This is a list of missing features for the next-generation firewall from Palo Alto Networks from my point of view (though I have not that many compared to other vendors such as Fortinet). Let’s see whether some of them will find their way into PAN-OS in the next years…
This is a living list. I’ll update it whenever I discover something new.
- Possibility to disable the “application dependency warning” messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren’t. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore which is contrary to its purpose.
- A more effective (read: working) way of retrieving nested groups within the User Identification -> Group Mapping to not run into the unnecessary “user group count exceeds threshold” issue. Details here.
Routing table lookup within the GUI, not only via the CLI (test routing fib-lookup virtual-router default ip <ip>). As PAN firewalls are fully manageable through the GUI, this little feature is really missing. Report.Added with PAN-OS 9.1.
- IPv6 DHCPv6 Prefix Delegation for upstream interfaces: In order to operate a Palo Alto at german residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it is working with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn’t be a big problem to add it as well. Report.
- IPv6 stateful and stateless DHCPv6 server. Currently, only DHCPv6 relay is possible.
- IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
- Email Server Profile with SMTP authentication. That is: Possibility to use a smart host rather than own internal SMTP servers. Report.
- Precise CLI output whether or not NTP authentication was successful or not. Details here.
Grouping of policy entries rather than displaying all at once.Added in PAN-OS 9.0.
- Dashboard widget for environment values such as power supply, fan, temperature.
- Dashboard widget to write down some notes. Report.
- SCP copy of the running-config after each commit. Report.
- Enabling/disabling the “additional-threat-log” through the GUI. Report.
Featured image “Baustellentick?” by Dennis Skley is licensed under CC BY-ND 2.0.
5 thoughts on “Palo Alto Networks Feature Requests”
Juniper has a commit confirmed with automatic rollback. Similar to cisco’s “reload in”, but doesn’t require a reboot of the device. Saved me a trip to a remote site when re-configuring IPSEC tunnels. Time of rollback should be configurable.
We are also missing a SD-WAN integration on PAN interfaces. Regards.
That’s now a fact with PANOS 9.1
A few wishes from my side:
-rule changelog / version control
-management support for DoT and DoH
-use Traps client on endpoints as source for User-ID
-support for BOOTP on DHCP relay
I missing a grouping of regions to keep security policy small.