Hi Everyone - my company currently uses a “Traditional” client VPN solution and we are focusing on Prisma Access and Zscaler as a replacement. I like the idea of the service connections for Prisma; the connectors that run on a VM/container for Zscaler were unexpected, but I do like what they are capable of doing.
We are heavy on all workstation OSs - Windows, macOS and Linux.
Also, the environment consists of public/private clouds.
Any annoyances that have come up for you or clear improvements for your team and employees?
Big one - if you have apps with server to client connections, like voice/video calling, the ZPA doesn’t really work (but Prisma Access should be fine).
We have about 5500 users on ZIA/ZPA. I like that we can use Conditional Access to hook our cloud apps in so that if a user turns ZIA off, they can’t get into 365 and the like.
The initial setup for per-host access was a bit tedious, but it’s kicking butt so far. And we’re a Zoom house, not seeing any issues with chat, video or phone calls.
I work for a fintech with 2.6K+ concurrent Zscaler ZPA users. We’ve had very little issue with the product, and the issues we did have were nitpicking. Did a proof of value for ZIA and it was terrible, so we passed on that. Nice thing about Zscaler is that they run their own datacenters and are not reliant on AWS like Twingate.
We use Palo Alto for our firewall (PA3,5k) and SD-WAN (Prisma). When we were doing the “Gen 1” zero trust products we thought Prisma was still too much like a traditional VPN and weren’t fans of GlobalProtect.
During the eval we looked at Twingate and something else. We didn’t eval Cloudflare or the Okta product as they didn’t meet the requirements at the time.
We’re a Mac shop mostly, with 10% PC, with App Connectors in AWS and on prem. Overall pretty happy with the product.
Also look at Cloudflare Zero Trust; we initially looked at Zscaler but Cloudflare had interesting pricing and a nice solution.
It integrates nicely with your IAM, allowing you to give network access depending on department / role. The self-hosted application policies are also really handy: in 2 minutes I have published an internal app with a VPN client requirement and HTTPS encryption with a nice domain name.
I did a full PoC for Prisma Access for remote access and can honestly say I enjoyed the experience. Integration with our existing on-prem datacenters was simple, and I was up and functional within a few days.
There were a few hang ups that may be resolved by now (AD integration and no ability for on-prem Panorama management). This was gauged to replace multiple standalone Pulse Connect Secure VMs staggered across on-prem datacenters, but the stakeholder driving the use case left the company.
The pros far outweighed the cons, but it was not the cheapest option (like everything with Palo Alto).
Zscaler doesn’t provide consistent protection between ZIA and ZPA, so as long as you don’t need malware protection/DLP on your private apps, it should do fine and usually cheaper than Prisma.
Cloudflare, iboss and Cato Networks are also worth a look.
Well, we are a bit too far into this to start evaluating other products. This is a client VPN replacement for users that are primarily remote in a corporate/enterprise environment. I’m hoping to get some replies from engineers that are or were in a similar situation with these 2 products; both look promising so far.
No, it was a shortcoming of their product at the time. This was pre-COVID. We had to use their Panorama in their cloud to manage Prisma Access, and our on-prem one to manage on-prem. Sounds like that shortcoming was indeed corrected (as I alluded to).
I’ve looked at both but have spent much more time with Zscaler.
Both are good products. A few things that spring to mind are: Zscaler has loads of management portals, PAN has much fewer. Zscaler logs are not good, PAN’s are much better. With Zscaler you really need to export to a SIEM for decent logs, which may be an additional license. Zscaler is a more mature product so it has a bunch of little things that PAN doesn’t, and there is some good UBA-based dynamic policy stuff roadmapped. Zscaler’s cloud is much larger than PAN’s. The Zscaler client is better than PAN’s imo, and there are the machine tunnels, which are very useful. Zscaler can be a painful company to work with, so go through a reseller instead if you can.
I’ve tested both pretty heavily. They are pretty standard for VPNs (or rather this new flavor of VPN). Zscaler has some nits with their certificates if you’re using their inspection capabilities. They also have some quirks with routing, DNS, etc., but it’s hard to tell what issues you’ll run into without knowing more about your setup. Whatever you do, I’d just make sure to heavily test it against your target workflows and employees to see if you “discover” any issues.
They are solid products but are pretty heavyweight and their support is pretty lackluster (at least in my experience as a smaller company, but YMMV).
If you have the time, I second the suggestion to tinker with a few other products. Twingate, Cloudflare, etc. all have free tiers, so it’s no cost and easy to get up and running. I tested a bunch of these in my homelab for months. Twingate is really slick and is what most of my buddies are looking at vs ZS and PAN if you’re just looking to provide network access and not interested in the filtering, inspection, etc.