What is still missing or needs to be improved in PA Next Generation Firewalls ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is still missing or needs to be improved in PA Next Generation Firewalls ?

L1 Bithead

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :


Must Have : A,B,C

Nice to Have : D,E,F




Not applicable

plz, make your docs more clear! and add detailed overview for var options and settings! Smiley Wink

I couldn't agree more on the documentation side of things.  There is the admin guide which shows you how to configure common options and services but doesn't actually tell you what you are doing or what the not so common options are.. Then you have the CLI reference which is nothing more than a command tree of the CLI.  They are missing the part that descibes the options and the settings.

I would also like to see better troubleshooting of sessions and why they were terminated.  Currently from a looking back sort of perspective it is impossible to tell why a particualr session ended which as caused a lot of issues in my deployment.

Oh and I would also like the bug in the 4.0.x of the PA-5000 series for packet filters to be fixed.  I currently can't do any packet level troubleshooting because filters don't work at all.

L1 Bithead


Must Have : A,B,C

Nice to Have : D,E,F

A: Better QA, we have had 3 x DOA boxes

B: Solid state hard disks across the whole product range

C: When adding a device to Panorama, the ability to import the firewall configuration.

But the ACE t-shirts are cool -) So don't stop that -)

Not applicable

More DLP features.  Even a default set of predefined filters (SSN, Credit Card #, etc) would be a nice start.

Not applicable

Ideally following would be nice, some background>


  • When ever i get malware infected client (missed by PA and most of us are SSL decrypted) the one common link i can see is that the user unwittingly (lets hope) downloaded a .EXE file from an unknown ( URL filter classification) source. Id like to be able to link the file blocking profile ( with all its derivatives)  to the URL classification profile so that if a user goes to a site which falls in the "unknown" category then they will be able to browse only .. not download .EXE and other type extensions.


URL filtering is compliance based / not really security. Threat management (Malware engine in the instance)  on the PA (security based)  has all but stopped a handful of virus's in recent time, i need the latter two to work together linked to File blocking profile to be more effective.

The logic exists between APPID and file blocking... lets extend that to include URL filtering.

Ps, im sure my regional service rep is sick of me asking for this..:-)

( and if i understand PANOS 4 "drive by downloading" feature then this req is not really the same, i may be wrong )


Not applicable


  1. Better DLP support (quite bad right now) and integration with outbound email control & block
  2. SSLVPN portal for clientless connection. A client for mobile (Iphone/Android) and linux is also quite useful.
  3. A deeper integration between rules/applications and URL filtering

Useful in the future:

  1. Seamless user notification when policies are violated.
  2. Large log & monitoring SSD for all devices
  3. Packet Fowing test section in order to verify rules, nat, profile group, url filtering. Cisco and Websense have a section like this and is great for troubleshooting & quick deployment.

PA has now a great product and with other imporvements may become the real leader of network security firewall.

Keep the good job!

L1 Bithead

Must Have:

- Better integration between the wealth of documents in KnowledgePoint and the PAN-OS Administration Guide.  As an example the "How to Set Up and Configure High Availability PANOS 3.1" should be referenced/hyperlinked right in the "Setting Up High Availability" section of the Administration Guide. 

- Ability to verify speed/duplex of an interface from the web GUI

Nice to Have:

- The option to execute at least some elements of the test command ("test security-policy-match", "test routing", "test nat-policy-match") against the candidate configuration instead of the running configuration.  Would be very handy to verify behavior of a new rule/route prior to a commit.

- Ability to delete an old saved config from the web GUI

L0 Member

Must have:

- separated reporting and logging per Device Groups/Access Domain in Panorama environment. Currently I can only choose between VSYS, nothing else and is a bit frustrating compared to FortiAnalyzer 🙂

- Better quality (and always updated) documentation on ALL available features whit a lot of case studies/real scenario (a la Juniper, for istance)

- Better filter group in Vulnerability Protection profile and an improved management feature related to Vuln Profile.

- AV, Vulnerability, AntiSpyware Exception by IP address (is totally unuseful by ID, because I can exclude a server not affected but not the entire signature and working with many profile and many rules is not a clean way)

Nice to have:

- MLPS/OSPF/BGP inspection. i.e what's inside an MPLS tunnel? Many customer are asking me this feature (not simple solution..)

- a series more little then 500. Many Italian customers asking for some firewall up to 100 Mbps, to better compete with Fortinet (also in terms of pricing)


L4 Transporter

mario.chancay wrote:

Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved.

Will appreciate if you can specify by functionality like :


Must Have : A,B,C

Nice to Have : D,E,F



Documentation, Documentation, Documentation.

Without being too blunt, the documentation stinks. It needs cleared explainations, better grammar, and real-world examples instead of useless classroom types so people can sort things out without running to support. if you want examples, look at how Cisco do it.

Support, Support, Support.

I've had a discussion recently with my "suport partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks ona bug report, and three uploads of tech-support and logs to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!).

L4 Transporter

Must have:

Security policies: column with number indicating processing order.

And closely related: ability to sort policies on other colums.

Nice to have:

Security profiles/groups in security policies window should be displayed by name, not logo. If you have several profiles/groups they're all the same icon.

L3 Networker

Nice to see I'm not the only one that is complaining about:

-Documentation with proper real-life scenarios/examples. Detailed explanation what different settings does and why they should be used or not.

-QA has been mentioned. I agree as well.

I'd like to see:

-The ability to block/act on ongoing attacks directly from the session browser and log (traffic/threat). IE, block offending IP for X hours.

-Better exceptions for Threats. I'd like to be able to create an exception for a particular threat in conjunction with a source and/or destination IP.

-If possible, Better reporting/logging for DDoS/Zone protection.

-commit timer. I'd like to be able to commit with a timer value. If a second commit hasn't been performed within the specified time, the box automaticaly reverts to the previous version.

-Multiple Captive Portal "profiles"

-Bulk set security profiles in CLI, (example: set rulebase security * from trust to untrust profile-setting profile ......) This helps making changes in large rulebases.

L2 Linker

Must have:

- Documentation Cleanup...E.g. There is an "official" Documentation (PA-4.0_Administrators_Guide.pdf) and a Lot of "How To" Guides (How to Configure HA on PANOS 3.1.2.pdf, Active Active Techz Note-2.pdf, ...). I don't like to have that many documents. Especially if they talk about the same topic and one File doesn't have all the info.

- Easy Access to "show system state" information by Script (for Monitoring). E.g. accessible by SNMP or XML-API

Nice to have:

- Since the newest PanOS supports active/active. It would be nice to have a "active/passive"-per-VirtualSystem possibility. Its a lot easier to debug if you know, this hole V-Sys is processed by this cluster node. And there is no asymmetric routing within this setup.

L0 Member

I agree with the Documentation needs discussed thus far.

Must Have's:

1.   Make filters applied to Logs, sticky, so that you can switch logs and then return to the same filter you applied earlier

2. Add ability for administrators to EXCLUDE users/groups/objects in a policy rule.

Nice to Have's:

- Colored Allow/Deny entries in logs. For example, green for allowed rules and red for denied. Users should be able to choose from a palette of colors to set their own colors.

- Faster scrolling of log traffic. ~1 second would be great.

- Customizable columns in the logs. Ability to re-arrange columns. Ability to choose which columns are displayed. Make these changes sticky so they stay when leaving the log page you are viewing.

- That the “Resolve” check box only applies to the log window in which you check it.

- Ability to perform text search within Logs, Rules, Users, Threats, etc…

- Add/show the appropriate “Rule” being applied in the URL, Threat and Data Filtering logs

- ACC Panel:

a. For entries of the “Insufficient Data” type, include the Protocol and port number when viewing the Application Information about it. May help an administrator to define a custom or in-house application if they can see what protocols and ports are being accessed.

- Make sticky the number of rows chosen to display in the logs.

- For all Logs, reference each row by row numbers and allow them to be sortable.

- For all Logs, include/declare total number of rows retrieved when a filter is applied, at bottom of page.

- Add the ability to be able to listen for URL headers from external clients and not just IP addresses, for internally published servers/websites.

- Sorting. Throughout the user interface are many instances of Columns that should have the ability to be sorted. (I.E. Objects tab>Name and Address columns)

Ability for user to authenticate to firewall and get the allow rule then sign-off when done troubleshooting an issue. I know it can be done now but in a "hack" kinda way.

  • 78 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!