- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-16-2011 03:56 PM
Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.
Will appreciate if you can specify by functionality like :
FIREWALL
Must Have : A,B,C
Nice to Have : D,E,F
Thks
Mario
05-17-2011 07:02 AM
plz, make your docs more clear! and add detailed overview for var options and settings!
05-17-2011 10:39 AM
I couldn't agree more on the documentation side of things. There is the admin guide which shows you how to configure common options and services but doesn't actually tell you what you are doing or what the not so common options are.. Then you have the CLI reference which is nothing more than a command tree of the CLI. They are missing the part that descibes the options and the settings.
I would also like to see better troubleshooting of sessions and why they were terminated. Currently from a looking back sort of perspective it is impossible to tell why a particualr session ended which as caused a lot of issues in my deployment.
Oh and I would also like the bug in the 4.0.x of the PA-5000 series for packet filters to be fixed. I currently can't do any packet level troubleshooting because filters don't work at all.
05-19-2011 03:23 AM
FIREWALL
Must Have : A,B,C
Nice to Have : D,E,F
A: Better QA, we have had 3 x DOA boxes
B: Solid state hard disks across the whole product range
C: When adding a device to Panorama, the ability to import the firewall configuration.
But the ACE t-shirts are cool -) So don't stop that -)
05-19-2011 06:32 AM
More DLP features. Even a default set of predefined filters (SSN, Credit Card #, etc) would be a nice start.
05-20-2011 11:18 AM
Ideally following would be nice, some background>
Situation:
Suggestion:
URL filtering is compliance based / not really security. Threat management (Malware engine in the instance) on the PA (security based) has all but stopped a handful of virus's in recent time, i need the latter two to work together linked to File blocking profile to be more effective.
The logic exists between APPID and file blocking... lets extend that to include URL filtering.
Ps, im sure my regional service rep is sick of me asking for this..:-)
( and if i understand PANOS 4 "drive by downloading" feature then this req is not really the same, i may be wrong )
cheers
05-21-2011 08:55 AM
Required:
Useful in the future:
PA has now a great product and with other imporvements may become the real leader of network security firewall.
Keep the good job!
05-21-2011 09:27 PM
Must Have:
- Better integration between the wealth of documents in KnowledgePoint and the PAN-OS Administration Guide. As an example the "How to Set Up and Configure High Availability PANOS 3.1" should be referenced/hyperlinked right in the "Setting Up High Availability" section of the Administration Guide.
- Ability to verify speed/duplex of an interface from the web GUI
Nice to Have:
- The option to execute at least some elements of the test command ("test security-policy-match", "test routing", "test nat-policy-match") against the candidate configuration instead of the running configuration. Would be very handy to verify behavior of a new rule/route prior to a commit.
- Ability to delete an old saved config from the web GUI
05-23-2011 05:51 AM
Must have:
- separated reporting and logging per Device Groups/Access Domain in Panorama environment. Currently I can only choose between VSYS, nothing else and is a bit frustrating compared to FortiAnalyzer 🙂
- Better quality (and always updated) documentation on ALL available features whit a lot of case studies/real scenario (a la Juniper, for istance)
- Better filter group in Vulnerability Protection profile and an improved management feature related to Vuln Profile.
- AV, Vulnerability, AntiSpyware Exception by IP address (is totally unuseful by ID, because I can exclude a server not affected but not the entire signature and working with many profile and many rules is not a clean way)
Nice to have:
- MLPS/OSPF/BGP inspection. i.e what's inside an MPLS tunnel? Many customer are asking me this feature (not simple solution..)
- a series more little then 500. Many Italian customers asking for some firewall up to 100 Mbps, to better compete with Fortinet (also in terms of pricing)
Thanks
05-23-2011 10:48 PM
mario.chancay wrote:
Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.
Will appreciate if you can specify by functionality like :
FIREWALL
Must Have : A,B,C
Nice to Have : D,E,F
Thks
Mario
Documentation, Documentation, Documentation.
Without being too blunt, the documentation stinks. It needs cleared explainations, better grammar, and real-world examples instead of useless classroom types so people can sort things out without running to support. if you want examples, look at how Cisco do it.
Support, Support, Support.
I've had a discussion recently with my "suport partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks ona bug report, and three uploads of tech-support and logs to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!).
05-29-2011 11:58 PM
Must have:
Security policies: column with number indicating processing order.
And closely related: ability to sort policies on other colums.
Nice to have:
Security profiles/groups in security policies window should be displayed by name, not logo. If you have several profiles/groups they're all the same icon.
05-30-2011 02:10 AM
Nice to see I'm not the only one that is complaining about:
-Documentation with proper real-life scenarios/examples. Detailed explanation what different settings does and why they should be used or not.
-QA has been mentioned. I agree as well.
I'd like to see:
-The ability to block/act on ongoing attacks directly from the session browser and log (traffic/threat). IE, block offending IP for X hours.
-Better exceptions for Threats. I'd like to be able to create an exception for a particular threat in conjunction with a source and/or destination IP.
-If possible, Better reporting/logging for DDoS/Zone protection.
-commit timer. I'd like to be able to commit with a timer value. If a second commit hasn't been performed within the specified time, the box automaticaly reverts to the previous version.
-Multiple Captive Portal "profiles"
-Bulk set security profiles in CLI, (example: set rulebase security * from trust to untrust profile-setting profile ......) This helps making changes in large rulebases.
05-30-2011 02:45 AM
Must have:
- Documentation Cleanup...E.g. There is an "official" Documentation (PA-4.0_Administrators_Guide.pdf) and a Lot of "How To" Guides (How to Configure HA on PANOS 3.1.2.pdf, Active Active Techz Note-2.pdf, ...). I don't like to have that many documents. Especially if they talk about the same topic and one File doesn't have all the info.
- Easy Access to "show system state" information by Script (for Monitoring). E.g. accessible by SNMP or XML-API
Nice to have:
- Since the newest PanOS supports active/active. It would be nice to have a "active/passive"-per-VirtualSystem possibility. Its a lot easier to debug if you know, this hole V-Sys is processed by this cluster node. And there is no asymmetric routing within this setup.
05-31-2011 07:41 AM
I agree with the Documentation needs discussed thus far.
Must Have's:
1. Make filters applied to Logs, sticky, so that you can switch logs and then return to the same filter you applied earlier
2. Add ability for administrators to EXCLUDE users/groups/objects in a policy rule.
Nice to Have's:
- Colored Allow/Deny entries in logs. For example, green for allowed rules and red for denied. Users should be able to choose from a palette of colors to set their own colors.
- Faster scrolling of log traffic. ~1 second would be great.
- Customizable columns in the logs. Ability to re-arrange columns. Ability to choose which columns are displayed. Make these changes sticky so they stay when leaving the log page you are viewing.
- That the “Resolve” check box only applies to the log window in which you check it.
- Ability to perform text search within Logs, Rules, Users, Threats, etc…
- Add/show the appropriate “Rule” being applied in the URL, Threat and Data Filtering logs
- ACC Panel:
a. For entries of the “Insufficient Data” type, include the Protocol and port number when viewing the Application Information about it. May help an administrator to define a custom or in-house application if they can see what protocols and ports are being accessed.
- Make sticky the number of rows chosen to display in the logs.
- For all Logs, reference each row by row numbers and allow them to be sortable.
- For all Logs, include/declare total number of rows retrieved when a filter is applied, at bottom of page.
- Add the ability to be able to listen for URL headers from external clients and not just IP addresses, for internally published servers/websites.
- Sorting. Throughout the user interface are many instances of Columns that should have the ability to be sorted. (I.E. Objects tab>Name and Address columns)
05-31-2011 08:26 AM
Ability for user to authenticate to firewall and get the allow rule then sign-off when done troubleshooting an issue. I know it can be done now but in a "hack" kinda way.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!