What needs improvement with Palo Alto Networks NG Firewalls?

The reporting feature needs significant improvement. Generating reports in Palo Alto is challenging because it relies on specific attributes and source IDs. We want to create reports to view the number of users and consumption, but customization is difficult. The interface for generating reports is user-unfriendly, making it difficult to find information. Overall, the reporting capabilities are weak compared to other firewall solutions. The SD-WAN feature needs improvement. It currently relies on the physical interface instead of the sub-interface, requiring Panorama rather than a local firewall. Furthermore, the configuration customization for SD-WAN application source and subnetting is significantly limited compared to other firewalls. The technical support is slow and needs improvement.

Some of our clients find the price of the NG Firewalls to be expensive. The UI needs to be more user-friendly to attract novice users.

Palo Alto is a leader in the market when it comes to performance, virtualization, and the cloud platform. It is working well. In my opinion, nothing can be added at this time. However, when it comes to the cost, Palo Alto firewalls are the most expensive.

Palo Alto could improve its machine-learning capabilities. That's all new. They integrate the telemetry data and analytics up to the cloud, where they can analyze security policies and best practices like DNS Security. It uses AI tools to sort through all the massive logs and highlight where you can take action or be aware of what's happening. If you don't have many tools in your organization, it's nice to have one tool that does an excellent job across the board.

One area for improvement with Palo Alto Networks NG Firewall would be customer support. Currently, in regions like India, customer support is handled by third-party partners. Unfortunately, the support provided by these partners has not been satisfactory. It would be beneficial if the tool handled customer support directly, similar to how Cisco maintains high-quality customer care. This would ensure that customers receive the level of support they expect. Getting reliable service is important when you're a customer, especially with critical devices like firewalls. Firewalls are key parts of a network; if they fail, the whole network can become unstable. So, the support you get needs to be just as reliable as the device itself.

We haven't had any issues so far.

The setup was complex. We have perimeter firewalls and multiple voice devices handling calls. Directing traffic through gateway perimeter firewalls becomes quite complex in such a scenario. The implementation took around two months and required three to four people for deployment.

The technical support needs improvement.

The tool's central management system is complicated, making it challenging to manage multiple devices centrally. Individually, the firewalls are easy to use and manage. I'd like to see better central management features in the next release. They've introduced some, but I haven't tried them yet, so I can't say how effective they are. However, having a single management interface would be a big improvement.

The solution has a lot of features. However, there are no deep configurations available. The functionalities are limited. Other products offer more customization.

Palo Alto Networks NG Firewalls work slowly for vulnerability management. Its performance could be faster.

Palo Alto Networks NG Firewalls do not provide a unified platform that natively integrates all security capabilities. Customer support could be improved.

I don't deal with it from a day-to-day perspective, but I can say that the evidence that I typically need is there, but sometimes, it's a task to actually get it and pull it out. They can make it easier to gather that evidence. From our NetOps team's perspective also, they can make it easier to manage and constantly update those rule sets.

I like the reports, but I wish the reporting was a little better. When I set up the automatic reports to come in, they're pretty basic. I would like them to be a little more advanced at the ACC monitoring and things like that. I still enjoy all the daily alerts that I get and all the daily PDFs and reports, but I just feel that it could expand upon the visualization of the reports.

The cloud could be improved. I would like to have more visibility of the network vulnerabilities as well.

The VPN has room for improvement.

We would like to see improvement in the web interface for this solution, so that it can handle updates without manual intervention to put the data in order.

Telnet command does not work from the firewall which is a very basic requirement and this should be added. 

The reporting and visibility are phenomenal, but you don't get that information out of the box. They can email reports regularly, and the functionality is all there. However, a lot of it is based on an older model for email, where customers have in-house email servers. The small and medium-sized business customers I deal with are moving toward Office 365 or some other cloud-based mail and not maintaining their own internal mail servers. Palo Alto is developing that, and I need to understand how they integrate with an Office 365-type mail environment. The next piece is figuring out how to get that information to the people who need it without somebody physically sitting in front of the screen or going to the firewall to have it delivered to them regularly. The capability is there, but it's primarily based on an older email architecture that customers rarely use anymore.

There are some features of Fortinet such as the virtual domain capability, that I would love to see in this solution, but they don't outweigh the technical capabilities of Palo Alto as the firewall. We have not taken Palo Alto's firewall management solution because it's too expensive and we don't feel it delivers significant value. We have developed our own reporting. Sometimes there are limitations around the APIs and it would be great if the APIs could be enhanced.

We would like to see the external dynamic list for this solution improved. The current version does not automatically block malicious IP addresses, which would be very useful.

The biggest thing that needs to be improved with them is their training. I took a training class for the 8.0 build, then I took it again for the 9.0 and 10 builds. They add new features every time that they do a new major release, but the training doesn't keep up. It is the same basic training that probably was with the 3.0 build, and they just change the screenshots. I would love to see them do some more work since they have all these bells and whistles, but we don't know how to use those features on a large scale. I know this little section here about the firewall, but I know there is a huge amount that still could be done with it. I am not touching enough of it because I just don't know how. It seems like the more I learn about it, the more I learn that there is to learn

I would like them to improve their GUI interface, making it more user-friendly. I would like the dashboard to have real-time analytics.

It is not a unified solution yet. That is probably why it has been hurting them in the cloud evolution. It does not have a complete single-pane-of-glass management,

The solution's VPN, called GlobalProtect, could be improved as I've had a few issues with that. It can be challenging to migrate configurations between Palo Alto firewalls or restart with a backup configuration using the CLI. That could be improved. I think I'm one of the only people still using the CLI over the GUI, so that's just a personal issue.

There is always scope for improvement on any particular device in any particular organization. For example, when there was change from IPv4 to IPv6, some of the firewalls still didn't support IPv6. In North America, we have seen most customers are using IPv6, as they are getting the IPv6 IPs from their ISPs. Sometimes, when they go through the firewall, it denies the traffic.

In terms of the network performance, I am not very happy with Palo Alto. Other solutions, such as Fortinet, have better throughput and network performance. I am in GCC in the Middle East. The support that we are getting from Palo Alto is disastrous. The problem is that the support ticket is opened through the distributor channel. Before opening a ticket, we already do a lot of troubleshooting, and when we open a ticket, it goes to a distributor channel. They end up wasting our time again doing what we have already done. They execute the same things and waste time. The distributor channel's engineer tries to troubleshoot, and after spending hours, they forward the ticket to Palo Alto. It is a very time-consuming process. The distributor channels also do not operate 24/7, and they are very lazy in responding to the calls. It is expensive as compared to other brands. Its pricing can be improved.

We use ACC which is a tool for verifying the activity or traffic within your network. Currently, in ACC, the time of the samples that they offer is about five minutes. When you try to go down to a shorter duration, you can't. You only have five minutes. They can provide samples for shorter durations, such as one minute.

The pricing could be improved. They need to work on the setup over the firewall, VLAN, and PPPoE.

I am looking to have the machine learning see how a virus or malware will morph, then prevent that from happening. That seems invaluable at this point. We have a lot of the older firewall models, i.e., the PA-220. It seems that with newer operating systems the PA-220 is becoming slower than when I first bought it. It is not really an issue for users who are passing traffic through the firewall, but more from the management access of it.

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall. We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more. URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now. It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI.

There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better. I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day. Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck. From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good. In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

The solution is not straightforward.

It would be better to have more tools to control Palo Alto Networks NG Firewalls. We don't have too many tools to access Palo Alto. For example, the IT team doesn't have access to it. We can see it physically and see if it's running or not. We need to contact a special team to receive that information. I would also like to see more reporting in the next release.

There is another solution from Palo Alto for endpoints - XDR that integrates with the firewall thus providing protection at the network level and also at the end point but the XDR solution is only a cloud based solution. I would really like it if would be possible to implement this solution on-premises this is something that I would love to see with Palo Alto Networks NG Firewalls. The price could be lower.

I don't like the reporting. The reports it provides are not helpful. They should include more executive summaries and other important information — they're too technical.

They need to provide documentation for CLI, as most of the commands, we get from Community Forums.

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem.

Palo Alto could do better with integrating the Palo Alto Next-Gen Firewall with SD-WAN. The biggest issue with Palo Alto is that they are expensive. They are very expensive for what they offer. They should improve their pricing.

When it comes to their support, we have to select every single component that we want to include in a particular bundle. That is a very tedious process. The vendor will help us identify the product and the features, but it could be better. The price could also be better.

Its scalability for on-prem deployments can be better. For an on-prem deployment, the hardware has to be replaced if the volume goes up to a certain level.

They could improve their support and pricing and maybe integration. It's a little more expensive than Check Point but the quality is better. Integration with firewall endpoints could be better. Palo Alto does have very good malware or antivirus protection. I think they could improve on that front.

I can't recall a feature that was missing. It's a pretty complete solution. The cost of the device is very high. To buy license support is very slow. For renewing devices and products, it's slow in terms of contacting and activating upgraded devices.

For an upcoming release, they could improve on the way to build security rules per user. Palo Alto has this functionality but in implementation, we had some problem. This functionality should be better in our opinion.

I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.

Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete. Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet. We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks.

The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market. Clients are typically looking for a solution that's more aggressive in the market. For example, with Fortinet, they have an SD-WAN that really has many capabilities. For example, it can inject a GSL SIM card along with the MPLS connection. It connects the system within one product. Palo Alto doesn't offer this. This is one area that will need to improve. In Indonesia, the market is growing strategically. Palo Alto has this one product, however, with the limitation of the GSM sim card they are getting left behind.

In terms of what could be improved, comparatively the price is very high. That would be the one thing. But technically-speaking, it's perfect.

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

I think visibility can be improved. If I use the Panorama monitoring dashboard, it's still the same with or without Panorama. Even with monitoring, we don't get any valuable information. If I am a customer, I will take many variables into considerations. If I choose to use Panorama, there should be a difference between when I use it and when I'm not. If I'm a customer who paid for Panorama even when I have many firewalls, I won't get good visibility of the information I need to easily monitor our security environment. My customers have been attacked by ransomware. It's difficult to understand how the ransomware got through Palo Alto Panorama and Palo Alto dashboard monitoring from reporting. It makes it difficult to conclude what happened on the traffic which passed through Palo Alto. As such, I have to generate an all block report CSV file and analyze it through Excel.

The features should be built into the system. For example, it generates many logs with a lot of information that can be converted into security and business information and shown to the user. This is a time-consuming job. I would like to see it provide us with intelligent information from the data that it captures, within the same cost.

The ability to check cases could be improved upon. We find that most of the packets we have to directly open with the PA. Until then, it's possible that there cannot be any support. Take, for example, the XDR. The XDR is the real power to all our solutions from PA, however, when we are using their XDR, we have directly to contact PA. It's like this for the licensing or for any technical issues. The solution could offer better pricing. We'd like it if it could be a bit more affordable for us. The solution should offer SD-WAN.

The way that the roles are made, specifically with how you specify the path, could be simpler.

The interface could be improved visually and simplified. It sometimes feels like some of the features are hidden and not easy to find.

Its price can be better. They should also provide some more examples of configurations online.

Palo Alto has all the features that any firewall should have. Other firewalls should actually copy Palo Alto so that they can provide better stability, performance, and protection - at levels that are at least at Palo-Alto's. This isn't necessarily an issue with the product per se, however, sometimes basically there are some features, depending on the customer environment, do not work as well. Sometimes some of the applications the customer has do not respond as they normally should. Palo Alto support needs to understand the customer requirements and details so that they can resolve customer queries more effectively.

There are some options available in other firewall products that are not supported, so there is room for improvement in that regard. Technical support could be faster. The cost of this firewall could be cheaper.

The VPN connectors should be better. We had some challenges in terms of the VPN with Palo Alto Networks NG Firewall, and that's one of the main reasons why we moved to Sophos. Its load handling can also be improved. There were challenges when traffic was high. During peak business hours, it did not function very well. There was a lot of slowness, and the users used to complain, especially when they were connecting from outside. We even reported this to the support team. Their support should also be improved. Technical support was a bit of a concern while using this solution. We didn't get very good support from the Palo Alto team.

We work very closely with the vendors here and at this point they use external support. Maybe they could add some tools and more competing services, like servers, but that would increase the cost of the solution.

Having a better pricing model would make this product more competitive, and more affordable for our customers.

They can work on the price. They are a little bit expensive, and not all customers are able to afford this solution. Taking into consideration that there is huge competition in the market and there are multiple firewall companies that are much cheaper than them and offer almost the same features, it would be good to improve the price.

Its price can be improved. It is expensive. Other vendors have pre-configured policies for the protection of web servers. Palo Alto has an official procedure for protecting the web servers. Many people prefer pre-configured policies, but for me, it is not an issue.

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device. The hardware is weak. In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security. I would like a collaboration system and reporting ASA policy needs to be smarter.

There will always be room for improvement. On a daily basis you get patches for everything. They build new features, apply new technologies and new applications which need to be integrated and with that you get bugs. There are always issues, whether it's hardware or software.

They've improved a lot of things but we'd like to see more mobility between on-prem and cloud based. I'd also like to see security synchronization between the firewalls. Managing can be difficult.

The solution would benefit from having a dashboard. From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

I would like to see better third-party orchestration so that it is easier for the team to work with different products. Improvements should be made in the Cortex module.

I don't see any specific room for improvement. The user interface is probably not as slick as it could be.

The price is expensive and should be reduced to make it more competitive. Information about Palo Alto products is more restricted than some other vendors, such as Cisco, which means that getting training is important. The traps should be improved. I would like to see better integration with IoT technologies. Having a unified firewall for OT and IT would be very good.

The whole performance takes a long time. It takes a long time to configure.

The interface contains some decentralized tools, so simplifying it would be an improvement. I would like the option to be able to block the traffic from a specific country in a few clicks. Some of the implements under artificial intelligence should provide better visibility in terms of my traffic, such as where it originates and where it is going. Better integration with industry tools would allow me to do quicker automation and reduce my operational costs.

The GSW needs some improvements right now. The endpoints could use improvement. The solution is mostly a cloud solution now, and there are a lot of competing solutions that are playing in the space and may be doing things a bit better. The pricing could be improved upon.

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. The appliances I'm working on are relatively old now. We're talking five-year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes. Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly. The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam.

There could be improvement with their logs, especially their CLI. When you go to the command line to understand the command line interface it's tricky and requires a deep understanding of the product. We recently faced one issue where the server side configuration changed and it wasn't replicated at the firewall. It required us to tweak things and now it is working fine. Finally, the HIPS and audio call features could be improved.

In the future, I would like to see more OTP features. The price of this product should be reduced.

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

I wish that the Palos had better system logging for the hardware itself.

The only thing that is a little strange is in Policy-Based Forwarding. When you delete and add a new rule, because of the one hundred rule limit, if the new rule has an ID that is greater than one hundred, even though you have fewer than that, it will not work. The same thing happens when you are renaming a rule. The new rule will have a new ID, so it is possible for it to be greater than one hundred. This can be easily fixed by using one command from CLI, but you have to be aware of it.

The support could be improved. The next release could use more configuration monitoring on this one, and additional features on auditing.

The manufacturer can improve the product by improving the configuration. Some of the menus are difficult to navigate when trying to find particular features. It is not entirely intuitive or convenient. You might need to configure a feature in one menu and next you need to go to another tab and configure another part of the feature in another tab. It's not very user-friendly in that way. On the other hand, it's still more user-friendly than using the console. But this is certainly one feature they can improve.

The solution needs some management tool enhancements. It could also use more reporting tools. And if the solution could enhance the VPN capabilities, that would be good.

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

Palo Alto NG firewalls can be improved in support of finance and banking. We need better affiliations for profiling the user. The product has some delay in the maintenance. They have to find some solution to make updates quicker.

The support in our country can be slow sometimes. It's a slow website. It could also use better customer support.

I think they need to have a proper hardware version for a smaller enterprise. We had to go to a very high-end version which is very expensive. If we chose the lower-end version, it would not meet our goals. A middle-end is missing in its portfolio. For example, there's the PA820 and the PA220, but there's nothing between. So they are really missing some kind of small-size or medium-size usage. Right now, you have to choose either a big one or you have a very small one, which is not really good. In the next release, it would be helpful if there was some kind of a visualized feature that showed the traffic flow, or something like that, to be able to simulate. When we define something if we could see a simulation of how the flow will be treated that would be great. Because today everything is done by experts by checking logs, but it's very time-consuming. If there's also a simulator to use when you apply some configuration, you can also apply on the simulator, to copy the configuration. So, you can see maybe to generate some traffic and to see how it will be treated. That will be very good.

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

The support needs improvement. Also, better reporting of errors would be good.

(Malware) On-prime scanning should be considered. Endpoint management (traps) better to be on-prime than cloud. QoS, It should be more sophisticated than it is now. TAC support should cover meddle east area by Arabic support, such as in France, Germany, Italy and Japanese.

Palo Alto has a good product and end-user experience. It's great. They can maybe add more processing power to their hardware. That's it. Sometimes it's stuck and you need to restart it. They have been adding a lot of things, so we need to upgrade for the new features.

Overall it is good. It is reliable and easy to understand. However, the monitoring feature could be improved. They have many solutions already. I don't think I have seen any missing features. Every device has different functions, but as a firewall, this solution has a lot.

I would like integration with Evident.io and RedLock. The data loss prevention (DLP) capabilities need to be beefed up.

* Boot time * Easy UI for the non-network specialists * Commit time * Virtualization * Credit to Palo Alto knowledgebase.

I would like to see more in terms of reporting tools and the threat analysis capabilities.

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic. Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic.