Palo Alto Networks is an enterprise cybersecurity platform that offers network security, endpoint protection, cloud security, and various security services delivered from the cloud. Palo Alto uses a one-way architecture, which lets it inspect and protect traffic at high rates. While most firewalls suffer performance degradation as more security capabilities are enabled and traffic is blocked, users of the Palo Alto Next-Generation Firewall do not need to trade speed for security. Many organizations choose Palo Alto, creating many job opportunities in this area, and Palo Alto training can advance your career. In this post, let us go through the pros and cons of Palo Alto Networks' SASE platform.
When buying a SASE (Secure Access Service Edge) platform, feature comparison is the simplest part. The greatest challenge in choosing a SASE platform is understanding how those capabilities are packaged. A well-designed comparison chart, a little vendor honesty, or some buyer frustration will give you a snapshot of the capabilities of the different SASE vendors. Simply having the capabilities does not make a company's technology an offering; what matters is how far those capabilities are integrated and implemented. This is the problem with Palo Alto Networks. There is no question that Palo Alto provides companies with a complete security package, and there is no doubt that purchasers can get a robust software-defined WAN offering from Palo Alto too. The issue for anyone looking at Palo Alto is the integration and packaging of its numerous features.
SD-WAN did not become a serious offering for Palo Alto until 2020, when CloudGenix was acquired. Since then, the company has purchased The Crypsis Group for incident response and Expanse for attack surface management technology, all to become a SASE provider. The product range introduces complexity, which runs counter to the SASE principle of operational simplicity. In addition, the absence of a private network means that the business has to depend on the public Internet for site-to-site connectivity. That may not be a problem for small or even regional businesses, but it should be a wake-up call for any global business.
Before diving into Palo Alto's SASE platform, let's take a look at what SASE is. Gartner introduced SASE in 2019, primarily in response to the complexity and cost of existing business networks. SASE is an architecture that converges network services and security point capabilities into a global, unified, cloud-native service that connects and secures every corner of the enterprise: remote users, sites, public cloud applications, IoT devices and cloud data centres. It is this junction of security, networking, backbone and cloud that makes SASE unique.
Prisma Access SASE from Palo Alto uses CloudGenix software-defined WAN appliances, and their virtual equivalents, to connect sites to cloud data centres. Palo Alto's next-generation firewalls protect data centres, while Palo Alto's firewall as a service protects branches. VPN options cover SSL/IPsec, IPsec and clientless VPN to connect networks and users. Prisma Access zero-trust network access allows remote users to reach only the data centres or applications they require.
Along with Firewall as a Service, Palo Alto's security layer includes:
a cloud secure web gateway for blocking malicious websites;
DNS security for protection from threats within DNS traffic;
threat prevention, which blocks exploits, malware and command-and-control traffic;
a Cloud Access Security Broker (CASB), which adds data governance and classification;
data loss prevention, which categorizes sensitive data and enforces access control policies.
Prisma Access requires a Cortex Data Lake subscription to store the network logs produced and consumed by the security products. Prisma Access supports two management options. The first, Palo Alto's Panorama Network Security Management, offers central administration across Prisma Access and Palo Alto NGFWs. The second avoids Panorama and uses a less feature-rich application within Prisma Access.
From a functional perspective, Palo Alto Networks ticks several of the right boxes with Prisma Access. The security package is extensive, and its SD-WAN is complete. The biggest problem with Palo Alto is that it is not a true cloud service. Rather than a single, cloud-native, multi-tenant processing engine, Palo Alto handles packets and security in distinct appliances: cloud-based virtual firewall instances handle security enforcement, while SD-WAN devices handle traffic routing and processing. With separate equipment for inspecting and processing traffic, Palo Alto's SASE is only a little different from what we have been doing all along, deploying and integrating different devices. It also means that latency increases, because packets must pass through each function in series.
To obtain SD-WAN connectivity, clients need CloudGenix Instant-On Network devices deployed on premises and in the cloud. These devices have a basic built-in firewall, but if that is not enough, customers must also deploy a Palo Alto NGFW at these locations. That means two types of firewall with separate management options: Panorama and Prisma SD-WAN. If the client needs high availability, the devices must be duplicated at each location. Complexity increases with every client requirement. This configuration is neither flexible nor sustainable, because it cannot adapt and grow with the customer's requirements.
Palo Alto lacks a private backbone; instead, it builds its points of presence on third-party cloud platforms, namely AWS and Google Cloud Platform. This directly conflicts with Gartner's recommendation that SASE vendors should not build their offering on someone else's cloud. Not owning the underlying cloud infrastructure limits the vendor's control over routing and over expansion to meet the geographic needs of its users. It also means that clients should not expect to replace a predictable global MPLS network with Palo Alto.
According to Palo Alto's marketing documents, the supplier has over 100 PoPs in over 75 countries, but this is misleading. For Palo Alto, a PoP is a place where clients connect their edge devices to the SASE supplier; the processing of that traffic takes place in a separate cloud computing location. Business traffic has to be routed to that location first, adding latency and impacting performance. At present, GCP has only 24 compute locations, referred to as regions, worldwide.
Palo Alto says it provides optimization for SaaS applications, but this only covers the few applications for which peering is available in GCP. For the many other cloud-based applications, latency is once again added, making the user experience poor.
Prisma Access SASE from Palo Alto sounds good on paper. It comes from a firm with a strong security pedigree and feature-rich components. But it is precisely because these products were developed as stand-alone services that purchasers should carefully consider whether Palo Alto's SASE is suitable for them.
In this post, we have gone through the pros and cons of Palo Alto Networks' SASE platform. I hope you found this information helpful.