Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
04-07-2018
02:00 PM
- last edited on
10-07-2020
08:08 AM
by
BPry
Hi community
In a lot of topics there are discussions and questions about PAN-OS enhancements and missing (not yet implemented) features. So far the PaloAlto Feature Request list isn't available to the public but in a lot of these existing topics feature request IDs (FR ID) are mentionned. Even knowing that PAN-OS is already a feature rich firewall operating system, there is always room for improvement, so I thought it might be helpful for others (and myself) to collect these existing public available FR IDs and summarize them in one topic.
| ID | Description | Additional Information/Workaround | Implemented in |
| 130 | Filter Logs by Adress Groups | - | - |
| 204 | Automatic rollback to last "good" configuration | - | - |
| 241 | SMTP authentication in Email server profile | - | - |
| 339 | Add negate function to all security policy columns | ||
| 776 | increase custom report limit beyound Top 500 | Also in FR ID 1636 and 1693 | - |
| 889 | Mac Address as match criteria in security policy | - | - |
| 913 | Preview response pages directly in the WebUI without having to download them | - | - |
| 919 | Support for ICAP (Internet Content Adaption Protocol) | - | - |
| 986 | Custom Reports for System logs | - | - |
| 1172 | Ignore usergroup from User-ID | - | - |
| 1225 | Participation of PA firewalls in Spannin Tree | - | - |
| 1370 | URL column length limit in Reports | - | - |
| 1696 | Include Interface IP in SNMP MIB | - | - |
| 2153 | Terminal Server Agent for Linux | - | - |
| 2287 | Different ACLs for https, snmp, ... | - | - |
| 2666 | VRRP Support for clusters between PA and other devices | - | - |
| 2924 | Optain Global Protect IP from DHCP Server | - | - |
| 3051 | User Activity Report Enhancement (detailed web-browsing statistics including time spent) | - | - |
| 3060 | DHCPv6 client support | - | - |
| 3495 | Custom reports for system Logs | - | - |
| 3591 | /31 subnetmask support for HA1 link | - | - |
| 4035 | Dedicated Log category for Global Protect | - | - |
| 4443 | Support for USB modems (3G/4G/5G ...) | - | - |
| 4454 | gray out policies with expired schedules | - | - |
| 4507 | Show current interface bandwidth in a dashboard widget and log over time. | - | Not a dashboard widget but throughbut statistics and other device health metrics are implemented in PAN-OS 8.1 |
| 4603 | Concurrent GP VPN session limit per User | - | - |
| 4669 | Generate system log upon schedule end | - | - |
| 4670 | Proactive notification for policies with soon expiring scheduled | - | - |
| 4788 | Block emails based on domains in "to", "cc" or "bcc", also log these in addition to only "to" and reply with smtp 541 when blocked | - | - |
| 4920 | Display SFP, SFP+ and QSFP serial number | - | - |
| 5000 | SCEP Server integrated in the firewall | - | - |
| 5078 | per-IP Traffic shaping | - | - |
| 5357 | Global Protect Agent Uninstall Password | - | - |
| 5612 | Automatically disable and remove policies with expired schedules | - | - |
| 5678 | Log the TLS version of websites and enable reporting about this | - | - |
| 5686 | DHCP Client Class-ID Setting | - | - |
| 5844 | BGP SNMP monitorings | - | - |
| 6186 | Log and report search keywords | - | - |
| 6548 | Customizable SMTP Response for Vulnerability Protection | - | - |
| 6609 | Add "Threat Email" to email subject when something malicious was detected and also log "cc" and "bcc" | - | - |
| 7365 | DHCPv6 Server support | - | - |
| 7654 | Support of DIPP with non-strict recognition by devices (Cisco ASA like) | - | - |
| 7832 | User-ID for Azure-AD authenticated users | - | - |
| 9113 | Integrated addressobjects for well-known cloud services | - | - |
| 9195 | OCSP stapling support for inbound decryption | - | - |
| 9285 | Custom configrable MFA integration | - | - |
| 9509 | DoH (DNS over HTTPS)/DoT (DNS over TLS) Support for DNS Sinkhole Feature | - | - |
| 9522 | App-ID for DoH (DNS over HTTPS) / DoT (DNS over TLS) | Custom App-ID for DoH | - |
| 9563 | Configurable Time when Global Protect Captive Portal Notification should be shown | Captive Portal Notification Delay | GlobalProtect 4.1 |
| 9958 | Azure Information Protection (AIP) Tag support for Data Filtering | Release Notes Content Version 8129 | PAN-OS 8.0 starting with Content Update 8129 |
| 10173 | Automatically open browser when Global Protects a Captive Portal and opens a configurable website | Automatically Launch Webpage in Default Browser Upon Captive Portal Detection | Global Protect 5.0.4 starting with Content Update 8181 |
| 10931 | use logd disk space (33%) for elasric search in Panorama | Panorama disk space allocation | - |
| 11012 | Windows Server 2019 Support for User-ID Agent | - | User-ID Agent/PAN-OS 9.0.2 |
| 11153 | Completely remove Global Protect 4.0 Design out of Global Protect 5+ | - | - |
| 11211 | Forced Global Protect network rediscover after IP change | - | - |
| 11251 | Panorama High Availability: MFA using SAML (Okta) | - | - |
| 11524 | Use FIB for route monitoring instead of gateway of the route itself | - | - |
| 11763 | Include the username in the csv with the URL logs when running a user activity report | Download thelogs directly from the URL logs | - |
| 11764 | Allow for more "User Activity Report" customization - pie charts, different bar charts, color, tables, etc. | - | - |
| 11765 | WebUI Color/Theme changes (Dark mode) | already possible with some browser extensions (or maybe even directly in the browser) by modifying the css | - |
| 12264 | Reporting based on HIP match failures, specially which failed items | - | - |
| 12783 | Log E-Mail links forwarded to Wildfire | - | - |
| 13046 | Support gMSA accounts for User-IP-Mappings | - | - |
| 13414 | Negate source User | - | - |
| 15246 | Import/Export ACC and Dashboard Widgets. | - | - |
So far I found a few and I'll try to update this topic regularly. If you also know about existing requests, please write them here.
Regards,
Remo
04-11-2018 06:47 AM
From what I've seen from my SE, it appears to be a pretty clunky system; likely one of the reasons that Palo has chosen to keep it away form the public.
04-11-2018 12:18 PM
I think there are also other and probably even financial reasons why this list isn't public. This list completely public may cause wrong expectations as there is absolutely no guearantee that anything on that list will be implemented. And even when PaloAlto decides to implement a feature from that list - the first time this information becomes public is when a new PAN-OS is released. So even when you created a feature request you won't be notified when the decision is made for the implementation. And the financial reason might be something that it could prevent new deals because customers see that list, pick some IDs and then decides to wait for buying that product until this feature is included.
Yes, personally it would be cool to see that list but not really more. And from a conpany view I am sure this list will never be public.
With this post I simply tried to summarize the information that already made it to the public.
05-30-2018 11:31 PM
Addes FR ID 9195 - OCSP stapling support for inbound decryption
05-31-2018 02:38 AM
Addes FR ID 9285 - Custom configurable MFA integration
07-25-2018 10:08 AM
Added FR ID 986 - Custom Reports for System logs
Added FR ID 9113 - Integrated addressobjects for well-known cloud services
07-26-2018 08:24 AM
For 986 I will also add at least 5 companies 😉
The only reason I haven't done this since I know about this FR is that I was thinking about placing a new FR for a completely new Global Protect log category. What do you think?
07-26-2018 12:12 PM
I woudl agree 100%. Maybe even a ACC dashboard item?
07-26-2018 01:11 PM
@Brandon_Wertz wrote:I woudl agree 100%. Maybe even a ACC dashboard item?
Exactly. Once global protect logs are in their own category, I think PaloAlto has a lot more flexibility to do whatever with these logs: ACC, Custom Reports, dedicated menuentries in the monitor tab, correlation events, ...
07-31-2018 03:04 PM - edited 08-04-2018 01:47 AM
Added FR ID 2153 - Terminal Server Agent for Linux
Added FR ID 4035 - Dedicated Log category for Global Protect
Added FR ID 9509 - DoH (DNS over HTTPS)/DoT (DNS over TLS) Support for DNS Sinkhole Feature
08-04-2018 01:50 AM
Added FR ID 9522 - App-ID for DoH (DNS over HTTPS) / DoT (DNS over TLS)
08-05-2018 12:44 PM
We opened one at some point for DIPP NAT options some time ago:
FR ID: 7654
Requesting support of DIPP with non-strict recognition by devices.
This was basically to request features to allow DIPP NAT to be used more like the ASA's implementation of PAT (best effor port usage and sticky NAT).
08-06-2018 01:08 PM
@jsalmans wrote:We opened one at some point for DIPP NAT options some time ago:
FR ID: 7654
Requesting support of DIPP with non-strict recognition by devices.
This was basically to request features to allow DIPP NAT to be used more like the ASA's implementation of PAT (best effor port usage and sticky NAT).
Thanks, FR ID 7654 is added to the list
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
