What is still missing or needs to be improved in PA Next Generation Firewalls ?
Showing results for 
Search instead for 
Did you mean: 

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :


Must Have : A,B,C

Nice to Have : D,E,F




L4 Transporter

Must have:

Security policies: column with number indicating processing order.

And closely related: ability to sort policies on other colums.

Nice to have:

Security profiles/groups in security policies window should be displayed by name, not logo. If you have several profiles/groups they're all the same icon.

L3 Networker

Nice to see I'm not the only one that is complaining about:

-Documentation with proper real-life scenarios/examples. Detailed explanation what different settings does and why they should be used or not.

-QA has been mentioned. I agree as well.

I'd like to see:

-The ability to block/act on ongoing attacks directly from the session browser and log (traffic/threat). IE, block offending IP for X hours.

-Better exceptions for Threats. I'd like to be able to create an exception for a particular threat in conjunction with a source and/or destination IP.

-If possible, Better reporting/logging for DDoS/Zone protection.

-commit timer. I'd like to be able to commit with a timer value. If a second commit hasn't been performed within the specified time, the box automaticaly reverts to the previous version.

-Multiple Captive Portal "profiles"

-Bulk set security profiles in CLI, (example: set rulebase security * from trust to untrust profile-setting profile ......) This helps making changes in large rulebases.

L2 Linker

Must have:

- Documentation Cleanup...E.g. There is an "official" Documentation (PA-4.0_Administrators_Guide.pdf) and a Lot of "How To" Guides (How to Configure HA on PANOS 3.1.2.pdf, Active Active Techz Note-2.pdf, ...). I don't like to have that many documents. Especially if they talk about the same topic and one File doesn't have all the info.

- Easy Access to "show system state" information by Script (for Monitoring). E.g. accessible by SNMP or XML-API

Nice to have:

- Since the newest PanOS supports active/active. It would be nice to have a "active/passive"-per-VirtualSystem possibility. Its a lot easier to debug if you know, this hole V-Sys is processed by this cluster node. And there is no asymmetric routing within this setup.

L0 Member

I agree with the Documentation needs discussed thus far.

Must Have's:

1.   Make filters applied to Logs, sticky, so that you can switch logs and then return to the same filter you applied earlier

2. Add ability for administrators to EXCLUDE users/groups/objects in a policy rule.

Nice to Have's:

- Colored Allow/Deny entries in logs. For example, green for allowed rules and red for denied. Users should be able to choose from a palette of colors to set their own colors.

- Faster scrolling of log traffic. ~1 second would be great.

- Customizable columns in the logs. Ability to re-arrange columns. Ability to choose which columns are displayed. Make these changes sticky so they stay when leaving the log page you are viewing.

- That the “Resolve” check box only applies to the log window in which you check it.

- Ability to perform text search within Logs, Rules, Users, Threats, etc…

- Add/show the appropriate “Rule” being applied in the URL, Threat and Data Filtering logs

- ACC Panel:

a. For entries of the “Insufficient Data” type, include the Protocol and port number when viewing the Application Information about it. May help an administrator to define a custom or in-house application if they can see what protocols and ports are being accessed.

- Make sticky the number of rows chosen to display in the logs.

- For all Logs, reference each row by row numbers and allow them to be sortable.

- For all Logs, include/declare total number of rows retrieved when a filter is applied, at bottom of page.

- Add the ability to be able to listen for URL headers from external clients and not just IP addresses, for internally published servers/websites.

- Sorting. Throughout the user interface are many instances of Columns that should have the ability to be sorted. (I.E. Objects tab>Name and Address columns)

Ability for user to authenticate to firewall and get the allow rule then sign-off when done troubleshooting an issue. I know it can be done now but in a "hack" kinda way.

Not applicable

Nice to Have : cisco integration with Filtering Service on Palo Alto, like websense or SurfControl

L4 Transporter

Nice to have: Applipedia should include the information if a specific application requires an exclusion for SSL decryption in order to work. E.g. dropbox

L4 Transporter

Ability to define and fold up groups of security rules.  The tags are very cool but a way to fold up groups of rules to a single line would be nice.

Longer captive portal, ability to put in length of captive portal based on user/group and/or timeout and/or native client etc.  Bottom line is BYOD is here.

Free copy of Panorama for small rollouts.  Why?  Word of mouth for larger installations, ability to gain experience with Panorama.

Real world examples of implementation, rules etc.  It is a different way of thinking and honestly is difficult to get a grip on it for complex situations.

Graphical interface for schedules.


L2 Linker

What i really would like to see in PA device is usable DLP. A few days ago i powered up old fortigate device and damn their DLP is quite nice to work with. They even had a chance to search for keywords in mail subject or body.

The ability to import user and group information periodically, and the ability to use those imported objects to create groups on the box. Our management does not like the fact that I need to rely on our IT group for firewall ACL's. Nor do they want to create another process in which we have to monitor more group memberships/changes to AD.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!