We are reaching near the EoL on our current VPN solution and I’m looking at alternatives. I typically like to set it up as VPN concentrator to keep it separate from the firewall. I really wanted to go zero trust, but I’ve read about of lot of VOIP issues, and we have a soft phone that is already painful enough over a standard VPN.
I’ve got about 8 year’s experience managing ASAs and maybe 2 years with Anyconnect. I moved away from Cisco 5-6 years ago though because I didn’t want to mess with Firepower.
I’m thinking it would be somewhat easy to purchase a smaller FTD with asa code for 100 VPN users with anyconnect. My issue is I really haven’t had good experiences dealing with Cisco. I think it’s mainly because we were such a small customer. But even the website and portals I just don’t like. I also have some concern if less technical staff could manage the VPN after the initial setup.
The other option I was thinking was buying a smaller Palo FW just for client VPN and do the same thing as I would have with anyconnect with Global Protect. At some point in the next couple years, I would like to replace all of our current firewalls with Palo so I’m thinking this might be a good step to get familiar with it. Does that sound crazy?
Does anyone have good experiences with Global Protect? Anyconnect seems to be pretty much all I ever see at other orgs.
I come from a similar background, starting with Cisco Pix, then ASA, then avoided firepower.
Right now I still have a couple of ASA firewalls doing limited duty that are slated to be replaced with Fortigates. I have several fortigates and two Palo Altos I am supporting now.
The Fortigates lost in a head to head comparison against the Palo Altos. The fortinet client was buggy and inconsistent. GlobalProtect and the Palo Altos have been rock solid.
If you have a lot of time, do it yourself, but there will be a big learning curve getting familiar with the Palo Altos. If you need to get it up and running quickly, hire a consultant to do the initial setup, then you can learn it at your own pace and possibly bring that consultant back when you hit a wall on something.
But once deployed, GlobalProtect has been very reliable with almost no end-user support issues over 5+ years.
Most of my customers use GlobalProtect if not on a ZTNA solution. Idk what your budget is of course but i’ve sold a lot of PA-400 series because they’re so well-priced.
I use Global Protect and it’s great, but the the beauty of going Palo is you’ll get all the unmatched benefits of the PAN platform. You’ll never want to go back after building 7 policies. Decryption is also an option if you’re willing to deal with the growing pains .
I could gush for hours about Palo. I can’t see myself ever going back.
I’m using a self-managed openVPN for roughly 300 Users (only up to 50 online at any given Time). Every user has their own certificate and there’s a second authentication against their AD account.
We still run ASA code on Firepower hardware. We only use them for client VPN. No one has come along with a client VPN solution so much better that would warrant the absolutely massive task of us changing VPN clients. Sure ASA isn’t perfect, but we get basically zero help desk / support tickets about AnyConnect/Secure Client issues with many thousands of users, so that’s a major plus. It also supports basically all platforms.
We opted to replace both the firewall when the requirement for VPN came up, and we switched from a Watchguard to a Palo Alto. The other option was a seperate appliance, and we got offered the (then) Pulse Secure appliance. Other firewall options were Fortigate, but their SSL vpn has quite the reddit posts. Later also VPN CVE’s. So we got lucky so far.
We currently have a fleet of about 600 laptops roaming about, although it also supports iOS and Android, Linux. Because it has User-ID we also do firewall rules related to AD groups (because it is also a firewall).
What made the case for us is the extensive features of what you want and do not want to have the VPN traverse. It also does SAML/SSO with Entra ID without much fuss. Helpdesk gets very few calls, except 0.5% during upgrades, which are easily remediated.
Does dual stack v4 and v6, PAN-OS is pretty complete in the UI for that as well. The VPNs prefer IPsec over SSL which means that firewall failover or upgrade is seamless for the all the clients which is really good. Performance from home (1 gig) to work is about 400mbit which is pretty good for a VPN all things considerd like reduced MTU and whatnot.
Management is solid, and during upgrade you failover the member and can then test the new release which is very helpful
Dynamic routing OSPF supports all the features we need (but so does Fortigate 7.0).
I‘m in the same boat right now. Looking to get rid of ASA and anyconnect.
We were testing ZPA from zScaler but that was just painful and won’t work for VoIP.
Ive heard that checkpoint just bought perimeter81 which seems to do a solid cloud VPN based on wireguard. I’ll be looking at that pretty soon. But if you go the Palo route Ive heard good things about them as well.