Hey there - we are a shop of about 5k users and need a solution to help us through a recent acquisition. We are acquiring a business unit that’s been divested from another org, so it’s a little different than traditional acquisitions.
Anyone have experience deploying either solution? Zscaler flaunts their ability to assist with acquiring companies more so than PAN does. The other thing is we currently use PAN FWs and are hopeful we could just use the same policies for Prisma, thus making an integration with Prisma easier than a new solution like Zscaler.
If you’re using PANW firewalls, Prisma is a no brainer.
Zscaler makes their customers share infrastructure among each other. So the public IP could change day to day. This could become an issue when working with SaaS applications.
Also, with Prisma Access, you can manage policies for private applications and internet with the same rule stack. Zscaler will make you have ZPA and ZIA.
As someone who has done a couple of swg/casb/ztna projects now I’ll offer my two cents. The reason we are seeing so many people in this thread have such visceral reactions to the product that was put in at their org is because this project is hard. It is fucking hard.
You will need buyin and cooperation from so many teams to get this right. You will need to refactor applications, you will need to reverse engineer how some applications work. You will need to understand how your users work.
Don’t get me wrong, it is certainly achievable and the results are worth it, but depending on how mature your org is, this will be a tough slog.
We operate Prisma for more than 10k users (across different customers). Integration/rule management with Panorama is neat and works together with the large on-prem PA boxes.
“In general” Prisma is OK and consistent, but we have seen some issues in the past, latencies for certain protocols that cannot yet be explained (case still open, btw).
Deployment is “fairly” easy once you understand the steps to take.
Reseller/PS here… Had a customer that used Zscaler PS to do the deployment and that was quite expensive.
A Panorama-managed Prisma deployment might fit the bill here. We have done it and had to remediate another customer's deployment recently. Price will depend on actual number of users (tiered per-user pricing).
Most people have voted Prisma and I'd also recommend the same. The only thing I'd add about Zscaler's ZPA is that it doesn't do any threat inspection. After the user and device are validated it's basically direct access (other than some basic HTTP vulnerability checks). Apps are also defined at layer 4 (IP and port), and it doesn't support server-side or DC-initiated traffic back to users.
If you aren't using Palo firewalls, avoid Prisma like the plague. I've never regretted a SaaS solution more in my entire career than going with Prisma Access. Their new interface is garbage.
I just moved my company over to Twingate and I LOVE it.
Check out Palo’s ZTNA connector. It’s a product they came up with to compete with Zscaler’s ZPA (app) connector. I have used Zscaler’s app connector to quickly establish connectivity to an acquired site and IP overlap is not a concern. Palo’s connector works about the same from what I’ve seen.
While I haven't worked with Prisma, I have worked with Zscaler. Stay away from Zscaler; we had so many random little issues and it's super expensive. I've worked with plenty of PAN devices and would probably go the route of Prisma over Zscaler.
Edited because it looked like a two-year-old wrote it.
Like everything else, each has its pros and cons. Prisma is much more expensive in my experience.
Zscaler is more refined and miles ahead of Prisma when it comes to reporting.
Cloud manage sucks, but is slowly getting better.
Palo won't let you deploy Prisma unless you're a partner and you have a PCNSE, take the Prisma class (EDU-318 I think) and purchase the deployment assistance add-on.
You likely will need different policies for an acquired organization anyway. Do they need access to all of the same internal applications? Are those firewalls for external public ranges or for internal segmentation? I see most customers have little overlap in policies between firewall and VPN, and many people have very few policies limiting VPN access by user.
If you compete the solutions, you’ll probably end up with better pricing anyway.
If you're using PAN now then Prisma is a no-brainer. It's expensive, but you have a decent user base so it would make sense. It's complicated to set up and has its kinks imo, but for the most part it's not bad.
Thanks for the reply. Can we use the same policies as the FWs? Won't we have to update those as we shift to the SASE/Zero Trust architecture? I should also mention, we are pretty traditional in terms of architecture, have about 100 sites and we backhaul all that traffic to our main DC… MPLS is getting expensive and VPN is not liked in our org.
The plan would be to have ZIA and ZPA anyway in the long run, so that wouldn't be a problem for the initial M&A challenges we're facing.
This is the only truly useful answer in this thread. Especially about understanding how applications work, end-to-end. Unless you're already using very micro-segmented firewall policies, your approach to policy creation on firewalls has probably not prepared you for what it takes to develop policies on either of these apps that will satisfy both your risk mgmt goals and your end-user experience goals.