Palo Alto PA-200 mini review

October 25, 2014 at 5:47 pm

I was very happy to get a lab-licensed PA-200 in the mail early this week.  If you don’t know, it’s the lowest-end firewall model from Palo Alto Networks.  According to the Gartner report, Palo Alto and CheckPoint are locked in an epic battle for #1 in the enterprise firewall space.  I’ve got a good bit of experience with CheckPoint, so I was eager to see what this competitor brought to the party.

The Palo Alto is not without a learning curve.  Coming from a CheckPoint background, I had plenty of experience with firewalls, but the way things are done is just different in the Palo Alto world.  First, Zones are a concept that Palo Alto embraces.  Zones let you group interfaces together; traffic between interfaces in the same zone is routed without any firewall in the path.

We manage the large CheckPoint firewalls using SmartDashboard.  To manage a PA firewall?  It’s all in the WebGUI.  Everything from configuration to log viewing is right there.  This is nice: I once connected via my iPhone and was able to make a firewall change, though I don’t recommend doing that often!  You absolutely can’t do that on the large CheckPoint firewalls.  Don’t get me wrong, there are tradeoffs with a Web interface, but I really do like the fact that there is no need to load a client to manage it.

One thing that is a little difficult to get used to with the PA series is that they are all the same!  I’m used to CheckPoint’s small-business and enterprise models having completely different feature sets, and then you have to worry about which blades to get.  With Palo Alto, the highest-end firewall has the same user interface as the low end.  So, if you get the smallest firewall for your lab, you’ll be able to see how the high-end units will operate (the higher-end units are much faster at committing config changes, of course).  Palo Alto does have a few subscription features, but it includes quite a bit of functionality in the base price.

So far, I’ve enabled decryption for a few devices on my lab network.  This involved creating certificates and distributing them to the devices whose traffic will be decrypted.  For most sites, this seems to work very well, but I have run across a few that it balks on.  I think the issue may be that the root cert those sites use isn’t trusted by the Palo Alto, but I haven’t dug too deeply into it yet.  For the most part, the PA-200 effectively does a man-in-the-middle on your SSL traffic.  Having this enabled didn’t seem to actually slow things down much, if at all.  I don’t know if any malware is using SSL today (my guess is that it is), so being able to see inside the traffic and spot the bad actors is a good thing.  I’m also running with Vulnerability Protection, Anti-Spyware, URL Filtering, and WildFire enabled.  I did have AntiVirus scanning enabled, but saw a noticeable decrease in performance with it turned on, so I disabled it.  On their higher-end firewalls, you can probably safely run AV without a significant drop in performance, but that did not appear to be the case for the PA-200.

Update 3/2/2016:  I turned A/V back on much later, and did not see the big slowdown.  I’ve been running with A/V enabled for probably a year now.

I have a number of devices, including a NAS, attached to the trusted network segment.  Many of these devices use static DHCP reservations.  Setting them up was easy, but one thing that struck me was that you can only enter a MAC address and an IP address in the configuration.  There was no way to mark which IP address belongs to which device.  If I had my way, this would be built into an Address object, so there would be a name associated with the DHCP reservation.  Ideally, you’d simply add an object with the MAC address, and it would add the static reservation for you.  Even better would be if they could figure out some way to tie it into their DNS proxy, so these objects automatically appear in DNS.  These are features that are mainly useful for a small office environment, probably not the market PA is gunning for, but they would make nice additions.

I do like the flexibility of the DNS Proxy.  You configure it to forward everything to a pair of DNS servers.  There are options to add your own static FQDN entries for individual names, plus the ability to have entire zones forwarded to specific DNS servers.  You can also have multiple DNS proxies, listening on different interfaces, if you desire.

I have the PA-200 attached to a cable modem, pulling a DHCP address, something that complicates things if you wish to use GlobalProtect to run an SSL VPN.  Late last night, I spent about 2 hours putting together documentation from several sources to come up with a configuration that works for SSL-VPN on a DHCP address.  So far I’ve only tested it with the iPhone’s built-in VPN client (IPsec), but it worked great.  I plan to test it with Windows and Mac clients in the next few days.

I found it refreshing that the PA SSL VPN solution is not based on Java.  This means they have to maintain three individual clients (32-bit Windows, 64-bit Windows, and a combined 32/64-bit Mac OS X client).  The CheckPoint SSL VPN product is based on Java.  When I first installed it on my Mac, it worked well, but it has been giving me problems as Java or OS X has been upgraded.  CheckPoint doesn’t seem to put much energy into keeping that client up to date, but PA seems to.

There is a QoS feature built in.  I added a single QoS rule, placing traffic from a VoIP device into Queue 1, which is the “Real Time” priority queue.  I talked on it for almost an hour as a test, and it worked beautifully the entire time.  The caller on the other end reported that it sounded like I was right there with her.

Anyhow, that’s about all I have to report at this point.


Entry filed under: Mac, Networking.

7 Comments

  • 1. Mondo Egis  |  June 30, 2015 at 10:56 am

    Hello, can you tell me the steps to obtain the hardware for Palo Alto lab gear ?

    • 2. ptaylor  |  June 30, 2015 at 5:24 pm

      Our Palo Alto sales rep offered a 2 or 3 day cloud-based class, and if I completed it, they would send me a PA-200, so I did. I know they are very willing to send out 30 day demo boxes too.

  • 3. Bill  |  March 24, 2016 at 6:42 pm

    Thanks for the review. I too am a Checkpoint guy, but our company seems to be integrating more PA devices in our enterprise. I maintain a home lab environment as well and was just about to pull the trigger on a Checkpoint 2200, but you’ve got me more interested in trying out the PA-200. I’m hoping the licensing model isn’t as difficult to get your hands around as Checkpoint. Thanks again!

    • 4. ptaylor  |  March 24, 2016 at 7:43 pm

      For production units, you can get a Threat subscription (A/V, IPS), URL filtering subscription, GlobalProtect subscription (sort of advanced VPN support), and WildFire (their cloud sandboxing service). You can do SSL VPN without getting the GlobalProtect sub, but mobile devices can’t VPN in without the subscription, and I don’t think Windows/Macs can do deep host checking (verify A/V is present, etc. upon making a VPN connection). If you are buying it yourself (or even if your company is paying) look for a lab-licensed PA-200. The lab-licensed units are about half the list price and come with all the subscriptions for a year. After that, renewing the lab unit subscription is relatively inexpensive.

      • 5. Bill  |  March 30, 2016 at 7:20 pm

        Thanks for the suggestions! I was able to work with our company’s reseller to get the “lab licensed” version as you suggested! Went with the PA-500 2GB model. The only thing I noticed with the PA units is that performance (compared to a Checkpoint 2200 for instance) is pretty low. Since I will be using it here at home and plan on working with threat prevention and such, I didn’t want to have throughput issues with my internet connection (100 Mbps). Looked like the PA-200 was limited to 50 Mbps. The PA-500 shows 100 Mb throughput, so I’m assuming that would be good. Heck, I can’t afford a beefier model than that! O_o I’m looking forward to getting it set up and going though. Thanks again for your post!

  • 6. Trev Codner M0TCA (@trevcodner)  |  April 21, 2016 at 7:17 am

    Hello Guys, what is a ballpark cost for the PA-200 Lab license model? I have sent emails to a few suppliers, all to no avail so far.

    • 7. ptaylor  |  April 21, 2016 at 4:35 pm

      I think it’s in the neighborhood of $1K. Check with CDW, I am pretty sure they sell them.

