Compare Palo Alto with Checkpoint from Checkpoint website based on NSS Labs results:
Palo Alto vs. Checkpoint – Gartner 2013 Quadrant Review | Ensign Communications

Feature | Palo Alto | Check Point
NSS Labs Results – Protects Against HTML Evasions* | 33% | 100%
NSS Labs Results – Overall Protection** | 93% | 98%
File Sharing Applications | 170 | 531
Total Applications | 1,511 | 4,733
Application Social Network Widgets | 0 | 240,000+
URL Filtering | 20 million on box | 100 million cloud based
Data Loss Prevention | 9 file types and regular expression match | 532 file types plus file attributes, document templates, dictionaries, keywords and scripting language match
Anti-Bot | < 1 million protections (signatures/DNS/URLs/IPs) | 250 million addresses analyzed for bot discovery
Reputation based protection | | Unique multi-tier detection engine (reputation, signatures, mail activity and behavior based) with real-time security intelligence through ThreatCloud
* NSS Labs NGFW Test, 2012
** NSS Labs IPS Test, 2012

Palo Alto Networks ignores Standard OSI Model - focused on the application layer


The seven layers of the Open Systems Interconnection model divide networking and security into discrete manageable components. The SANS Institute and other leading security organizations realize that we must comprehend all layers to deliver complete security.
Palo Alto Networks’ focus on the application layer can lead to more security exposures for their customers. Check Point’s balanced approach recognizes the importance of considering both the application and network layers to assess all risks and deliver strong security.

“It is only when we can see our networks as individual components that we can adequately secure these levels.”
SANS Institute

Palo Alto Networks defaults to open ports, leaving organizations exposed to attacks

Palo Alto Networks’ single pass architecture defaults to open all ports, leaving organizations exposed to attacks. Why? Because its App-ID needs to interact with the application so it can be identified and classified. For security, this is a big problem.
Why would you want to provide attackers an advantage as they prepare a targeted attack? Attackers scan ports to discover vulnerabilities. Because of Palo Alto’s focus on application inspection and App-ID, it must first allow a connection to identify the application to enforce policy. This insecurity allows a port scan to divulge details to the attacker about your configurations, devices and security. App-ID focuses on identifying the application first, so it risks unnecessary security exposures.
The Palo Alto approach requires that traffic be allowed in order to determine the application, something the Network World Clear Choice test noted “could easily result in unintended consequences and insecure configurations – a valid concern.”

Palo Alto Networks may cause you to blow your PCI audit

Palo Alto Networks’ focus on its next generation firewall and the application layer also raises a serious issue for compliance with the PCI Data Security Standard. Organizations spend enormous resources preparing for pass-or-fail PCI audits. One of the clearly stated requirements in the PCI DSS specification is for the organization to deploy “stateful inspection” in the firewall. According to Palo Alto, stateful inspection is being replaced with what they call “new core technology called App-ID.” It would be very unfortunate for an organization to fail a PCI audit because it made a bad firewall choice.

PCI DSS Requirements | Testing Procedures
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) | 1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

Stateful inspection is being replaced with our new core technology called App-ID, which identifies and classifies applications on the network regardless of port, protocol, evasive tactic or SSL encryption.
CTO, Palo Alto Networks
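Requirement 1.3.6 quoted above is what a connection-tracking filter enforces. As an added illustration, not code from the page or from either vendor: a minimal Python model of stateful inspection run over a constructed packet trace, in which an inbound packet is admitted only when it matches a session opened from the inside; the Packet and StatefulFilter names are hypothetical.

```python
# Added illustration of PCI DSS 1.3.6 "stateful inspection" (not vendor code).
# Packets are constructed sample data; no sockets are opened.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    flags: str     # TCP flags: "SYN", "SYN-ACK", "ACK" or "FIN"
    inbound: bool  # True when the packet arrives from the untrusted side

class StatefulFilter:
    """Track sessions opened from inside; admit inbound packets only for them."""
    def __init__(self) -> None:
        self.table = {}  # (inside endpoint, outside endpoint) -> state

    def handle(self, pkt: Packet) -> str:
        if not pkt.inbound:                       # outbound: always allowed, tracked
            key = (pkt.src, pkt.dst)
            if pkt.flags == "SYN" and key not in self.table:
                self.table[key] = "SYN_SENT"      # remember the inside host's request
            elif pkt.flags == "ACK" and self.table.get(key) == "SYN_RECV":
                self.table[key] = "ESTABLISHED"   # three-way handshake completed
            elif pkt.flags == "FIN" and key in self.table:
                del self.table[key]               # session torn down, forget it
            return "ALLOW"
        key = (pkt.dst, pkt.src)                  # inbound: look up the reverse tuple
        state = self.table.get(key)
        if state is None:
            return "DROP"                         # unsolicited, e.g. a port scan probe
        if pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.table[key] = "SYN_RECV"          # reply to a request we saw go out
            return "ALLOW"
        if state in ("SYN_RECV", "ESTABLISHED"):
            return "ALLOW"                        # belongs to a previously established session
        return "DROP"

def run_trace(packets: list) -> list:
    fw = StatefulFilter()
    return [fw.handle(p) for p in packets]

# Constructed trace: a legitimate outbound HTTPS session, then an unsolicited
# inbound SYN to port 22, then a stray SYN-ACK that matches no tracked session.
SAMPLE_TRACE = [
    Packet("10.0.0.5:40000", "203.0.113.9:443", "SYN", inbound=False),
    Packet("203.0.113.9:443", "10.0.0.5:40000", "SYN-ACK", inbound=True),
    Packet("10.0.0.5:40000", "203.0.113.9:443", "ACK", inbound=False),
    Packet("203.0.113.9:443", "10.0.0.5:40000", "ACK", inbound=True),
    Packet("198.51.100.7:55555", "10.0.0.5:22", "SYN", inbound=True),
    Packet("198.51.100.7:55555", "10.0.0.5:40000", "SYN-ACK", inbound=True),
]
```

The last two inbound packets are dropped because no session from the inside accounts for them, which is exactly the behaviour the testing procedure in 1.3.6 checks for.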

How Palo Alto Networks can be bypassed with cache poisoning

SIP traffic gets past PAN FW as HTTP traffic
Palo Alto Networks is vulnerable to cache poisoning. For example, a Session Initiation Protocol (SIP) or any other protocol connection can be used as a channel for attacking a company’s internal networks. The SIP session could initially be blocked accurately, but by taking advantage of the cache poisoning vulnerability, the SIP session could bypass a Palo Alto firewall. The vulnerability could be exploited as follows:

  1. HTTP is allowed with firewall policy
  2. Opening a SIP session typically used with VoIP communications is correctly blocked
  3. Generating HTTP traffic that causes the cache to hit its threshold – meaning traffic continues going through the cache but is no longer inspected by the firewall
  4. Switching the HTTP connection to SIP, which is then allowed – and exposes you to risk

Strong security products do not allow cache poisoning, and a strong firewall will never stop inspecting network traffic.

Defcon 2011, Brad Woodberg, Juniper Networks


Check Point protects against 100% of evasion techniques tested by NSS Labs

Product | IP Packet Fragmentation | TCP Stream Segmentation | RPC Fragmentation | URL Obfuscation | HTML Evasion | FTP Evasion | Total
Check Point | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Source: NSS Labs NGFW Test, 2012

Product | Client Protection | Server Protection | Overall Protection
Check Point | 99% | 97% | 98.3%
Source: NSS Labs IPS Test, 2012

NSS Labs has released the results of its 2012 IPS Group Test that reviewed Intrusion Prevention System products from eight vendors. Once again, the Check Point IPS performed exceptionally well in the tests, demonstrating top-ranked IPS protection. The Check Point 12600 Appliance IPS protected against 100% of the evasion techniques attempted by NSS Labs.
“Resistance to known evasion techniques was perfect… IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion all failed to trick the product into ignoring valid attacks. Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately.”
The Check Point IPS scored an overall protection rating of 98.3%, improving its 97.3% overall protection rating from the 2011 NSS Labs IPS test.
Highlights of Check Point’s performance in the NSS IPS Group Test include:

  • Superior Security
  • Top of the pack with overall protection score of 98.3%
  • Strong security with 100% coverage of evasion techniques
  • A top score for server protection, 97%
  • Best in Class management system that is robust and granular

The App Gap

  • Check Point tracks more than 531 file sharing apps (a critical application category for enterprises), Palo Alto tracks 170.
  • Check Point tracks more than 4,733 total apps, Palo Alto tracks 1,511.
  • Check Point tracks almost a quarter million widgets, Palo Alto tracks 0.
Check Point tracks more apps and provides extra granularity of protection, because attacks on widgets and configurations go after the individual or specific capabilities of some applications. Palo Alto is supposed to be an “application security expert,” so wouldn’t you expect its focus on the application layer to provide a complete solution? Consider three prominent examples: Poison Ivy, Access Remote PC and Anyplace Control. Check Point has application controls for all three; Palo Alto has none.
The numbers tell the story. Unfortunately, business owners using Palo Alto are left on their own to figure out what to do with untracked apps.
Palo Alto’s limited application coverage is a visibility and security issue.


Palo Alto Networks has limited visibility of risk

NO examination of data in PDF—only 9 file formats are supported
NO identification of non-English characters in .docx (Office 2007 and above documents)
NO protection for customer list or any dictionary larger than 350 items
NO protection for personally identifiable information other than US SSN & CCN
NO protection for HIPAA, GLBA, SEC filings
NO protection for source code, CAD-CAM, ASIC or FPGA designs, patent filings
NO validation for IBAN, tax numbers, service request numbers, etc.

The Palo Alto solution provides incomplete visibility for protecting information and inspecting content. Its technology has limited abilities to deeply inspect a variety of file formats and data types beyond the basics. Why risk your critical corporate data or intellectual property with Palo Alto Networks? Check Point provides you with complete visibility and comprehensive protection.

We found that the file blocking was easily fooled. For example, putting a file into a zip archive effectively hid the file type, as did changing the first few bytes of the file (by adding blank lines) and, in one case, changing the filename—which we didn’t expect to work.
August 2011

PAN’s promised functionality does not translate to reality in real-world deployments.
Leading Online Investment Firm

PAN’s solution is full of holes.
International Film School


Palo Alto Networks has weak management capabilities

Palo Alto Networks has no built-in central monitoring tools for VPN configuration.
With Palo Alto Networks, each tunnel is configured separately.
A mesh of 30 gateways requires manual set-up of 870 tunnels!
Here’s one example of a gap in Palo Alto’s security management: its configuration and management of Virtual Private Networks. When setting up VPNs, tunnels must be defined for the VPN connectivity. When configuring Palo Alto VPNs, you are required to manually configure gateways for each tunnel. For 30 security gateways, this would require 870 tunnels. You would need to manually configure each one and develop scripts to stitch them together. Palo Alto does not have built-in centralized monitoring tools for VPN configuration.

Obviously, the manual effort required by Palo Alto will make large deployments very difficult. As noted in its latest Next Generation Firewall product review by Network World: “Large VPN deployments will not want to move to Palo Alto… any large deployment would have to be built entirely by hand.”
Check Point offers 1-click VPN configuration, which automates the process and improves your productivity. With Check Point, there is no need to manually build and configure 870 individual VPN tunnels! And our SmartView Monitor provides complete visibility into online tunnel status and VPN counters.

Large VPN deployments will not want to move to Palo Alto… any large deployment would have to be built entirely by hand.
NetworkWorld August 2011

Palo Alto Networks doesn’t have anything comparable to Check Point Multi-Domain Management.
Major Energy Company

By Jon
