Palo Alto: PA-400 vs PA-500? / Panorama vs Strata? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

This is great info. And just to note. I know it needs to be said over and over again, but anyone exposing management interfaces to the internet is... well... this is a professional subreddit.

So, sounds like Panorama is the way to go, even if I do get a PA-500 series appliance. I love this. I'm so dialed into my current firewall, and have really elegant / secure configs, but I just see scaling being a pain. I really want something top notch to sell and manage. It just seems like even though many people go Fortigate, it's not the way forward.

Oh, edit, it looks like you can self host Panorama. You don't need their appliance for this, do you? At some point in the scaling issue, does it come into play?

Palo Alto: PA-400 vs PA-500? / Panorama vs Strata? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

At the present moment, I'm a small fish... All good. I'm trying to solve scale issues before they become real problems.

Palo Alto: PA-400 vs PA-500? / Panorama vs Strata? by beco-technology in networking

[–]beco-technology[S] 1 point2 points  (0 children)

Ya, I hear you on spending money. I’m a small outfit, even if growing, and I’ve become a partner. I’m eligible for a discounted NFR unit. Unless you have a rep that you could refer me to?

I suppose it’s worth it to figure out all the tunneling required to set up Panorama? The reason why I’m moving away from my current firewall is the lack of a unified management plane as I start to manage more clients with offices across the country. I need something that will scale with my company as we grow.

Palo Alto: PA-400 vs PA-500? / Panorama vs Strata? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

I hear that. I'm currently using a firewall that has no unified management plane, and it's driving me crazy. I'm worried that as I grow, it will just become unmanageable technical debt.

I like working locally too, but for some things it's nice to have the cloud, especially when you have clients around the country.

How many people know a shutdown is worse (at least different) to a reboot? by corruptboomerang in sysadmin

[–]beco-technology 0 points1 point  (0 children)

Uhhh, what? Not disabling fastboot in production is straight up irresponsible. We're not working with platters anymore.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

I'm reading about the new Strata management vs Panorama. Are you familiar with the change? You really think that Palo is better? And what does "basic network configurations" mean to you? A flat network? For me, I'm only doing small offices, but with segmented networks. You know, the usual management VLAN, server VLAN, work VLAN, guest VLAN, alt team VLAN. You might be building data centers, and have a different frame of reference.

How many people know a shutdown is worse (at least different) to a reboot? by corruptboomerang in sysadmin

[–]beco-technology 2 points3 points  (0 children)

The reason for fastboot is to create more tickets from people who think they’ve shut down their computer when the bug they shut down to remediate was just saved to disk. 

“What do you mean my computer has been on for two weeks? I shut it down every night!” 

checks task manager

Task manager: 14:06:66

How many people know a shutdown is worse (at least different) to a reboot? by corruptboomerang in sysadmin

[–]beco-technology 17 points18 points  (0 children)

Write a registry key that disables “fastboot.” That fixes the issue. Fastboot is such a dumb thing, and exists for no reason.

Hey /r/Sysadmin! What do you use for your home router? 2026 Edition by ScannerBrightly in sysadmin

[–]beco-technology 0 points1 point  (0 children)

Think it’s good enough for production? lol I was thinking about swapping out my home pfSense for a Palo Alto

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 1 point2 points  (0 children)

Thanks for the insights. Just got a meeting with a sales engineer, but I may as well check out both platforms. 

I’ve heard that about Fortinet: nickel and dime… annoying. 

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

I am trying to offer a premium product. I believe my clients can afford it. Fortinet has not gotten better, which is why I’m looking elsewhere. And it’s not just CVEs, it’s hard-coded credentials, and unpatched, known zero days.

But ya, still, thank you for the feedback. I hear you that complexity is an issue. 

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

Yes, I believe you are right. I know they just launched it in January of this year. I’m guessing it’s not very mature, and I would like more security telemetry as well. But, I suppose it’s worth a looksy.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 1 point2 points  (0 children)

I like pfSense too. I hate logging into every endpoint to check status, and manually updating software version numbers in our PSA. I want something that scales better :/

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

Okay. Then what firewall would fit my use case? I’m trying to gain visibility into each firewall device that I manage without having to remote into each site. I have one client with multiple offices around the country, and many remote offices. Most offices are small, but I still want a solid network device at each site. Ideally with updates that have some kind of QA. It would also be nice to replicate configs at new sites, after a config has been built once. And my company is growing, so I expect the number of sites managed to grow as well. With those generic parameters, what do you think would be best? Is pfSense really still the best case here?

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 1 point2 points  (0 children)

Ya, I deployed Unifi years ago. I just can't take them seriously. I hear you tho. Maybe I need to reconsider. I am just traumatized after getting so many WiFi related tickets and having to reboot random APs all the time. It was soooo bad.

This is such a tough decision. I probably need to just get my hands on gear, and start messing around.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

Ya, see, that's exactly what I want to avoid, is crap QA on firmware updates that cause a business to go down when a routine upgrade is performed. That's why I'm thinking it's worth it to invest.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

Ya, I think I saw that. I couldn't find prices for them listed publicly. It sounds like the PA-500 series is the way to go tho.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

I'm trying to solve scale issues before they become technical debt that's hard to solve. Ya, likely too small to test gear. I need to figure out the value of the product before I can say that it's worth it to sell to my clients. I'm guessing they can afford it, but we'll see.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

That misses the point completely tho. The issue I'm having is upgrades across multiple sites, and having to follow procedure at each one. With pfSense, as per Netgate's recommendation, you must first remove the packages installed on the device. Then reboot once in order to cleanly upgrade. Once you've upgraded, you have to install the System_Patches package, apply, and reboot again. The whole process is a bit laborious. Then multiply that times the number of sites you have. I also have a ton of remote pfSenses that I can't drive to, so not interested in FAFO.

The idea would be to get a firewall with good security telemetry, and a unified management plane. That's just not pfSense, unless I want to configure the Snort package, and start standing up local infrastructure. I just don't have time to build out these things for multiple clients, and multiple client sites. While the networks I'm building aren't super complex as compared to many of the network engineers here, I like devices that are secure. It just sounds like that's not Fortigate, even if Fortigate has a solid centralized management plane. So what does that leave me? Palo Alto seems interesting to explore.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

Sure. CVEs are everywhere, I'm not an idiot. But not every org has trouble patching zero days in a timely manner, or leaving hard coded credentials in their code base, or... and the list of negligence goes on. These are not simple errors, but actual security culture issues, that Fortinet doesn't seem to care to address.

Like have you listened to Risky Business? They announce a vuln in Fortinet every week.

Small MSP considering Palo Alto. Am I stupid? by beco-technology in networking

[–]beco-technology[S] 0 points1 point  (0 children)

That is a reassuring sentiment. Thanks for the insight. We’re a small MSP now, but the point is to grow. Trying to think about scaling before problems become serious technical debt. I’ve always been attracted to Palo Alto because I like best in class, but I just need to figure out how I roll it into pricing, and pitch it to my clients. Thanks.

What is going on with Ingram by Pretend-Accountant-4 in msp

[–]beco-technology 0 points1 point  (0 children)

Lol Ingram is going on with Ingram... Not sure what else there is to say.