Palo Alto Networks has no illusions that a product on the market less than a year is going to have the feature set and depth that enterprise competitors Check Point, Cisco, and Juniper are offering. And, because most of the staff from Palo Alto are veterans from Check Point, Cisco and Juniper, they were careful to design the PA-4020 so that it could be put behind (or in front of) an existing firewall at either layer 2 or layer 3.
But the reality is that if this device is going to play in the enterprise with the three big cheeses, it has to offer enterprise firewall features. Customers with lots of money to spend might find they can afford a PA-4020 and their existing firewall, but the PA-4020 will have to succeed on its own to be worth its asking price.
We found — unsurprisingly — that the PA-4020 doesn't have the feature set and depth that enterprise competitors do. The basics are definitely in place, and the PA-4020 has a strong showing out of the gate. Features such as virtual LANs, a combination of layer 2 and layer 3 firewall in the same device, built-in captive portal, and virtual systems all go into the advanced feature bin.
But other basic firewall features, such as network address translation, VPN, dynamic routing and high-availability options, are all fairly primitive in this initial implementation on the PA-4020. For example, simple and very common NAT policies like "translate everything leaving this interface to the address of the interface" have to be worked around and can't be put into place easily. At the other end of the scale, complex NAT and virtual IP policies are equally difficult to put into place and configure.
Similarly, the VPN is missing configuration features that will let it interoperate with all other standards-based IPSec implementations. This last complaint is a bigger deal than it sounds, because you wouldn't put a Palo Alto box at a branch office — the smallest system it sells is a 500Mbps device, not really competitive with small-office devices from Check Point, Cisco, Juniper or SonicWall. So VPN interoperability is important if this is to be a central firewall.
These deficits underscore that, at this stage, the PA-4020 is neither designed to be a central firewall nor capable of being one. What the PA-4020 is designed for is being a user-protective firewall — one placed in front of hundreds or thousands of end users, typically trying to go to the Internet. Palo Alto has sacrificed some of the central site features it would take to replace a mammoth Check Point/Nokia system by focusing on an area where the competition doesn't do very well: user control and protection.