This is a list of features I miss in the next-generation firewall from Palo Alto Networks, from my point of view (though I have far fewer of them than for other vendors such as Fortinet). Let’s see whether some of them will find their way into PAN-OS in the coming years…
This is a living list. I’ll update it whenever I discover something new.
- Possibility to disable the “application dependency warning” messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren’t. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore, which defeats their purpose.
- Routing table lookup within the GUI, not only via the CLI (test routing fib-lookup virtual-router default ip <ip>). As PAN firewalls are fully manageable through the GUI, this little feature is really missing. Report. Added with PAN-OS 9.1.
- IPv6 DHCPv6 Prefix Delegation for upstream interfaces: In order to operate a Palo Alto on German residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it is working with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn’t be a big problem to add it as well. Report.
- IPv6 stateful and stateless DHCPv6 server. Currently, only DHCPv6 relay is possible.
- IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
- Email Server Profile with SMTP authentication. That is: Possibility to use a smart host rather than own internal SMTP servers. Report.
- Precise CLI output stating whether or not NTP authentication was successful. Details here.
- Grouping of policy entries rather than displaying all at once. Added in PAN-OS 9.0.
- Dashboard widget to write down some notes. Report.
- SCP copy of the running-config after each commit. Report.
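Since the per-commit SCP copy is still a wishlist item, here is the usual workaround as an added example (my own script, not code from the original post or from Palo Alto Networks): pull the running config through the XML API and push it to an SCP host from a cron job on a management box. It assumes the XML API's configuration export call (type=export&category=configuration), the API key passed in the X-PAN-KEY header (as I recall, supported since PAN-OS 9.0; older releases take key= as a query parameter instead), a hypothetical environment variable PANOS_API_KEY holding that key, and an scp binary with key-based authentication and host key checking already set up for the target. The sample XML documents in the block are constructed for illustration.

```python
"""Export a PAN-OS running config via the XML API and copy it to an SCP host.

Added example, not from the original post or from Palo Alto Networks.
Assumptions: the export call type=export&category=configuration, the key in
the X-PAN-KEY header, the hypothetical env var PANOS_API_KEY, and an scp
binary with key-based auth set up for the target host.
"""
import argparse
import os
import ssl
import subprocess
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Constructed samples: what a config export and an API error roughly look like.
SAMPLE_CONFIG = b'<config version="10.1.0"><devices><entry name="localhost.localdomain"/></devices></config>'
SAMPLE_ERROR = b'<response status="error"><msg>Invalid credentials.</msg></response>'


def export_url(host: str) -> str:
    """URL of the running-config export; the API key goes in a header, not the URL."""
    query = urllib.parse.urlencode({"type": "export", "category": "configuration"})
    return f"https://{host}/api/?{query}"


def fetch_running_config(host: str, api_key: str, cafile=None, timeout: int = 30) -> bytes:
    """Download the running config. TLS verification stays on: pass the CA that
    signed the firewall's management certificate instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(export_url(host), headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def validate_config(xml_bytes: bytes) -> ET.Element:
    """Refuse to archive anything that is not a <config> document. An API error
    (bad key, wrong role) comes back as <response status="error">, and silently
    archiving that would leave a gap in the backup history."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "config":
        raise ValueError(f"unexpected root element <{root.tag}>; not a running config")
    return root


def archive_name(host: str, when: datetime) -> str:
    """One file per export, timestamped in UTC so versions sort and never collide."""
    return f"{host}-running-{when.strftime('%Y%m%dT%H%M%SZ')}.xml"


def write_archive(xml_bytes: bytes, dest_dir: Path, host: str, when: datetime) -> Path:
    """Validate, then write the export with owner-only permissions: the config
    carries password hashes, shared secrets and keys."""
    validate_config(xml_bytes)
    dest_dir.mkdir(parents=True, exist_ok=True)
    path = dest_dir / archive_name(host, when)
    path.write_bytes(xml_bytes)
    path.chmod(0o600)
    return path


def scp_archive(path: Path, target: str) -> None:
    """target is user@host:/dir; relies on ~/.ssh keys and known_hosts, no password."""
    subprocess.run(["scp", "-q", str(path), target], check=True)


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="archive a PAN-OS running config over SCP")
    ap.add_argument("host", help="firewall management address, e.g. fw1.example.net")
    ap.add_argument("scp_target", help="scp destination, e.g. backup@archive.example.net:/srv/panos")
    ap.add_argument("--dest", type=Path, default=Path("config-archive"))
    ap.add_argument("--cafile", help="CA bundle that signed the firewall's certificate")
    args = ap.parse_args(argv)
    api_key = os.environ.get("PANOS_API_KEY")  # hypothetical variable name
    if not api_key:
        print("PANOS_API_KEY is not set", file=sys.stderr)
        return 2
    xml_bytes = fetch_running_config(args.host, api_key, args.cafile)
    path = write_archive(xml_bytes, args.dest, args.host, datetime.now(timezone.utc))
    scp_archive(path, args.scp_target)
    print(f"archived {path} and copied to {args.scp_target}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron as often as you need (it cannot see commits, so "after each commit" becomes "every N minutes"); use a dedicated read-only superuser or a custom admin role whose XML API permissions are limited to the export call, and keep the key out of the command line so it does not show up in process listings.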