Anyone have info on a pros/cons/comparison between zscalar and PAN Global Protect?

[Frennzy]

I've been tasked with doing a high-level analysis on the two products in the thread title.

For now, this is only related to replacing GP with Zscalar. Has anyone done this? I have found a lot of marketing hype, but I would truly like some real-world input.

For example and items I'm interested in:

Cost? (how did you compare?)
Ease of installation (SE/ProServ, licensing, and continuing care and feeding)
Ease of administration.
Basic deployment model? (cloud/on prem/hybrid)
Performance and scalability.
modularity (think building out additional tools on the simple remote access I spoke about above....add and remove features at will)
any noticeable client impact? (or no client?)
Any other items you might think would be relevant and/or helpful.

Have a mentioned that you all look quite marvelous today?

 

[Paladin]

Sadly I have never had a chance to use either though I have have worked with customers that used both (well one that used one and one that used the other). They had typical customer experiences "They suck because they require additional thought and understanding on my part." Basically no one likes anything that makes them understand anything, especially if it creates any kind of roadblock for them. :/

I've used a Cato Networks and found it to be an adequate kind of SDWAN type service with security features, I am not sure how it compares to either of the ones you are looking at.

 

[sryan2k1]

We've been ZIA+ZPA Customers for ~4 years, roughly 600 users mostly in the Midwest USA but various other regions/countries. I'm about to head out but I'll write up something longer later.

tldr it's not perfect but after some initial bumps and better training on our end it's pretty much "Just worked"(TM)

 

[Frennzy]

Thanks sryan2k1. That alone is enough to get me started. One last question though: would you do ZIA without ZPA or vice versa? I'm fairly sure my satellite overlords haven't considered that they may want/need both.

 

[ajpope85]

We've have constant problems with zscaler but I'm about 99% sure it's because the proxy team didn't know how to set it up properly and didn't work with the network team. All the traffic being directed through our inet connections absolutely choke them pretty much from 9 to 5, and since we're using an sdwan solution for our branches, it's been screwing up the branch traffic that's going over the Internet as well.

 

[sryan2k1]

Still planning on a big writeup but that sounds like incompetence on your end.

 

[Paladin]

Yeah if that were me, I would be on the phone with Zscalar to get that figured out, I could never live with that kind of daily frustration and uncertainty whether it was my fault or theirs, etc.

 

[Danger Mouse]

I think the better comparison rather than GP-Protect is actually PA's Prisma Access, since that is how PA positions their product.

Prisma Access vs. Zscaler

Prisma Access vs. Zscaler. Compare the different approaches to Zero Trust Network Access and decide which one you need to keep your apps and data secure.

www.paloaltonetworks.com

PA GP is more your traditional product like ye olde Cisco ASA + Cisco VPN + whatever ISP you have.

 

[Frennzy]

I think the better comparison rather than GP-Protect is actually PA's Prisma Access, since that is how PA positions their product.

Prisma Access vs. Zscaler

Prisma Access vs. Zscaler. Compare the different approaches to Zero Trust Network Access and decide which one you need to keep your apps and data secure.

www.paloaltonetworks.com

PA GP is more your traditional product like ye olde Cisco ASA + Cisco VPN + whatever ISP you have.

Which would be applicable if were on that platform at the moment, but we aren't. We're still on Branded GP. (Hence the comparison...upgrade, or shift)

 

[pasorrijer]

As an end user, we use Zscalar and however IT set it up, it Just Works(Tm) and has been pretty seemless.

Realize that's not the analysis you may be looking for but it beats a lot of other options I've used.

 

[Pervis]

One last question though: would you do ZIA without ZPA or vice versa?

It depends where your users are and what they need to access. If you need an always on cloud-hosted FWaaS to access public hosted applications and protect Internet access then all you need is ZIA. If you need to provide remote access to internally hosted resources, then you need ZPA. Practically speaking, you’re probably going to need both unless 100% of your internal infrastructure is managed in the cloud.

I’ve got about 2 years experience in the Zscaler ecosystem. Despite the marketing hype, Zscaler is in no way ready to effectively replace an SD-WAN.

 

[ajpope85]

Yeah if that were me, I would be on the phone with Zscalar to get that figured out, I could never live with that kind of daily frustration and uncertainty whether it was my fault or theirs, etc.

Not just with zscaler but with other internal teams as well. We're highly siloed and after five years of experience, I've finally realized that means that security, network, and proxy all have their own shit to deal with and you can't assume that everyone did their due diligence ESPECIALLY the app teams.

No one asks network and security if we can handle an additional ten gigs on a ten gig inet connection that's already 80% utilized going through a pair of security devices with a combined throughput of 20 gigs, also with a utilization above 50%.

Shockingly, the answer is no.

 

[ajpope85]

It depends where your users are and what they need to access. If you need an always on cloud-hosted FWaaS to access public hosted applications and protect Internet access then all you need is ZIA. If you need to provide remote access to internally hosted resources, then you need ZPA. Practically speaking, you’re probably going to need both unless 100% of your internal infrastructure is managed in the cloud.

I’ve got about 2 years experience in the Zscaler ecosystem. Despite the marketing hype, Zscaler is in no way ready to effectively replace an SD-WAN.

Replace an sdwan? What does that mean? Is zscaler trying to say they're going to figure out your routes and priorities for you? I don't have much experience yet in this kind of stuff but that kinda sounds like technomagic.