What is still missing or needs to be improved in PA Next Generation Firewalls?

L3 Networker

Management interface improvements - look into features of FMT 2.0!

L3 Networker

This should be an easy one.  From the GUI, I should be able to get the properties of an Ethernet interface.  The only way I know how to do that is via the CLI command show interface ...

Mike

L2 Linker

Which properties are you missing? In 4.11 you can hover over the red/green interface icon and it pops up the speed/duplex?

Things I would like to see (I run 4.1.11h1 mostly):

- The ability to log implicit rules so I can get rid of the explicit block-all at the end of my policy, which causes it to generate a screen full of warnings - or add an option to turn off the generation of spurious warnings on commit.

- Port Panorama to Hyper-V for more deployment options. Panorama should be free IMHO.

- Improved logging for high-profile events like a reboot so I don't have to guess why the box restarted.

- Better QC; I would much rather have a slower release of new features and better testing to ensure that existing features are not broken.

- Allow me to customise the messages generated when dropping SMTP with a Data Filter rule. At the moment it sticks in something like "Blocked by PaloAlto firewall", which is undesirable.

- SSD upgrade options for all the older hardware so I don't have to replace everything to get rid of my 15 min commit time....

L4 Transporter

msullivan wrote:

This should be an easy one.  From the GUI, I should be able to get the properties of an Ethernet interface.  The only way I know how to do that is via the CLI command show interface ...

Mike

What, you mean like this?

[screenshot: interface.png]

Shows the interface properties pretty well, from where I'm sitting.

L4 Transporter

Regarding speed... Would it be possible somehow to offload some of the computation effort during a commit to the client browser (JavaScript)? I know the PA is a security device... but maybe some less critical parts... or maybe there are techniques where the PA could verify that code hasn't been altered on the client...? Just a thought.

L4 Transporter

oschuler wrote:

Regarding speed... Would it be possible somehow to offload some of the computation effort during a commit to the client browser (JavaScript)? I know the PA is a security device... but maybe some less critical parts... or maybe there are techniques where the PA could verify that code hasn't been altered on the client...? Just a thought.

*Horrible* idea. Java is about as secure as a broken padlock. Doing this would completely remove the use of the PAN device for security by opening it to god knows what kind of hacks.

L3 Networker

I would definitely agree with the test GlobalProtect comment.  There are so many bugs that the client is virtually unusable with my staff.  Compared to other solutions on the market, SonicWALL, Cisco, and CheckPoint are leaps and bounds ahead.  GlobalProtect doesn't even compare or rank with these.  There are times it takes 30+ seconds to connect when CheckPoint takes less than 2.  Sometimes users have to connect 10-15 times before it finally occurs.  All we ever get is "open a support call" or "submit an enhancement."  Typical response.  It seems that Palo Alto doesn't put much effort into fixing the product.  I would figure that an enterprise-class product would behave differently, especially for the price they charge!  Simply get a competitor's VPN product and PAN will see that theirs cannot keep up.

L6 Presenter

I agree with you, connecting should be quick. Also, SSL VPN clients should have a reserved/static IP option.

L4 Transporter

We had a similar issue. GP clients took 30 sec+ to connect. For a fix please see https://live.paloaltonetworks.com/message/22957#22957

L4 Transporter

darren.g: Java and JavaScript are two different things, just want to point that out. Although trusting a browser client's JavaScript interpreter to verify firewall policy is a rather crazy idea, I agree.


oschuler: If the policy build could be pushed to the client in a secure way and then signed and pushed back to the PA appliance, this would feasibly work. I don't know of a good way to do that without something like a Java applet though, which would make the PA admin implementation much "fatter" by requiring a Java applet.
