This is a list of features that, from my point of view, are missing from the Palo Alto Networks next-generation firewall (though I don't have that many compared to other vendors such as Fortinet). Let’s see whether some of them will find their way into PAN-OS in the next years…
This is a living list. I’ll update it whenever I discover something new.
- Possibility to disable the “application dependency warning” messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren’t. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore, which is contrary to their purpose.
- IPv6 DHCPv6 Prefix Delegation for upstream interfaces: In order to operate a Palo Alto on German residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it works with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn’t be a big problem to add it as well. Report.
- IPv6 stateful and stateless DHCPv6 server. Currently, only DHCPv6 relay is possible.
- IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
- Email Server Profile with SMTP authentication. That is: Possibility to use a smart host rather than one's own internal SMTP servers. Report.
- Precise CLI output showing whether or not NTP authentication was successful. Details here.
- Grouping of policy entries rather than displaying all at once. Added in PAN-OS 9.0.
- Dashboard widget to write down some notes. Report.