
Palo Alto vs Firepower

In this article we are going to briefly go through the differences between the two firewall types at a high level. We won’t be doing a deep dive into the individual feature comparison or extremely low-level technical differences. The bottom line is both firewalls are exceptional and are miles ahead of the older legacy firewalls.


Next-Generation Firewall Expertise

Regardless of which firewall you choose for your organization, the most crucial factor has nothing to do with the decision at all! Rather, it comes down to the engineers that will be deploying, managing, and monitoring the solution. The best firewall in the world has no value if the security features are not implemented properly. Sadly, this is all too common in the real world.


There was a time when you upgraded your ASA to a newer model, and there really wasn’t much to think about. You did a copy/paste from the old firewall, changed an interface name or two, and off you went. Child’s play. However, that time has changed, but many in the industry did not change with it. There are several reasons for this:


  • Risk: The enemy of security is unreasonable and/or irrational expectations on availability. If you are going to fire an engineer because security policy blocked something, the result will be the most permissive firewall policy in the history of the earth.

  • Lazy: The old ASA has 4,000 lines of configuration; there are two options:

    • Go through them all, make sure they are still valid, make sure they are secure, update to application-based filtering, add features such as user-id, monitor closely, and make many changes as logs are generated.

    • Run the 4,000 lines through an automated tool, blast the output into the new firewall, and guarantee Happy Hour starts early.

  • Uninformed: If the engineer simply doesn’t understand the new features, security in general, etc. This comes up far more often than it should.

  • Budget: Consulting companies don’t like to give their customers sticker shock, but that is really what is required. Of course, the last firewall refresh was much cheaper, but you are simply not comparing apples and apples. You are comparing a cut/paste to a complete and absolute change to the entire security posture of the organization. In other words, you overpaid last time, not this time. This is not really the fault of the engineer, as most of us do the best we can with the constraints placed on us.

  • All the Above: There may be a little bit of everything in a poorly designed and deployed firewall.
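The “Lazy” bullet above contrasts reviewing every legacy rule with blasting the whole configuration through a conversion tool. The script below is an added example (not from the original post, and not a vendor tool) of the kind of first-pass triage that makes the review tractable: it walks a constructed, simplified ASA-style access-list and flags the rules a human should look at before they are migrated, such as permit any/any, management ports reachable from any source, rules that are already inactive, and permits to “any” destination that are candidates for application-based filtering. The ACL grammar it accepts is deliberately reduced to the common `access-list NAME extended ACTION PROTO SRC DST [ports] [flags]` shape and the list of “management” ports is an assumption for the example.

```python
"""Triage an ASA-style access-list before migrating it to a next-generation
firewall.  Constructed sample data and a simplified ACL grammar; not a
complete ASA parser and not affiliated with any vendor's migration tooling."""
import re
from dataclasses import dataclass

# Constructed sample configuration for this example; not from a real device.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 22
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.0.0.0 any
access-list INSIDE_OUT extended permit tcp object-group SERVERS any eq 3389 inactive
access-list INSIDE_OUT extended deny ip any any
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)
ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # op -> tokens consumed
MGMT_PORTS = {"22", "23", "3389"}  # assumed list of ports worth a second look


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dst_ports: list
    flags: list
    text: str


def _take_endpoint(tokens):
    """Consume one endpoint: 'any', or a two-token form such as
    'host X', 'object X', 'object-group X', or 'NETWORK MASK'."""
    head = tokens[0]
    if head in ANY or len(tokens) < 2:
        return head, tokens[1:]
    return f"{head} {tokens[1]}", tokens[2:]


def _take_ports(tokens):
    """Consume any port operators that follow an endpoint."""
    ports = []
    while tokens and tokens[0] in PORT_OPS:
        width = PORT_OPS[tokens[0]]
        ports.extend(tokens[1:width])
        tokens = tokens[width:]
    return ports, tokens


def parse_rule(line):
    """Return a Rule for an access-list line, or None if it is not one."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    src, tokens = _take_endpoint(tokens)
    _, tokens = _take_ports(tokens)          # source ports are rare; skip them
    dst, tokens = _take_endpoint(tokens)
    dst_ports, tokens = _take_ports(tokens)
    return Rule(m["name"], m["action"], m["proto"], src, dst, dst_ports, tokens, line.strip())


def review_reasons(rule):
    """Reasons a rule should be reviewed by hand instead of migrated as-is."""
    reasons = []
    if "inactive" in rule.flags:
        reasons.append("inactive: retire rather than migrate")
    if rule.action != "permit":
        return reasons
    if rule.proto == "ip" and rule.src in ANY and rule.dst in ANY:
        reasons.append("permit ip any any: fully open rule")
    elif rule.dst in ANY:
        reasons.append("destination any: candidate for application-based filtering")
    if rule.src in ANY and MGMT_PORTS & set(rule.dst_ports):
        reasons.append("management port reachable from any source")
    return reasons


def audit(config):
    """Return [(rule_text, [reasons...])] for every rule that needs a look."""
    findings = []
    for line in config.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        reasons = review_reasons(rule)
        if reasons:
            findings.append((rule.text, reasons))
    return findings


if __name__ == "__main__":
    for text, reasons in audit(SAMPLE_CONFIG):
        print(text)
        for reason in reasons:
            print("   ->", reason)
```

On the constructed sample this flags four of the six rules; the two that pass (a permit to a single host on 443 and the trailing deny) are exactly the ones that can be carried across with little thought. On a real 4,000-line configuration the flagged subset is where the review time should go, and the “destination any” findings are the natural starting point for converting port-based rules to application-based ones.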


The point is, I’d spend time ensuring you get the right engineer rather than the right firewall!


Engineer/Architect/Sales Bias

Humans prefer what we are good at. I’ve been a Cisco guy since birth and if you ask me what kind of switch you should buy, the answer will be Cisco. The fact is, if I will be the person responsible for the switch deployment, it makes sense choosing the product that is most aligned with my skillset.


Simply, there is nothing I have not come across on a Cisco switch. However, that doesn’t really mean Cisco is superior to Arista in every way. Nor does it mean the deployment of Arista switches (with or without me) won’t be the smoothest project in the history of network engineering. Both products are exceptional, and I do have significant Arista experience. Just not as much as Cisco😊.


Bias can also come from financial concerns. If my consulting company earns more profit from one or the other, I’d likely have some reason to pick one or the other. The same is true for something as simple as engineer availability: if I have engineers on the bench with PA expertise, I may have an incentive to choose PA.


Finally, the most common bias is ignorance. I know that sounded a bit harsh, but that doesn’t mean it isn’t true. It’s not uncommon at all to read a Reddit post saying something like “Firepower is the worst product on earth, NAT doesn’t work at all!” In this case, you must ask yourself what is more likely to be true – a $50B company has an 8-year-old product that can’t do the most basic firewall functions, or the engineer trying to configure NAT did not have the required knowledge?


Palo Alto vs Firepower Features

I’m not going to deep dive into which has a better IPS or malware engine. Again, this is seldom relevant in the real world and chances are that one could have a slight advantage on any given day. The same is true for application filtering, either one may have a slight advantage, but it’s not worth the effort to figure out which one. The same is true for any number of standard features such as: NAT, Routing, HA, Etc. Again, the list of features that are virtually identical is longer than the list where one has a clear advantage over the other.


Palo Alto Advantages over Firepower

Here are a few relatively clear advantages Palo Alto has over Firepower:


  • Management: In my opinion, the PA front end is a little cleaner and easier to use. You will have very little trouble finding what you are looking for. This is also true when migrating from a legacy firewall to a next generation, the PA has several tools to make this a bit easier (It’s never easy, just easier😊).

  • SSL/TLS Decryption: This was extremely easy to set up on the Palo Alto and the performance is superior to Firepower.

  • Interface Control: Another large advantage is PA can filter, control, and monitor traffic going to a data interface, where Firepower does not (at least not intuitively). Firepower focuses exclusively on traffic going through the firewall, while PA can filter traffic going through or to the firewall.

  • Support: While I haven’t used Palo Alto support frequently or for anything difficult, I was impressed. Many engineers feel Cisco TAC has fallen off a bit over the past 5 years or so, and sadly, I agree. Cisco TAC used to be the gold standard in support, now, not so much.


Firepower Advantages over Palo Alto

Here is a quick list of advantages Firepower has over PA.


  • Logging/Monitoring: The FMC logging and monitoring functions are superior. It is extremely easy to find the traffic you are looking for, obtain an overview of your entire firewall, etc.

  • Integration: If you have a Cisco shop, the Firepower system provides more opportunities to allow all security tools to work together. PA is certainly catching up, but it is not quite there yet.

  • Granularity: The FMC frontend can do pretty much anything on the firewall, either out-of-the-box or via “Flex Config”. This tends to get a bad rap as it is not very intuitive, but the ability to have absolute control is valuable. Even when that control comes at the price of anger, frustration, etc.


The Bottom Line

The most crucial factor, without question, is the expertise of your engineers. If you have an experienced team familiar with Firepower, that may be the best choice. However, for those migrating from legacy platforms, decisions can be made based on factors like cost and features. The reality is today’s security tools are incredibly advanced across the board. I know that is not a popular opinion, but it is truer today than it has ever been. The tools are obviously only as good as the operator – Don’t blame the hammer, blame the carpenter.


If you are doing a greenfield implementation or have no need for fancy integrations, Palo Alto likely wins the day. On the other hand, if you capture Identity from ISE or have an existing TrustSec network or do not want to re-train your employees away from AnyConnect VPN, Firepower is probably the better option.


If you need assistance with network security, our team of skilled professionals is here to help. Whether you’re implementing a greenfield solution or fine-tuning an existing system, we have the expertise to ensure your network is secure and optimized. Contact us today to discuss how we can support your network security needs.
