Palo Alto Networks Feature Requests

This is a list of missing features for the next-generation firewall from Palo Alto Networks from my point of view (though I don’t have that many compared to other vendors such as Fortinet). Let’s see whether some of them will enter PAN-OS in the next years…

This is a living list. I’ll update it whenever I discover something new.

  • Possibility to disable the “application dependency warning” messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren’t. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore, which defeats their purpose.
  • A more effective (read: working) way of retrieving nested groups within the User Identification -> Group Mapping to not run into the unnecessary “user group count exceeds threshold” issue. Details here.
  • Routing table lookup within the GUI, not only via the CLI (test routing fib-lookup virtual-router default ip <ip>). As PAN firewalls are fully manageable through the GUI, this little feature is really missing. Report. Added with PAN-OS 9.1.
  • IPv6 DHCPv6 Prefix Delegation for upstream interfaces: In order to operate a Palo Alto firewall on German residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it is working with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn’t be a big problem to add it as well. Report. Added with PAN-OS 11.0.
  • IPv6 stateful and stateless DHCPv6 server. Currently, only DHCPv6 relay is possible.
  • IPv6 PPPoE support, usable for layer 3 interfaces and subinterfaces. Added in PAN-OS 11.1.
  • IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
  • Email Server Profile with SMTP authentication. That is: The possibility to use a smart host rather than own internal SMTP servers. Report.
  • Precise CLI output stating whether or not NTP authentication was successful. Details here.
  • Grouping of policy entries rather than displaying all at once. Added in PAN-OS 9.0.
  • Dashboard widget for environment values such as power supply, fan, and temperature.
  • Dashboard widget to write down some notes. Report.
  • SCP copy of the running-config after each commit. Report.
  • Enabling/disabling the “additional-threat-log” through the GUI. Report.
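The routing table lookup wished for above (test routing fib-lookup on the CLI) is a longest-prefix match against the FIB: the most specific prefix that contains the destination wins, and the default route only catches what nothing else matches. As an added example that is not code from this post or from Palo Alto Networks, here is that lookup in Python over a constructed FIB; the prefixes, next hops and interface names are made up for illustration.

```python
import ipaddress

# Constructed sample FIB (destination prefix, next hop, egress interface).
# Loosely modelled on what a firewall's "show routing fib" would list;
# none of these values come from a real device.
SAMPLE_FIB = [
    ("0.0.0.0/0", "203.0.113.1", "ethernet1/1"),     # IPv4 default route
    ("10.0.0.0/8", "10.1.1.254", "ethernet1/2"),
    ("10.20.0.0/16", "10.1.1.253", "ethernet1/3"),
    ("10.20.30.0/24", "0.0.0.0", "ethernet1/4"),    # connected network
    ("2001:db8::/32", "fe80::1", "ethernet1/5"),
    ("::/0", "fe80::ffff", "ethernet1/1"),           # IPv6 default route
]


def build_fib(entries):
    """Parse (prefix, nexthop, iface) tuples and order them most-specific first.

    Sorting by prefix length descending means the first containing
    prefix found during the lookup is the longest match.
    """
    fib = [(ipaddress.ip_network(prefix, strict=True), nexthop, iface)
           for prefix, nexthop, iface in entries]
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib


def fib_lookup(fib, destination):
    """Return the longest-prefix match for destination, or None if no route."""
    addr = ipaddress.ip_address(destination)
    for net, nexthop, iface in fib:
        # Never match an IPv4 address against an IPv6 prefix or vice versa
        if addr.version == net.version and addr in net:
            return {"prefix": str(net), "nexthop": nexthop, "interface": iface}
    return None


if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    for dst in ("10.20.30.7", "10.20.1.1", "10.5.5.5", "192.0.2.1",
                "2001:db8:1::1", "2001:db9::1"):
        print(dst, "->", fib_lookup(fib, dst))
```

The explicit version check is what keeps a dual-stack FIB honest: without it, a misordered or hand-edited table could silently return an IPv6 default route for an IPv4 destination, and vice versa.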

Featured image “Baustellentick?” by Dennis Skley is licensed under CC BY-ND 2.0.

5 thoughts on “Palo Alto Networks Feature Requests”

  1. Juniper has a commit confirmed with automatic rollback. Similar to Cisco’s “reload in”, but doesn’t require a reboot of the device. Saved me a trip to a remote site when re-configuring IPSEC tunnels. Time of rollback should be configurable.

  2. A few wishes from my side:
    - rule changelog / version control
    - management support for DoT and DoH
    - use Traps client on endpoints as source for User-ID
    - support for BOOTP on DHCP relay
