Thanks for such a detailed comparison. I would like give some input on what I have found working with CISCO ASA.

Out-of-Band Management Interface: Cisco – No true out of band you would need an external out of band manager that you are using for the rest of your gear.

Browser-based GUI: Cisco – Java is a bummer but not a deployment killer. After you, VPN in you can manage via ASDM if you want.

In-Band Interface Management Profiles: Cisco – I think this give you better control, very few people should have access via a few interfaces.

Single Security Policy: I have worked with PA, and you have to set a new policy for every network you want to connect to. On a Cisco ASA, you simply do an OBJ and then control access via the ACL. You can do an ACL in the VPN if you want.

Zone-Based Security Policies: PA if you 20 networks you need twenty policies and if these networks need to talk to 10 on the other side that 200 policies. Cisco you just set up the OBJ and control via ACL. So much cleaner and faster.

Network Objects in Slash-Notation: I do not see this as a big deal some might.

Tags: That would be nice to have

Managing all Un-Committed Changes: Cisco – No you can make as many changes as you want then click apply. You will see the CLI lines that will be changed before they are deployed so you can double check your work. I may be missing your point.

Simple Renaming of almost Everything: This would be a nice to have. OBJ in the ASA cannot be renamed way to go Palo Alto.

Configuration Log: We Use Opmanager device expert for more than just who did what. You can set up AAA logging in the ASA then sent the logs to a log server so you have all your devices activates in one place. Cisco router have had this feature for years and I do not remember when I have ever used it.

Traffic Log Filtering: Cisco – This is super easy in a Cisco ASA.

Adjust Columns: Cisco Most columns are adjustable

Application Command Center: Cisco has had this since the Pix days. It is on the main dashboard of the ASDM, or you can do it via CLI.

Route-Based VPN: You can do route base with a router and encrypt the traffic via the ASA. There are other ways to make traffic selection if needed when the base IPSec does not suit your needs. NO GRE yet……

IKE Policy per VPN: Cisco – True on the IKE, but you can add or delete any protocol you want, and you can granularly control IPSEC for every tunnel.