
Feature Request List

L7 Applicator

Hi community

 

In a lot of topics there are discussions and questions about PAN-OS enhancements and missing (not yet implemented) features. So far the Palo Alto Feature Request list isn't available to the public but in a lot of these existing topics feature request IDs (FR ID) are mentioned. Even knowing that PAN-OS is already a feature rich firewall operating system, there is always room for improvement, so I thought it might be helpful for others (and myself) to collect these existing publicly available FR IDs and summarize them in one topic.

 

| ID | Description | Additional Information/Workaround | Implemented in |
|---|---|---|---|
| 130 | Filter Logs by Address Groups | - | - |
| 204 | Automatic rollback to last "good" configuration | - | - |
| 241 | SMTP authentication in Email server profile | - | - |
| 339 | Add negate function to all security policy columns | | |
| 776 | Increase custom report limit beyond Top 500 | Also in FR ID 1636 and 1693 | - |
| 889 | Mac Address as match criteria in security policy | - | - |
| 913 | Preview response pages directly in the WebUI without having to download them | - | - |
| 919 | Support for ICAP (Internet Content Adaption Protocol) | - | - |
| 986 | Custom Reports for System logs | - | - |
| 1172 | Ignore usergroup from User-ID | - | - |
| 1225 | Participation of PA firewalls in Spanning Tree | - | - |
| 1370 | URL column length limit in Reports | - | - |
| 1696 | Include Interface IP in SNMP MIB | - | - |
| 2153 | Terminal Server Agent for Linux | - | - |
| 2287 | Different ACLs for https, snmp, ... | - | - |
| 2666 | VRRP Support for clusters between PA and other devices | - | - |
| 2924 | Obtain Global Protect IP from DHCP Server | - | - |
| 3051 | User Activity Report Enhancement (detailed web-browsing statistics including time spent) | - | - |
| 3060 | DHCPv6 client support | - | - |
| 3495 | Custom reports for system Logs | - | - |
| 3591 | /31 subnetmask support for HA1 link | - | - |
| 4035 | Dedicated Log category for Global Protect | - | - |
| 4443 | Support for USB modems (3G/4G/5G ...) | - | - |
| 4454 | Gray out policies with expired schedules | - | - |
| 4507 | Show current interface bandwidth in a dashboard widget and log over time. | - | Not a dashboard widget but throughput statistics and other device health metrics are implemented in PAN-OS 8.1 |
| 4603 | Concurrent GP VPN session limit per User | - | - |
| 4669 | Generate system log upon schedule end | - | - |
| 4670 | Proactive notification for policies with soon expiring scheduled | - | - |
| 4788 | Block emails based on domains in "to", "cc" or "bcc", also log these in addition to only "to" and reply with smtp 541 when blocked | - | - |
| 4920 | Display SFP, SFP+ and QSFP serial number | - | - |
| 5000 | SCEP Server integrated in the firewall | - | - |
| 5078 | per-IP Traffic shaping | - | - |
| 5357 | Global Protect Agent Uninstall Password | - | - |
| 5612 | Automatically disable and remove policies with expired schedules | - | - |
| 5678 | Log the TLS version of websites and enable reporting about this | - | - |
| 5686 | DHCP Client Class-ID Setting | - | - |
| 5844 | BGP SNMP monitorings | - | - |
| 6186 | Log and report search keywords | - | - |
| 6548 | Customizable SMTP Response for Vulnerability Protection | - | - |
| 6609 | Add "Threat Email" to email subject when something malicious was detected and also log "cc" and "bcc" | - | - |
| 7365 | DHCPv6 Server support | - | - |
| 7654 | Support of DIPP with non-strict recognition by devices (Cisco ASA like) | - | - |
| 7832 | User-ID for Azure-AD authenticated users | - | - |
| 9113 | Integrated address objects for well-known cloud services | - | - |
| 9195 | OCSP stapling support for inbound decryption | - | - |
| 9285 | Custom configurable MFA integration | - | - |
| 9509 | DoH (DNS over HTTPS)/DoT (DNS over TLS) Support for DNS Sinkhole Feature | - | - |
| 9522 | App-ID for DoH (DNS over HTTPS) / DoT (DNS over TLS) | Custom App-ID for DoH | - |
| 9563 | Configurable Time when Global Protect Captive Portal Notification should be shown | Captive Portal Notification Delay | GlobalProtect 4.1 |
| 9958 | Azure Information Protection (AIP) Tag support for Data Filtering | Release Notes Content Version 8129 | PAN-OS 8.0 starting with Content Update 8129 |
| 10173 | Automatically open browser when Global Protects a Captive Portal and opens a configurable website | Automatically Launch Webpage in Default Browser Upon Captive Portal Detection | Global Protect 5.0.4 starting with Content Update 8181 |
| 10931 | Use logd disk space (33%) for elastic search in Panorama | Panorama disk space allocation | - |
| 11012 | Windows Server 2019 Support for User-ID Agent | - | User-ID Agent/PAN-OS 9.0.2 |
| 11153 | Completely remove Global Protect 4.0 Design out of Global Protect 5+ | - | - |
| 11211 | Forced Global Protect network rediscover after IP change | - | - |
| 11251 | Panorama High Availability: MFA using SAML (Okta) | - | - |
| 11524 | Use FIB for route monitoring instead of gateway of the route itself | - | - |
| 11763 | Include the username in the csv with the URL logs when running a user activity report | Download the logs directly from the URL logs | - |
| 11764 | Allow for more "User Activity Report" customization - pie charts, different bar charts, color, tables, etc. | - | - |
| 11765 | WebUI Color/Theme changes (Dark mode) | already possible with some browser extensions (or maybe even directly in the browser) by modifying the css | - |
| 12264 | Reporting based on HIP match failures, specially which failed items | - | - |
| 12783 | Log E-Mail links forwarded to Wildfire | - | - |
| 13046 | Support gMSA accounts for User-IP-Mappings | - | - |
| 13414 | Negate source User | - | - |
| 15246 | Import/Export ACC and Dashboard Widgets. | - | - |

 

So far I found a few and I'll try to update this topic regularly. If you also know about existing requests, please write them here.

 

Regards,

Remo

136 REPLIES

L3 Networker

add an option please to allow bonjour reflecting between vlans interfaces not just physical interfaces  

Cyber Elite

@nevolex,

Please put in a feature request with your SE or AM and update again once you have the FR ID. If you aren't putting in actual FRs through your account team, or adding your vote to an existing FR, you aren't going to gain any traction by just posting in this thread. 

You can do it centrally in Panorama CLI.

 

Instead of command:

set shared ssl-tls-service-profile...

 

You need to use:

set template <TemplateName> config shared ssl-tls-service-profile...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I know you can have a shared SSL/TLS service profile in Panorama, but
as far as I can tell (and from what Palo Alto support has confirmed as
well), there's no way to then make changes to the protocol settings to
disable ciphers from Panorama as well— that needs to be done as an
override on each managed firewall.

If this is not the case, please provide more details/examples of how
to do this process from Panorama to be applied to all managed devices.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

peace,
dannyB

You do not need to do any overrides in firewall.

You can do this change from Panorama cli and push to firewall.

 

If you do change in firewall directly then command is:

set shared ssl-tls-service-profile <profilename> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <profilename> protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile <profilename> protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile <profilename> protocol-settings keyxchg-algo-rsa no

 

If you do change in Panorama then command is:

set template <templatename> config shared ssl-tls-service-profile <profilename> protocol-settings auth-algo-sha1 no
set template <templatename> config shared ssl-tls-service-profile <profilename> protocol-settings enc-algo-3des no
set template <templatename> config shared ssl-tls-service-profile <profilename> protocol-settings enc-algo-rc4 no
set template <templatename> config shared ssl-tls-service-profile <profilename> protocol-settings keyxchg-algo-rsa no

 

Change <templatename> to real template name and <profilename> to ssl profile used on GlobalProtect.

 

I suggest to open dedicated post if you can't get it working so @Remo can delete non feature request related posts from this thread.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
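
A way to check the result of the commands in the post above, as an added example that is not part of the original thread or Palo Alto Networks' own tooling: the script reads configuration lines in the same `set` syntax and reports every SSL/TLS service profile where one of the four weak algorithms is not explicitly set to `no`. The template name `BranchTpl`, the profile names `gp-portal` and `gp-local`, and the sample lines are constructed; it assumes the configuration has been exported in set format.

```python
import re

# The four protocol-settings keys the post above sets to "no".
WEAK_KEYS = ("auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4", "keyxchg-algo-rsa")

# Matches both forms from the thread: the firewall-local "set shared ..." and
# the Panorama "set template <name> config shared ...".
LINE_RE = re.compile(
    r"^set\s+(?:template\s+(?P<template>\S+)\s+config\s+)?shared\s+"
    r"ssl-tls-service-profile\s+(?P<profile>\S+)\s+protocol-settings\s+"
    r"(?P<key>\S+)\s+(?P<value>\S+)\s*$"
)

def audit(config_text):
    """Return {(template or None, profile): sorted weak keys not set to 'no'}."""
    seen = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated line, or malformed (e.g. a missing space)
        scope = (m["template"], m["profile"])
        seen.setdefault(scope, {})[m["key"]] = m["value"]
    findings = {}
    for scope, settings in seen.items():
        missing = sorted(k for k in WEAK_KEYS if settings.get(k) != "no")
        if missing:
            findings[scope] = missing
    return findings

# Constructed sample input, not taken from a real device. The last line
# deliberately lacks the space after the profile name, so it is not counted.
SAMPLE = """\
set template BranchTpl config shared ssl-tls-service-profile gp-portal protocol-settings auth-algo-sha1 no
set template BranchTpl config shared ssl-tls-service-profile gp-portal protocol-settings enc-algo-3des no
set template BranchTpl config shared ssl-tls-service-profile gp-portal protocol-settings enc-algo-rc4 no
set template BranchTpl config shared ssl-tls-service-profile gp-portal protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile gp-local protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile gp-local protocol-settings enc-algo-3des yes
set shared ssl-tls-service-profile gp-localprotocol-settings enc-algo-rc4 no
"""

if __name__ == "__main__":
    for (template, profile), keys in audit(SAMPLE).items():
        where = f"template {template}" if template else "firewall-local"
        print(f"{profile} ({where}): not disabled -> {', '.join(keys)}")
```

A profile that has no `protocol-settings` line at all does not appear in the input and is therefore not reported; compare the output against the list of profiles actually in use.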

L0 Member

GP client sign out does not clear the certificate selected when using smart card authentication.  You have to delete the line in windows registry or reinstall the client application.  Please add this to the sign out tasks or at least add an option for the user to clear their certificate selection (preferable to just add this to the sign out actions).

L0 Member

Hello,

 

Some customer requires PANGP adaptor to allow packet forgery. Nessus can not inject traffic into the tunnel.

Community Team Member

Hi @JuanCanuelo ,

 

To request a new feature please reach out to your local SE.  They can create the FR for you after which you and others can add their vote to it.

https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L0 Member

Please support dark theme, # 11765

Thanks a lot.

L7 Applicator

After a long time not being active here in live community I will now start again to update this topic/the feature request table in the next week. 

 

Have a nice Sunday to all!

L0 Member

I would need that ID 11765 was solved soon, for my eyes it is very bad and using browser extension is not the solution, many parts are hidden. 

L0 Member

IPSec VPN point-to-multipoint or multipoint-to-multipoint

Since if a single tunnel needs to be configured, for example between PA and Forti, and both sides have two ISPs, Forti has Hub-Spoke VPN, but on PA there is currently no solution unless FQDNs are used on both sides, but that requires an extra expense for a DDNS. Using a Dynamic Peer may solve it on the PA side but not on the Forti side; although it allows choosing 2 IPs, it seems they must be from the same ISP. I hope you can add these to the requests, thank you.

 

Community Team Member

Hi @Alan_Martinez ,

 

Please reach out to your local SE and have him add the FR for you.  Once you have the FR# you and everyone else can add their vote to it via their local SE.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L0 Member

Please implement 4454 (grayout expired rules)

L1 Bithead

Hello Team.

Can you add FR ID: 9659 granular control of custom admin role to allow export/import config and reboot/shutdown.

 

Thank you so much

 

Kind regards
