Palo Alto Networks Cisco (FW + IPS)

Primary traffic classification

mechanism
App-ID enables comprehensive visibility and
fine-grained control
Applications adhere to neither port nor
protocol associations. Classification by port
is ineffective, offers no visibility and poor
control.
Primary security policy element The actual identity of the application is
used in policy: e.g., allow Gmail, block
BitTorrent and UltraSurf
Allow port 80, block port 5605. Effectively,
this policy blocks nothing because ports
can no longer enable appropriate levels of
control.
Application identity visibility The application identity what it does, how it
works, and who is using it is the primary
policy element
Log viewing is an after the fact exercise
providing data too late. The data is
incomplete, because it only reflects the
applications expressly searched for.
Application control model Employees are given more application freedom,
with IT ensuring safe enablement to improve
the company bottom line while protecting the
network
Coarse-grained model forces IT admins to
say No too often.
Enterprise directory services integration Able to enable applications is based on
users and groups in addition to, or
regardless of, IP address
Using IP addresses in lieu of users and
groups makes positive control of
applications nearly impossible.
Visibility and control of SSL traffic (inbound
and outbound)
Incorporates policy-based decryption and
inspection of SSL traffic (both inbound and
outbound), ensuring total visibility
Typically, all SSL traffic is uncontrolled, un-
scanned, and invisible to traditional security
infrastructure and IT administrators.
Product Comparison
Cisco Firewall v Palo Alto Networks Next-Generation Firewall

Firewall Market Background
Next-generation firewalls combine the capabilities of traditional firewalls with QoS functionality and features including intrusion
prevention, SSL and SSH inspection, as well as application awareness.

The superior features of the Next-generation firewall make it suitable for securing enterprise corporate networks.

Palo Alto Networks is widely recognised as the worldwide leader for Next-generation firewalls by industry analysts such as Gartner,
IDC and Frost & Sullivan.

Why buy Cisco
o Entrenchment in network infrastructure makes it easy for
Cisco trained staff to support Cisco security solutions
o Seen as a safe bet due to the strength of the Cisco brand


Why buy Palo Alto Networks
o Cisco ASA solutions lack much of the functionality required
to protect against modern threats
o Gartner rates Palo Alto as having superior completeness of
vision and ability to execute compared to Cisco in its 2014
Magic Quadrant for Enterprise Network Firewalls
o Would you use a security vendor to provide your network
infrastructure? Why use a networking vendor for your
security?