Comparing Cisco vs Palo Alto Networks NGFW Firewalls
We've come to the third and final post related to Palo Alto technologies. In the first two articles, we have discussed the reasons to use Palo Alto solutions and the company's certification opportunities for network engineers. In discussing certifications, we talked about the potential career synergies in becoming accredited in both selected Cisco and Palo Alto networking and cybersecurity domains. In this post, we'll move on to the products themselves and compare the next-generation firewall technologies of these two leading vendors.
In general, next-generation firewalls typically have the capabilities of traditional firewalls, plus features such as intrusion prevention, advanced threat protection, deep packet inspection, and application-layer control. Both Palo Alto and Cisco boast a full range of next-gen firewall appliances with both physical and virtual versions.
Palo Alto & Cisco Next-Gen Firewall Product Suites
Cisco's next-generation firewalls are known by the Firepower brand. Cisco Firepower hardware firewall appliances scale from small business and small branch protection (Firepower 1000) solutions, to support for large branches, campuses, and data centers (Firepower 2100 and Firepower 4100), all the way to firewall solutions for service providers and high-performance data centers (Firepower 9300).
Similarly, Palo Alto offers their own PA Series physical firewalls, which provide protection for a wide range of enterprise and business operations such as branch and retail store networks and medium-sized enterprises (PA-200, PA-400, and PA-800), internet gateways (PA-3200), medium to large service providers and high-performance data centers (PA-5200 and PA-7000).
Both companies also have virtual appliances in their firewall arsenal. Cisco has virtual versions of their traditional ASA firewall, as well as the Firepower next-generation firewall. The Firepower firewall offering for both public and private clouds — formerly known as FTDv and as NGFWv — is now known as Cisco Secure Firewall Threat Defense Virtual. For their part, Palo Alto offers their next-gen firewall in their VM-Series for virtual environments and CN-Series cloud-native applications in containerized Kubernetes environments.
Comparing Palo Alto and Cisco Virtual Next-Gen Firewalls
For this post, we're going to do a head-to-head comparison of Palo Alto VM-Series and Cisco Secure Firewall Threat Defense Virtual, looking at their features, advantages/disadvantages, and reported performance. In both cases, these products are virtual implementations of the vendor's physical firewall solution. Let's start by looking at each virtual firewall in turn.
Cisco Secure Firewall Threat Defense Virtual (FTDv)
Cisco's virtual NGFW incorporates the features of their proven ASA firewall technology, augmented with next-generation intrusion prevention capabilities, including:
Integrated intrusion detection and prevention using the Snort IPS detection engine,
URL filtering to control user access to specific website content and help block malware and phishing attacks from malicious websites,
Application visibility and control (AVC) service management based on deep packet inspection (DPI),
Advanced malware protection to help repel break-in attempts by viruses, worms, trojans, and the like,
Cisco's Security Intelligence Operations (SIO) providing automated updates of threat risk ratings and reputation scores via the world's largest real-time threat monitoring and intelligence, and
Centralized firewall management, via the on-premises Cisco Secure Firewall Management Center, or the cloud-based Cisco Defense Orchestrator.
The Secure Firewall Threat Defense Virtual can protect public, private, and hybrid clouds:
Public: Amazon Web Services (AWS), Google Cloud (GCP), Microsoft Azure, and Oracle Cloud Infrastructure (OCI),
Private: VMware, Microsoft Hyper-V, KVM, and others.
Depending on the hosted environment and the features deployed (firewall, AVC, IPS), Cisco claims that their Firewall Threat Defense Virtual can securely handle a throughput of up to 15.5 Gbps, up to 2 million concurrent sessions, up to 130,000 new connections per second, and up to 10,000 VPN peers.
One of the advantages of the Cisco virtual firewall solution is that it is also fully manageable via premises and cloud-based versions of Cisco's Firewall Management Center (FMC) and Cisco Defense Orchestrator management platforms. FMC is offered in both physical and virtual appliance implementations, while Defense Orchestrator is a cloud-based application.
Palo Alto VM-Series Virtual Firewall
VM-Series is a virtual implementation of Palo Alto's machine learning-based, single-pass architecture, in which traffic is scanned once for threats. Unlike traditional firewalls, VM-Series incorporates vulnerability protection, anti-malware, and anti-spyware into a single threat detection and prevention service. VM-Series features include:
Advanced threat detection and prevention capability that combines URL filtering, DNS security, malware prevention, and IoT security to inspect traffic for threats and block known vulnerabilities, malware, exploits, spyware, and command-and-control (C2) attacks,
WildFire threat intelligence service identification of unknown advanced persistent threats (APTs) in near real-time,
Policy-Based Control using Palo Alto's unique App-ID, User-ID, and Content-ID traffic classification engines, and
Panorama, an easy-to-use, centralized security management platform, provides enterprise-wide monitoring, provisioning, policy management, and reporting over large numbers of deployed physical and virtual firewall appliances.
Traditional firewalls are easy to bypass through port hopping, port 80 incursions, and SSL and SSH attacks. For that reason, Palo Alto developed their unique patented App-ID traffic classification system, which determines the identity of applications entering and crossing the network rather than relying on port numbers. This helps identify and fend off apps that are posing as legitimate traffic.
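To make the port-hopping point concrete, here is an added example (not Palo Alto's App-ID code, and not from the original post) that classifies a few constructed flows two ways: by destination port alone, the way a traditional firewall does, and by the first bytes of the client payload, which is a simplified stand-in for application identification. The flow samples, the tiny signature set, and the policy table are all assumptions made up for the illustration; a real engine decodes full protocols, uses heuristics, and may decrypt TLS before identifying the application.

```python
"""Constructed illustration: port-based vs. application-signature classification.

Added example, not vendor code. All flows below are fabricated; the payload is
the first bytes a client sends on the connection.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes


# Constructed sample flows. Two of them carry a protocol on an unexpected port.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # HTTP where expected
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),            # TLS ClientHello where expected
    Flow(443, b"SSH-2.0-OpenSSH_9.3\r\n"),                                 # SSH hopped onto 443
    Flow(8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),           # HTTP on a non-standard port
]

# Traditional port-to-application table (assumed, minimal).
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}

# Policy keyed on the identified application, not on the port.
POLICY = {"ssl": "allow", "web-browsing": "allow", "ssh": "deny", "unknown": "deny"}


def classify_by_port(flow: Flow) -> str:
    """What a port-based firewall believes the application is."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    """Identify the application from the client's opening bytes (toy signatures)."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        # SSH version exchange always begins with the literal "SSH-".
        return "ssh"
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        # TLS record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello).
        return "ssl"
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in p:
        return "web-browsing"
    return "unknown"


def decide(flow: Flow, classifier) -> str:
    """Apply POLICY to the application name the given classifier returns."""
    return POLICY[classifier(flow)]


def compare(flows=SAMPLE_FLOWS):
    """Return (port, port-app, port-verdict, sig-app, sig-verdict) per flow."""
    return [
        (
            f.dst_port,
            classify_by_port(f), decide(f, classify_by_port),
            classify_by_signature(f), decide(f, classify_by_signature),
        )
        for f in flows
    ]


if __name__ == "__main__":
    for row in compare():
        print("port %5d | by-port: %-13s %-5s | by-signature: %-13s %s" % row)
```

Running the script shows the two failure modes the paragraph describes: the SSH session on port 443 is allowed as "ssl" by the port-based check but denied once the payload is inspected, and the legitimate HTTP on port 8080 is denied by the port-based check but correctly allowed as web-browsing by the signature-based one.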
Another VM-Series point of differentiation is its integrated machine learning technology which Palo Alto claims prevents up to 95% of new threats—stopping malicious scripts and files and protecting IoT devices without the need for additional hardware.
VM-Series can protect public, private, and hybrid clouds:
Public: AWS, Google, Oracle, Azure, and Alibaba Cloud.
Private: VMware, Microsoft Hyper-V, KVM, and Nutanix.
According to Palo Alto, the VM-Series firewall has a threat prevention throughput of up to 14 Gbps and App-ID throughput of 28 Gbps. It can also handle up to 10 million concurrent IPv4 or IPv6 sessions and up to 120,000 connections per second.
The Panorama centralized management system can be deployed as a physical appliance, as a virtual appliance on VMware, KVM, and Microsoft Hyper-V, or in the AWS, Google, or Azure clouds.
While they come to the market from different perspectives — Cisco from networking and Palo Alto from security — both vendors offer a set of virtual next-gen firewall solutions that are generally on a par.
As would be expected, Palo Alto has an edge in pure security technology, as evidenced by their position as a Leader in the Gartner Group's Magic Quadrant for Network Firewalls, whereas Gartner sees Cisco as a Challenger, with a powerful set of capabilities. While customers value Palo Alto's VM-Series for its technical capabilities, it's fair to say that their view of Secure Firewall Threat Defense Virtual is closely linked to Cisco's enterprise networking presence. This extends to both their commercial relationship with Cisco and their loyalty to Cisco's powerful technical support network.
While customers see a clear, unified roadmap for Palo Alto's hardware and virtual firewall solutions, the same is not true for Cisco. The dual availability of ASA and FTD firewall appliances — as well as their inconsistent support by the Firewall Management Center (FMC) and Cisco Defense Orchestrator (CDO) — can be confusing and can complicate customers' management of their Cisco firewalls. A positive step in this area is the recent availability of a tool to assist in the migration of legacy ASA firewalls to the new FTD appliances.
Price comparisons between these two virtual appliance suites. Anecdotally, Palo Alto firewalls have a significantly higher total cost of ownership than other firewall solutions including Cisco Secure Firewall Threat Defense Virtual.
There are pros and cons for enterprises to select either of the Palo Alto or Cisco virtual next-gen firewall solutions. Enterprises make their decisions based on their own particular operational, technological, and financial situation. Your certification path will also depend on your situation and the opportunity you see before you.
The two vendors lead the pack in market share, so whichever path you choose, there's lots of career opportunity in being accredited with either — or both — vendors' cybersecurity offerings. In either case, CBT Nuggets has the online training that you need.
On the Palo Alto front, you can begin with the Cybersecurity Entry-level Technician (PCCET) certification course, before going on to your choice of Network Security Administrator (PCNSA) or Network Security Engineer (PCNSE) training. For the Cisco path, you could start with Cisco's associate- and professional-level CyberOps certifications, before moving to the more advanced CCNP Security. If Cisco is your chosen direction, then check out our CyberOps Associate and CCNP Security online certification training.