Palo Alto Networks boasts a long history of innovation and strong independent test scores, earning our rating as the top overall cybersecurity company. Enterprise security buyers might pay a premium for Palo Alto products, but they can typically buy with confidence.
That said, the next-generation firewall (NGFW) market — where we also list Palo Alto as a leader — has gotten tougher in recent years, with low-cost competitors like Versa Networks and Sangfor offering good firewalls at lower cost. Forcepoint and Fortinet have made an effort to compete on price too, and Check Point remains strong at the high end, so there’s no room for any vendor to rest on their laurels. With nearly $7 billion in annual revenue and a 20%+ growth rate, Palo Alto (PANW) has the resources to stay competitive in the network security market.
We’ll discuss Palo Alto’s wide-ranging firewall lineup, including features, performance and security — and a surprising recent development — plus buying considerations and alternatives.
Palo Alto Firewall Ratings
We’ve rated Palo Alto firewalls in a number of key areas. We go into detail below, but here’s an overview of our review findings.
Palo Alto Network Firewalls Rated

|Area|Rating|Summary|
|---|---|---|
|Firewall Product Lineup|Very Good|High-end features even in low-cost products|
|Pricing and Performance|Good|Great features come at a cost|
|Security|Very Good|A recent hiccup in a great long-term track record|
|Cloud Features|Tops|Support for many use cases|
|Management and Implementation|Very Good|Surprisingly easy to deploy and use|
|Support|Fair|Room for improvement|
Palo Alto’s Firewall Product Lineup
Palo Alto remains a clear leader in the NGFW market it invented. Gartner placed Palo Alto in the Leaders quadrant and gave it the highest ratings in its latest next-generation firewall Magic Quadrant (MQ). It was also named a Leader in a Forrester Wave for Enterprise Firewalls.
Palo Alto NGFW appliances range from the low-end PA-220 to the high-end PA-7000, plus virtual, cloud, and container firewalls and SD-WAN options. The firewalls run PAN-OS and are managed centrally through the Panorama management console.
Palo Alto boasts a single-pass architecture to maximize performance and security (image below), with full Layer 7 protection, machine learning-based inline prevention, and centralized user identity and access control.
Even low-cost Palo Alto firewall appliances include advanced features like ML-based detection, AIOps policy recommendations, behavioral analysis, IoT device detection, application classification, and adaptive policies for users and groups regardless of device or location.
Pricing and Performance
Pricing for Palo Alto Networks NGFWs starts at around $1,000 for the PA-220, while the high-end PA-7000 starts around $200,000 and goes up from there. Threat prevention throughput for the ruggedized PA-220R can hit 320Mbps, while the high-end PA-7080 can reach 300Gbps and 6 million new sessions per second.
Pricing for Palo Alto firewalls tends toward the higher range of the market, but users give high ratings to the firewalls’ capabilities, not surprising when you consider that the PA-220R contains many features of the high-end models. In recent testing, CyberRatings rated Palo Alto at the upper end of the market in price per Mbps (chart below).
By comparison, the very high-end Check Point Maestro Hyperscale Orchestrator 28600 can start at around $500,000 and scale to 1.5Tbps.
Security
This is where it gets interesting, as we hinted earlier. Palo Alto has a long string of top independent security tests going back at least five years, so it’s noteworthy that the company’s CyberRatings firewall tests released recently came in toward the bottom of the tested solutions.
That said, many of the misses came in just two evasion techniques — HTTP obfuscation and compression (see chart below) — so the issues identified by CyberRatings in the PA-3220 v10.2.3 are fixable. We maintain our high ratings on Palo Alto’s security given the company’s long history of top scores in MITRE, CyberRatings, NSS Labs and other evaluations, and props to CyberRatings for their extensive firewall testing.
Management and Implementation
To their credit, Palo Alto engineers have built a high-end firewall that offers user-friendly implementation and management.
Here’s a typical comment from a banking IT manager, who calls the firewalls “incredibly easy to deploy.” The IT manager says the management interface is “intuitive and easy to navigate.”
The Exploration mission tool makes it easy to transfer existing policy to a zone-based policy that can be loaded onto the firewall. Other management features getting high marks include FQDN address objects, External Dynamic Lists (EDL), rule-based log forwarding, and management of apps, customers, and content from a single interface.
Another user, a network security engineer in the transportation industry, noted that while plug-and-play features may be great for the unsophisticated, security pros seeking to customize the firewalls will have to work for it.
The engineer said Palo Alto firewalls are “awesome for somebody who just wants to unpack the box, connect it to network and leave it with default settings. But if you need something more and start to dig in, you will discover lots of bugs and limitations. On the other hand, all bugs can be fixed and all missing features can be added sometime in the future.”
Cloud Features
Support for cloud environments is an area where Palo Alto shines. With virtual firewalls and support for Azure, AWS, 5G and containers, Palo Alto’s NGFW lineup is far ahead of most competitors.
With strong branch office, campus and data center offerings, Palo Alto firewalls are particularly appealing for enterprises with a range of use cases.
Support
This is the one area Palo Alto could do better in. There are plenty of instances where Palo Alto firewall customers are happy with the support they receive, but it’s also the area users complain about the most, with a number of criticisms of the cost, timeliness and effectiveness of support. Both Gartner Peer reviewers and G2 reviewers give Palo Alto below-average ratings for firewall support.
Palo Alto Firewall Alternatives
The market for next-generation firewalls is one of the best-served markets in cybersecurity, with offerings ranging from very low-cost to very high-end.
Among alternatives, Fortinet, Versa and Forcepoint offer good security and performance at lower cost, while Palo Alto’s most formidable high-end competitor is Check Point.
Whichever firewall you choose, evaluate product features carefully to make sure you get the firewall that best meets your needs.
Bottom Line: Palo Alto Firewalls
Palo Alto Networks has been a leader in the market for next-generation firewalls since the company coined the term in 2008, now 15 years ago. Buyers looking for advanced features even at the lowest price points will find much to like in Palo Alto firewalls, and those buying at the high end of the market have few alternatives. But the rise of strong competition in the low-end and midrange markets means the company will have to work to stay on top of the firewall market.
Drew Robb contributed to this product review and analysis