Palo Alto next-gen firewall stacks up well

Palo Alto Networks has bet everything on being a next-generation firewall. Without the next-generation hook, Palo Alto has little chance of breaking into the established world of firewalls, and they've done a good job of defining the category on their own terms.

In our initial foray into testing next generation firewalls last August, we looked at Palo Alto's PA-5060 by itself, so it's only logical to consider how Palo Alto stacks up against the four vendors in this test.

Next-gen firewalls: Off to a good start

We used a different methodology to test application identification between the two tests, so we can't make a head-to-head comparison. Palo Alto's PA-5060 had a higher identification rate when we passed canned applications, but we can't generalize from that. However, in areas such as management of application firewall rules, we'd put them at the top. Likewise, the Palo Alto PA-5060 had a good design for what to do once application traffic matches, again putting them at the top, alongside Check Point's Security Gateway.

Since Palo Alto didn't have to carry any legacy GUI baggage with them, they were able to design their management from the beginning to handle the integrated application identification and threat mitigation features, all at once. On the other hand, Palo Alto has a ways to go with the performance of their management system, which is frustratingly slow when applying changes.

Visibility, showing you what is happening on your network, is another area where Palo Alto's PA-5060 shined in our test. Starting from scratch with the goal of next generation visibility gave Palo Alto a big leg up, and the PA-5060 came out of the starting gate with an outstanding visibility tool, setting the standard for this category. While Check Point has some great features in SmartEvent, the prize for accessible visibility has to go to Palo Alto.

We didn't test the PA-5060's SSL decryption capabilities as systematically as we did the products in this test, but because the PA-5060 has an architecture more like SonicWall, with virtually unlimited SSL decryption, we expect it would have also landed at the top of the list with SonicWall.

When it comes to UTM features, the Palo Alto PA-5060 can be compared more closely to the products we tested. For IPS coverage, the PA-5060 turned in scores in the low 90% range, putting it up near the high scorers in our IPS testing. In the anti-virus/anti-malware testing, the PA-5060 fell more toward the bottom of the range of our testing.

We stand by our original PA-5060 test headline back in August: "Palo Alto earns short list status." If you are considering replacing your firewall to gain next generation features, Palo Alto remains a credible contender.


Copyright © 2012 IDG Communications, Inc.
