What is still missing or needs to be improved in PA Next Generation Firewalls ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :

FIREWALL

Must Have : A,B,C

Nice to Have : D,E,F

Thks

Mario

78 REPLIES 78

gfowler Also it appears that another fast open source log management project, ELSA (Enterprise Search and Log Archive), has support for PA as well.

egearhart wrote:

darren.g  Java and Javascript are two different things, just want to point that out. Although trusting a browser client's Javascript interpreter to verify firewall policy is a rather cray idea, I agree.

Java/Javascript - they're both prone to security holes (albeit of different types), and I wouldn't trust any device which offloads processing to either option for security.

On the other hand this is already happening today since you use a webbrowser to configure the security rules in the PA.

The same malware that could screw up clientbased compile could at the same time hide rules from being seen in your browser - rules that opens a hole through your firewall for the malware to act upon.

L4 Transporter

- Ability to deploy and update User-ID Agent from the Firewall UI/Panorama. This would make life much easier in large environments

- Abilty to run scheduled commands (cron ?), such as a system reboot directly on the Firewall

- Ability to run local backups on the FW and export via ftp/tftp/scp/smb (this is an old one...)

- Improve FW UI in a way  to allow creation of Rule Sections. Now the rulebase is quickly becoming very confusing. Look at the Migration Tool, that's how It's done (Thanks Albert 🙂

- Ability to analyze MS Office files and pdf's in Wildfire

- Integrated WAN acceleration Technology would be a killer 🙂

I agree 100% with this one:

- Improve FW UI in a way  to allow creation of Rule Sections. Now the rulebase is quickly becoming very confusing. Look at the Migration Tool, that's how It's done (Thanks Albert 🙂

Would be nice if some official from PA could summarize this thread and comment on each and every suggestion what is in the pipe, what will be in the pipe and what will be discarded due to hardware/political limitations.

L0 Member

Let´s Encrypt integration in PANOS and PANORAMA would be very helpful.

As an Example for the global protect portal and gateway function or ssl inspection functions.

cheers

Andy

L5 Sessionator

I'll crawl the intranet we use for feature requests. I will try to crawl and relay PM response on these, and if not create some NGFW 

Help the community! Add tags and mark solutions please.

L0 Member

FIREWALL
Must Have : OSPFv2 RFC5709 Support (SHA1&2 hash support for authentication).
Nice to Have : Improved logging for long duration connections, such as logging traffic every few hours instead of only when connection ends. The way it currently logs makes ACC much less useful since it shows all traffic from a months-long connection all at once.

Cyber Elite
Cyber Elite

Here's one that LOTS of people want - the ability to select multiple objects from the list when adding objects to a policy rule.  This can be done by adding the Browse button that already exists in Address Groups.  The code already exists, and only needs to be applied to policy rules.

Help the community: Like helpful comments and mark solutions.

L1 Bithead

IPv6 support when using PPoE

 

eth_conf_ppoe.png

 

Cyber Elite
Cyber Elite

Hi @mario.chancay ,

 

Thanks for asking!  I don't know if you still look at this thread.

 

Must Have:

* Echo what @PANcake says below.  Add a column on Monitor > Logs > Traffic for the matching NAT rule.

* Schedule software upgrade from Panorama.

 

Nice to Have:

* The ability to select multiple items at once from a drop down menu.  For example, if I want multiple source addresses in a security policy rule, I currently have to click Add, select one, click Add, select one. etc.

* Change Link State to down for sub-interfaces.

* SSO for clientless VPN for the same SAML iDP.  (I think the NGFW would have to intercept and store the iDP cookies.)

* Template variables for GlobalProtect interfaces (portal physical, gateway physical, and gateway tunnel).

 

If anyone is drive-by browsing and would like to see this feature, like this post!

 

Tom

 

Help the community: Like helpful comments and mark solutions.

L0 Member

In the Detailed Log View (when clicking magnifying glass on the log view) it would be great to be able to see which NAT policy rule was used for the session. You can see source and destination NAT addresses, but not which NAT rule the traffic hit.

I'd like a faster web interface in general. And much faster log viewing and reporting in particular. Especially in Panorama, it is painfully slow.

L0 Member

Hello,

 

FIREWALL:

Must have: IPv6 source and destination country option.

 

Thanks,

Adrian

 

  • 34875 Views
  • 78 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!