
PALO ALTO NETWORKS PANORAMA VS. CISCO FMC
PANORAMA OVERVIEW

Panorama™ network security management reduces network complexity with logical device groups; simplifies management with easy, global policy control; and reduces network dwell time for threats by highlighting critical information for response prioritization. Industry-leading automated threat correlation enables detection of advanced threats that would otherwise go unnoticed by connecting the dots between indicators of compromise (IOCs) across your entire network.

Panorama also helps you automate threat responses through policy-based actions and API-based integrations with third-party systems that would otherwise need manual intervention.

Panorama offers the same look and feel as any Palo Alto Networks Next-Generation Firewall (NGFW) PAN-OS® management interface, so you’re up and running with Panorama in no time.

Leading Questions

Audiences: CIO, CISO; Director of IT or InfoSec; Security Managers

• As your organization expands, how will you address growing security management needs?
• Can your security vendor cover data center, branch, and mobile workforce use cases?
• Does your vendor meet your requirements and allow granular control over your NGFW deployment?
• How will you ensure full visibility and security across networks, clouds (incl. SaaS), and endpoints?
• Is your security management product prepared for the move to the cloud?
• Does your vendor automatically integrate your NGFW into their security architecture?
• Do you have a platform that delivers consistent security across all deployment scenarios with unified management?
• How much time do you spend trying to integrate separate security products?
• Does your security management reduce operational complexity, configuration errors, and opex costs?
Look and feel:
[Figure: management interface screenshots, labeled PAN-OS and Panorama]

Panorama Highlights
• Intuitive, powerful policy control with a single security rule base.
• Enterprise-class management capabilities, hierarchical device groups, template stacks, and more.
• Actionable traffic and threat insights with the powerful Application Command Center (ACC).
• Scalable and flexible deployment options.
• Aggregated logging and event correlation across NGFWs, the Cortex™ suite, and Prisma™ Access.

[Figure: Sample ACC Widget]

© 2020 Palo Alto Networks, Inc. | Palo Alto Networks Panorama vs. Cisco FMC | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1

Through 2020, 99% of firewall breaches will be caused by simple misconfigurations, not flaws.1

FIREPOWER MANAGEMENT CENTER OVERVIEW

• Legacy in Sourcefire 3D Defense Center for IPS. Not designed for NGFWs. Paired with a lot of technical debt, this results in performance issues even on the largest models.
• Limited to former Sourcefire products. Only light integration with AMP, Umbrella. No integration with Meraki, Viptela, Duo Security, Stealthwatch.
• Mutually exclusive to local UI. Switching between local and central wipes all configuration.
• Will probably be replaced with cloud-based CDO, but this has been in development since 2017. Both are mutually exclusive, and the firewall needs to be migrated from the central FMC management to the local FDM management.
• Local config of the firewall is not stored on FMC.
• Only recently added to Cisco Threat Response, but still limited data sharing with the cloud.
• Still the most feature-complete management UI compared to CDO and FDM. No feature parity between UIs. FDM, for example, was not able to reboot the appliance until FTD 6.5.
• Migrations between FMCs are only supported from lower to higher models. Migration from KVM or Microsoft Azure® is not supported.

FIREPOWER CENTRAL MANAGEMENT

[Figure: Firepower management options. Cisco Defense Orchestrator: cloud-hosted management (1,000, 2,100 only; 4,100/9,300 planned). Firepower Management Center. Adaptive Security Device Manager (ASDM): ASA configuration of ASA+Firepower on 5585-X. Firepower Device Manager: local management (not on 5585-X). Connector labels: Or, Requires.]

Admin Interface | Description | Required For
Firepower Chassis Manager (FCM) | FXOS GUI | Interface and clustering setup on 4100 and 9300; ASA licensing
Firepower Device Manager (FDM) | Local UI for FTD (FDM and FMC are mutually exclusive) | Local device management; connection to CDO
Firepower Management Center (FMC) | Central UI for FTD | Policy configuration; device management; visualization and reporting; FTD licensing
Cisco Defense Orchestrator (CDO) | Cloud-based UI (CDO and FMC are mutually exclusive) | Cloud-based management of 1000, 2100, 4100, and 9300

• CDO/FDM and FMC are mutually exclusive
• ASDM and FMC are both required for ASA+Firepower devices
• CDO and FDM are still in early stages of development
• No feature parity between any of the user interfaces (GUI or CLI)
• Most customers will require a mix of these UIs depending on use case

1. “Technology Insight for Network Security Policy Management,” Gartner, February 21, 2019.

HOW TO COMPETE

Panorama Does Commits in Parallel
FMC does commits in a serial fashion, resulting in long commit times. If a single commit takes 10 minutes (not unusual), then pushing a policy out to 500 firewalls with FMC takes 80+ hours.

Panorama Is Easy to Troubleshoot
Generic error messages like “Commit failed, call Cisco TAC” are not uncommon with Firepower. FMC leverages several different web and database technologies under the hood, each of which is an additional point of failure that requires its own troubleshooting.

Panorama Is the Only Central Management for Palo Alto Networks NGFWs
FMC is only one of five different ways to manage Firepower devices. Each admin interface has its own capabilities, and many of them are needed on a daily basis.

Logging
FMC was designed as an IPS management system, not built to deal with the considerably larger event volumes generated by firewalls. Customers typically have only one day of log storage on the box and quickly have to offload events to log collectors or SIEM systems. Database crashes on FMC regularly require TAC intervention, involving custom SQL commands, to repair one or more databases.

OBJECTIONS

“Panorama is expensive.”
Cisco gives FMC away for $350, but any potential savings on the capex side are reversed by the higher opex expenses. FMC has many limitations that require labor-intensive workarounds.

“Panorama is complex.”
Look, touch, feel, and workflow are unified with PAN-OS. Customers with hybrid environments of ASA, ASA+Firepower, and FTD need to know multiple admin interfaces, such as ASDM for ASA, FMC or FDM/CDO for FTD, and various command lines (CLIsh, FXOS). There is no feature parity between any of the GUIs.

Feature Comparison Matrix

Feature | Panorama 9.1 | Firepower Management Center 6.5
Max. managed firewalls | Up to 5K per appliance/VM, and 50K+ w/ Panorama Interconnect | Up to 750 on largest appliance, but closer to 100 in reality
Supported firewalls | All | FTD, ASA+Firepower (FP part only), NGIPS. Not supported: ASA, Meraki, Viptela, Duo, Stealthwatch
NOC/SOC view (IOC/network activity/apps/patterns) | Yes, configurable Application Command Center (included) | Yes, static widgets with long load times
Correlation engine | Yes | No
Logging | Yes | Limited; logs are typically offloaded
Rule usage/audit | Natively supported | No
Embedded L4 to L7 policy migration | Yes (Policy Optimizer) | No
High availability | Natively supported | Yes, but only between same hardware; failover requires manual interaction
Hypervisor support | VMware, AWS, Azure, GCP | VMware, KVM, AWS, Azure

ADDITIONAL RESOURCES

Competitive intel (internal only):
compete.paloaltonetworks.com
Partners:
paloaltonetworks.com/partners/nextwave-partner-portal/help-me-sell/competitive
