GlobalProtect is Palo Alto’s signature VPN solution within its comprehensive portfolio of enterprise cybersecurity products, but is it the right choice for your organization?
Remote working has been thrust into the forefront of every corporate mobile strategy over the course of the past few weeks. While many had contemplated implementing complex cloud, zero-trust, remote access solutions before these trying times, most have retreated to the safe and reliable VPN.
It hasn’t been a smooth journey, to say the least. Some of the most trusted names in VPN technology are some of the oldest and most traditional. Think Cisco AnyConnect, Pulse Secure, Microsoft Direct Access and yes, Palo Alto’s GlobalProtect.
These legacy VPNs were initially built as a way for select employees to access on-site resources from elsewhere in a secure fashion. They were designed in an era when remote access was done on a small scale in fixed environments.
Tunneling 100% of your workers’ traffic from a multitude of devices back to the home network is a very different challenge. Some VPNs are no match for the demands of today’s workers who are in most cases completing every aspect of their job outside of the office.
Palo Alto’s GlobalProtect
To assist in your journey to find the optimal remote access solution for your business, we’ve taken a deep dive into GlobalProtect to assess its merits and flaws.
Architecture
GlobalProtect is a small part of a much larger security ecosystem provided by Palo Alto. In fact, the solution requires the use of Palo Alto’s hardware-based firewall solution. If you’re already using this technology, you’re in luck, however if you must purchase it, you could be looking at significant delays due to the current disruptions in the supply chain.
Reliance on physical appliances also means challenges when scaling a VPN across an organization. Increasing capacity requires a significant infrastructure investment (it’s not a simple as just adding another server).
If fluctuations in workers requiring VPNs are expected, IT teams should instead look to software-based VPNs, which can be installed on any physical server or even in the cloud, such as in Azure or AWS, allowing for significantly more flexibility.
When to choose GlobalProtect
- GlobalProtect is best for organizations who are well-resourced with existing Palo Alto infrastructure. Companies who choose to use GlobalProtect should have a defined number of users that is unlikely change in the near future.
When to choose something better
- GlobalProtect is poorly suited for organizations with limited IT management resources, especially those that require simpler, quicker deployments and have unpredictable scaling requirements. Leaders should look for a software-based VPN solution instead.
Performance
GlobalProtect is at its heart a VPN designed to keep your enterprise mobile traffic secure. The technology however doesn’t, pay much attention to the user experience that comes along with this. As a result, GlobalProtect demonstrates many of the traditional pain points associated with legacy and hardware-based VPN solutions.
For instance, disconnects are inevitable. The technology does not persist sessions if a connection is lost, nor does it allow for seamless roaming between networks. It does not compress or optimize traffic effectively. On a perfect network, with an amazing connection, a typical user would be unaware of the drawbacks of GlobalProtect, however as soon as bandwidth deteriorates, the solution struggles.
In a closed testing environment, NetMotion was shown to perform 4x faster than Palo Alto using a degraded Wi-Fi connection.
When to choose GlobalProtect
- GlobalProtect works ideally in controlled environments where the speed and bandwidth of network connections is not an issue. Users should not have to move around very much in their environments or rely on more than one network or source of connectivity.
When to choose something better
- Palo Alto’s VPN is not optimized for environments where networks can be unreliable or slow. If a user is dependent on multiple networks or is mobile whilst working, GlobalProtect will likely result in time wasted re-authenticating and managing lost connections. Leaders should look for a mobile-first, optimized VPN that improves the employee experience.
Visibility and control
GlobalProtect makes a point of providing admins with an aesthetically pleasing console for them to visualize and monitor network connections. A plethora of data is available, however limited information is available when it comes to remote devices. Exploring the dashboards, only one view is available for devices located outside of the four walls of the office.
When it comes to policy controls, GlobalProtect markets “extending consistent security policies to all users while eliminating remote access blind spots to strengthen your security.” While it does have the ability to implement policy controls, this functionality is almost non-existent for remote connections. Palo Alto doesn’t have the flexibility to implement dynamic policies. Any policy that is utilized is a generic one used for network traffic going through the firewall.
When to choose GlobalProtect
- GlobalProtect works for organizations who don’t need to implement mobile policy for specific situations or devices. It is best for IT teams who would like to implement a ‘one size fits all strategy’ and who don’t rely on visibility for networks they don’t own to ensure mission-critical tasks get done.
When to choose something better
- GlobalProtect is not the optimal solution for those teams who want complete, granular visibility into the mobile workforce to diagnose and resolve issues efficiently. Those organizations who find compliance and controls especially important should not rely on GlobalProtect to implement granular policy actions. IT leaders should seek a solution that includes more a powerful, context-aware policy engine.
Setup & support
When it comes to setup and configuration, there are a wealth of resources online for Palo Alto’s GlobalProtect. A simple google search brings up a long list of YouTube videos and user forums.
Taking a closer look however, there appear to be many instances of users having issues with installation and configuration. With over 30 steps to complete, it seems to be fairly easy to get confused and even brought to a standstill.
Per some user reviews, connecting with an actual Palo Alto support agent can be tricky and sometimes an unhelpful experience overall. Some helpdesk agents also appear to be outsourced, or located offshore, meaning getting back in touch with someone you’ve spoken to before is near impossible.
When to choose GlobalProtect
- GlobalProtect works for IT teams with an abundance of resources who don’t mind spending the time required to troubleshoot with a helpdesk during configuration or when issues arise. Always-on connectivity should not be a must-have for those organizations who opt to use this VPN solution.
When to choose something better
- GlobalProtect doesn’t work well for teams who require consistent connectivity and immediate helpdesk support when issues arise. Companies with teams who will be working remote for an extended period of time may wish to leverage a solution that provides a simplified configuration process as well as real-time support.
To sum up
GlobalProtect has and will continue to be a standard, straight-forward choice for organizations requiring VPN solutions, especially those with existing Palo Alto infrastructure. For a number of companies, this technology has simply worked for them thus far, and they’re happy with the value being derived from their investment.
As the dependence on remote work continues to grow however, some organizations are expressing a need to deploy a simplified, scalable, secure, VPN solution that gives them visibility and control over the mobile workforce.
They’re not only looking for security, but for a solution that will ensure their employees will be able to stay productive while working remotely. That’s where solutions like NetMotion start to make more sense.
NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly important. It today supports over 3000 organizations and one million workers that cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.
