Paid $1200 for a next-gen firewall and it caused more outages than it blocked
I got a Palo Alto PA-440 last quarter thinking it would lock things down tight, but the first week we had three false positive blocks on legit traffic that took hours to untangle. The security team loves the reporting, but the ops guys are ready to throw it out a window. Anyone else have a big purchase that saved you or burned you hard?
abby_martin28 (16d ago)
Was it the default threat prevention profiles that did it, or did you try to tune the custom rules and still hit those false positives? The PA-440 has a lot of deep inspection stuff that can nuke VoIP or random legitimate API calls if you don't whitelist them first. Just wondering if you found a specific app or protocol that was the main culprit.
spencer_wood (16d ago)
Custom rules worked better for me but it took a few rounds of tweaking. Biggest issue was SIP traffic getting flagged as an exploit because the inspection engine didn't like some handshake patterns from our VoIP provider. Whitelisted their source IPs and specific ports for RTP and that cut the false positives down to almost nothing. The default profiles are a good starting point but they're way too aggressive out of the box for anything that isn't basic web browsing. You really have to sit with the logs for a day or two and see what's getting caught.
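The "sit with the logs and see what's getting caught" step from the comment above, as an added example that is not from this thread or from the firewall vendor: a small triage script that counts what a firewall is blocking and separates blocks on a known VoIP provider's traffic (the candidates for a narrow allow rule) from everything else, which stays blocked. The CSV layout, the 203.0.113.0/24 provider range, the port ranges and the log lines themselves are all constructed assumptions; the real PAN-OS threat-log schema has different columns, so map them accordingly.

```python
"""Added example: triage constructed firewall threat-log lines to separate likely
false positives on a trusted VoIP provider's traffic from blocks worth keeping."""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample in a deliberately simplified CSV layout. It is NOT the real
# PAN-OS threat-log schema; adapt the column names to whatever your firewall exports.
SAMPLE_LOG = """\
time,src,dst,app,dport,action,threat
2024-05-01T09:00:01,203.0.113.10,10.0.0.5,sip,5060,reset-both,SIP Header Anomaly
2024-05-01T09:00:04,203.0.113.10,10.0.0.5,sip,5060,reset-both,SIP Header Anomaly
2024-05-01T09:00:05,203.0.113.11,10.0.0.5,rtp,16384,drop,RTP Payload Anomaly
2024-05-01T09:01:10,198.51.100.7,10.0.0.20,web-browsing,80,reset-both,SQL Injection Attempt
2024-05-01T09:01:30,203.0.113.10,10.0.0.5,sip,5060,allow,none
2024-05-01T09:02:00,192.0.2.44,10.0.0.5,sip,5060,drop,SIP Brute Force
"""

# Assumptions: the VoIP provider's published source range and the SIP/RTP ports it uses.
TRUSTED_VOIP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
VOIP_APPS = {"sip", "rtp"}
VOIP_PORTS = {5060, 5061} | set(range(16384, 32768))  # SIP signalling + a typical RTP media range

# Action values that mean the firewall interfered with the flow (constructed set).
BLOCKING_ACTIONS = {"drop", "reset-both", "reset-client", "reset-server", "block"}


def parse_log(text):
    """Parse CSV text into a list of dict rows, with dport converted to an int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def blocked_rows(rows):
    """Only the rows where the firewall actually blocked or reset something."""
    return [r for r in rows if r["action"] in BLOCKING_ACTIONS]


def top_blocked(rows, n=5):
    """Most frequent (src, app, threat) triples among blocked rows: the first thing
    to look at after a day of logs, before touching any rule."""
    counts = Counter((r["src"], r["app"], r["threat"]) for r in blocked_rows(rows))
    return counts.most_common(n)


def _is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_VOIP_RANGES)


def allowlist_candidates(rows):
    """Blocked flows that come from the trusted VoIP range on VoIP apps or ports.
    These are the ones to review for a narrow exception; the exception should be
    keyed on source range AND port, never on the threat signature alone."""
    candidates = set()
    for r in blocked_rows(rows):
        looks_voip = r["app"] in VOIP_APPS or r["dport"] in VOIP_PORTS
        if looks_voip and _is_trusted(r["src"]):
            candidates.add((r["src"], r["app"], r["dport"]))
    return sorted(candidates)


def still_blocked(rows):
    """Blocked flows NOT covered by the VoIP exception: same app or port from an
    untrusted source (e.g. SIP brute force from the internet) stays blocked."""
    cand = set(allowlist_candidates(rows))
    return [r for r in blocked_rows(rows)
            if (r["src"], r["app"], r["dport"]) not in cand]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Top blocked:", top_blocked(rows))
    print("Review for exception:", allowlist_candidates(rows))
    for r in still_blocked(rows):
        print("Keep blocking:", r["src"], r["app"], r["threat"])
```

The point of splitting the output into "review for exception" and "keep blocking" is that the two SIP blocks in the sample look identical at the app/port level; only the source range distinguishes the provider's odd handshake from a brute-force attempt, which is why the exception should be scoped to the provider's addresses and ports rather than to the signature.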