What is still missing or needs to be improved in PA Next Generation Firewalls ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :


Must Have : A,B,C

Nice to Have : D,E,F




gfowler: we feed our PAs into a SIEM via syslog and it works wonderfully... I almost never have to log in to the appliance itself for the usual day to day log review.

On the cheaper side, you could have your PA feed into something like rsyslog or Splunk (up to 500 megs a day is free with Splunk!) and review logs that way

L4 Transporter

Better Quality Assurance

It is honestly insane how many bug report tickets we have filed with PA for their devices... it seems like every time we go to take advantage of one of Palo Alto's many firewall features we are bitten by some bug or another. I like PA, I like the product line, I like the approach the company is taking, heck I like the smaller company atmosphere that seems to prevail there, but please for the love of packets improve your QA process! Test all the features in the product! Test all the features when every major release comes out!

And please test and improve GlobalProtect until it is to the point where it is rock solid!

Anyways, that's my .02 cents

L0 Member

Palo Alto really should create an upgrade kit for the PA-500's. 

The amount of time that a commit takes to be processed is just ridiculous at this point.  We've had commits take upwards of 5 minutes at some points. 

This is not good when you need to suddenly make a change to revert a commit or tweak something.

Just put together a kit with some SSD storage, and more RAM and all would be well.  There have been plenty of threads on the slowness of the PA-500's, and while PA themselves admit it's because it's older hardware, they haven't really done much to rectify that. 

5 minutes would be an "okay" time for a commit on our side. We're using a PA-2050 active/passive cluster and it usually takes 10 minutes to commit a change 😞

We recently did a hardware refresh - replacing our 2050s with 3050s.  Our commits were also close to 10 minutes on the 2050s.  They are now about 10 seconds on the 3050s.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!