Palo Alto Networks is the culprit behind Cisco's -8.4% FY11 security sales decline
Fri, 8/12/11 - 2:25pm    View comments

Update 8-22-11:

Network World confirms Dual CCIE #18532 Security/R&S - George Morton was correct in his assessment that Palo Alto Networks is the culprit behind Cisco's security sales decline:

"Palo Alto Networks has injected excitement and innovation into the firewall market with its 'next-generation' appliances that combine traditional firewalls, threat mitigation technologies such as anti-malware and intrusion prevention, and the new magic dust of application identification."

Palo Alto earns short list status
 

Cisco reported a respectable +7.9% net sales increase for FY11.

Additionally, 6 of Cisco's 9 sales product reporting categories had robust average FY11 sales increases of +22.9%.

Anxiously though, 2 of those 9 product categories, switches and video connected home (representing 41% of Cisco's total FY11 net sales), had slight to negligible sales declines of less than -1%.

However, what really caught my attention was the unusual -8.4% drop in Cisco's FY11 security sales.

So why would that specifically catch my attention?

Well, mostly because 25-days ago, security vendor Check Point Software Technologies reported a 2nd Quarter Y/Y (Year-over-Year) sales increase of +15%.

Meanwhile by comparison this week, Cisco reported that its 4th Quarter Y/Y (Year-over-Year) security sales dropped a worrisome -21%.

Wow I thought, so I put in a call to my Cisco security expert, Dual CCIE #18532 Security/R&S - George Morton, to find out why Cisco's security sales were in such a steep decline.

Naturally, I expected Morton to blame the well known Check Point as the "culprit" in Cisco's security sales misfortune, but I was quite surprised to learn that according to Morton it was tiny little-known firewall vendor Palo Alto Networks causing the Cisco security sales decline.

Heck, even though I'm already familiar with Palo Alto Networks because of previous blog stories that I've posted, I'm still surprised.

I mean, what possibly could tiny little Palo Alto be doing to upstage the mighty Cisco?

Well, Morton basically confirmed what Palo Alto Networks stated in its press release August 1st:

"We are rapidly replacing the firewalls the incumbent vendors have sold to enterprises over the past 15 years."

However Cisco security expert, Dual CCIE #18532 Security/R&S - George Morton, added a slight twist:

"Palo Alto Networks is taking your firewall services from 1995 and moving them to 2012."

View the Palo Alto Networks online product demo.
 

Gartner Magic Quandrant for Enterprise Network Firewalls - March 15, 2010
 

Gartner's take on Cisco Systems:

Although marketed otherwise, Cisco security products do not require Cisco networking equipment to be present, nor does having Cisco networking equipment mandate Cisco security products.

Through its acquisition of IronPort, Cisco has strong product offerings across the network security, Web security and email security tiers. Cisco has continued to consolidate its security products into a single business unit. Gartner believes that Cisco is in a strong position to launce "security as a service" and data-center-specific security offerings.

Cisco firewalls have not seen any noteworthy changes in 2009; however, Gartner forecasts that changes within the Cisco security unit will be realized with increased competitiveness from 2H10 through 2011.

Cisco is assessed as a challenger for enterprises because we do not see it continuously displacing leaders based on vision or feature, but instead through sales/channel execution or aggressive discounting for large Cisco networks when firewall features are not in high demand.

Gartner's cautions about Cisco:

1. Where Cisco firewalls were shortlisted, but not selected, quality and usability of the management console, Cisco Security Manager (CSM), were consistently the factors most often cited.
2. Two products, usually CSM (Cisco Security Manager) and CS-MARS (Cisco Security Monitoring, Analysis and Response System) are required for most management functions, whereareas competitors have a single product.
3. Cisco firewall and security products continue to have one of the highest rates of published product vulnerabilities. Although Cisco is a high-profile target, security products must have a higher level of assurance than general-pupose products.
4. The ASA line is becoming somewhat dated and, although Gartner expects Cisco to introduce new models. Cisco often is excluded from placements with high throughput. Cisco's Firewall Services Module (FWSM) and ISR have been on a separate firewall development stream (closer to the PIX code base) and haven't benefited from ASA advances.
5. The requirement to add a hardware module (the AIP-SSM) to add IPS capability to the ASA firewall appliance remains a barrier to deployment and a competitive disadvantage for branch-office deployments. The add-in module does, however, provide processing help with the deep inspection load. If the SSM module is used for IPS, then it cannot be used for other content inspection.
6. Cisco remains elusive on competitive firewall shortlists by Gartner customers. Cisco firewall products are selected more often when security offerings are added to Cisco's infrastructure, rather than when there is a shortlist with competing firewall appliances. Cisco was listed by competitors as the product they most replace. This is likely to change as the PIX replacement cycle ebbs. This is not a strong caution, given Cisco's market share.

1. The Cisco support network is a strong positive for larger customers.
2. The vendor has strong channels, broad geographic support and the availability of other security products.
3. The integration of reputation features across Cisco security products is a highly significant feature differentiator that is often missed in enterprise selections.
4. Its Adaptive Security Appliance (ASA) has the option to add an IPS module (AIP-SSM) to replace a stand-alone IPS. The ASA is available in four editions, which clearly define what safeguards are being purchased.
5. Cisco offers a wide choice in firewall platforms. The primary offering is the stand-alone firewall/VPN ASA, with firewalls also available via the Firewall Services Module blade for Catalyst switches, and on Cisco's IOS-based Intergrated Services Router (ISR).
6. Cisco has significant market share in security (including having the largest market share for firewall appliances), has wide geographic support and is viewed as a significant (second-highest)enterprise competitive threat by the vendors we surveyed.

Gartner's take on Palo Alto Networks:

Palo Alto Networks has been selling firewalls since approximately 2007. Although essentially a startup, Palo Alto Networks is not a typical startup, because the company is well backed, including first-tier venture capitalists; the founders are alumni from other firewall companies; and the CTO invented stateful protocol inspection. The company's application ID feature was one of the first in the firewall market to categorize applications within HTTP/HTTPS.

Palo Alto Networks is highly disruptive within the firewall market because the product has been designed as a next-generation firewall and has competitors being forced to change road maps and sell defensively.

Palo Alto Networks is assessed as a visionary vendor mostly due to its next-generation firewall design, redirection of the market along the next-generation firewall path, and market disruption forcing leaders to react.

Gartner's cautions about Palo Alto Networks:

1. Palo Alto Networks has a limited number of models (PA-500 Series, PA-2000 Series, PA-4000 Series, PA-5000 Series).
2. Palo Alto Networks has limited geographic support, with almost all sales in North America, although its international channel is growing.
3. Opportunistic selling into the SWG and URL-filtering market can confuse some customers that Palo Alto Networks is not a firewall company.
4. The PA series of firewalls does not yet have the third-party certifications that are important to this market, such as Common Criteria for Information Technology Security Evaluation and FIPS.

1. Gartner customers report that Palo Alto Networks' appliance performance is good.
2. Palo Alto Networks generated the most firewall inquiries among Gartner customers in 2009.
3. Active Directory integration allows for firewall rules based on user and resource roles, rather than IP addresses.
4. The firewall and IPS are closely integrated, with App ID implemented within the firewall, obviating unnecessary IPS deep inspection.
5. Palo Alto Networks often enters enterprises via URL-filtering selections, where its per-box charge does better than most competitors that charge a per-user fee.
6. The company has also linked the Application ID feature to Active Directory, meaning that reporting and setting the application policy can be by name and organization, rather than by IP address alone.
7. Palo Alto Networks was early to introduce effective application identification (App ID), allowing for categorizing, blocking and rate-shaping of applications, primarily within HTTP and HTTPS, and it generally leads in application categorization.

Unconfirmed rumor Cisco offered $2.5 billion to buy Palo Alto Networks and was turned down

View the insiders cashing in IPO shares at Palo Alto Networks

Palo Alto earns short list status

Download for FREE - Enterprise Application Firewalls for Dummies

What's the biggest firewall issue for enterprises?

Quarterly unrecognized revenue cash receipts from Cisco's two-tier distributors dropped -21% Y/Y

Cisco's Q4'FY11 operating cash flow, product gross margin and router sales sequentially declined

What's your take?

Subscribe to Brad Reese speaks out

1. Cisco's Q4'FY11 operating cash flow, product gross margin and router sales sequentially declined
2. 1,826 Cisco WebEx and collaboration employees guillotined by Tandberg executives
3. Cisco discounts Nexus 7000 switch -76% to win Purdue University's Hansen Cluster bid
4. New management structure of Cisco CEO John Chambers: The Cloud
5. Cisco insight series: Expendable Cisco business units and employees
6. Discord between Cisco engineers and Cisco technical marketing appears rampant
7. How Cisco defeats HP in blade server deals
8. Brian Schipper senior vice president of human resources bolts Cisco
9. Cisco CCIE R&S count dropped a staggering -1,052 in only ten months
10. First 2 Cisco Certified Architects (CCAr) jump to HP Networking
11. Cisco CEO John Chambers ranked 10th in restricted stock grant compensation among the 350 biggest public company CEOs
12. Cisco's restructuring embeds operating committee, councils, boards and working groups deeper into Cisco's new management structure
13. Cisco's 2011 voluntary enhanced early retirement program (EER)
14. Cisco Nexus 5010 and 5020 vs. Arista 7124S and 7148SX competitive lab test
15. Cisco's CRS-3 flexible packet transport vs. Juniper's T series, JCS1200 and PTX series
16. Why Cisco CEO John Chambers has got to go!
17. Did Brad Reese tee up Cisco CEO John Chambers as a defendant in a new insider trading class action lawsuit?
18. Cisco Nexus 5548P vs. Arista 7148SX, IBM BNT G8264 and Juniper EX4500 competitive lab test
19. Cisco vice president Inder Singh named in insider trading scandal
20. View archive of Brad Reese speaks out