I don't know if this would be classified as a new feature, but it would be nice if, on Policies/Security, there was a separation of the inbound rules and the outbound rules. Right now these rules are all thrown in the same view.
In PAN-OS 4.0 and higher, there is a tag column that you can use to group rules together. Simply add 'inbound' as the tag for all inbound rules, and so on. Then you can filter on the tag to display only the rules you want.
What's the possibility to get some GUI grouping similar to Juniper NSM (and others for that matter)?
So one can expand/compact each group of rules (for example if you group the rules as inbound rules to each zone).
The look would be something like:
Click on the DMZ-ZONE1 and you will see the rules you need to see:
Have you tried using the search bar and/or 'Filter' feature in 4.0?
It accomplishes what you're suggesting here through a search function rather than a grouping function, but is just as effective. Hover over and click the drop down arrow in say the dest zone field for "DMZ-ZONE1" and you'll see a "Filter" button. Click this and a query will appear in the search field at top "(to/member eq 'DMZ-ZONE1')". Click the Go (green arrow to the right) and you've filtered on all rules for dest zone DMZ-ZONE1.
You could equally just type "DMZ-ZONE1" in the search field and find all rules with DMZ-ZONE1 in it, source or dest.
Also, tagging works great too, and is a great way to search and filter rules. It's doubtful that expand/collapsed rule groups are on the roadmap, but if I had my choice between collapsible rule groups and a search bar with filters, I'd take the flexibility of the search bar 8 days a week.
The search thingy doesn't work since you need to tag EACH AND EVERY rule and that's just retarded (or at least not as fun as if you just drag and drop the rule to the correct grouping directly in the view of security policies).
But don't get me wrong, the tag method is better than nothing but it would be far better if one could group directly in the GUI as well.
Is this perhaps a patent limitation that stops PAN from being able to fix grouping in the GUI directly in the view of security policies?
I can completely see the idea behind the tagging and searching based on tags etc but I think grouping serves a different purpose and would be a great addition. I really don't think it would be a case of either or.
When you're working with a long rule base, if you are working through where traffic would get allowed or denied, the ability to remove or return a group of rules from view at the click of a button is very handy. Yes, the rules can achieve the same but there is more clicking or changing of search expression to add 'not' for example and you have to wait for the web page to update, which hasn't always been that quick.
I know there is the risk that it is seen as a copy of Check Point or Juniper etc. but loads of applications allow such behaviour and not just firewall interfaces. It would certainly be a shame to discount it entirely.