What is still missing or needs to be improved in PA Next Generation Firewalls ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :


Must Have : A,B,C

Nice to Have : D,E,F




L2 Linker

I would like to see a fat client for Log review.   Maybe a QT based executable.   Develop it once and compile for Windows, Mac, and Linux.   I would think such a feature would be exponentially faster than the Flash based log viewer I'm currently saddled with.

L1 Bithead

Must have:

B. Ability to quarantine malicious or infected devices/computers for a given period of time e.g. TippingPoint which blocks access.

When the time duration has expired access is granted until another threat is triggered.

(For DHCP clients the IP address can change to another device that is clean.)

This forces users with infected systems to call the HelpDesk for assistance.

Blocking access only on malicious activity does not resolve the root cause on a protected LAN.

Must Have:

1) Ability to have collapsible tags/groups in Policies.  When we have dozens of Tags, it would be nice to be able to view them ALL at a higher level.

2) Better QA from Palo Alto.  We seem to find bugs in the software way more than we would like to.

Well said TCPDump would be much less cumbersome than current approach.  BPF filter support would be nice too.

Nice to have:

1) Create rules based on MachineID as described in https://live.paloaltonetworks.com/thread/6589

gfowler: we feed our PAs into a SIEM via syslog and it works wonderfully... I almost never have to log in to the appliance itself for the usual day to day log review.

On the cheaper side, you could have your PA feed into something like rsyslog or Splunk (up to 500 megs a day is free with Splunk!) and review logs that way

L4 Transporter

Better Quality Assurance

It is honestly insane how many bug report tickets we have filed with PA for their devices... it seems like every time we go to take advantage of one of Palo Alto's many firewall features we are bitten by some bug or another. I like PA, I like the product line, I like the approach the company is taking, heck I like the smaller company atmosphere that seems to prevail there, but please for the love of packets improve your QA process! Test all the features in the product! Test all the features when every major release comes out!

And please test and improve GlobalProtect until it is to the point where it is rock solid!

Anyways, that's my .02 cents

L0 Member

Palo Alto really should create an upgrade kit for the PA-500's. 

The amount of time that a commit takes to be processed is just ridiculous at this point.  We've had commits take upwards of 5 minutes at some points. 

This is not good when you need to suddenly make a change to revert a commit or tweak something.

Just put together a kit with some SSD storage, and more RAM and all would be well.  There have been plenty of threads on the slowness of the PA-500's, and while PA themselves admit it's because it's older hardware, they haven't really done much to rectify that. 

5 minutes would be an "okay" time for a commit on our side. We're using a PA-2050 active/passive cluster and it usually takes 10 minutes to commit a change 😞

We recently did a hardware refresh - replacing our 2050s with 3050s.  Our commits were also close to 10 minutes on the 2050s.  They are now about 10 seconds on the 3050s.



jared181920 wrote:

Palo Alto really should create an upgrade kit for the PA-500's. 

PAN-PA-500-UPG-2GB is a 2GB RAM Upgrade kit for the PA-500s.  

I did not know this!

Does it actually make a noticeable improvement in commit times and overall responsiveness of the device?  It should in theory, but just wondering if there's a real-world difference.

I haven't had the chance to compare both 1GB and 2GB models under similar loads. There are some discussions here in the forum talking about experiences with the upgrade:


L1 Bithead
  • SPEED.  Five minutes to COMMIT a URL to a filter?  Twenty minutes to reboot?  My Microsoft ISA 2004 booted faster.  A URL filter took ten seconds at most.
  • Same request as others: Better documentation with real examples.
  • Better logging for VPN!  I want to know when user JSmith logged on and when she logged off the VPN.
  • REDUNDANT POWER SUPPLIES!!!  Over 99% of my servers have dual power supplies.  Edge switches have dual power supplies. Minimum is to have a modular power supply design with a secondary empty slot.  Those that don't need/want the supply simply don't order it.
  • Solid State Hard Drives would be a good idea.
  • Better interface into Active Directory.  The PAN-AGENT sucks.  If there are multiple users on a computer I cannot get reliable logs for Internet monitoring.

L1 Bithead

For 'A'

We use the 2000 series firewalls with 4.0.x code. The web based interface is so slooooooooooooooow it is painful and doing a commit takes 10 minutes.

For 'B'

We were also unlucky to have three DOA firewalls (2 had failed disks), you do not supply kit with solid state disks and would not entertain it, so again would like to see this included.

I would also second the post from TNaami.

  • 78 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!