Firewalls: Checkpoint vs Pal Alto

NetworkGroover · May 07, 2015, 12:32:33 PM

Quote from: Netwörkheäd on May 07, 2015, 08:16:41 AM
It's the long, slow deathtrap, actually. Look at McAfee.

Funny you mention that. The same guy I was talking about who is purchasing the PAN pointed out to me his disgust with the McAfee firewall they have now, with an interesting story of how it got there without their approval. Long story short - the network team grilled the McAfee SE during what was thought was an evaluation discussion to the point that he threw his hands up and literally said, "Why are you guys asking all these questions? You already bought it." - the network team had no idea it was sitting on a pallet waiting for them to install...

deanwebb · May 07, 2015, 05:19:47 PM

Oh. My. Gosh.

Yeah, we tested McAfee firewall and showed them the door soon thereafter.

icecream-guy · May 08, 2015, 07:11:19 AM

We nixed Palo Alto, were looking at NG, using it for context filtering. couldn't do exactly what we wanted. plus the content filtering killed the firewall throughput to a large degree ( I don't remember what the exact numbers were, but it made the firewall fairly useless).

The exactly what we wanted was the ability to do WebEx like stuff, shutting down the desktop sharing capability, chat capability, file downloads, as well the presenter capability. So people could only watch and listen. Never found something that would do exactly that.

that1guy15 · May 08, 2015, 08:16:17 AM

Quote from: ristau5741 on May 08, 2015, 07:11:19 AM
We nixed Palo Alto, were looking at NG, using it for context filtering. couldn't do exactly what we wanted. plus the content filtering killed the firewall throughput to a large degree ( I don't remember what the exact numbers were, but it made the firewall fairly useless).

The exactly what we wanted was the ability to do WebEx like stuff, shutting down the desktop sharing capability, chat capability, file downloads, as well the presenter capability. So people could only watch and listen. Never found something that would do exactly that.

Huh, interesting. What speeds where trying to push through?

icecream-guy · May 08, 2015, 11:21:44 AM

Quote from: that1guy15 on May 08, 2015, 08:16:17 AM
Quote from: ristau5741 on May 08, 2015, 07:11:19 AM
We nixed Palo Alto, were looking at NG, using it for context filtering. couldn't do exactly what we wanted. plus the content filtering killed the firewall throughput to a large degree ( I don't remember what the exact numbers were, but it made the firewall fairly useless).

The exactly what we wanted was the ability to do WebEx like stuff, shutting down the desktop sharing capability, chat capability, file downloads, as well the presenter capability. So people could only watch and listen. Never found something that would do exactly that.

Huh, interesting. What speeds where trying to push through?

I stand corrected. we were testing Fortigate against the Palo Alto. we saw a significant drop in throughput with SSL Connections (which would be expected due to the SSL decryption that would need to occur). I don't think we got far enough to test the throughput on the Palo Alto because it just couldn't do what we wanted it to do, we had alot of other issues with the Palo Alto, looking through old email, them making promises that they couldn't deliver, as well crappy tech support, techs without a clue.

that1guy15 · May 08, 2015, 12:46:09 PM

Yeah multiple people have mentioned with the PAN to get a separate SSL off-loader or jump up one model to account for the performance decrease.

Fred · May 21, 2015, 08:36:52 PM

With ASA's, everything feels like it's tacked on and overly complex. It's very difficult to review even a moderately complex policy, or even to figure out what a policy is accomplishing.This leaves lots of room for human error. I don't feel like they're a good fit for a modern network where heavy segmentation is the rule.

CheckPoints are good solid firewalls. I like them quite a bit. They've got a good, clean interface for managing security policies, and they're easy to work with. But they also feel like they've had a lot of features tacked on, so some things end up being difficult to configure, or some pieces just don't fit together quite as smoothly as they should. And their support leaves a lot to be desired, though they were starting to get better last time I used them (about 2 years ago).

Palo Alto, IMO, is basically CheckPoint rewritten from the ground up, and all those features that seem tacked on in CheckPoint are smoothly integrated. Identity based rules and application identification are just part of the ruleset, which makes it a little harder to learn, but a lot more powerful. I am finding some idiosyncracies with the active/active setup. Active/Active was a lot smoother in the checkpoint world, even if they did violate RFC's in the process (using a multicast mac address bound to a unicast IP).

that1guy15 · May 21, 2015, 10:01:17 PM

Great feedback. Thanks!

I am still on the fence with my choice. I have support either way I go. Right now I am leaning more for PAN but can see multiple scenarios that could play out where I would choose Checkpoint. I still have a month or so before we decide and Im getting quotes built as we speak so that might help with the choice too for leadership.

Fred · May 22, 2015, 10:17:18 PM

So one more differentiator:

Our Palo Alto reps have been very generous with demo or lab gear. You could probably talk to them and get a PA-200 to install at your desk or home. If they think you're serious enough, you may even get to keep it.

that1guy15 · May 22, 2015, 10:37:45 PM

I have been pushing every SA that sales PAN for 3+ years to get me a PA-200 for my home lab but still no dice. Last time I purchased PAN was with GOV so I had to pay full price for the PA-200 for the lab.

killabee · May 23, 2015, 02:57:07 PM

A while back Check Point had a 3 day event around here where they'd give you a Check Point 600 appliance if you attended :-)