If you need layer 7 features in the

If you need layer 7 features in the enterprise, you should definitely look into Palo Alto. I believe PAN has some of the best implementations for features like URL filtering and user identity if you need them in a high-end firewall. Personally, I don't think those features should ever be enabled in a high-end firewall, but management gets what management wants. That said, don't trust the marketing specs because you'll need a lot more hosepower. The central management for PAN is a straight-forward web-based interface. It's good for sharing objects and policies as well as config pieces. It is not nearly as user-friendly as Check Point. Support is very hit-or-miss with slower response times. Upgrades are easier than CP but not as easy as Cisco. If you get into the CLI, of a Palo Alto firewall, you will see a ripoff of the Junos CLI. I'm not sure how they got away with that, but it's actually a plus for PAN. VPN config is granular, similar to Junos. Clustering is easier than Cisco, but I wouldn't put it ahead of the other vendors. In the experience I've had with PAN, the main low points were in the limitations (always waiting on the next version for something you need), capacity, and stability. Those are symptoms of a younger vendor, and they may have improved in the last year or so.