Palo Alto Networks Feature Requests

This is a list of features that, from my point of view, are missing from the next-generation firewall from Palo Alto Networks (though I don’t have that many compared to other vendors such as Fortinet). Let’s see whether some of them will find their way into PAN-OS in the coming years…

This is a living list. I’ll update it whenever I discover something new.

  • Possibility to disable the “application dependency warning” messages on a per-rule basis. They appear after each commit. Sometimes they are correct – often they aren’t. I have customers with thousands of these warnings while the whole security ruleset is sound and working. In the end, nobody reads these warnings anymore, which defeats their purpose.
  • IPv6 DHCPv6 Prefix Delegation: In order to operate a Palo Alto at German residential ISP connections, DHCPv6-PD is mandatory. (Sample here.) Since it works with fairly old Juniper ScreenOS firewalls and even FortiGates, it shouldn’t be that big a problem to add it as well. Report.
  • IPv6 6in4 tunnel support. Again, working with ScreenOS and FortiGates out of the box. Report.
  • Email Server Profile with SMTP authentication. That is: Possibility to use a smart host rather than one’s own internal SMTP servers. Report.
  • Precise CLI output showing whether or not NTP authentication was successful. Details here.
  • Grouping of policy entries rather than displaying all at once. Added in PAN-OS 9.0.
  • Dashboard widget to write down some notes. Report.

Featured image “Baustellentick?” by Dennis Skley is licensed under CC BY-ND 2.0.

2 thoughts on “Palo Alto Networks Feature Requests”

  1. Juniper has a commit confirmed with automatic rollback. Similar to Cisco’s “reload in”, but doesn’t require a reboot of the device. Saved me a trip to a remote site when re-configuring IPsec tunnels. Time of rollback should be configurable.
