Download our free Firewall Vendor Report based on nearly 500 real user experiences.
Cisco’s and Palo Alto Networks’ next-generation firewalls (NGFWs) both appear on eSecurity Planet’s list of the top 10 NGFW vendors, and both are well qualified to meet enterprise security demands. Each solution has distinct strengths and weaknesses, however – what follows is a look at each offering’s key features, as well as the differences between them.
The Bottom Line
Cisco and Palo Alto both get high marks from customers and industry analysts, but there are important differences between the two. Cisco is a particularly good fit for companies seeking a broad range of security services that integrate with the firewall, and customers give the company strong marks for support. Palo Alto is a good fit when performance and advanced features are more heavily weighted than price.
Recent NSS Labs testing found that Palo Alto’s PA-5220 firewall was more cost-efficient than Cisco’s, at a total cost of ownership (TCO) per protected Mbps of $7 compared to $28 for the Cisco Firepower 4120. The rating is due largely to the Cisco Firepower’s inability to block three of 190 evasion techniques tested by NSS. Palo Alto also came out on top in performance.
Cisco Product Highlights
Overview: Cisco’s Firepower NGFWs are designed to provide deep visibility into telemetry and any potentially malicious file activity across users, hosts, networks and infrastructure, all in a single view via the Firepower Management Center. Cisco Talos threat intelligence and rule sets are automatically updated to the Cisco NGFW, and the solution’s automated policy application and enforcement lets users focus on higher priority tasks.
Recent developments: Recent updates to Cisco’s Firepower Device Manager have added several enhancements, including device APIs for automation and orchestration, SSL decryption in software for encrypted traffic, and IPS signature-tuning for false positives. A new Firepower Migration Tool has also been introduced to help customers upgrade from Cisco ASA firewalls to NGFWs.
Analysts’ take: Gartner says Cisco is a good shortlist candidate for most enterprise use cases, particularly when enterprises want to deploy a broad set of security services that interact with the firewall. Still, some customers complain about the increased complexity of having to use Cisco Security Manager for some older firewalls and the Firepower Management Center for newer ones, and customers have also said complex and confusing licensing is an ongoing issue.
Palo Alto Product Highlights
Overview: Palo Alto Networks’ NGFWs inspect all traffic, including applications, threats and content, and tie it to the user, regardless of location or device type. The aim is to manage applications, users and content by classifying all traffic, determining the business use case, and assigning policies to protect access to relevant applications and block threats. The company’s NGFWs are available in purpose-built hardware appliances, and as virtual appliances supporting a wide range of cloud environments.
Recent developments: Palo Alto recently released version 8.1 of its PAN-OS operating system, which adds more than 60 new features, including expanded SSL decryption capabilities and more granular control of SaaS applications. New hardware appliances from Palo Alto include the rugged PA-220R, the PA-3200 Series, and the PA-5280.
Analysts’ take: Gartner says Palo Alto is visible on shortlists across all industries and is a particularly solid contender when features, management and performance are weighed more heavily than price. Still, some clients have expressed concern about the pace of firmware releases, saying they’d prefer to see small batches of features instead of large updates that take more time to stabilize. Some customers also say Palo Alto’s Panorama management system can become slow when managing a large number of appliances.
NGFW Product Ratings
Here are eSecurity Planet’s ratings of each solution’s key features.
Security: In NSS Labs’ recent tests, Palo Alto’s PA-5220 got a 98.7 percent security effectiveness rating, while the Cisco Firepower 4120 got 71.8 percent, due largely to its failure to block three out of 190 evasion techniques tested by NSS.
Performance: Palo Alto topped all firewalls tested by NSS Labs with 7,888 Mbps performance, while Cisco posted a solid 5,291 Mbps. Notably, NSS rated the performance of both devices lower than the vendors claimed, with Palo Alto claiming 9,000 Mbps and Cisco claiming 15,000 Mbps.
Value: NSS Labs views Palo Alto as the more cost-effective solution, with a TCO of $7 per protected Mbps, compared to $28 for Cisco.
Implementation and Management: “Ease of use” is a phrase you won’t hear often about either product, but they make up for it in enterprise-class security features. Several Cisco users cite the UI as a key strength of the solution despite the product’s complexity; integration with endpoint security, network traffic analysis, web gateway, email security, and network access control are among Cisco’s broad strengths. Palo Alto users cite stability and reliability as positives, but a few complain about the sluggishness of Palo Alto’s Panorama interface when managing a large number of appliances. Palo Alto’s advanced features, like application visibility, make it worth the learning curve.
Support: While customers of both companies give positive reviews for vendor support, Gartner reports that the Cisco support network is so strong that it’s often cited as a key justification for loyalty to the company’s products.
Cloud Features: Both solutions are strong in an area where many NGFWs lack, with virtual appliances and a range of cloud functionality.
Cisco’s NGFWs are available as hardware appliances, with the Firepower Defense Manager on-box solution or the Firepower Management Center for centralized management. Virtual and public cloud solutions are also available with the Firepower NGFW Virtual (NGFWv).
Palo Alto’s NGFWs are available as hardware appliances (PA Series), as well as the VM Series for use in a virtualized or cloud environment.
Cisco’s firewalls start at under $1,000, with pricing as low as $35 per month with Cisco EasyPay leasing. The Firepower 4120 tested by NSS sells for approximately $100,000.
Palo Alto Networks’ most recently released appliances, the PA-220R, PA-3200 Series and PA-5280, range in price from $2,900 to $200,000. The 220 offers 100 Mbps VPN throughput and 64,000 sessions; the 5280 offers 24 Gbps VPN throughput and 64 million sessions. The PA-5220 tested by NSS sells for around $70,000, with support packages extra.