The pros and cons of Palo Alto Networks' SASE platform

Palo Alto Networks is commonly mentioned in SASE discussions. While the vendor has strong security capabilities, it also brings integration complexities and PoP limitations.

Editor's note: This article is part one in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.

When buying a Secure Access Service Edge platform, comparing features is the easiest part of the purchasing process. A well-designed comparison table and a bit of vendor honesty -- or exasperation on the buyer's part -- will provide an overview of the various SASE vendors' capabilities.

The bigger challenge in selecting a SASE platform is understanding the packaging of those capabilities. As we've long seen with Cisco, simply having the capabilities doesn't make an enterprise technology offering. How well those capabilities are packaged, integrated together and delivered is essential.

Such is the challenge with Palo Alto Networks. No doubt, Palo Alto will provide enterprises with a comprehensive security offering. And there's no question buyers can get a solid software-defined WAN (SD-WAN) offering from Palo Alto as well. The question for anyone considering Palo Alto is the packaging and integration of its many features.

SD-WAN only became a serious offering for Palo Alto in 2020 with the acquisition of CloudGenix. Since then, the company has acquired The Crypsis Group for incident response and Expanse for attack surface management technology, all in an effort to become a SASE vendor. The range of products introduces complexity, which is anathema to the SASE principle of operational simplicity. What's more, the lack of a private backbone means the company must rely on the public internet for site-to-site connectivity. This might not be an issue with small or even regional companies, but it should be a warning to any global enterprise.

Prisma Access: Palo Alto's SASE service

Before we dive into the Palo Alto SASE platform, let's level-set on what SASE is. SASE was introduced by Gartner in 2019, largely in response to the cost and complexity of legacy enterprise networks. SASE is an architecture that converges the functions of network and security point services into a unified, global, cloud-native service connecting and securing all enterprise edges -- sites, remote users, public cloud applications, cloud data centers and IoT devices. It's this convergence of networking, security, backbone and cloud that makes SASE so unique.

Palo Alto's Prisma Access SASE service uses CloudGenix SD-WAN appliances, recently renamed Prisma SD-WAN, to connect sites and virtual equivalents for cloud data centers. Integrated Palo Alto next-generation firewalls (NGFWs) protect data centers, and Palo Alto's firewall as a service (FWaaS) protects branches. VPN options include IPsec, Secure Sockets Layer/IPsec and clientless VPN for connecting users and networks. Prisma Access zero-trust network access (ZTNA) can also provide access for remote users to data centers or applications they need.

In addition to FWaaS, Palo Alto's security layer includes the following:

  • DNS security to protect against threats in DNS traffic;
  • threat prevention to block exploits, malware and command-and-control traffic;
  • cloud secure web gateway to block malicious websites;
  • data loss prevention that categorizes sensitive data and applies policies to control access; and
  • cloud access security broker, which adds governance and data classification to stop threats.

Prisma Access requires a subscription to Cortex Data Lake to store network logs generated and used by the security products.

Prisma Access supports two management options. The first option, Palo Alto's Panorama network security management, provides centralized administration across Palo Alto NGFWs and Prisma Access. A second option eschews Panorama and uses a less feature-rich application in Prisma Access.

Figure: Palo Alto Networks SASE platform diagram. Complexity can creep into Palo Alto's SASE configurations, due to the deployment of separate appliances for SD-WAN and firewalls.

Prisma Access analysis

Functionally, Palo Alto Networks ticks many of the right boxes with Prisma Access. The security suite is broad, and its SD-WAN is comprehensive. Palo Alto's biggest problem, though, is that it's not a true cloud service. Instead of a single, multi-tenant, cloud-native processing engine, Palo Alto processes packets and security in separate appliances: virtual firewall instances in the cloud handle security enforcement, while SD-WAN devices handle traffic routing and processing. With separate appliances handling traffic inspection and processing, Palo Alto SASE is only marginally different from what we've always done -- deploy and integrate different appliances. It also means latency grows, as packets must pass through each function serially.

Complex configurations are hard to manage

To achieve SD-WAN connectivity, customers must deploy CloudGenix Instant-On Network, or ION, appliances at sites and in the cloud. These appliances have a basic built-in firewall, but if that isn't sufficient, customers must also deploy a Palo Alto NGFW in these edge locations. The two types of firewalls require different management options: Prisma SD-WAN and Panorama. If the customer requires high availability, the appliances must be duplicated at each site. Complexity grows with each customer requirement. This configuration is neither flexible nor future-proof, as it is unable to change and grow with the customer's needs.

No private backbone -- third-party clouds host PoPs

Palo Alto lacks a private backbone, instead building its points of presence (PoPs) on third-party cloud platforms, namely AWS and Google Cloud Platform (GCP). This is in direct conflict with Gartner's recommendation that SASE providers shouldn't build their offering on someone else's cloud. Failing to own the underlying cloud infrastructure limits the provider's control over routing and its ability to expand to match the geographic requirements of its users. It also means customers shouldn't expect to replace a predictable, global MPLS network with Palo Alto.

Palo Alto's marketing materials say the vendor has more than 100 PoPs in more than 75 countries, but that figure is misleading. A PoP for Palo Alto is a point where customers connect their edge sites to the SASE provider, but the processing of that traffic occurs in a separate, third-party cloud compute location. Enterprise traffic must first be backhauled to that location, which adds latency and affects performance. GCP currently has only 24 compute locations, called regions, worldwide.

Optimization is limited

Palo Alto says it offers optimization for SaaS applications, but this covers only a handful of applications where peering is available in GCP. Again, this adds latency to many cloud-hosted applications, which makes for poor UX.

Strong security but complex integration

Palo Alto's Prisma Access SASE looks good on paper. It comes from a company with a strong pedigree in security with feature-rich components. But it's precisely because these products were built as standalone services that buyers should carefully consider if Palo Alto's SASE is a good fit for them.
