What is still missing or needs to be improved in PA Next Generation Firewalls ?

L7 Applicator

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

jared181920 wrote:

Palo Alto really should create an upgrade kit for the PA-500's. 

PAN-PA-500-UPG-2GB is a 2GB RAM Upgrade kit for the PA-500s.  

L0 Member

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

I did not know this!

Does it actually make a noticeable improvement in commit times and overall responsiveness of the device?  It should in theory, but just wondering if there's a real-world difference.

L7 Applicator

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

I haven't had the chance to compare both 1GB and 2GB models under similar loads. There are some discussions here in the forum talking about experiences with the upgrade:

https://live.paloaltonetworks.com/message/24991#24991

L1 Bithead

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

  • SPEED.  Five minutes to COMMIT a URL to a filter?  Twenty minutes to reboot?  My Microsoft ISA 2004 booted faster.  A URL filter took ten seconds at most.
  • Same request as others: Better documentation with real examples.
  • Better logging for VPN!  I want to know when user JSmith logged on and when she logged off the VPN.
  • REDUNDANT POWER SUPPLIES!!!  Over 99% of my servers have dual power supplies.  Edge switches have dual power supplies. Minimum is to have a modular power supply design with a secondary empty slot.  Those that don't need/want the supply simply don't order it.
  • Solid State Hard Drives would be a good idea.
  • Better interface into Active Directory.  The PAN-AGENT sucks.  If there are multiple users on a computer I cannot get reliable logs for Internet monitoring.
L1 Bithead

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

For 'A'

We use the 2000 series firewalls with 4.0.x code. The web based interface is so slooooooooooooooow it is painful and doing a commit takes 10 minutes.

For 'B'

We were also unlucky to have three DOA firewalls (2 had failed disks), you do not supply kit with solid state disks and would not entertain it, so again would like to see this included.

I would also second the post from TNaami.

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

I would like to have something more to organize the view on ruleset, because the more rules we get the more difficult it is keeping the overview. We are using zones, tags and webgui but it is too little.

L3 Networker

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

  • SPEED.  Five minutes to COMMIT a URL to a filter?  Twenty minutes to reboot?  My Microsoft ISA 2004 booted faster.  A URL filter took ten seconds at most.
  • Same request as others: Better documentation with real examples.
  • Better logging for VPN!  I want to know when user JSmith logged on and when she logged off the VPN.
  • REDUNDANT POWER SUPPLIES!!!  Over 99% of my servers have dual power supplies.  Edge switches have dual power supplies. Minimum is to have a modular power supply design with a secondary empty slot.  Those that don't need/want the supply simply don't order it.
  • Better interface into Active Directory.  The PAN-AGENT sucks.  If there are multiple users on a computer I cannot get reliable logs for Internet monitoring.

Great comments!!

Documentation needs real examples in every section. Tired of searching on Communities.....

PAN-AGENT sucks. Multiple users confuse it badly.....

L4 Transporter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

egearhart wrote:


but please for the love of packets improve your QA process! Test all the features in the product! Test all the features when every major release comes out!

I love your turn of phrase, and 100% agree with your sentiment.

QA of late has *sucked*. Documentation and QA are my two biggest bugbears with PAN.

L6 Presenter

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

  • IPSEC VPN IKEv2
  • IPSEC VPN Phase-1 Authentication RSA-Signature
  • Throughput report backwards from directly Palo Alto (not any snmp, etc)
  • embryonic/half-open tcp session values on zone protection / DDOS rule
  • QOS with Link aggregation
  • 802.1x support


L3 Networker

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Nice to have: Ability to select the threat action from a threat log message - i.e. If a threat is logged ("alert"), the administrator can open the threat log and select a new action such as "block" or "reset" etc. The new action is updated in the corresponding threat profile.

MUST HAVE: SSDs for the win!!! all models
