|
Firewall Wizards
mailing list archives
Re: Palo Alto Networks
From: Paul Hutchings <paul () spamcop net>
Date: Fri, 9 Oct 2009 17:27:36 +0100
Thanks all.
Frank, We would only be looking at one unit so management shouldn't
be an issue. You mentioned "home grown apps" and giving them a
definition, this will hopefully all be clear once I have a units GUI
in front of me, but presumably if you need/want it to the PA boxes
can also act as dumb stateful firewalls i.e. "Simply allow port XYZ
from X to Y"?
Arkanoid, I've learned not to trust the marketing hence lurking on
technical forums and lists like this. Also (again may become clear
when in front of one) but how does the SSL inspection/MITM actually
work i.e. what would I need to change on my clients and could it also
be used to apply inspection to inbound SSL traffic to look for
nasties i.e. Outlook Web Access?
As a general question, what strategies are people taking these days
regards "layering" firewalls? We currently use a back to back
approach with a dumb stateful firewall at our perimeter almost as a
"doorman" so that only the ports we need to allow in get in, and then
we get a little smarter i.e. does it conform to RFCs etc. at the LAN
edge firewall. I'm wondering if the general consensus is that this
is still a sensible idea?
Paul
On 8 Oct 2009, at 20:47, Francois Yang wrote:
I've worked with them before and they're pretty good.
easy setup and maintenance, good integration with Active Directory,
good application detection engine.
Over all it's a good product, but you have to test it in your own
environment to see if it fits.
here are the draw backs that I can remember. all firewalls have some
kind of issues.
here are the issues I see and maybe they have been fixed by now. I
don't know it's been a while.
I remember it didn't have a central management, so having a few of
those boxes may be ok, but when you're looking at 20+ clusters, it
becomes time consuming to manage.
Application detection engine would automatically drop the traffic of
unknown apps into a low priority pool. So if you have home grown apps
which requires alot of bandwidth, you need to make sure you find it
and give it a definition or work with their team to create custom rule
otherwise it will crawl.
I'm sure there's more pros and cons, but that's all I can think of.
Let me know if you have more questions.
Frank
On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul () spamcop net>
wrote:
Getting one of their boxes on eval for a couple of weeks. Quite a
broad and
generic question I know, but does anyone have any experience(s)
they wish to
share?
Cheers,
Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. — White House Cybersecurity
Advisor, Richard Clarke
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
|
Intro
