04-07-2018 02:00 PM - last edited on 10-07-2020 08:08 AM by BPry
Hi community
In a lot of topics there are discussions and questions about PAN-OS enhancements and missing (not yet implemented) features. So far the PaloAlto Feature Request list isn't available to the public, but in a lot of these existing topics feature request IDs (FR ID) are mentioned. Even knowing that PAN-OS is already a feature-rich firewall operating system, there is always room for improvement, so I thought it might be helpful for others (and myself) to collect these existing publicly available FR IDs and summarize them in one topic.
ID | Description | Additional Information/Workaround | Implemented in |
130 | Filter Logs by Address Groups | - | - |
204 | Automatic rollback to last "good" configuration | - | - |
241 | SMTP authentication in Email server profile | - | - |
339 | Add negate function to all security policy columns | | |
776 | increase custom report limit beyond Top 500 | Also in FR ID 1636 and 1693 | - |
889 | Mac Address as match criteria in security policy | - | - |
913 | Preview response pages directly in the WebUI without having to download them | - | - |
919 | Support for ICAP (Internet Content Adaption Protocol) | - | - |
986 | Custom Reports for System logs | - | - |
1172 | Ignore usergroup from User-ID | - | - |
1225 | Participation of PA firewalls in Spanning Tree | - | - |
1370 | URL column length limit in Reports | - | - |
1696 | Include Interface IP in SNMP MIB | - | - |
2153 | Terminal Server Agent for Linux | - | - |
2287 | Different ACLs for https, snmp, ... | - | - |
2666 | VRRP Support for clusters between PA and other devices | - | - |
2924 | Obtain Global Protect IP from DHCP Server | - | - |
3051 | User Activity Report Enhancement (detailed web-browsing statistics including time spent) | - | - |
3060 | DHCPv6 client support | - | - |
3495 | Custom reports for system Logs | - | - |
3591 | /31 subnetmask support for HA1 link | - | - |
4035 | Dedicated Log category for Global Protect | - | - |
4443 | Support for USB modems (3G/4G/5G ...) | - | - |
4454 | gray out policies with expired schedules | - | - |
4507 | Show current interface bandwidth in a dashboard widget and log over time. | - | Not a dashboard widget but throughput statistics and other device health metrics are implemented in PAN-OS 8.1 |
4603 | Concurrent GP VPN session limit per User | - | - |
4669 | Generate system log upon schedule end | - | - |
4670 | Proactive notification for policies with soon expiring schedules | - | - |
4788 | Block emails based on domains in "to", "cc" or "bcc", also log these in addition to only "to" and reply with smtp 541 when blocked | - | - |
4920 | Display SFP, SFP+ and QSFP serial number | - | - |
5000 | SCEP Server integrated in the firewall | - | - |
5078 | per-IP Traffic shaping | - | - |
5357 | Global Protect Agent Uninstall Password | - | - |
5612 | Automatically disable and remove policies with expired schedules | - | - |
5678 | Log the TLS version of websites and enable reporting about this | - | - |
5686 | DHCP Client Class-ID Setting | - | - |
5844 | BGP SNMP monitoring | - | - |
6186 | Log and report search keywords | - | - |
6548 | Customizable SMTP Response for Vulnerability Protection | - | - |
6609 | Add "Threat Email" to email subject when something malicious was detected and also log "cc" and "bcc" | - | - |
7365 | DHCPv6 Server support | - | - |
7654 | Support of DIPP with non-strict recognition by devices (Cisco ASA like) | - | - |
7832 | User-ID for Azure-AD authenticated users | - | - |
9113 | Integrated address objects for well-known cloud services | - | - |
9195 | OCSP stapling support for inbound decryption | - | - |
9285 | Custom configurable MFA integration | - | - |
9509 | DoH (DNS over HTTPS)/DoT (DNS over TLS) Support for DNS Sinkhole Feature | - | - |
9522 | App-ID for DoH (DNS over HTTPS) / DoT (DNS over TLS) | Custom App-ID for DoH | - |
9563 | Configurable Time when Global Protect Captive Portal Notification should be shown | Captive Portal Notification Delay | GlobalProtect 4.1 |
9958 | Azure Information Protection (AIP) Tag support for Data Filtering | Release Notes Content Version 8129 | PAN-OS 8.0 starting with Content Update 8129 |
10173 | Automatically open browser when Global Protect detects a Captive Portal and opens a configurable website | Automatically Launch Webpage in Default Browser Upon Captive Portal Detection | Global Protect 5.0.4 starting with Content Update 8181 |
10931 | use logd disk space (33%) for elastic search in Panorama | Panorama disk space allocation | - |
11012 | Windows Server 2019 Support for User-ID Agent | - | User-ID Agent/PAN-OS 9.0.2 |
11153 | Completely remove Global Protect 4.0 Design out of Global Protect 5+ | - | - |
11211 | Forced Global Protect network rediscover after IP change | - | - |
11251 | Panorama High Availability: MFA using SAML (Okta) | - | - |
11524 | Use FIB for route monitoring instead of gateway of the route itself | - | - |
11763 | Include the username in the csv with the URL logs when running a user activity report | Download the logs directly from the URL logs | - |
11764 | Allow for more "User Activity Report" customization - pie charts, different bar charts, color, tables, etc. | - | - |
11765 | WebUI Color/Theme changes (Dark mode) | already possible with some browser extensions (or maybe even directly in the browser) by modifying the css | - |
12264 | Reporting based on HIP match failures, specially which failed items | - | - |
12783 | Log E-Mail links forwarded to Wildfire | - | - |
13046 | Support gMSA accounts for User-IP-Mappings | - | - |
13414 | Negate source User | - | - |
15246 | Import/Export ACC and Dashboard Widgets. | - | - |
So far I found a few and I'll try to update this topic regularly. If you also know about existing requests, please write them here.
Regards,
Remo
11-27-2019 03:03 PM
Added FR ID 13046: Support gMSA Accounts for User-IP-Mappings
Description: Currently only standard Windows user accounts can be identified by the PaloAlto User-ID Agent. This capability should be extended to group managed service accounts as more and more of them will be used in Windows environments. This way it remains possible to restrict access from servers to specific resources so that the installed software is able to communicate but not an admin who might be able to log in to the specific server.
01-07-2020 08:30 AM
Hi.
I have several feature requests for Palo Alto firewalls:
01-07-2020 08:35 AM
To create a new Feature Request you'll need to reach out to your SE to get them into the system. Once that's done and you have the FR numbers, post them here so people can add their votes to the FR.
01-17-2020 01:15 PM
Added FR ID 13414: Negate source user
Thanks for sharing @SCarraway
01-27-2020 05:13 AM - edited 01-27-2020 05:15 AM
It would be nice to be able to associate an address group object with an IPsec VPN tunnel Proxy ID. It can be tedious to add multiple local subnets/addresses to local subnets/addresses per line in the configuration. Maybe incorporate tagging as well. It would make it easier/quicker to set up the static routes for the remote subnets as well and less chance of error (fat fingering) during the configuration.
I'll update this with the FR ID from my SE when I get it.
01-27-2020 08:44 AM
It would be awesome to harden Android GlobalProtect when it's in Always-On mode. Despite that the admin can disable sign out, GP can be simply killed by the Android OS, or a user can simply remove the app from the phone, or kill the VPN in the settings. Yes, you can try to configure it on MDM, but it means a different infrastructure, and, in most cases, MDM will not help for BYOD devices.
Look how it's been done on Checkpoint Sandblast, or Google Maps or any other navigation system. It can't be killed by the OS at any time or by another app. Or look how Kaspersky implemented their antivirus solution. No way to get it removed without knowing the password. So why is GP so weak then?
Another awesome feature would be if GP could detect from which Android app the traffic is being sourced. For example, if you watch YouTube and use Google Play Store, you can't differentiate the traffic, because in both cases they're using QUIC. You can't decrypt QUIC, disabling QUIC means you will make Google Play not working, so how can we, for example, enable Google Play, but disable watching YouTube videos using the YouTube app? Or their Google Maps are also using QUIC.
02-28-2020 06:06 AM
Hello Palo Alto teams!
I would like to raise a feature request here for Global Protect;
Thanks to version 9.0, we're now able to have Global Protect DNS configuration assignment based on user group.
Unfortunately, it's a "hard setting" and it cannot change according to which gateway we push those settings from Panorama. Yet, Panorama already has the capability of using "Variables" which change the setting according to which gateway we push the configuration. Everything is already there to make it work, I'm sure it's not a big work.
We would like as new feature, the possibility to use Panorama variables on the Global Protect DNS assignment based on user group.
We have an ASPAC & EMEA GP gateway which share the same gateway settings, so our users can't get a local DNS according to which gateway they connect.
04-08-2020 10:49 PM
Hi Community,
Is there any update on feature request #4603 - limit number of concurrent sessions per user for GP? Is it available now or can it still only be achieved by the scripts?
Thanks in advance.
04-09-2020 03:24 AM
@Remo & @reaper is this feature still planned?
SNMP ARP Tables
https://live.paloaltonetworks.com/t5/General-Topics/ARP-table-By-SNMP/m-p/73680#M41497
You said it has FR ID: 2659 but I can't see it planned.
04-09-2020 03:55 AM
A feature request goes into a big bucket of hundreds of feature requests. Every so often the council of elders (the engineering team) gets together to decide which features they'll want to introduce into a new upcoming major release and then start working on the code.
In the end some features get added, others get delayed, but up to the point the Beta gets released there's really no way to see which feature requests are going to make the cut.
04-09-2020 04:23 AM - edited 04-09-2020 04:24 AM
Cheers @reaper, just wanted to make sure it was still active somewhere or if it had been closed.
05-05-2020 04:34 PM
Please allow the use of special characters on user names (Like space, dot, @)
We have integrated the Paloalto with AzureAD, and would like to use the email accounts as users on the PaloAlto.
05-07-2020 04:16 AM
1) allow option "negate" for source and destination zones
Our infrastructure uses many trusted-internal zones (corp) and few untrusted-external zone (internet).
For each request to ALLOW traffic to all corp and BLOCK traffic to internet we have to use :
- Policy 1 > zone external block
- Policy 2 > zone any allow app1 app2 app3
- Policy 3 > zone any allow portA portB portC
We would like the option to simply implement :
- Policy X > negate zone external allow app1 app2 app3
- Policy Y > negate zone external allow portA portB portC
or
2) allow the creation of groups of zones / zone bundling
We would like the option to create :
- Zone Group 1 : includes all untrusted-external zones
- Zone Group 2 : includes all trusted-internal zones
They could then be used in policies :
- Policy 1 > destination Zone Group 1 block
- Policy 2 > destination Zone Group 2 allow