What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, I would like to understand the opinion of the PAN community about the features that are still missing or need to be improved.

I would appreciate it if you can specify by functionality, like:

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thanks

Mario

Not applicable

Please make your docs clearer, and add a detailed overview of the various options and settings! ;)

L0 Member

I couldn't agree more on the documentation side of things. There is the admin guide, which shows you how to configure common options and services but doesn't actually tell you what you are doing or what the not-so-common options are. Then you have the CLI reference, which is nothing more than a command tree of the CLI. They are missing the part that describes the options and the settings.

I would also like to see better troubleshooting of sessions and why they were terminated. Currently, from a looking-back perspective, it is impossible to tell why a particular session ended, which has caused a lot of issues in my deployment.

Oh, and I would also like the bug in 4.0.x on the PA-5000 series for packet filters to be fixed. I currently can't do any packet-level troubleshooting because filters don't work at all.

L1 Bithead

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

A: Better QA; we have had 3 DOA boxes

B: Solid state hard disks across the whole product range

C: When adding a device to Panorama, the ability to import the firewall configuration.

But the ACE T-shirts are cool :-) So don't stop that :-)

Not applicable

More DLP features. Even a default set of predefined filters (SSN, credit card #, etc.) would be a nice start.

Not applicable

Ideally the following would be nice; some background:

Situation:

  • Whenever I get a malware-infected client (missed by PA, and most of us are SSL decrypted), the one common link I can see is that the user unwittingly (let's hope) downloaded a .EXE file from an unknown (URL filter classification) source. I'd like to be able to link the file blocking profile (with all its derivatives) to the URL classification profile, so that if a user goes to a site which falls in the "unknown" category then they will be able to browse only, not download .EXE and other extension types.

Suggestion:

URL filtering is compliance based, not really security. Threat management (the malware engine in this instance) on the PA (security based) has all but stopped a handful of viruses in recent times; I need the latter two to work together, linked to the file blocking profile, to be more effective.

The logic exists between App-ID and file blocking... let's extend that to include URL filtering.

PS, I'm sure my regional service rep is sick of me asking for this :-)

(And if I understand the PAN-OS 4 "drive-by download" feature, then this request is not really the same; I may be wrong.)

cheers

Not applicable

Required:

  1. Better DLP support (quite bad right now) and integration with outbound email control & blocking
  2. SSL VPN portal for clientless connections. A client for mobile (iPhone/Android) and Linux would also be quite useful.
  3. Deeper integration between rules/applications and URL filtering

Useful in the future:

  1. Seamless user notification when policies are violated.
  2. Large log & monitoring SSD for all devices
  3. A packet flow test section in order to verify rules, NAT, profile groups, URL filtering. Cisco and Websense have a section like this, and it is great for troubleshooting & quick deployment.

PA now has a great product, and with other improvements it may become the real leader in network security firewalls.

Keep up the good job!

L0 Member

Must Have:

- Better integration between the wealth of documents in KnowledgePoint and the PAN-OS Administration Guide. As an example, the "How to Set Up and Configure High Availability PANOS 3.1" document should be referenced/hyperlinked right in the "Setting Up High Availability" section of the Administration Guide.

- Ability to verify speed/duplex of an interface from the web GUI

Nice to Have:

- The option to execute at least some elements of the test command ("test security-policy-match", "test routing", "test nat-policy-match") against the candidate configuration instead of the running configuration. It would be very handy to verify the behavior of a new rule/route prior to a commit.

- Ability to delete an old saved config from the web GUI
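Two of the requests above, tying a file blocking profile to the "unknown" URL category so such sites stay browsable but .EXE downloads are blocked, and checking what a flow would hit under the candidate configuration before committing, can be modelled offline with a small first-match policy simulator. The following is an added example written for this page; it is not PAN-OS code, not the test commands mentioned above, and not an official Palo Alto Networks tool. The rule and flow fields, the rule names, the addresses and the sample rulesets are all constructed assumptions; the only PAN-OS behaviour it mirrors is top-down first match and the intrazone-default (allow) / interzone-default (deny) rules. It does treat URL category as a match criterion, which is exactly what the poster is asking for.

```python
# Added example (not PAN-OS code): offline first-match policy simulator that
# compares the verdict for a flow under a running and a candidate ruleset.
# Rule/Flow fields, rule names and sample data are constructed assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str                     # CIDR or "any"
    destination: str                # CIDR or "any"
    application: str                # App-ID name or "any"
    url_category: str               # URL filtering category or "any"
    action: str                     # "allow" or "deny"
    blocked_files: frozenset = frozenset()   # file types blocked by the attached profile


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str
    url_category: str
    file_type: str = ""             # "" when no file transfer is involved


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _field_match(spec: str, value: str) -> bool:
    return spec == "any" or spec == value


def first_match(rules, flow):
    """Return the first rule whose criteria all match the flow, or None (top-down, first match wins)."""
    for r in rules:
        if (r.from_zone == flow.from_zone and r.to_zone == flow.to_zone
                and _addr_match(r.source, flow.src_ip)
                and _addr_match(r.destination, flow.dst_ip)
                and _field_match(r.application, flow.application)
                and _field_match(r.url_category, flow.url_category)):
            return r
    return None


def verdict(rules, flow):
    """(rule name, outcome). Unmatched intrazone traffic is allowed and unmatched
    interzone traffic denied, mirroring the PAN-OS default rules."""
    r = first_match(rules, flow)
    if r is None:
        return ("intrazone-default", "allow") if flow.from_zone == flow.to_zone \
            else ("interzone-default", "deny")
    # An allow rule still blocks a transfer whose file type its profile lists.
    if r.action == "allow" and flow.file_type and flow.file_type in r.blocked_files:
        return (r.name, "block-file")
    return (r.name, r.action)


def diff_verdicts(running, candidate, flows):
    """Flows whose (rule, outcome) differs between the rulesets: (flow, running, candidate)."""
    out = []
    for f in flows:
        before, after = verdict(running, f), verdict(candidate, f)
        if before != after:
            out.append((f, before, after))
    return out


# Constructed sample rulesets. The candidate inserts one rule above the general
# web rule so "unknown" sites remain browsable but .exe/.dll downloads are blocked.
RUNNING = [
    Rule("allow-web", "trust", "untrust", "10.0.0.0/8", "any", "web-browsing", "any", "allow"),
    Rule("deny-all", "trust", "untrust", "any", "any", "any", "any", "deny"),
]
CANDIDATE = [
    Rule("unknown-url-no-exe", "trust", "untrust", "10.0.0.0/8", "any", "web-browsing",
         "unknown", "allow", frozenset({"exe", "dll"})),
] + RUNNING

# Constructed sample flows (RFC 5737 documentation addresses on the outside).
SAMPLE_FLOWS = [
    Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "web-browsing", "unknown", "exe"),
    Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "web-browsing", "unknown"),
    Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "web-browsing", "business-and-economy", "exe"),
    Flow("trust", "untrust", "192.168.5.5", "203.0.113.10", "web-browsing", "unknown", "exe"),
]

if __name__ == "__main__":
    for f, before, after in diff_verdicts(RUNNING, CANDIDATE, SAMPLE_FLOWS):
        print(f"{f.src_ip} {f.url_category} {f.file_type or '-'}: {before} -> {after}")
```

Running it reports only the flows whose verdict changes: the .exe download from an "unknown" site goes from "allow-web / allow" to "unknown-url-no-exe / block-file", and plain browsing of an "unknown" site now hits the new rule while still being allowed; the download from a categorised site and the out-of-scope 192.168.5.5 flow are unaffected. The diff shows both rule-hit and outcome changes on purpose, since a shadowed rule is the usual surprise after a commit.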

L0 Member

Must have:

- Separate reporting and logging per Device Group/Access Domain in a Panorama environment. Currently I can only choose between VSYS, nothing else, and it is a bit frustrating compared to FortiAnalyzer :-)

- Better quality (and always updated) documentation on ALL available features, with a lot of case studies/real scenarios (à la Juniper, for instance)

- Better filter groups in the Vulnerability Protection profile and improved management features related to the Vuln Profile.

- AV, Vulnerability, Anti-Spyware exceptions by IP address (by ID it is totally useless, because I can exclude a server not affected but not the entire signature, and working with many profiles and many rules is not a clean way)

Nice to have:

- MPLS/OSPF/BGP inspection, i.e. what's inside an MPLS tunnel? Many customers are asking me for this feature (not a simple solution..)

- A series smaller than the 500. Many Italian customers are asking for a firewall of up to 100 Mbps, to better compete with Fortinet (also in terms of pricing)

Thanks

L4 Transporter

mario.chancay wrote:

Hi, I would like to understand the opinion of the PAN community about the features that are still missing or need to be improved.

I would appreciate it if you can specify by functionality, like:

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thanks

Mario

Documentation, Documentation, Documentation.

Without being too blunt, the documentation stinks. It needs clearer explanations, better grammar, and real-world examples instead of useless classroom types, so people can sort things out without running to support. If you want examples, look at how Cisco does it.

Support, Support, Support.

I've had a discussion recently with my "support partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks on a bug report, and three uploads of tech-support and logs, to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!).
