote from: killabee on May 06, 2015, 06:07:38 PM
But for now I think CP is too focused on releasing new products and looking good for Gartner, and not enough time on stabilizing the product and improving their internal processes.

You mention an interesting truth - how external factors drive product quality. It's a damn shame that greed gets in the way and companies lose vision and/or ignore the "roots of their tree" - the customers. Shareholders and groups like Gartner, as you mentioned, become more important, and then these vendors lose focus on what really should be at the center of their attention, until it bites them in the rear and they are only then reminded that, "Oh yeah, if customers don't buy our stuff, we'll lose the shareholders anyway", etc. etc. I don't get how many of these vendors still have this issue with all the lessons learned from previous failures... or maybe they do and are just stuck in some political/financial deathtrap... sad.
Engineer by day, DJ by night, family first always

Netwörkheäd

It's the long, slow deathtrap, actually. Look at McAfee.
Let's not argue. Let's network!

that1guy15

Quote from: killabee on May 06, 2015, 06:07:38 PM
Since you're also a member on reddit, there are also several threads on this same topic you might want to look at.

Great idea! I never think to search there. To close the circle, here are the recent threads covering this topic.
http://www.reddit.com/r/networking/comments/2li4s0/palo_alto_or_checkpoint/
http://www.reddit.com/r/AskNetsec/comments/2poqpi/checkpoint_vs_palo_alto/

That1guy15
@that1guy_15
blog.movingonesandzeros.net