Exponential Economist Meets Finite Physicist

What the heck is it with Palo Alto Networks? I have said before they seem more like a cult than a firewall manufacturer. I have observed reasonable companies spend two to four times what a comparable Juniper, Cisco or Fortinet would cost, so they can have that special Palo Alto love. I have seen people adamantly refuse to even look at competing products once they get a taste of those sweet Palo Alto boxes. Palo Alto Networks seems to walk on water and deliver unto the faithful the warming glow of a super cool firewall.

While my hands on experience with their devices has been mostly positive, I am skeptical of any technology that seems “too popular.” Palo Alto’s rise up the firewall stack is rather baffling. Moreover, the buzz around them is downright scary. Are these people going to be relocating to a jungle compound soon? Will they be handing out Kool-Aid soon? (Maybe it will be Kool-ID.)

Let’s start with the raw specifications. Their devices pass traffic and have decent throughput speeds. They scale from small to large with reasonable ease. They do IPS and web filtering, and all the normal unified threat management (UTM) type of stuff (or Next Generation Firewall, NGFW, in their parlance). Okay, cool. They also tout their AppID stuff which let’s them pick out applications among network traffic, okay that is cool. But it’s not unique. Lots of other products do that. They can inspect SSL traffic, cool, so can a Fortinet or a Blue Coat for that matter. Hmmm, technically they have good specs, but nothing unique.

Okay, so in the raw specs, they’re a UTM / NGFW. Great. So what makes people spend 2X for them?

Let’s take a look at the company. Solid people and investors. Nir Zuk is a smart guy, if a little self-absorbed. But who isn’t. The board is all seasoned people. They have Greylock, Sequoia, and Globespan. All good investment firms with respectable portfolios. But again, nothing earth shattering there.

Then I read this on their web site…and it all became clear:

Here are some of the unique capabilities available only in next generation firewalls from Palo Alto Networks.

• The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
• The only firewall to identify, control and inspect SSL encrypted traffic and applications.