Palo Alto Panorama review and alternatives

Palo Alto Panorama lets you impose a standard setup on a fleet of firewalls at your business. The service can access a range of firewalls, but it is particularly suited to controlling the firewall services provided by Palo Alto Networks itself.

The key function of the Palo Alto Panorama package is its system of security policies. These set the rules that your firewalls operate by, and Panorama will propagate these settings to all of the firewalls you have included in its firewall management program.

About Palo Alto Networks

The founder of Palo Alto Networks is called Nir Zuk. Israeli Zuk began his interest in cyber security at the age of 16 when he worked out how to write viruses. The young hacker eventually decided to make a career out of blocking the viruses written by others and gave up his hacker activity.

With inside knowledge of how viruses work and how the people that write them think, Nir Zuk built a successful career at Check Point, where he designed the world’s first stateful firewall. The basis of this type of cyber security system is that it doesn’t just examine each packet as it passes through the firewall but records characteristics across packets, making this an Application Layer system.

Zuk moved on to the position of a principal developer at NetScreen Technologies, emigrating to the USA in 1997. He eventually decided to set up his own cybersecurity business. Palo Alto Networks began operations in 2005. It is still an independent company, and Nir Zuk is still involved with its management as Chief Technology Officer (CTO).

Palo Alto Networks firewalls

Although it was set up in 2005, Palo Alto Networks didn’t release its first product until 2007. This was a next-generation firewall, which Zuk claims were the first of its kind.

The next-generation firewall acts more like an intrusion detection system because it performs threat hunting, informed by a threat intelligence feed and anomaly detection based on machine learning (ML). The ML concept is an AI system. It involves linking data together to identify a sequence of characteristics to identify malware or malicious activity that wouldn’t be apparent under traditional packet-by-packet examination methods.

Palo Alto firewalls also implement deep packet inspection (DPI), which involves examining the contents of passing packets rather than just the headers. As the firewall is usually placed at the gateway between a private network and the internet, the majority of the traffic that it handles will be encrypted. Unfortunately, the encryption of packet content means that the firewall cannot examine it. However, Palo Alto has a way around that problem. The firewall assumes the responsibility for encrypting packets on behalf of all of the devices on the network. Thus, it gets access to the unencrypted packet contents.

A firewall can examine packets as they leave a network and when they enter it. This activity enables the firewall to block the transmission of sensitive data. In this mode, the security system acts as a reverse firewall and implements data loss prevention.

Palo Alto Panorama activities

The function of the reverse firewall checking for the unauthorized transfer of sensitive data is an example of a security policy. Your business has several security policies – data loss prevention could be one of them, and the banning of offensive websites could be another.

Whatever your security policies are, you need to implement them on your network security systems, and that includes your firewalls. You might have many firewalls operating in your business, and implementing your security policies on all of them can be time-consuming. Not only do you need to enter the policy as rules in your firewalls, but you need to monitor the activity on those systems. Ordinarily, that would involve logging into the management console of each firewall.

Palo Alto Panorama is designed for businesses that operate multiple firewall systems. It acts as a unified dashboard for all of those firewall instances, so you only have to set up your security policies in one place. In addition, you only need to use one dashboard to view all of the activities of all of the firewalls used by your enterprise.

The Panorama console offers a lot more than just firewall activity reports. The package can watch all traffic circulating on the network, not just packets moving in and out of the system. So, with this access, the Panorama dashboard can report on network activity. It shows which users are the most active, which endpoints on the network and remote IP addresses are involved in the most activity on the network, and which applications generate the most traffic.

As the Palo Alto Panorama system can identify malware and malicious activity, it can also report on that type of traffic, letting you see which accounts have been hijacked or which endpoints have been infected or occupied. Panorama provides a network-based intrusion detection system (NIDS) with this function.

Panorama firewall compatibility

Panorama is specifically designed to coordinate the activities of Palo Alto firewalls. The company produces many different deployment options for its next-generation firewalls, and Panorama can work with the following:

  • PA-series hardware firewalls
  • VM-series virtual network firewalls
  • CN-series containerized firewalls
  • Prisma Firewall-as-a-Service

The fleet of firewalls managed by Panorama doesn’t have to be all the same type. The package can manage up to 5,000 firewalls, and with the Panorama Interconnect plug-in, the system can be used to manage many other devices. With the Panorama Connect system, your firewall management transforms into an access rights management service, which can control devices used for all of your connected equipment and oversee user account capabilities and account activities.

Deployment options

The Panorama service can run on the same device as one of the firewalls that it is supervising. The deployment options for Panorama are:

  • On a physical device: M-200 or M-600 management appliance alongside the ML-Powered Next-Generation Firewall
  • As a virtual appliance: over VMware ESXi, Microsoft Hyper-V, Linux KVM, and vCloud Air
  • On a cloud platform: Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Azure GovCloud, and Google Cloud Platform

Panorama can operate with several instances on the same coordinated system. With this option, you can dedicate each example to a specific responsibility. For example, the Panorama firewall manager can collect logs and record statuses, generate its log data, and manage the log messages from other systems. So, you can have one or many Panorama instances running as log servers while reserving one example as a security management console.

Palo Alto Panorama price

Palo Alto doesn’t publish its price list, and the price you pay for the Panorama system depends on which deployment option you choose. Another influencing factor on the unit price for a Panorama instance is whether the package is deployed with other Palo Alto services.

You can request a guided tour of the Palo Alto Panorama system and see how it works with other products by Palo Alto Networks.

Palo Alto Panorama strengths and weaknesses

Palo Alto Networks has exceptional experience in creating firewalls, and the company’s innovations have pushed firewall technology forward. One thing to keep in mind is that Palo Alto Panorama is not itself, a firewall; it coordinates the management of firewalls. So, you will still also have to buy the firewalls that the Panorama service will manage.

We have summarized the characteristics of Palo Alto Panorama and categorized them as good and bad.


  • Coordinates up to 5,000 firewalls instances
  • Implements intrusion detection
  • Identifies network traffic activity
  • Blocks data theft
  • Integrated access rights management


  • It doesn’t include the firewall software
  • It can be challenging to conceptualize

Palo Alto Panorama alternatives 

Although Panorama is an exciting service to coordinate your firewalls across your enterprise, it doesn’t include firewall software. Instead, it interfaces with other utilities to implement security. This means that the Panorama system is an added extra, and not all enterprises will afford to pay for procedures that run systems. However, other systems are available that perform the same type of service as Panorama. There are also cloud-based firewalls available that will cover your entire enterprise and all your sites without you having to buy two layers of products.

Whenever you buy any resource, it is always a good idea to examine several options before deciding on the best system for you. So, we have looked at the firewall and firewall management market to identify some opportunities.

Here is our list of the five best alternatives to Palo Alto Panorama.

  1. CrowdStrike Falcon Firewall Management This is an almost exact match for Palo Alto Panorama because it is a coordinator for multiple firewalls rather than an actual firewall. The package is a SaaS system and is resident in the Cloud. It reaches out to your firewalls in any location and unifies their settings from the security policies that you set up within its dashboard. Those firewalls don’t have to be network systems but can be resident on individual endpoints. That makes this a good service for protecting individual machines that might be residents in the homes of telecommuting employees. The Firewall Management service is part of a more comprehensive security systems platform that includes endpoint protection and response and network security. Falcon also offers managed security services, so you don’t need to have your security experts on your payroll.
  2. Zscaler Cloud Firewall This is a single layer of firewall software. However, it is based in the cloud and operates through local agents. SO, in many ways, it models the architecture of the Palo Alto Panorama architecture but with all of the modules bundled together in one subscription. This is a Fire-wall-as-a-Service (FWaaS), and it can protect endpoints and networks no matter where they are located. It can also be used to protect cloud-based assets. This is an exciting option for businesses with most of their staff constantly out in the field as consultants or sales staff or working from home. It is also a good firewall for implementing BYOD because all of the security processing takes place off the device on the Zscaler servers. Think of this as a hub or a proxy that filters all company traffic before forwarding it to individual devices.
  3. SecurityHQ Managed Firewall This managed security service provides all technicians to run your security system for you. Hence, you save on the cost of hiring security analysis and the office space that they would otherwise need. Operating from the Cloud, this firewall will protect all your sites and individual remote workers. While protecting your IT assets and data, this system offers data privacy standards compliance features to help you with PCI DSS, HIPAA, SOX, NERC, and CIP. In addition, SecurityHQ implements its service along with ITIL guidelines.
  4. Cato Networks FWaaS With the Cato Networks service, you get a virtual network that has a firewall and other security systems built into it. This is a firewall as a service, but because of all of the other network services built into the package, it is termed a Secure Access Edge Service (SASE). The service receives all your traffic, scans it for security risks, and then forwards it to each endpoint or local network. A great feature of this service is that it lets you include mobile devices on your protected network. In addition, the firewall consists of SSL offloading, which enables it to perform deep packet inspection of traffic contents before it implements encryption for transmission.
  5. Secucloud Firewall as a Service The machine learning system at the heart of this FWaaS is similar to the threat detection engine used by Palo Alto Networks in its next-generation firewalls. Being based in the Cloud, this service enables you to implement the same security policies on all your sites and include remote workers’ devices in the protection system. In addition, Secucloud operates a shared threat intelligence service and a blacklist, which speeds up the blocking of malicious traffic.