CISCO MERAKI VS. PALO ALTO NETWORKS

OVERVIEW AND CHALLENGES

Overview

Cisco Meraki offers wireless, switching, security, enterprise mobility management, and security camera products, all centrally managed from the cloud without a local UI. Meraki’s strength is its focus on ease of use with cloud management and zero-touch provisioning, integrated Wi-Fi/3G/4G, and basic SD-WAN capabilities. Its weaknesses are limited security features, lack of integration with other (even Cisco) security products, and limited configuration options.

Cisco acquired Meraki in 2012, and it remains an independent business unit.

Appliance Overview

Appliance | Interfaces* | Throughput** | List Price
MX64/65 | 5x GbE, 12x GbE | 200 Mbps | $600 / $1K
MX67/68 | 5x GbE, 12x GbE | 300 Mbps | $700 / $1K
MX84 | 10x GbE, 2x SFP | 320 Mbps | $2K
MX100 | 9x GbE, 2x SFP | 650 Mbps | $5K
MX250 | 2× 10G SFP+, 8× GbE RJ45, 8× GbE SFP, 8× 10GbE SFP+ | 2,000 Mbps | $10K
MX450 | 2× 10G SFP+, 8× GbE RJ45, 8× GbE SFP, 8× 10GbE SFP+ | 4,000 Mbps | $20K

* All models support 3G/4G via USB modem. MX64-68 can be ordered with a Wi-Fi option.
** “Advanced Security Throughput” according to datasheet.

Sales Plays

Start with Ease of Use and Zero-Touch Deployment

Cisco Meraki will not lead a customer conversation with security. Their story revolves around the cloud-managed WLAN and switching capabilities. The Meraki Dashboard demo resonates well with customers and can easily be flipped from a demo to a sale.

Counter by steering the conversation toward security features. Force the Meraki team to bring in Firepower Threat Defense. Only FTD can provide enterprise-grade security features, but it still struggles with stability and maturity. Show how easily our Next-Generation Firewall integrates with the rest of our Security Operating Platform.

Position Meraki Instead of Firepower Threat Defense

Cisco Security sales teams like to bring Meraki into deals because of its ease-of-use story and to avoid a proof of concept with FTD.

Counter by showing Meraki’s poor security features, which are not enterprise ready. Nobody in the industry still uses a negative enforcement model and separate L3/L7 policies (see “How to Compete” on the other side). Force them to bring in FTD for a bake-off.

Leading Questions

CIOs, CISOs | Directors of IT/InfoSec | Security Manager
As your organization expands, how will you address its increasing security needs? | Can your security vendor cover data center, branch, and mobile workforce use cases? | Does your vendor meet your enterprise requirements and allow granular control over your next-generation firewalls?
Is your existing cybersecurity prepared for the move to the cloud? | How will you ensure full visibility and consistent security across networks, cloud (including SaaS), and endpoint? | Does your vendor automatically integrate your next-generation firewalls into their security architecture?
Do you have a security platform that delivers consistent security across all deployment scenarios? | How much time do you spend on integrating standalone security products? | Does your sandbox product support Windows 10, macOS, and Linux to prevent unknown malware?

© 2019 Palo Alto Networks, Inc. | Cisco Meraki vs. Palo Alto Networks | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
HOW TO COMPETE

Cisco Meraki Is Not Enterprise Ready

Meraki MX lacks important enterprise features and limits configuration options to the bare minimum. Basic security features, such as intrusion prevention, antivirus, and URL filtering, are not part of the “Enterprise License.” Advanced security features, such as credential theft prevention or threat feed integration, are not available at all. The lack of IPv6 support and SSL decryption capabilities results in severely reduced visibility.

Cisco Meraki Is Not Integrated with the Larger Cisco Security Ecosystem

Meraki uses its own application identification database and a third-party URL database instead of SenderBase, which is used by Umbrella, FTD, and IronPort. Existing integrations require additional licenses (e.g., Threat Grid, Umbrella). The Meraki Dashboard can only manage Meraki devices. This necessitates separate cybersecurity approaches for data centers, SaaS applications, endpoints, and cloud deployments. All of this reduces threat information sharing and automation, reducing visibility and increasing the cost of security operations.

Cisco Meraki Does Not Offer On-Premises or On-Box Firewall Management

Meraki firewalls are constantly connected to the central cloud management (the Meraki Dashboard). The two-way communication between firewall and Meraki’s management cloud is encrypted and cannot be inspected by customers. The same tunnel is used for troubleshooting by Meraki Support. Several customers share a given slice of the cloud management, and it’s possible for one customer to crash the whole slice, resulting in an outage for all customers on that slice, during which none of the firewalls can be accessed because there is no local interface or web UI.

Cisco Meraki Is Prone to Misconfiguration

Meraki MX has separate Layer 3 and Layer 7 firewall policies and implements a negative enforcement model. Having L3 (port/protocol) rules separate from the L7 (application) rules makes the firewall prone to misconfiguration. In addition, every ruleset has a built-in static rule at the bottom that allows any traffic to and from any port. Unless explicitly denied in the L3 or L7 policies, all traffic will be allowed. It is a best practice to deny all traffic and selectively enable applications allowed in the corporate environment.

Feature Comparison Matrix

Feature | PAN-OS 9.0 | Cisco Meraki MX15*
Enforcement model | Positive (default to deny all) | Negative (default to allow all)
Natively engineered security platform | Yes | No (limited AMP, Umbrella [DNS only], and Threat Grid [HTTP only] integration)
Application identification | Natively supported | Identification based only on IP and domain; no granularity
Intrusion prevention system | Fully customizable | Limited to three presets; no customization beyond whitelisting of signatures
Supported OS for sandbox malware analysis | Windows, macOS, Linux | Windows only
In-line antivirus | Natively supported | No (only hash lookup with AMP and a limited set of file types)
SSL decryption | Yes | No visibility into HTTPS
URL filtering | Natively supported | Third party (BrightCloud)
Multi-dimensional URL filtering | Yes | No
Credential theft prevention | Yes | No
Integration of third-party threat intelligence | Yes (via MineMeld) | No

* MX15 is a release candidate. As of July 2019, MX13 is the stable release, but Cisco will sell on features contained in the latest beta release.

OBJECTION HANDLING

“Palo Alto Networks is difficult to use.”

Cisco Meraki emphasizes ease-of-use, but this comes at the expense of enterprise-grade security features and configuration options. What is good enough for small businesses is not suitable for the complex threat landscape of enterprises. Only a Meraki-exclusive environment benefits from the simple Meraki Dashboard, but every customer will need additional security controls. This increases complexity and operational costs.

“Nobody gets fired for buying Cisco.”

Cisco has a strong brand reputation in routing/switching, and customers expect the same level of quality in Cisco’s cybersecurity products. In reality, Cisco is struggling to build a comprehensive, intuitive, and effective cybersecurity platform based on various acquisitions. Meraki is an independent business unit, and the integration with other Cisco security products is minimal. Firepower Threat Defense and Meraki use different application ID databases, URL databases, and management interfaces. There is no integration with Talos besides the ability to submit Windows malware samples via Threat Grid or the hash-based lookup of known threats with AMP.

For more competitive information go to compete.paloaltonetworks.com or your NextWave Partner Portal.

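The enforcement-model difference described under “Cisco Meraki Is Prone to Misconfiguration”, as an added Python example that is not part of the original document: a simplified rule evaluator that lists the flows passing only because of an implicit allow-any rule. The rule format, flow fields, and sample rules are constructed assumptions, not Meraki or PAN-OS configuration syntax.

```python
from dataclasses import dataclass

# Simplified model for illustration; rule format and values are constructed,
# not Meraki or PAN-OS configuration syntax.
@dataclass(frozen=True)
class Flow:
    proto: str
    port: int
    app: str  # application label as an L7 classifier would report it

L3_DENY = {("tcp", 23), ("tcp", 445)}   # port/protocol denylist
L7_DENY = {"bittorrent"}                # application denylist
ALLOW = {("tcp", 443, "web-browsing"), ("udp", 53, "dns")}  # positive policy

def negative_model(flow, l3_deny=L3_DENY, l7_deny=L7_DENY):
    """Two separate denylists, then the built-in allow-any rule at the bottom."""
    if (flow.proto, flow.port) in l3_deny:
        return "deny: L3 rule"
    if flow.app in l7_deny:
        return "deny: L7 rule"
    return "allow: implicit allow-any"

def positive_model(flow, allow=ALLOW):
    """One policy of explicit allows, then an implicit deny-all."""
    if (flow.proto, flow.port, flow.app) in allow:
        return "allow: explicit rule"
    return "deny: implicit deny-all"

def unintended_allows(flows):
    """Flows that pass only because no denylist entry happens to match them."""
    return [f for f in flows
            if negative_model(f) == "allow: implicit allow-any"
            and positive_model(f).startswith("deny")]

# Constructed sample traffic.
FLOWS = [
    Flow("tcp", 443, "web-browsing"),
    Flow("tcp", 23, "telnet"),      # caught by the L3 port rule
    Flow("tcp", 2323, "telnet"),    # same application, port not listed at L3
    Flow("tcp", 6881, "bittorrent"),
    Flow("tcp", 3389, "ms-rdp"),    # never mentioned in either denylist
    Flow("udp", 53, "dns"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "|", negative_model(f), "|", positive_model(f))
    print("passes only via allow-any:", unintended_allows(FLOWS))
```

The telnet flow on port 2323 shows the gap between the two rulesets: the application was blocked by port at L3 but never listed at L7, so it reaches the allow-any rule.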
