• Home
  • Meraki MX vs. Palo Alto Networks NG Firewalls

Meraki MX vs Palo Alto Networks NG Firewalls comparison

Cancel
You must select at least 2 products to compare!
Fortinet Logo
Fortinet FortiGate
Read 306 Fortinet FortiGate reviews
120,425 views|88,209 comparisons
90% willing to recommend
Cisco Logo
Meraki MX
Read 59 Meraki MX reviews
3,311 views|2,387 comparisons
93% willing to recommend
Palo Alto Networks Logo
Palo Alto Networks NG Firewalls
Read 164 Palo Alto Networks NG Firewalls reviews
25,488 views|16,293 comparisons
96% willing to recommend
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
Meraki MX vs. Palo Alto Networks NG Firewalls
May 2024
Executive Summary
Updated on May 30, 2022

We performed a comparison between Meraki MX and Palo Alto Networks based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Most Meraki MX users say that the initial setup is straightforward. Some Palo Alto Networks users say the initial setup is straightforward, while others say it is complex.
  • Features: Users of both products are happy with their performance, stability, and scalability. Meraki MX users praise its advanced filtering and write that it is flexible and easy to use. Several Meraki MX users mention that they would like better visibility. Palo Alto Networks users like its central dashboard and say that it is reliable with good integration options. Several Palo Alto Networks users would like to see the solution’s logging and reporting improved.

  • Pricing: Most Meraki MX users feel that it is reasonably priced. In contrast, Palo Alto Networks reviewers feel that it is an expensive product.
  • ROI: Users of both solutions report being satisfied with the ROI.
  • Service and Support: Reviewers of both products report being satisfied with the level of support they receive.

Comparison Results: Both products received high marks from users. Meraki MX has a slight edge in this comparison. According to its reviewers, it is easier to deploy and more reasonably priced than Palo Alto Networks.

To learn more, read our detailed Meraki MX vs. Palo Alto Networks NG Firewalls Report (Updated: May 2024).
Download the complete report
772,649 professionals have used our research since 2012.
Featured Review
James-Jiang
Researched Palo Alto Networks NG Firewalls but chose Fortinet FortiGate: Reduces our remediation time and our operational expenses
The visibility that FortiGate provides into our devices is crucial for network segmentation. I want to see the output in a specific way. The... Read more →
Thomas Davis
Offers simple cloud-based management in a stable, scalable solution with responsive technical support
The solution makes firewall management simple and easy, so other people in my organization can manage the firewalls, not just me.
Anonymous User
Provides a unified platform that natively integrates all security capabilities
It provides a unified platform that natively integrates all security capabilities. This communication between security devices or security... Read more →
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The multi-tenancy feature is most valuable. It integrates very well with FortiManager and FortiAnalyzer.""User-friendly and affordable security solution that's recommended for SMB customers. This solution has good technical support.""The simplicity of the product is great. It's very easy to use, which is a compliment we get all the time in terms of feedback.""It has improved our organization with control data.""Its user interface is good, and it is always working fine.""Initial setup is straightforward. There weren't too many issues with setting it up. It takes one hour or so.""The technical support in our region is excellent.""Customers want to load balance more than eight lines or six internet lines. FortiGate is the only solution that can accomplish this."

More Fortinet FortiGate Pros →

"I like the automatic firmware updates. We use the Active Directory to authenticate VPN users.""What I like best about Meraki MX is that it's easy to deploy remotely. The product works. It has automatic updates. I also like that Meraki MX is a brilliant device. You turn it on, stick the key in there, activate it, and then you're done. Meraki MX does what my customers need at the end of the day, so I also like that.""Its ease of configuration and management is very useful for us and for other companies that don't have an onsite IT person. It is easy to configure and easy to manage. It is easy to configure the VPN with the Auto VPN feature.""A strong, reliable solution for small companies with little or no dedicated IT department.""MX is easy to manage, configure and install.""The solution is easy to set up.""Managed centrally over the web: You can manages all your Meraki devices in a single account.""The features we have found most valuable are the firewall and the monitoring tools."

More Meraki MX Pros →

"The user ID, Wildfire, UI, and management configuration are all great features.""The DNS sync code in your filtering is the most valuable feature of the Palo Alto Networks NG Firewalls.""You can easily integrate it with Active Directory, and you can use the GlobalProtect VPN for internal and external purposes. The URL Filtering is also clear and the application filtering is a plus. The application filtering is much better when you compare it to FortiGate or other firewall vendors.""One of the things I really like about it is that we have the same features and functions available on the entry-level device (PA-220), as do large corporations with much more costly appliances.""The solution is scalable""I like that it has high security.""DNS Security is a good feature because, in the real world with web threats, you can block all web threats and bad sites. DNS Security helps to prevent those threats. It's also very helpful with Zero-day attacks because DNS Security blocks all DNS requests before any antivirus would know that such requests contain a virus or a threat to your PC or your network.""I like the sandbox feature, and it's very good. It kills each malware deployment in the sense of signatures within five minutes. So, we can secure our network and infrastructure very well within the stipulated time. The WildFire functionality is very good because a few files are also getting blocked. It's critical as malware attacks are also getting ignored, and the logging is very well maintained in this firewall. The most valuable solutions in this field are application-based firewalls. That is the main criteria of the firewall and functionality. We can get all the logs related to this and each and every packet. I like that the firewall is working as an application. The application-based entity we have deployed is well maintained and working very well. We were able to find lots of vulnerabilities when we deployed it, but we could not disclose all. But there were vulnerabilities we could block by updating the firewall and taking actions on clientside machines. So, we got to know that we have lots of vulnerabilities inside the organization too, and we took lots of steps and resolved the number of vulnerabilities. Palo Alto Networks NG Firewalls is an all-in-one solution. It provides every entity log, which is a very good functionality of this firewall. It gives every packet and aspect that the firewall is performing through its logs, and it does it very well. This firewall's unified platform helped eliminate multiple network security tools. If anyone uses P2P sites, cryptocurrency websites, or any illegal sites, we can block it easily. It gives us a proper alert for these kinds of sites, and it properly secures our network. Monitoring is the best thing we are doing here, and we can block this kind of vulnerability as soon as it comes to us."

More Palo Alto Networks NG Firewalls Pros →

Cons
"Fortinet FortiGate could improve by adding enhancements to FortiMail, FortiSOAR, and FortiDeceptor.""Lacks training for new features.""You do need some IT knowledge in order to effectively work with the solution.""It would be a benefit if Fortinet would release a one-stop solution that is better integrated with other products and an automated emergency response system.""Fortinet FortiGate could improve if it had a cloud-managed solution.""The way everything is set up could be easier. Currently, people need a lot of experience and knowledge to administer it and to link it to devices.""In terms of what could be improved, the SD-WAN is quite difficult, because if you install the new box, 15 is okay, but if you change from an old configuration, if there is already configuration and a policy when you change to SD-WAN, you must change the whole policy that you see in the interface.""If they had better integration with security products, such as Cisco ISE or Rapid Threat Containment, then it would be an improvement."

More Fortinet FortiGate Cons →

"The security is not as strong as it could be""The product could incorporate tools like ThousandEyes into the system so we can see things directly.""More detail needed for configuration of the VPN.""We feel that Cisco provides smaller features, with fewer possibilities versus other solutions out there.""They need to improve the link between Meraki and Active Directory.""Expensive licensing and firewall stops immediately working if the license is not renewed at expiration date.""I do not have the kind of feature I need for SSL decryption in Meraki MX. It would be great to see the SSL decryption feature in Meraki MX.""The product is quite complex to set up."

More Meraki MX Cons →

"The solution could offer better pricing. We'd like it if it could be a bit more affordable for us.""They could improve their support and pricing and maybe integration. It's a little more expensive that Check Point but the quality is better. Integration with firewall endpoints could be better. Palo Alto does have very good malware or antivirus protection. I think they could improve on that front.""As things are evolving, we want to make sure that Palo Alto is able to keep up with what is going on outside. They should continue to do more intelligence-related enhancements and integrate with some of the other security tools. We want to have a more intelligent toolset down the road.""The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.""Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it.""Everything has been great. More machine learning would be something great to see, but I don't know if it's a priority for Palo Alto.""The solution doesn't support routing in virtual firewall creation, and we want that to be enabled.""The VPN connectors should be better. We had some challenges in terms of the VPN with Palo Alto Networks NG Firewall, and that's one of the main reasons why we moved to Sophos. Its load handling can also be improved. There were challenges when traffic was high. During peak business hours, it did not function very well. There was a lot of slowness, and the users used to complain, especially when they were connecting from outside. We even reported this to the support team. Their support should also be improved. Technical support was a bit of a concern while using this solution. We didn't get very good support from the Palo Alto team."

More Palo Alto Networks NG Firewalls Cons →

Pricing and Cost Advice
  • "Fortinet has one or two license types, and the VPN numbers are only limited by the hardware chassis make."
  • "These boxes are not that expensive compared to what they can do, their functionality, and the reporting you receive. Fortinet licensing is straightforward and less confusing compared to Cisco."
  • "Go for long term pricing negotiated at the time of purchase."
  • "Work through partners for the best pricing."
  • "The value is the capability of having multiple services with one unique license, not having the limitation per user licensing schema, like other vendors."
  • "Easy to understand licensing requirements."
  • "​We saved a bundle by not needing all the past appliances from an NGFW.​"
  • "The cost is too high... They have to focus on more features with less cost for the customer. If you see the market, where it's going, there are a lot of players offering more features for less cost."

    • More Fortinet FortiGate Pricing and Cost Advice →

  • "It can always improve pricewise regarding throughput."
  • "It is more expensive than other solutions, but it is a cloud-managed network solution and support is given at the moment you call. That give a very big plus."
  • "The Meraki UTM is excellent when you buy the Advanced Security license. If you buy a different license you lost all the valuable functions."
  • "Pricing varies as per the type of license."
  • "Meraki is also expensive, but it's a little bit less expensive and it's easier to configure than Cisco ASA."
  • "The price varies depending on the hardware platform as well as the type of license and whether you're adding security or not."
  • "The license cost depends on the box. We acquired a different product line. We are dealing with MX appliance now, that is, MX6, MX54, MX100, MX250, MX450. Every box has got an identity, and it has got its own specification. Every box has got a different license fee. We deployed Meraki MX in UAE when it was not a mature product. We took a risk, but we were successful. We saved a huge amount of money after implementing and removing all the MPLS and leased lines. We got a broadband connection because Meraki MX could work on a broadband connection. We have drastically saved a very good amount of money, which was one of the successful things apart from the successful solution."
  • "The price is slightly increased, but reasonable."

    • More Meraki MX Pricing and Cost Advice →

  • "Annually, the licensing costs are too much."
  • "Pricing is yearly, but it depends. You could pay on a yearly basis, or every three years. If you want to add a device or two, there would be an additional cost. Also, if you want to do an assessment, or other similar add-on, you have to pay accordingly for the additional service."
  • "It will be worth your time to hire a contractor to set it up and configure it for you, especially if you are not very knowledgeable with PA firewalls."
  • "Don't buy a device with more power than you really need, because licensing depends on the cost of the box you have."
  • "The licensing is annual, and there aren't any additional fees on top of that."
  • "The price of this product should be reduced."
  • "The pricing is competitive in the market."
  • "This is an expensive product, which is why some of our customers don't adopt it."

    • More Palo Alto Networks NG Firewalls Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Firewalls solutions are best for your needs.
    See Recommendations
    772,649 professionals have used our research since 2012.
    Questions from the Community
    Which is the better NGFW: Fortinet Fortigate or Cisco Firepower?
    Top Answer: When you compare these firewalls you can identify them with different features, advantages, practices and usage at… more »
    Read all 3 answers   →
    What is the biggest difference between Sophos XG and FortiGate?
    Top Answer:From my experience regarding both the Sophos and FortiGate firewalls, I personally would rather use FortiGate. I know… more »
    Read all 13 answers   →
    What are the biggest technical differences between Sophos UTM and Fortine...
    Top Answer:As a solution, Sophos UTM offers a lot of functionality, it scales well, and the stability and performance are quite… more »
    Read all 11 answers   →
    Fortigate 60d vs. Meraki MX67 for a small company without a dedicated IT ...
    Top Answer:We have Meraki Mx devices now, we are looking to replace them. But that is because the Meraki MX platform lacks SSL… more »
    Read all 4 answers   →
    Which is better - Meraki MX or Cisco ASA Firewall?
    Top Answer: Cisco Adaptive Security Appliance (ASA) software is the operating software for the Cisco ASA suite. It supports… more »
    Read all 2 answers   →
    What Is The Biggest Difference Between Fortinet FortiGate and Meraki MX F...
    Top Answer:Meraki equipment requires a current license in order to operate. This also gets you hardware replacement and tech… more »
    Read all 18 answers   →
    What is a better choice, Azure Firewall or Palo Alto Networks NG Firewalls?
    Top Answer:Azure Firewall Vs. Palo Alto Network NG Firewalls Both solutions provide stellar stability and security. Azure… more »
    Features comparison between Palo Alto and Fortinet firewalls
    Top Answer:In the best tradition of these questions, Feature-wise both are quite similar, but each has things it's better at, it… more »
    Read all 4 answers   →
    Which is better - Palo Alto Networks NG Firewalls or Sophos XG?
    Top Answer:Palo Alto Networks NG Firewalls have both great features and performance. I like that Palo Alto has regular threat… more »
    Read all 2 answers   →
    Comparisons
    Also Known As
    FortiGate 60b, FortiGate 60c, FortiGate 80c, FortiGate 50b, FortiGate 200b, FortiGate 110c, FortiGate
    MX64, MX64W, MX84, MX100, MX400, MX600
    Palo Alto NGFW, Palo Alto Networks Next-Generation Firewall
    Learn More
    Fortinet
    Cisco
    Video Not Available
    Palo Alto Networks
    Overview

    Fortinet FortiGate enhances network security, prevents unauthorized access, and offers robust firewall protection. Valued features include advanced threat protection, reliable performance, and a user-friendly interface. It improves efficiency, streamlines processes, and boosts collaboration, providing valuable insights for informed decision-making and growth.

    Cisco Meraki MX appliances are next-generation firewalls with all the advanced security services needed for today’s IT security. The appliances are ideal for organizations considering a unified threat management (UTM) solution for branch offices, data centers, distributed sites, or campuses. Since Meraki MX is 100% cloud-managed, installation and remote management are simple and zero-touch.

    Meraki MX’s hardware and virtual appliances are configurable in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform, and private cloud support is offered through Cisco NFVIS and Alibaba Cloud.

    Organizations of all sizes and across all industries rely on Meraki MX to deliver secure connectivity to hub locations or multi-cloud environments, as well as application quality of experience (QoE) through advanced analytics with machine learning.

    Cisco Meraki’s advanced QoE analytics offers:

    • End-to-end health of web applications at a glance across the LAN, WAN, and application server.
    • Autonomous machine-learned smart application thresholds applied to identify true anomalies that are based on past behavioral patterns.
    • Ability to monitor the health of all MX WAN links across an entire organization.
    • Ability to detail hop-by-hop VoIP performance analysis across all uplinks.

    Cisco Meraki’s SD-WAN offers:

    The Meraki MX’s SD-WAN is unique in that it can be easily extended to deliver optimized access to resources in public and private cloud environments with virtual MX appliances. Its SD-WAN lowers operational costs and improves the performance of remotely-accessed resources. Users can ensure the availability of the apps and services their employees use most through dynamic path selection, policy-based routing, support for application-layer profiles, and VPN.

    Meraki MX offers industry-leading cloud management that has template-based settings which can scale easily from small deployments to tens of thousands of devices. It features an intuitive web-based dashboard for managing mobile devices, united firewalls, switching, and wireless LAN. Users can also benefit from role-based administration, configurable email alerts for a variety of important events, and easily auditable change logs. Meraki MX is capable of producing summary reports with device, user, and application details archived in the cloud.

    Meraki MX Key Features

    MX has a robust suite of network services in an all-in-one device, which saves you money by eliminating the need for multiple appliances. These services include:

    • SD-WAN capabilities
    • SNORT®-based intrusion detection and prevention
    • Layer 7 fingerprinting
    • Web caching
    • Application-based firewalling
    • Anti-malware
    • Geo-based firewalling
    • Content filtering
    • Site-to-site auto VPN and client VPN
    • Web search filtering
    • Cisco Advanced Malware Protection (AMP)
    • 4G cellular failover
    • Dynamic path selection
    • Web application health and VoIP health

    Reviews from Real Users

    Meraki MX stands out among its competitors for a number of reasons. Two major ones are its easy management and its ability to be accessed remotely. Below is some feedback from PeerSpot users who are currently using Meraki MX as their firewall security solution.

    Craig B., a central services engineer at Liberty Technology, writes, “The web console for managing everything keeps everything on Meraki and keeps us from going somewhere else. It is why I think a lot of people like Meraki. Comparing it to SonicWall or even a different Cisco firewall, like traditional ASAs, managing Meraki is a thousand times easier because of fluidity. You don't have to rebuild a table just to change one rule. It's much more readable for a human.”

    Edgardo C., an IT director, notes,”By using the VPN, we can connect remotely. We have two offices, and we could connect them through the VPN. We could establish a network between two sites, and that has improved and increased communication and productivity. Our remote site is able to access the server remotely.”

    Palo Alto Networks NG Firewalls are next-generation firewalls used for security to protect networks from threats and attacks. It is used for perimeter security, data center protection, and managing secure access to environments. Users highlight the NGFW's effectiveness in providing comprehensive security without impacting network performance. Users appreciate its ease of use, particularly in setup and ongoing management, making it a favored choice for businesses looking to secure their cloud environments.

    The firewall provides application control, malware protection, scalability, stability, user-friendly interface, threat hunt capabilities, application visibility and awareness, URL filtering, traffic monitoring, machine learning for attack prevention, a unified platform for all security capabilities, DNS security, VPN, and embedded machine learning. Palo Alto Networks NG Firewalls is easy to manage, reliable, and balances security and network performance well. It also provides complete visibility through logs and alerting.

    Palo Alto Networks NG Firewalls Features

    Palo Alto Networks NG Firewalls has many valuable key features. Some of the most useful ones include:

    • Secure Application Enablement (App-ID, User-ID, Content-ID)
    • Malware Detection and Prevention (threat prevention service, buffer overflows and port scans, anti-malware capabilities, command-and-control protection, and WildFire)
    • DNS Security (URL filtering, predict and block malicious domains, signature-based protection, extensible cloud-based architecture)
    • Panorama Security Management (including graphical views and analytics, manage rules and dynamic updates, customizable application command center (ACC), log collection mode, physical or virtual appliance)
    • Threat Intelligence (high-fidelity threat intelligence, priority alerts, automatic extraction and sharing of prevention indicators, native integration with Palo Alto Networks products)

    Palo Alto Networks NG Firewalls Benefits

    There are several benefits to implementing Palo Alto Networks NG Firewalls. Some of the biggest advantages the solution offers include:

    • Dedicated management interface for managing and initial configuration of the device
    • Regular threat signatures and updates
    • Import addresses and URL objects from the external server
    • Configure and manage with REST API integration
    • Great throughput and connection speed is fair even in high traffic load
    • Deep visibility into the network activity through Application and Command Control
    • Easy to manage and very user friendly

    Reviews from Real Users

    Below are some reviews and helpful feedback written by Palo Alto Networks NG Firewalls users.

    A Solutions Architect at a communications service provider says, “The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us. An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications.”

    PeerSpot user Gerry H., CyberSecurity Network Engineer at a university, mentions that the solution has a “Nice user interface, good support, is stable, and has extensive logging capabilities.” He also adds, “Wildfire has been a very good feature. This solution provides a unified platform that natively integrates all security capabilities, which is 100% important to us. This is a great feature.”

    Eric S., Network Analyst at a recreational facilities/services company, states, "With its single pane of glass, it makes monitoring and troubleshooting a bit more homogeneous. We are not looking at multiple platforms and monitoring management tools. It is more efficient from that perspective. It is more of a common monitoring and control system for multiple aspects of what used to be different systems. It provides efficiency and time savings."

    Sample Customers
    1. Amazon Web Services 2. Microsoft 3. IBM 4. Cisco 5. Dell 6. HP 7. Oracle 8. Verizon 9. AT&T 10. T-Mobile 11. Sprint 12. Vodafone 13. Orange 14. BT Group 15. Telstra 16. Deutsche Telekom 17. Comcast 18. Time Warner Cable 19. CenturyLink 20. NTT Communications 21. Tata Communications 22. SoftBank 23. China Mobile 24. Singtel 25. Telus 26. Rogers Communications 27. Bell Canada 28. Telkom Indonesia 29. Telkom South Africa 30. Telmex 31. Telia Company 32. Telkom Kenya
    Hyatt, ONS
    SkiStar AB, Ada County, Global IT Services PSF, Southern Cross Hospitals, Verge Health, University of Portsmouth, Austrian Airlines, The Heinz Endowments
    Top Industries
    REVIEWERS
    Comms Service Provider16%
    Computer Software Company9%
    Financial Services Firm8%
    Manufacturing Company7%
    VISITORS READING REVIEWS
    Educational Organization20%
    Computer Software Company15%
    Comms Service Provider7%
    Manufacturing Company6%
    REVIEWERS
    Comms Service Provider25%
    Computer Software Company13%
    Financial Services Firm6%
    Non Tech Company6%
    VISITORS READING REVIEWS
    Educational Organization22%
    Computer Software Company16%
    Comms Service Provider5%
    Government5%
    REVIEWERS
    Comms Service Provider15%
    Financial Services Firm14%
    Computer Software Company13%
    Educational Organization9%
    VISITORS READING REVIEWS
    Computer Software Company16%
    Financial Services Firm9%
    Manufacturing Company7%
    Government7%
    Company Size
    REVIEWERS
    Small Business48%
    Midsize Enterprise23%
    Large Enterprise30%
    VISITORS READING REVIEWS
    Small Business28%
    Midsize Enterprise32%
    Large Enterprise40%
    REVIEWERS
    Small Business56%
    Midsize Enterprise26%
    Large Enterprise18%
    VISITORS READING REVIEWS
    Small Business30%
    Midsize Enterprise32%
    Large Enterprise38%
    REVIEWERS
    Small Business36%
    Midsize Enterprise27%
    Large Enterprise38%
    VISITORS READING REVIEWS
    Small Business25%
    Midsize Enterprise17%
    Large Enterprise58%
    Buyer's Guide
    Meraki MX vs. Palo Alto Networks NG Firewalls
    May 2024
    Free Report: Meraki MX vs. Palo Alto Networks NG Firewalls
    Find out what your peers are saying about Meraki MX vs. Palo Alto Networks NG Firewalls and other solutions. Updated: May 2024.
    DOWNLOAD NOW
    772,649 professionals have used our research since 2012.

    Meraki MX is ranked 2nd in Unified Threat Management (UTM) with 59 reviews while Palo Alto Networks NG Firewalls is ranked 6th in Firewalls with 164 reviews. Meraki MX is rated 8.2, while Palo Alto Networks NG Firewalls is rated 8.6. The top reviewer of Meraki MX writes "Cost-effective, simplified, easy to manage, and reliable with advanced security features and granular visibility". On the other hand, the top reviewer of Palo Alto Networks NG Firewalls writes "We get reports back from WildFire on a minute-by-minute basis". Meraki MX is most compared with Cisco Secure Firewall, Sophos XG, SonicWall TZ, Netgate pfSense and SonicWall NSa, whereas Palo Alto Networks NG Firewalls is most compared with Check Point NGFW, Azure Firewall, Sophos XG, Netgate pfSense and Cisco Secure Firewall. See our Meraki MX vs. Palo Alto Networks NG Firewalls report.

    See our list of best Firewalls vendors.

    We monitor all Firewalls reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.