topic Re: What is still missing or needs to be improved in PA Next Generation Firewalls ? in General Topics

What is still missing or needs to be improved in PA Next Generation Firewalls ?

mario.chancay — Mon, 16 May 2011 22:56:07 GMT

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thks

Mario

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

stanislavm — Tue, 17 May 2011 14:02:39 GMT

plz, make your docs more clear! and add detailed overview for var options and settings!

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

migration — Tue, 17 May 2011 17:39:56 GMT

I couldn't agree more on the documentation side of things. There is the admin guide which shows you how to configure common options and services but doesn't actually tell you what you are doing or what the not so common options are.. Then you have the CLI reference which is nothing more than a command tree of the CLI. They are missing the part that descibes the options and the settings.

I would also like to see better troubleshooting of sessions and why they were terminated. Currently from a looking back sort of perspective it is impossible to tell why a particualr session ended which as caused a lot of issues in my deployment.

Oh and I would also like the bug in the 4.0.x of the PA-5000 series for packet filters to be fixed. I currently can't do any packet level troubleshooting because filters don't work at all.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

thesa — Thu, 19 May 2011 10:23:03 GMT

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

A: Better QA, we have had 3 x DOA boxes

B: Solid state hard disks across the whole product range

C: When adding a device to Panorama, the ability to import the firewall configuration.

But the ACE t-shirts are cool -) So don't stop that -)

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

pjswiderski — Thu, 19 May 2011 13:32:44 GMT

More DLP features. Even a default set of predefined filters (SSN, Credit Card #, etc) would be a nice start.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

wayne_webner — Fri, 20 May 2011 18:18:06 GMT

Ideally following would be nice, some background>

Situation:

When ever i get malware infected client (missed by PA and most of us are SSL decrypted) the one common link i can see is that the user unwittingly (lets hope) downloaded a .EXE file from an unknown ( URL filter classification) source. Id like to be able to link the file blocking profile ( with all its derivatives) to the URL classification profile so that if a user goes to a site which falls in the "unknown" category then they will be able to browse only .. not download .EXE and other type extensions.

Suggestion:

URL filtering is compliance based / not really security. Threat management (Malware engine in the instance) on the PA (security based) has all but stopped a handful of virus's in recent time, i need the latter two to work together linked to File blocking profile to be more effective.

The logic exists between APPID and file blocking... lets extend that to include URL filtering.

Ps, im sure my regional service rep is sick of me asking for this..:-)

( and if i understand PANOS 4 "drive by downloading" feature then this req is not really the same, i may be wrong )

cheers

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

zanonibs — Sat, 21 May 2011 15:55:23 GMT

Required:

Better DLP support (quite bad right now) and integration with outbound email control & block
SSLVPN portal for clientless connection. A client for mobile (Iphone/Android) and linux is also quite useful.
A deeper integration between rules/applications and URL filtering

Useful in the future:

Seamless user notification when policies are violated.
Large log & monitoring SSD for all devices
Packet Fowing test section in order to verify rules, nat, profile group, url filtering. Cisco and Websense have a section like this and is great for troubleshooting & quick deployment.

PA has now a great product and with other imporvements may become the real leader of network security firewall.

Keep the good job!

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

shadowpeak — Sun, 22 May 2011 04:27:30 GMT

Must Have:

- Better integration between the wealth of documents in KnowledgePoint and the PAN-OS Administration Guide. As an example the "How to Set Up and Configure High Availability PANOS 3.1" should be referenced/hyperlinked right in the "Setting Up High Availability" section of the Administration Guide.

- Ability to verify speed/duplex of an interface from the web GUI

Nice to Have:

- The option to execute at least some elements of the test command ("test security-policy-match", "test routing", "test nat-policy-match") against the candidate configuration instead of the running configuration. Would be very handy to verify behavior of a new rule/route prior to a commit.

- Ability to delete an old saved config from the web GUI

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

migration — Mon, 23 May 2011 12:51:27 GMT

Must have:

- separated reporting and logging per Device Groups/Access Domain in Panorama environment. Currently I can only choose between VSYS, nothing else and is a bit frustrating compared to FortiAnalyzer 🙂

- Better quality (and always updated) documentation on ALL available features whit a lot of case studies/real scenario (a la Juniper, for istance)

- Better filter group in Vulnerability Protection profile and an improved management feature related to Vuln Profile.

- AV, Vulnerability, AntiSpyware Exception by IP address (is totally unuseful by ID, because I can exclude a server not affected but not the entire signature and working with many profile and many rules is not a clean way)

Nice to have:

- MLPS/OSPF/BGP inspection. i.e what's inside an MPLS tunnel? Many customer are asking me this feature (not simple solution..)

- a series more little then 500. Many Italian customers asking for some firewall up to 100 Mbps, to better compete with Fortinet (also in terms of pricing)

Thanks

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

dagibbs — Tue, 24 May 2011 05:48:49 GMT

mario.chancay wrote:

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thks

Mario

Documentation, Documentation, Documentation.

Without being too blunt, the documentation stinks. It needs cleared explainations, better grammar, and real-world examples instead of useless classroom types so people can sort things out without running to support. if you want examples, look at how Cisco do it.

Support, Support, Support.

I've had a discussion recently with my "suport partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks ona bug report, and three uploads of tech-support and logs to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!).

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

dieter_b — Mon, 30 May 2011 06:58:51 GMT

Must have:

Security policies: column with number indicating processing order.

And closely related: ability to sort policies on other colums.

Nice to have:

Security profiles/groups in security policies window should be displayed by name, not logo. If you have several profiles/groups they're all the same icon.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

rapoint_person — Mon, 30 May 2011 09:10:20 GMT

Nice to see I'm not the only one that is complaining about:

-Documentation with proper real-life scenarios/examples. Detailed explanation what different settings does and why they should be used or not.

-QA has been mentioned. I agree as well.

I'd like to see:

-The ability to block/act on ongoing attacks directly from the session browser and log (traffic/threat). IE, block offending IP for X hours.

-Better exceptions for Threats. I'd like to be able to create an exception for a particular threat in conjunction with a source and/or destination IP.

-If possible, Better reporting/logging for DDoS/Zone protection.

-commit timer. I'd like to be able to commit with a timer value. If a second commit hasn't been performed within the specified time, the box automaticaly reverts to the previous version.

-Multiple Captive Portal "profiles"

-Bulk set security profiles in CLI, (example: set rulebase security * from trust to untrust profile-setting profile ......) This helps making changes in large rulebases.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

User_333 — Mon, 30 May 2011 09:45:10 GMT

Must have:

- Documentation Cleanup...E.g. There is an "official" Documentation (PA-4.0_Administrators_Guide.pdf) and a Lot of "How To" Guides (How to Configure HA on PANOS 3.1.2.pdf, Active Active Techz Note-2.pdf, ...). I don't like to have that many documents. Especially if they talk about the same topic and one File doesn't have all the info.

- Easy Access to "show system state" information by Script (for Monitoring). E.g. accessible by SNMP or XML-API

Nice to have:

- Since the newest PanOS supports active/active. It would be nice to have a "active/passive"-per-VirtualSystem possibility. Its a lot easier to debug if you know, this hole V-Sys is processed by this cluster node. And there is no asymmetric routing within this setup.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

migration — Tue, 31 May 2011 14:41:19 GMT

I agree with the Documentation needs discussed thus far.

Must Have's:

1. Make filters applied to Logs, sticky, so that you can switch logs and then return to the same filter you applied earlier

2. Add ability for administrators to EXCLUDE users/groups/objects in a policy rule.

Nice to Have's:

- Colored Allow/Deny entries in logs. For example, green for allowed rules and red for denied. Users should be able to choose from a palette of colors to set their own colors.

- Faster scrolling of log traffic. ~1 second would be great.

- Customizable columns in the logs. Ability to re-arrange columns. Ability to choose which columns are displayed. Make these changes sticky so they stay when leaving the log page you are viewing.

- That the “Resolve” check box only applies to the log window in which you check it.

- Ability to perform text search within Logs, Rules, Users, Threats, etc…

- Add/show the appropriate “Rule” being applied in the URL, Threat and Data Filtering logs

- ACC Panel:

a. For entries of the “Insufficient Data” type, include the Protocol and port number when viewing the Application Information about it. May help an administrator to define a custom or in-house application if they can see what protocols and ports are being accessed.

- Make sticky the number of rows chosen to display in the logs.

- For all Logs, reference each row by row numbers and allow them to be sortable.

- For all Logs, include/declare total number of rows retrieved when a filter is applied, at bottom of page.

- Add the ability to be able to listen for URL headers from external clients and not just IP addresses, for internally published servers/websites.

- Sorting. Throughout the user interface are many instances of Columns that should have the ability to be sorted. (I.E. Objects tab>Name and Address columns)

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

friento — Tue, 31 May 2011 15:26:56 GMT

Ability for user to authenticate to firewall and get the allow rule then sign-off when done troubleshooting an issue. I know it can be done now but in a "hack" kinda way.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

jakub_gniazdowski — Wed, 03 Oct 2012 08:39:27 GMT

Nice to Have : cisco integration with Filtering Service on Palo Alto, like websense or SurfControl

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

oschuler — Tue, 04 Dec 2012 07:24:33 GMT

Nice to have: Applipedia should include the information if a specific application requires an exclusion for SSL decryption in order to work. E.g. dropbox

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

BobW — Wed, 05 Dec 2012 05:36:09 GMT

Ability to define and fold up groups of security rules. The tags are very cool but a way to fold up groups of rules to a single line would be nice.

Longer captive portal, ability to put in length of captive portal based on user/group and/or timeout and/or native client etc. Bottom line is BYOD is here.

Free copy of Panorama for small rollouts. Why? Word of mouth for larger installations, ability to gain experience with Panorama.

Real world examples of implementation, rules etc. It is a different way of thinking and honestly is difficult to get a grip on it for complex situations.

Graphical interface for schedules.

Bob

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

JanisM — Wed, 05 Dec 2012 07:16:42 GMT

What i really would like to see in PA device is usable DLP. A few days ago i powered up old fortigate device and damn their DLP is quite nice to work with. They even had a chance to search for keywords in mail subject or body.

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

dlopez — Wed, 05 Dec 2012 15:41:59 GMT

The ability to import user and group information periodically, and the ability to use those imported objects to create groups on the box. Our management does not like the fact that I need to rely on our IT group for firewall ACL's. Nor do they want to create another process in which we have to monitor more group memberships/changes to AD.