Palo Alto Firewall review and alternatives

Palo Alto NGFW is a next-generation firewall that uses AI-based processes to protect networks fully. Palo Alto Networks has always been at the forefront of innovation in the security software market, so its aid in applying AI to detect malicious activity should come as no surprise.

The NGFW explicitly uses machine learning, which is a discipline of AI. This helps the system detect zero-day threats for which the Palo Alto technicians have prepared no solution. With this innovation, each implementation can act autonomously and spot threats even if this is the first time the attack has been launched. But, unfortunately, fewer responses, no security analysts have seen yet.

About Palo Alto Networks

Palo Alto Networks was started in 2005 by a cyber security expert called Nir Zuk. Working at Check Point and NetScreen, Zuk achieved a reputation as an innovator and industry guru throughout his career. He started in IT as a 16-year-old, writing viruses. This background gave Zuk an insight into how malware works, which enabled him to work out new ways to block viruses when he began his career in cyber security.

Zuk emigrated from Israel to the USA in 1997, which brought him closer to the world of venture capital and enabled him to launch Palo Alto Networks. By the time he became an entrepreneur, Zuk had become a well-known name in the cybersecurity field. Zuk is still involved with the company as its Chief Technology Officer.

The next-generation firewall is the core product of Palo Alto Networks. It was the company’s first product, which was launched in 2007. This is an excellent product to anchor to a security tool producer because a firewall can be adapted to work in different locations – endpoints, network boundary, or cloud.

The fact that all traffic entering the protected system first has to be processed by the firewall gives the creator of the firewall plenty of opportunities to diversify into other products. For example, a reverse firewall creates a data loss prevention service, and a cloud-based firewall can offer DDoS protection, load balancing, and continuity services. Palo Alto has seized the potential for expansion by following all of these variations on firewall technology, even extending to creating SD-WANs and other virtual networking services. As a result, Palo Alto Networks is now a leader in the market for edge services.

Palo Alto NGFW

As Palo Alto specializes in next-generation firewalls, the company has created several different packages around the technology. The core NGFW system is available in six different configurations. Although the main functionality of the NGFW runs through all of these versions, there are some differences to account for the location of the software and how it accesses the protected system.

Palo Alto firewall features

The key feature of the NGFW is that it doesn’t just examine incoming packets searching for specific character patterns. Instead, it uses a range of techniques to identify traffic as suspicious, and the Machine Learning techniques created by Palo Alto form the distinctive feature of these products.

The Palo Alto system operates at the Application Layer because it examines traffic across packets. Thus, it doesn’t limit its detection processes to just the headers of each packet.

Features of the firewall include:

  • SSL offloading
  • DDoS protection
  • Microsegmentation of network protection
  • Data loss prevention
  • Anomaly-based threat detection
  • Blacklisting and whitelisting

Each of these features adds extra layers of security that traditional firewalls cannot provide. However, not all features are available in all deployment options.

SSL Offloading

Deep packet inspection involves reading the contents of packets as they pass through the firewall. However, traffic intended for remote destinations and incoming internet traffic is almost always encrypted. This state makes DPI impossible. To circumvent the problem of encrypted data, the Palo Alto firewall assumes the responsibility for SSL management.

The firewall acts as the destination for all internet-bound traffic, engaging in key exchange with the endpoint within the network and acting as the connection’s originator in communications with the remote server. As traffic goes out, the firewall decrypts packets, implements its security checks, and then encrypts them with the key agreed upon with the remote server. Likewise, responses are decrypted, checked, and then encrypted with the key decided upon with the local endpoint for delivery.

As well as making content available for inspection, this strategy centralizes the responsibility for connection security and reduces the risk of a local machine’s SSL certificate becoming compromised. On cloud-based implementations of this service, the endpoint to the firewall leg of the journey is protected by a VPN.

DDoS protection

The fact that the firewall receives all traffic before it arrives at any company device, including the hosts of email and Web servers, means that the firewall has the opportunity to absorb excessive connection attempts that form DDoS attacks. With self-hosted implementations of the NGFW, the capacity of the host is down to the individual business. So, DDoS protection is not automatically included. In the FWaaS version of the NGFW, however, traffic volume absorption is part of the service.

Microsegmentation of network protection

Microsegmentation is a difficult concept to visualize. However, network segmentation allows subnet addressing. It also enables firebreak controls to be put in place, creating different levels of traffic protection for different segments – the classic example of this strategy is the demilitarized zone (DMZ). Palo Alto takes this concept one stage further and implements its NGFW protection per device or application.

Security policies can also be applied per resource, such as files, and controlled through user access rights management within the firewall console. This is particularly important in the case of sensitive data management. In addition, the Palo Alto NGFW can extend extra measures to protect data stores that hold data that is subject to usage controls by legislation or industry standards.

The parlance of the Palo Alto system refers to network segments as “trust zones”. Enforcing these involves setting security policies that enable different user groups to access additional data stores for other purposes. This is, essentially, file integrity monitoring and sensitive data management implemented by the firewall.

The Palo Alto NGFW effectively implements SD-WAN procedures on the local network, requiring all traffic to bounce through the firewall rather than just those communications intended for connections with the outside world.

Data loss prevention

While guarding the gateway to the internet, the NGFW can check on outgoing traffic and incoming packets. With this position, the system can enforce security policies about the movement of sensitive data. Moreover, the controls over data movements are limited to file transfers because the system can also examine email contents and attachments. However, activities onto attached storage devices from endpoints aren’t tracked by the NGFW service.

Anomaly-based threat detection

The threat detection system in the Palo Alto NGFW is its secret weapon. This is the part of the system that relies on machine learning. The ML feature of the tool is part of an AV function that can be applied to application activity or user monitoring. It applies scrutiny to the requested entity by checking the files involved in the action, looking for known malicious files taken from a hit list circulated by Palo Alto. It will also look for files that have specific characteristics, which enables the system to identify new attacks that security analysts have not yet identified.

Not every unknown file will turn out to be malicious, so the system focuses on the movements of these files. Machine learning is also applied to URL filtering rules, which search for specific texts and strategies in email or attachments. Such a hacker strategy could be linked within the email, leading to infected or fake Web pages.

Blacklisting and whitelisting

The discoveries of the anomaly detection process result in blocking actions when an intrusion or a phishing attempt is discovered. The firewall bans all communication with that destination by placing an IP address or URL in the blacklist. IP addresses on the network can also be added to the blacklist in response to the suspicion of an infected endpoint. In addition, it is possible to upload or feed in a blacklist derived from external sources.

The whitelisting system creates exceptions to general rules that block access to acceptable sites or IP addresses.

Palo Alto NGFW deployment options

Palo Alto offers its NGFW in six formats:

  • PA series A range of network appliances
  • VM series A virtual network that secures a software-defines network operated with VMWare NSX
  • CN series A container-based firewall system
  • Panorama A network security package that includes performance monitoring
  • CDSS Cloud-delivered security services, which are edge services based around a Firewall-as-a-Service (FWaaS)
  • PAN-OS A Palo Alto proprietary virtual appliance framework

Palo Alto firewall prices

The price you pay for the Palo Alto NGFW and the charging structure depends entirely on which deployment option you choose. Unfortunately, Palo Alto Networks doesn’t publish its price list. However, you can start a dialog with the sales team by requesting a firewall demo.

Palo Alto firewall strengths and weaknesses

Palo Alto Networks offers many options for its firewall services. For example, you can combine the firewall with other services that work well within the same architecture. You can even extend the firewall to provide network performance and security monitoring, adding endpoint protection and sensitive data access tracking. After examining the Palo Alto NGFW, we have identified several positive and negative points to consider.


  • Comprehensive services that combine well together
  • Flexible deployment options
  • A dashboard that can be customized and gives detailed reports on user activity
  • Options to manage access rights from within the firewall console
  • Zero-day attack identification


  • All of the options can be confusing
  • Palo Alto is trying to present a complete network management and system administration system
  • Identifying an option for just a firewall is difficult

Alternatives to the Palo Alto firewall

Working out the exact boundaries of the firewall system from Palo Alto Networks is almost impossible. It becomes clear that they want to capture your business for all of the products they sell. If you just want a firewall, you will struggle to fend off their sales pitches for other products.

Other firewalls compete very well in the FWaaS market and have on-site options for next-generation firewalls.

Here is our list of the best alternatives to the Palo Alto Firewall service:

  1. Perimeter 81 Firewall as a Service This FWaaS is similar to the concept offered by Palo Alto. It can be bundled in with several other edge services that complement each other. With this cloud-based system, you can centralize the gateway for distributed sites and even protect the devices of home-based staff. In addition, the division between the subscriptions for the Perimeter 81 modules is much clearer in the company’s presentation, so you can be sure exactly how much kit you are signing up for.
  2. Fortinet FortiGate This is a range of network appliances that competes well with the PA series offered by Palo Alto. The central component of the appliance is a next-generation firewall, but it can be loaded up with additional features from the Fortinet stable. If you don’t want to commit to a piece of hardware, you can install the firewall software as a virtual appliance.
  3. Zscaler Cloud Firewall This is a cloud solution ideal for businesses that use a lot of home-based staff. It can unify a distributed team by channeling all of your traffic to its FWaaS platform and then routing packets on to workers, wherever they may be. So, as well as offering security, this system creates a virtual network.
  4. Forcepoint NGFW This network appliance provides failover services for the entire workforce and protection for the network. The package for this device includes an SD-WAN creation and management service, so even though it is a physical appliance that you house on your site, it acts as a cloud system. Features include ML-based malware detection and SSL offloading.
  5. Cato Networks SASE This cloud-based system integrates both network virtualization and security. Create an SD-WAN to combine your sites and centralize security and performance management. Complimentary services include managed threat detection and response and an intrusion prevention system. Include home0-based workers and even roaming reps on mobile devices into your virtual network with this security protection.