What is still missing or needs to be improved in PA Next Generation Firewalls ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thks

Mario

78 REPLIES 78

L4 Transporter

I would like to have something more to organize the view on ruleset, because the more rules we get the more difficult it is keeping the overwiew. We are using zones, tags and webgui but it is to less.

  • SPEED.  Five minutes to COMMIT a URL to a filter?  Twenty minutes to reboot?  My Microsoft ISA 2004 booted faster.  A URL filter took ten seconds at most.
  • Same request as others: Better documentation with real examples.
  • Better logging for VPN!  I want to know when user JSmith logged on and when she logged off the VPN.
  • REDUNDANT POWER SUPPLIES!!!  Over 99% of my servers have dual power supplies.  Edge switches have dual power supplies. Minimum is to have a modular power supply design with a secondary empty slot.  Those that don't need/want the supply simply don't order it.
  • Better interface into Active Directory.  The PAN-AGENT sucks.  If there are multiple users on a computer I cannot get reliable logs for Internet monitoring.

Great comments!!

Documentation needs real examples in every section. Tired of searching on Communities.....

PAN-AGENT sucks. Multiple users confuses it badly.....

egearhart wrote:


but please for the love of packets improve your QA process! Test all the features in the product! Test all the features when every major release comes out!

I love your turn of phrase, and 100% agree with your sentiment.

QA of late has *sucked*. Documentation and QA are my two biggest bugbears with PAN.

L6 Presenter

IPSEC VPN  IKEv2


IPSEC VPN Phase-1 Authentication RSA-Signature


Throughput report backwards from directly Paloalto (not any snmp, etc)


embryonic/half-open tcp session values on zone protection / DDOS rule


QOS with Link aggregation


802.1x support


L3 Networker

Nice to have: Ability to select the threat action from a threat log message - i.e. If a threat is logged ("alert"), the administrator can open the threat log and select a new action such as "block" or "reset" etc. The new action is updated in the corresponding threat profile.

MUST HAVE: SSD's for the win!!! :smileycool: all models

L3 Networker

Management interface improvements - look into features of FMT 2.0!

L3 Networker

This should be an easy one.  From the GUI, I should be able to get the properties of an Ethernet interface.  The only way I know how to do that is via the CLI command show interface ...

Mike

Which properties are you missing ? in 4.11 you can hover over the red/green interface icon & it pops up the speed / duplex ?

Things I would like to see (I run 4.1.11h1 mostly):

- The ability to log implicit rules so I can get rid of the explicit block all at the end of my policy which causes it to generate a screen full of warnings - or add an option to turn off the generation of spurious warnings on commit.

- Port Panorama to HyperV for more deployment options. Panorama should be free IMHO.

- Improved logging for high profile events like a reboot so I dont have to guess why the box restarted.

- Better QC ; I would much rather have a slower release of new features & better testing to ensure that existing features are not broken.

- Allow me to customise the messages generated when dropping SMTP with a Data Filter rule. At the moment it sticks in something about Blocked by PaloAlto firewall which is undesirable.

- SSD upgrade options for all the older hardware so I dont have to replace everything to get rid of my 15 min commit time....

msullivan wrote:

This should be an easy one.  From the GUI, I should be able to get the properties of an Ethernet interface.  The only way I know how to do that is via the CLI command show interface ...

Mike

What, you mean like this?

interface.png

Shows the interface properties pretty well, from where I'm sitting.

Regarding Speed... Would it be possible somehow to offload some of the computation effort during a commit to the client browser (JavaScript)? I know the PA is a security device...but maybe some less critical parts... or maybe there are techniques where the PA could verify that code hasn't been altered on the client...? Just a thought.

oschuler wrote:

Regarding Speed... Would it be possible somehow to offload some of the computation effort during a commit to the client browser (JavaScript)? I know the PA is a security device...but maybe some less critical parts... or maybe there are techniques where the PA could verify that code hasn't been altered on the client...? Just a thought.

*Horrible* idea. Java is about as secure as a broken padlock. Doing this would completely remove the use of the PAN device for security by opening it to god knows what kind of hacks.

I would definitely agree with the test GlobalProtect comment.  There are so many bugs that the client it is virtually unusable with my staff.  Compared to other solutions on the market, SonicWALL, Cisco, and CheckPoint are leaps and bounds ahead.  GlobalProtect doesn't even compare or rank with these.  There are times it takes it 30+ seconds to connect when CheckPoint takes less than 2.  Sometimes users have to connect 10-15 times before it finally occurs.  All we ever get it "open a support call" or "submit an enhancement."  Typical response.  It seems that Palo Alto doesn't put much effort into fixing the product.  I would figure that an enterprise-class product would behave differently, especially for the price they charge!  Simply get a competitors VPN product and PAN will see that theirs cannot keep up.

I agree with you,connecting should be quickly. Also ssl vpn clients should have a reserved/static ip option.

We had a similar issue. GP clients took 30 sec+ to connect. For a fix please see https://live.paloaltonetworks.com/message/22957#22957

darren.g  Java and Javascript are two different things, just want to point that out. Although trusting a browser client's Javascript interpreter to verify firewall policy is a rather cray idea, I agree.


oschuler  If the policy build could be pushed to the client in a secure way and then signed and pushed back to the PA appliance this would feasibly work. I don't know of a good way to do that without something like a Java applet though, which would make the PA admin implementation much "fatter" by requiring a Java applet

  • 34672 Views
  • 78 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!