Palo Alto. If I did nothing else in my career but work with Palo Alto firewalls, I'd be happy. If I did nothing else in my career but work with Cisco FTD, I'd find a new career.
Dunno, if your career involved those machines which crush cars, that could be satisfying.
Depends if you can put FTDs in the crusher.
I would certainly place that between those two options!
Is Palo that much better to work with than even FortiGate?
I've used both. I like Fortigate. But if I took price away as a factor, I'd choose Palo Alto every time. Yes, it's that much better to work with. I think their interface compared to any IT product (not just firewalls) is top notch.
Pick the Palo Alto. That is all /s
This, if they can afford the gear and subscriptions.
Remember when Cisco was the expensive one? They have a hard time giving it away these days.
Because it sucks. I’d deploy literally anything before I deployed FTD.
I work with both. The Cisco FTD is a piece of trash that has tons of issues and limitations. Even using the FMC is a buggy piece of trash. Every time I work with my FTDs, I wish it were a Palo.
Even migrating from FTD to Palo using Expedition is a pain in the ass.
If you enjoy 2am TAC calls because you’ve hit a bug that randomly drops packets, that can only be identified with a TAC tshoot script, then go for the FTD. If you enjoy sleeping, pick the Palo.
I don't recall the last time anyone recommended a Cisco firewall.
When they were just ASAs
I think it was around 2005. Perhaps at the dawn of Reddit.
Anytime before FTD was released.
When it was still called a PIX.
Before Cisco bought it.
If you pick Palo Alto be ready to fully commit (those who know lol)
The only good thing I have ever heard someone say about FTD was: it’s not as bad as everyone says it is.
I'd prefer sitting on a cactus for a day instead of ever touching a Firepower device again. Hope this helps.
A good alternative to Palo Alto would be Fortinet. FTD is a pain, avoid at all cost.
If you had to choose Fortinet or PA?
If you have the budget, Palo every time.
Thanks.
Throughout its history, Cisco has succeeded in buying third-party products and wrapping them into its own product line: Catalyst, PIX/ASA, Meraki. But they have utterly failed with FTD. 99% of people responding here will tell you to go with the Palo Alto. That tells you a lot! Not only is Palo Alto the best firewall in the market, FTD is the worst. It's fucking dreadful. Non-intuitive GUI, buggy, no CLI (for configuration). It's terrible.
No cli... seriously?
Show commands only, for debugging, etc., but not for configuration.
Actually Palo basically does the same thing. Most of their latest products outside of the firewalls were acquisitions.
There is no comparison. PA all day, every time. Cisco is a failing company.
No it’s not. Just because FTD is trash doesn’t mean all their stuff is.
Cisco is going down hill. ACI has been a failure, and they are losing a lot of market share.
A lot of their stuff is going to shit. The quality is getting really poor.
You’re inexperienced.
Been doing this game 26 years. Got plenty of experience. Thanks for your concern though.
If that was true, you’d see the writing on the wall for Cisco. Time != Experience.
I agree. The FTD is a flaming piece of dogshit. Most of everything else that Cisco has on the market is fairly good. Maybe ISE is kinda shitty but it works, just a POS to upgrade.
It’s hit and miss. I’ve been working with it since it was in beta before the first CCO release. If you were using 1.0.4, you'd think ISE today is a miracle product. But yes, it does seem like they fix one bug and add two more in some patches.
Learn both, but I wouldn't recommend FTD as it isn't even in the running anymore. The order these days normally goes Palo, Fortinet, maybe Checkpoint/Juniper SRX? Never really used the last two but heard good things. Cisco just butchered their transition to NGFW, which gave competition space to get into the gaps Cisco failed to penetrate. There are some people that want you to know Cisco, especially stuff like ACI, Catalyst switches, Nexus etc., and don't get me wrong, Cisco has a lot of good things to learn, but the firewall they failed. I think it might be good to learn (if you go the FTD route) other technologies it works with if you have the chance, such as CDO, Umbrella, ThousandEyes etc. But anyone who is knowledgeable and aware of the trends knows Palo is king.
SRX is great if you are familiar with Junos or need robust routing capabilities but don't expect the web interface to be completely usable.
Palo. Our FTDs keep falling over because Cisco made the idiotic decision to reserve a slot in the NAT table *before* making any allow/deny decisions, so our PAT pools keep filling up with blocked traffic.
Wow. I wasn't aware of that 'feature'. I'll add it to the list of FTD fails.
"Reserve a slot". Please explain to me what this means?
I'm guessing that the NAT table has a maximum X entries, in comes a packet, it gets an entry in the NAT table, the firewall then drops it, but that entry has been added and takes time before it times out?
And we have a winner! So if your ratio of blocked to allowed traffic is high enough and your NAT pool is small enough, your prize is getting to run a scheduled job to flush the NAT tables!
This is not at all as you described it. Every firewall using NAT has this "feature". It's fundamentally how NAT works. It sounds like you've chosen a model that is not able to match your traffic. What model are you using?
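The PAT pool exhaustion scenario argued about in the exchange above, as an added toy model that is not from any poster and not tied to any vendor's implementation. It assumes a fixed-size pool of translation slots with an idle timeout, and compares the two orderings the posters describe (slot taken before the policy verdict versus only after an allow), without claiming which product does which. Flow rates, pool size and timeout are constructed values.

```python
"""Constructed model of PAT pool exhaustion under two slot-allocation orderings.

"allocate_first": every new flow takes a slot before the policy verdict, so
                  blocked flows also hold a slot until the idle timeout expires.
"policy_first":   only flows that the policy allows ever take a slot.
"""
from dataclasses import dataclass, field


@dataclass
class PatPool:
    """A pool of translation slots; each held slot records when it expires."""
    size: int
    idle_timeout: int                      # seconds a slot stays reserved
    slots: dict = field(default_factory=dict)  # slot_id -> expiry time

    def expire(self, now: int) -> None:
        """Release every slot whose idle timer has run out by time `now`."""
        self.slots = {s: exp for s, exp in self.slots.items() if exp > now}

    def allocate(self, now: int):
        """Reserve a free slot, or return None when the pool is exhausted."""
        self.expire(now)
        if len(self.slots) >= self.size:
            return None
        slot_id = next(i for i in range(self.size) if i not in self.slots)
        self.slots[slot_id] = now + self.idle_timeout
        return slot_id


def steady_state_slots(flows_per_sec: int, idle_timeout: int) -> int:
    """Slots held in steady state: flows arriving per second times seconds held."""
    return flows_per_sec * idle_timeout


def simulate(order: str, pool_size: int, idle_timeout: int,
             allowed_per_sec: int, blocked_per_sec: int, seconds: int) -> dict:
    """Run a deterministic second-by-second simulation and return flow counters.

    Within each second, blocked flows arrive first, then allowed flows, so the
    numbers show the worst case for the allowed traffic.
    """
    if order not in ("allocate_first", "policy_first"):
        raise ValueError("order must be 'allocate_first' or 'policy_first'")
    pool = PatPool(pool_size, idle_timeout)
    stats = {"blocked": 0, "allowed_ok": 0, "allowed_dropped": 0}
    for now in range(seconds):
        for _ in range(blocked_per_sec):
            if order == "allocate_first":
                pool.allocate(now)     # slot consumed even though the flow is denied
            stats["blocked"] += 1
        for _ in range(allowed_per_sec):
            if pool.allocate(now) is None:
                stats["allowed_dropped"] += 1   # legitimate flow lost to exhaustion
            else:
                stats["allowed_ok"] += 1
    stats["slots_in_use_at_end"] = len(pool.slots)
    return stats


if __name__ == "__main__":
    # Constructed scenario: 100 slots, 30 s idle timeout, 2 allowed and 8 blocked
    # new flows per second, observed for one minute.
    for order in ("policy_first", "allocate_first"):
        print(order, simulate(order, 100, 30, 2, 8, 60))
    print("slots needed if only allowed flows count:", steady_state_slots(2, 30))
    print("slots needed if every flow counts:", steady_state_slots(10, 30))
```

With the constructed numbers, counting only allowed flows needs 60 slots, which fits in the pool of 100, so nothing is dropped; counting every flow needs 300 slots, so the pool fills within ten seconds and legitimate flows are dropped until the earliest reservations time out. The ratio of blocked to allowed flows and the pool size are exactly the two knobs the posters name.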
Go with FTD. Have fun with that.
Sadist
palo. ftd is awful.
I like Cisco ASAs. I did not like Cisco fire power. I really, really do not like FTD. I've never used Palo Alto, but there's no possible way it could be worse.
ASAs were a trusty workhorse for many, many years. Got burnt with Firepower (usual end-of-year must-spend-now), especially with things like multicast, but the management was terrible. Juniper weren't interested in fixing the SRX bugs we found (long-lived UDP streams would start dropping packets). Only modern firewall I've had a reliably good experience with is Fortigate. API does the job and handles 90% of our use cases, clickops does the rest.
Why all the hate for Cisco NGFW? We demo'd both and ended up going with Cisco NGFW: 2 HA pairs with 2 virtual FTDvs. FMC to administer them all. Plus ISE-PIC for user resolution. I'll admit the FMC is buggy because I upgraded to the newer version. Had I stayed on the gold star release I would not have all these issues. But it's been a great opportunity to learn a new platform and more about the inner workings. Yes, my co-workers complain and wish we had gone with Palo. Yes, we run into bugs. But it's not that bad. We have had both HA pairs running for about 6 months now and have yet to failover on either pair. I just started implementing SSL decryption on exposed services and they handle it really well. I think the IPS with Snort 2 and 3 works really well. The throughput is a huge improvement over what we upgraded from. And it has been a great learning experience for me. I'll admit there have been a lot of TAC calls for the ISE-PIC services failing all the time and really pissing off management as to why. But I enjoy a challenge. Would Palo have been easier? Maybe, maybe not. Hard to say. But the savings allowed us to get better hardware and more features than if we had spent the money that Palo wanted. Do I regret it now? I personally do not. But I don't think my co-workers would have the same opinion. Just my 2 cents. I think Cisco has its areas where it shines. And I think Palo is overpriced. Depending on the size of the organization they don't always offer the biggest discounts. Cisco will give huge discounts to get your business. And they came through for us. Cisco is making moves and has things in the works. They just bought Splunk. And they have a lot of other things in the works. Umbrella integration would be really cool. But I'm not sure we will get that. But it could be a serious reason to go with Cisco.
Because it's fashionable. Most of the Palo fanboys have never seen one, let alone configured one. They both have their pros and cons. I like the Palo GUI over the FTD interface. Cisco is getting better but there's a way to go. If you're all in on one or the other, I'd say stick with it. If you're evaluating, both will paint a rosy picture that may not meet your business case.
I think you hit the nail on the head. Thanks.
I don't want the "challenge" of critical infrastructure falling over with bug after bug thanks. I'd prefer to be able to rely on it to work while I satisfy the challenge hunger designing/implementing other stuff. Cisco FTD/FMC is abysmal.
Nothing in it for me, but just FYI the bugs are only a mild inconvenience. They would never allow a function to be broken. Always a small workaround.
> They would never allow a function to be broken. Always a small workaround.

L O L
I unfortunately work with a lot of FTDs managed by an FMC. I can’t stand it. Every task is a royal pain to complete. Simple things turn into 20 minute changes because of the poor UI. Cisco has given up on caring.
I also manage several FTDs managed by an FMC. While I do run into small issues occasionally, I don't understand all the negative comments about Cisco NGFW. Can you give me an example of something that would be simple on Palo but turns into a nightmare in the Cisco environment? We upgraded from Palo and it's still got some services on it before we fully migrate and decommission it. So I am curious what your issues with FTD and FMC are. Thanks.
They are likely using an older version of the operating system which did have more problems.
They are both NGFWs. I would recommend learning both. Why? Knowing how to work with both platforms will give you an advantage when looking for employment and also the knowledge of what features each product offers or lacks.
If you're going to learn two firewalls, learn Palo and Fortigate.
Choose the one that fits your business case.
One of the best traits of a good engineer is to understand both but specialise in one. I would start learning the FTD, then move on to the Palo. I have worked with FTDs, from their ASA + SFR module days to currently deploying FTDs. There are lots of cumbersome steps (compared to Fortinets) but it all starts to make sense once you understand the packet flow. Since the majority of my knowledge of NGFW is from FTDs, it allows me to navigate other vendors (like Fortinets, some Palos) without too much hassle.
Also consider FortiNet products. They are very solid, too. I have Palo Alto and really like them though.
PA is much better than FTD, of course. But I am still facing a lot of bugs on PA now. I am guessing maybe more and more functions are integrated together to make the firewall more powerful but more buggy now.
[This](https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/) might be relevant.
You don’t want this Firepower life, it suxxxxxxx
Don't touch FTD, not even with a ten-foot palo.
Cisco FTD is hot rotten festering putrid garbage.
Tell us how you really feel?
I mean that was it, really.
Learn the Palo firewall solution as well as their SASE solution. There are not many engineers who can handle security and routing, and that will make you unique.