Tasked with implementing a firewall into a small business. Need help

If you have $0 to spend, you are not getting cisco.

pfSense, Snort, AlienVault, and Quad9 DNS. When you set them up right you end up with a much better security posture.

That said, his org is likely rife with local admin accounts and heuristic-based AV, so it’s only a matter of time till they get crypto’ed.

Tell your boss that the task is a bit over your head for now, but that you can come up with something in 6 months. It’ll be good for you to have a North Star, so to speak, in terms of pushing yourself to learn something.

Honestly, if you don’t have a firewall protecting your network, AD is the least of your worries. If your company is that small, I’m not even sure I would recommend implementing AD at all where you are right now. Get your general security baseline in a better place first. I’d start looking at simpler device management systems/services. Whether you use Microsoft (Intune) or someone else doesn’t matter as long as it fits your budget and your needs. Then (or simultaneously) start looking at identity management. Again, there are numerous options. Some require far less time to manage than others. I’ll take properly managed JumpCloud over a poorly managed AD every day.

A PA-440 would be plenty for the OP. These are not expensive.

Or the opposite: deny all, then add allows :slight_smile: In this context there is no firewall, so better than nothing, right?

I worked with a senior network engineer who had 5000 rules in the firewall,
allow this port UDP/TCP this IP, that IP on and on and on, then bottom of the list… allow all any any - Genius!
Took me about a year to reduce that down to 500 rules.
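The rule-ordering problem in this post and the “deny all, then add allows” post above, shown with an added example that is not code from anyone in the thread: a first-match policy evaluator plus a small audit that flags an “allow any any” catch-all and the rules it shadows. The two rulesets are constructed for the example; the `Rule` fields and the audit wording are my own assumptions, not any vendor’s syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, vendor-neutral form (assumed layout)."""
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR such as "10.0.0.0/8", or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # destination port; None means any port

    def is_catch_all(self) -> bool:
        # Matches every packet: proto/src/dst/port are all wildcards.
        return (self.proto == "any" and self.src == "any"
                and self.dst == "any" and self.dport is None)

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int,
             implicit: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation, as most firewalls do it: the first matching rule
    decides; a packet matching nothing falls through to the implicit default."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, idx
    return implicit, None


def audit(rules: List[Rule]) -> List[str]:
    """Flag an 'allow any any' and every rule sitting below a catch-all.
    An explicit 'deny any any' at the bottom is normal and is not reported,
    but anything placed after it is still unreachable."""
    findings: List[str] = []
    first_catch_all: Optional[int] = None
    for idx, rule in enumerate(rules):
        if first_catch_all is not None:
            findings.append(f"rule {idx} is unreachable: shadowed by catch-all rule {first_catch_all}")
            continue
        if rule.is_catch_all():
            if rule.action == "allow":
                findings.append(f"rule {idx} is 'allow any any': the implicit deny never applies")
            first_catch_all = idx
    return findings


# Constructed sample: the pattern from the post, specific allows then a "temporary" allow-all.
LEGACY_RULESET = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.1.1.10/32", 443),
    Rule("allow", "udp", "10.0.0.0/8", "10.1.1.53/32", 53),
    Rule("allow", "any", "any", "any", None),        # the catch-all
    Rule("deny", "tcp", "any", "10.1.1.10/32", 22),   # never evaluated
]

# Constructed sample: default deny at the bottom, allows added above it.
DENY_ALL_RULESET = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.1.1.10/32", 443),
    Rule("allow", "udp", "10.0.0.0/8", "10.1.1.53/32", 53),
    Rule("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    # SSH from an outside address to the server: allowed by the catch-all in one
    # ruleset, dropped by the explicit deny in the other.
    print(evaluate(LEGACY_RULESET, "tcp", "192.168.5.5", "10.1.1.10", 22))
    print(evaluate(DENY_ALL_RULESET, "tcp", "192.168.5.5", "10.1.1.10", 22))
    for finding in audit(LEGACY_RULESET):
        print(finding)
```

Running the audit over an exported ruleset before cleanup shows exactly which entries are dead weight below the catch-all, which is the list you would work from when cutting 5000 rules down to 500.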

Seriously? The “one year of support left” on a recommendation of a device that is probably old enough to vote wasn’t enough to convey sarcasm?

Definitely. I suspect the 800s must be getting an update soon with how hard the new 400s are cutting their lunch.

If they don’t have AD to start with I wouldn’t bother implementing it now. I’d go direct to AAD and Intune.

Why do you suggest Azure AD over implementing an on-prem AD now?

PANs are ridiculously complex. The guy would be calling support or a consultant every time they need to upgrade firmware or GlobalProtect. They have nothing right now, they need a basic firewall appliance, not the Cadillac of firewalls that requires a dedicated engineer just to manage the things Meraki literally does automatically or at the click of a button (talking about config backups, firmware updates, Internet circuit failover, site-to-site VPNs, etc., etc.). Just no.

Agreed… Almost the same thing I said

You’re missing the point - you’re going to find a lot more techs capable of correctly designing, implementing, and administering a Cisco, Fortigate, etc. in the SMB space - because of that, unless you plan to stay with the company forever and never take vacations - the wiser financial choice for the company is a more expensive retail solution.

Also the all-in-one UTM, VPN, et al. functionality.

a senior network engineer

allow all any any

WTF…

AD is a legacy technology; in fairness, on-prem anything is legacy these days. If anyone even suggests putting in a new local AD environment I’d question their sanity and technical competence. Cloud IDPs and management aren’t the future, they are the now.

Doing simple things with PA firewalls is no more difficult than on any other enterprise-grade appliance, and in some ways is far simpler than doing an equivalent action on a Cisco. For example, the whole concept of security zones makes crafting policy much easier to understand for the layperson, as opposed to Cisco’s ACL-based plus security-level-based approach. PA’s inspection logic also allows you to simply start out with a default permissive policy, then as the device operates, you can identify and classify traffic and create rules as you go. Good luck doing that with Cisco.

Why do I need these “all-in-one” guys who can only work with stupid and expensive stuff, while any sysadmin with his hands and brain working correctly can save lots of money for the company, especially if it’s a small business? You know man, these guys jumping from job to job are also a bad choice. I won’t invest in expensive all-in-one shit just to make specialists comfortable.

Yep, needless to say he didn’t last…

AD is not legacy, and on-prem servers are not legacy. We implement new ADs frequently for existing companies, depending on their needs. We also have clients that are purely AAD. “It just depends” is the right answer.

We have been moving some users into an Azure AD environment. We do use Office 365 and recently are moving users here onto the new Windows 365 cloud VMs so they can do all of their work on there and we can monitor it through Azure AD.

You’re the one who just encouraged OP to take the same approach. How do you think that any any got there? It was “temporary”.

Never trust the department to give a shit about helping you refine security while everything is working. If you want them to care, get permission to lock something down, even if it’s just one user’s workstation. That guy becomes your best friend in reverse engineering all the rules.

Unless, you know, the application’s network requirements are actually documented accurately someplace. And money rains from the sky.

I’m sure there are limited scenarios where a new local AD still makes sense, I can’t think of any though. Are you servicing some niche markets?