Palo Alto Networks Firewall and Stateful Inspection

This is absolutely driving me crazy. Check Point has a website dedicated to presenting “facts” about how Check Point’s firewalls compare to those made by Palo Alto Networks. One of the supposed “facts” is that using a Palo Alto Networks firewall could cause you to fail your next PCI audit. It includes this passive-aggressive gem:

It would be very unfortunate for an organization to fail a PCI audit because it made a bad firewall choice.

Vendors often sling mud at each other with their cherry-picked competitive reports, but I have personally heard representatives from several firewall vendors parrot the nonsense included in this Check Point website.

Anyone claiming a Palo Alto Networks firewall is not stateful is either ignorant or lying. Anyone who has used a PAN firewall knows it is stateful.

Let’s take an example related to PCI: An external client connecting to a web server to purchase some item.

A good PAN rule is going to have a logic along the lines of:

  • From the “untrusted” zone to the “dmz” zone
  • From any source, destined for the web server
  • From any TCP port, destined for ports 80/TCP and 443/TCP
  • Using the applications “ssl” and “web-browsing”
  • Permit the traffic

If someone connects to port 8080 on the web server, the firewall will drop the packet before even doing any sort of lookup, because the port is not allowed. Additionally, if the connection is not in the session table and does not have the SYN flag set, the firewall will drop it. Lastly, if a connection is on port 80/TCP or 443/TCP but is not detected by App-ID to be either “ssl” or “web-browsing”, it will be dropped.
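To make the three checks above concrete, here is an added example that models them in Python. It is not Palo Alto Networks' code and is not how PAN-OS is implemented internally; the zone names, rule fields, IP addresses and the tiny App-ID stand-in (identify_app, which only recognises a TLS handshake record or an HTTP request line) are constructed for illustration. The model goes slightly beyond the post by also showing the reverse direction: a server reply is allowed because it matches an existing session, while an unsolicited packet from the DMZ host is dropped because no session and no rule cover it.

```python
# Added example: a simplified model of the stateful rule evaluation described
# in the post. Not Palo Alto Networks' code; zones, addresses and identify_app
# are assumptions made for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    dst_ips: frozenset    # destination hosts the rule covers
    dst_ports: frozenset  # TCP service ports the rule covers
    apps: frozenset       # applications App-ID must identify


def identify_app(payload: bytes) -> str:
    """Constructed stand-in for App-ID: TLS handshake record -> 'ssl',
    HTTP request line -> 'web-browsing', anything else -> 'unknown'."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    return "unknown"


def five_tuple(p: Packet):
    return ("tcp", p.src_ip, p.src_port, p.dst_ip, p.dst_port)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = {}  # client->server 5-tuple -> {"rule": Rule, "app": str|None}

    def _lookup_rule(self, p: Packet):
        for r in self.rules:
            if (r.from_zone == p.src_zone and r.to_zone == p.dst_zone
                    and p.dst_ip in r.dst_ips and p.dst_port in r.dst_ports):
                return r
        return None

    def process(self, p: Packet):
        """Return (verdict, reason) for one packet, updating the session table."""
        key = five_tuple(p)
        reverse = ("tcp", p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # Stateful fast path: a packet in either direction of a known session.
        session = self.sessions.get(key) or self.sessions.get(reverse)
        if session is None:
            rule = self._lookup_rule(p)
            if rule is None:
                return ("drop", "no rule permits this zone/port combination")
            if not p.syn or p.ack:
                return ("drop", "not in session table and SYN flag not set")
            self.sessions[key] = {"rule": rule, "app": None}
            return ("allow", "session created")
        # First payload of the session: identify the application once.
        if p.payload and session["app"] is None:
            app = identify_app(p.payload)
            if app not in session["rule"].apps:
                self.sessions.pop(key, None)
                self.sessions.pop(reverse, None)
                return ("drop", f"application '{app}' not permitted by rule")
            session["app"] = app
        return ("allow", "matches existing session")


def demo():
    """Run the scenarios from the post and return their verdicts by name."""
    web_rule = Rule("untrust", "dmz", frozenset({"10.0.1.10"}),
                    frozenset({80, 443}), frozenset({"ssl", "web-browsing"}))
    fw = StatefulFirewall([web_rule])
    client = dict(src_zone="untrust", dst_zone="dmz",
                  src_ip="203.0.113.5", dst_ip="10.0.1.10", src_port=51000)
    verdicts = {}
    verdicts["port_8080"] = fw.process(Packet(**client, dst_port=8080, syn=True))[0]
    verdicts["no_syn"] = fw.process(Packet(**client, dst_port=80, ack=True))[0]
    verdicts["syn"] = fw.process(Packet(**client, dst_port=80, syn=True))[0]
    verdicts["http"] = fw.process(Packet(**client, dst_port=80, ack=True,
                                         payload=b"GET /cart HTTP/1.1\r\n"))[0]
    verdicts["reply"] = fw.process(Packet("dmz", "untrust", "10.0.1.10", "203.0.113.5",
                                          80, 51000, ack=True,
                                          payload=b"HTTP/1.1 200 OK\r\n"))[0]
    # Unsolicited packet from the web server: no session, no matching rule.
    verdicts["unsolicited"] = fw.process(Packet("dmz", "untrust", "10.0.1.10",
                                                "198.51.100.7", 80, 40000, ack=True))[0]
    # Port 443 session whose payload is not TLS: App-ID mismatch.
    ssh_client = dict(client, src_port=51001)
    fw.process(Packet(**ssh_client, dst_port=443, syn=True))
    verdicts["non_tls_on_443"] = fw.process(Packet(**ssh_client, dst_port=443, ack=True,
                                                   payload=b"SSH-2.0-OpenSSH\r\n"))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>16}: {verdict}")
```

The order of the checks in process() mirrors the post: the rule lookup rejects the wrong port first, the session-table/SYN check rejects mid-stream packets that never completed a handshake, and only then does the application check run on the first payload of an allowed session.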

Here is a screenshot from a Palo Alto Networks document titled “PAN-OS: Day in the life of a packet: Packet flow sequence in PAN-OS” (red arrows are mine):

[Screenshot: PAN-OS packet flow diagram, annotated “PAN-OS is stateful”]

How can Check Point honestly make the claim that PAN’s firewall is not stateful and will thus fail PCI audits? The fact that others believe Check Point’s nonsense is depressing.

To repeat: Despite what Check Point and other NGFW wannabes claim, Palo Alto Networks’ firewall is stateful.