Thanks. Are you feeling any of the effects of PAN not being built in the cloud originally? Also, have you run into scalability or performance issues?
By the way, there are also server-side Connectors that allow server-to-client connections for specific use cases as well. Not sure if you just haven’t touched it in a while or are working with a partner that isn’t up-to-date.
This is incorrect. ZPA has inspection capabilities through ZIA. Palo terminates everything on a firewall, whereas the Zscaler architecture is a proxy and lighter weight. Both can be effective depending on your needs.
I think your best bet is to use posture enforcement for clients connecting with Zscaler Client Connector. Must be assigned at the access policy. But I agree this is a concern for me too.
Can you expand for us all what about it you don’t like?
Solves the same use case. Different architectures.
When we looked, the costs were very similar. Just make sure you compare like-for-like licensing. Our Zscaler rep tried to sell us the lowest tier license to make them look cheaper.
I bet they want $100+ per user per year.
Have deployed both at 5000+ companies, and both can work with the right implementation. From my experience, there were FAR more scalability and performance issues with PAN. PAN was not born in the cloud, and even with PAN firewalls we had major issues with Prisma. We are cloud centric and Zscaler was very effective - ZIA and ZPA. We did an exhaustive architecture review for both, and since we are cloud-first Zscaler came ahead by miles. I’d say it’s hands down zscaler if you are cloud-first or planning to go full cloud and data center free. For us Zscaler came ahead in cost as well, but I imagine this will vary depending on existing contracts. Just my two cents.
Zscaler would work okay if you’re already backhauling in. Honestly the biggest issue with Zscaler is for ZPA that they charge by number of VMs, but last I was keeping count they “had no way to enforce it”.
Moving your existing arch to Prisma though and continuing to do M&A would be a breeze, especially if you’re using iBGP for routing. It’s my exact strategy here with 2-3 a year.
Prisma will make you have to set up all of the same crap as traditional firewalls. It’s just PAN firewalls in GCP. You will still be dealing with all of the routing configs and issues like overlapping IPs, combined with the lovely security issues due to the lateral movement that is possible when you join the networks.
ZPA and ZIA have different UIs for policy management.
Probably just my company’s implementation of it: I’m constantly dropping connection and forced to re-auth. It also routes me to CA servers before connecting back to VA, rather than other locations in between UT and VA. HUGE slowdowns. I have 1 Gbit internet (tested on other computers) but it reduces my speed to 60 Mbit on that laptop. Zscaler couldn’t figure it out and told me “oh well” basically.
Palo has made some improvements on their side for sure over the time that we have used it… I remember that several tickets were opened concerning performance in the beginning, then suddenly various updates occurred across the POPs etc.
It is/remains of course some sort of “black box” and you will never know the nifty details they “tweak” on their end. Location is not US or anything; the service is consumed in the EU.
I wasn’t aware of that, thanks. Sounds kind of messy routing ZPA traffic through ZIA though. Does that mean you have to manage policy in two places?
Not sure I’d call proxies lightweight, but even if that is true, what’s the real-world implication? Better performance? In our POC testing we didn’t notice any benefit.
Yeah posture enforcement is still great don’t get me wrong. But if we’re talking about Zero Trust we can’t really stop there.
I think the folks commenting on here have made most of the points.
- You cannot have redundancy to a site without having a Palo OR paying for an extra service connection.
- As I mentioned, the portal is horrendous, and I say that because they changed it completely 6 months in.
- Getting a new install up and running if you work in a tech org was a nightmare. Engineers using nonstandard ports were getting their connections blocked unless you go in and customize policies.
- We were using Okta at the time, which means a license for the Cloud Identity Engine.
- If a user signs into GlobalProtect before they’re assigned the right group in Okta, they would lose all internet connectivity completely, until you add the individual user to the policy. Support could NOT fix this and it was going on the entire time we used the solution.
Fuck prisma access. It was a thorn in my shoe the entire time. I’m gonna just keep using Twingate and enjoying my time doing other aspects of my job.
From my experience, that’s definitely due to implementation.
Yes, in some cases, better performance and less cost. Traffic goes to whichever Connector is closest to an application. The user doesn’t know otherwise. Connectors are much lighter weight than firewalls. You can place them in VPCs or VNets at a fraction of the cost without having to use a hub.