As our company grows we have discovered a need to have our VPN gateways distributed closer to our users to connect to. We currently use Palo Alto GlobalProtect and we have quotes to use Prisma, but I want to look into some alternatives to be able to compare pricing and features to. I am wondering what some of you all might recommend or are already using.
Cloudflare Zero Trust might be a good option as well - they do have the ability to allow access to networks (instead of a pure Zero-Trust per-app access) just like a full-blown VPN.
Cato Networks. POPs all over, zero configuration required for regional POP selection.
Build your own if you’re that way inclined or Cloudflare.
Cato Networks
Why?
Because you get security included (with Zero Trust), and in all directions, e.g. Northbound and east/westbound. You also get network optimization through TCP acceleration. On a global scale, the benefit can be huge. Did I mention it’s stupid simple to manage and operate as well?
By comparison, Netskope and Zscaler have no real threat prevention for east/west traffic. They just perform “Zero Trust”. They bank on the trust of the user and endpoint as enough of a qualification for them. They don’t care about inspecting the traffic itself…or they tell you to go get another firewall (e.g. Palo Alto) to stick in front of your apps for that protection. Why do that when solutions like Cato have that protection built in “inline” already?
Palo Prisma is a different issue altogether. Prisma really only has 30+ service locations (these are the locations/PoPs that actually inspect your traffic), even though they market as though they have 100+. They call the vast majority “edge” locations and they are supposed to be providing you route optimization to the service locations. In reality, they really need those edge locations to help out because their service locations can be quite far away. To make matters worse, each of their 30+ service locations doesn’t actually provide all their inspection services. Some provide SWG. Some provide CASB. Some provide DEM. etc. So if your requirements include multiple layers of inspection it’s quite possible your packets could traverse a couple of continents before reaching the final destination.
With all 3 of the vendors above, network performance and optimization is not a priority. They do nothing to optimize or accelerate traffic flow. It’s just not their business.
When we looked at both Prisma Access & Zscaler, PA was much cheaper.
AppGate - it does multi-tunneling and is zero trust centric.
Azure VPN does decently for us!
This sounds like a University question… Prisma will be cheaper if you are already a Palo shop, or plan to be.
How about Ziti?
It’s a zero trust overlay network which removes the need for VPNs, public DNS, inbound ports and more. It comes in open source (OpenZiti - What is OpenZiti? | OpenZiti) or SaaS (CloudZiti, with a free tier to test - https://netfoundry.io/pricing/).
I work for the company behind it and can share a comparison vs PA Prisma if you like.
Check out Appgate SDP. Many benefits over any of the other products mentioned here.
This. You can start it off as a “traditional” VPN, then transition to zero trust of your choice. Theirs is solid but you can use others in combination.
You just can’t beat Cloudflare’s footprint if that is what you want.
I just learned about and implemented my first set of ZPAs. Let me tell ya - nothing like not having to VPN in to visit an internal webpage.
This doesn’t answer the user’s request.
ZPA tunnels you to one of their sites, then to your company’s site. So essentially going through 2 VPN tunnels.
They would’ve been better off just tunneling direct to the site like they had been with Palo GlobalProtect unless somehow they had better routing to Zscaler, and Zscaler had better routing to the site.
OP just needs to be more sassy.
Weird, our experience was the opposite. By like 18%.
Anything but Fortinet. Have you seen how often they have remotely exploitable vulnerabilities in their VPN software?
What about other services like network shares?
That depends entirely upon their needs. If OP is growing the way he’s suggesting, there may be an effort to not home-run all user traffic to the PAN, and split-tunnel in the cloud.
We paid for the basic ZPA so only http(s). Our entire company is SaaS based so no SMB shares.