This is a list of missing features for the next-generation firewall from Palo Alto Networks from my point of view (though I don't have that many compared to other vendors such as Fortinet). Let's see whether some of them will find their way into PAN-OS in the next years…
This is a living list. I’ll update it whenever I discover something new.
- Possibility to disable the "application dependency warning" messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren't. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore, which defeats their purpose.
- A more effective (read: working) way of retrieving nested groups within the User Identification -> Group Mapping, so as not to run into the unnecessary "user group count exceeds threshold" issue. Details here.
- Routing table lookup within the GUI, not only via the CLI (`test routing fib-lookup virtual-router default ip <ip>`). As PAN firewalls are fully manageable through the GUI, this little feature is really missing. Report. Added with PAN-OS 9.1.
- IPv6 DHCPv6 Prefix Delegation for upstream interfaces: In order to operate a Palo Alto on German residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it is working with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn't be a big problem to add it as well. Report.
- IPv6 stateful and stateless DHCPv6 server. Currently, only DHCPv6 relay is possible.
- IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
- Email Server Profile with SMTP authentication. That is: Possibility to use a smart host rather than own internal SMTP servers. Report.
- Precise CLI output stating whether or not NTP authentication was successful. Details here.
- Grouping of policy entries rather than displaying all at once. Added in PAN-OS 9.0.
- Dashboard widget for environment values such as power supply, fan, temperature.
- Dashboard widget to write down some notes. Report.
- SCP copy of the running-config after each commit. Report.
- Enabling/disabling the “additional-threat-log” through the GUI. Report.