What is still missing or needs to be improved in PA Next Generation Firewalls ?

L2 Linker

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

I would like to see a fat client for log review. Maybe a Qt-based executable. Develop it once and compile for Windows, Mac, and Linux. I would think such a feature would be exponentially faster than the Flash-based log viewer I'm currently saddled with.

L1 Bithead

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Must have:

B. Ability to quarantine malicious or infected devices/computers for a given period of time e.g. TippingPoint which blocks access.

When the time duration has expired, access is granted until another threat is triggered.

(For DHCP clients the IP address can change to another device that is clean.)

This forces users with infected systems to call the HelpDesk for assistance.

Blocking access only on malicious activity does not resolve the root cause on a protected LAN.

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Must Have:

1) Ability to have collapsible tags/groups in Policies.  When we have dozens of Tags, it would be nice to be able to view them ALL at a higher level.

2) Better QA from Palo Alto.  We seem to find bugs in the software way more than we would like to.

Not applicable

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Well said. TCPDump would be much less cumbersome than the current approach. BPF filter support would be nice too.

L6 Presenter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Nice to have:

1) Create rules based on MachineID as described in https://live.paloaltonetworks.com/thread/6589

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

gfowler: we feed our PAs into a SIEM via syslog and it works wonderfully... I almost never have to log in to the appliance itself for the usual day to day log review.

On the cheaper side, you could have your PA feed into something like rsyslog or Splunk (up to 500 megs a day is free with Splunk!) and review logs that way.

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Better Quality Assurance


It is honestly insane how many bug report tickets we have filed with PA for their devices... it seems like every time we go to take advantage of one of Palo Alto's many firewall features we are bitten by some bug or another. I like PA, I like the product line, I like the approach the company is taking, heck I like the smaller company atmosphere that seems to prevail there, but please for the love of packets improve your QA process! Test all the features in the product! Test all the features when every major release comes out!


And please test and improve GlobalProtect until it is to the point where it is rock solid!


Anyways, that's my .02 cents

L0 Member

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Palo Alto really should create an upgrade kit for the PA-500s.

The amount of time that a commit takes to be processed is just ridiculous at this point.  We've had commits take upwards of 5 minutes at some points. 

This is not good when you need to suddenly make a change to revert a commit or tweak something.

Just put together a kit with some SSD storage and more RAM, and all would be well. There have been plenty of threads on the slowness of the PA-500s, and while PA themselves admit it's because it's older hardware, they haven't really done much to rectify that.

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

5 minutes would be an "okay" time for a commit on our side. We're using a PA-2050 active/passive cluster and it usually takes 10 minutes to commit a change :-(

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

We recently did a hardware refresh - replacing our 2050s with 3050s.  Our commits were also close to 10 minutes on the 2050s.  They are now about 10 seconds on the 3050s.

Cheers,

Mike
