What needs improvement with Palo Alto Networks VM-Series?

If additional web application firewall capabilities could be integrated into the existing firewall, it would negate the need for additional products.

An area for improvement would be AI-related features, particularly in rule management or threat intelligence. Focusing on AI-based threat detection would be beneficial. Additionally, enhancing the ease of accessing technical support would be useful.

The scalability could be improved further. The virtual instances of the firewall are not as scalable as their hardware firewalls.

The product must create some awareness in Pakistan. People are less aware of Palo Alto. Everyone knows about Fortinet and Cisco. Very few vendors are promoting the tool.

The flexible throughput in Palo Alto Networks VM-Series can be improved. The customers of our organization demand 500 meg throughput and the payment also depends on it. The basic firewall from Palo Alto has the size of one gig, and it isn't logical for a customer to buy for one gig when just 500 meg is required. Palo Alto Networks VM-Series should become a more flexible firewall. VM management in an environment is difficult with Palo Alto Networks VM-Series, but it can be smoothly managed through Panorama. The vendor can work on enhancing and processing that will not affect the server itself or the VM firewall protection. In our company, we have multiple VMs implemented on the same server, and the Palo Alto Networks VM-Series is used to protect these VMs completely. The tools being used should not affect the operations between VMs.

No other major concerns, just the specific issue with Apps ID configuration. Otherwise, overall stability, VPN, IPSec, VRF, and flow management with the VM-Series have been very stable and reliable.

The reporting part of the product is an area of concern where improvements are required. Compared to Palo Alto Networks VM-Series's reports, FortiGate NGFW provides users with reports that are easy to understand.

The DLP functionality or data classification can be improved in the solution's basic firewalling.

The cost must be improved. The tool is very costly.

It is not very easy to scale up the solution.

Palo Alto Networks VM-Series is a complex product to work with.

The vendor must improve the way it advertises and markets the product.

The product's AIOps process needs improvement.

With Palo Alto Networks VM-Series, it is hard for me to manage its network configuration part. Regarding Palo Alto Networks VM-Series, I am figuring out whether to use interzone or intrazone networks for the VMs in our company's environment, which is very confusing. The aforementioned aspects of the solution can be considered for improvement. In the future, whenever I try to onboard Palo Alto Networks VM-Series, it should allow for easy configuration, especially in terms of network connectivity. I want an easier setup and configuration in the product's future releases.

Palo Alto Networks VM-Series needs to improve its order process.

There could be dynamic DNS features similar to Fortinet in the product.

Compared to Azure Firewall, the product could be better in terms of performance.

Firstly, Palo Alto should update their documentation to make it more readable and provide easier-to-follow instructions through videos. This would help people learn and deploy the product more easily. Even if the product itself is excellent, lacking proper documentation and troubleshooting guidance renders it less useful. It won't be helpful even if it's rock solid but lacks sufficient information and tutorials.

Palo Alto has launched different products, such as physical firewalls as well as cloud and VM-based firewalls. Recently, they introduced their Prisma Cloud solution. Compared to the previous technologies, like Panorama, which is used for centralized firewall management, or even individual firewalls, it's a bit challenging to integrate the traditional firewall policies into Prisma Cloud. And the Prisma Cloud interface isn't very user-friendly.

The migration of workloads to the cloud is difficult because the cloud provider and Palo Alto Networks are different platforms. We had to research many articles online and after our research and development were completed we were able to deploy. The migration of data to the cloud can be more user-friendly and has room for improvement. The utilization monitoring and GUI have room for improvement. Sometimes we encounter licensing issues where our licenses are not activated, and as a result, we are required to redeploy. This problem could be related to VM-Series or the template image and how they are integrated with Azure Marketplace.

There's room for improvement in terms of integration with the load balancer. It isn't like Fortinet, which has a load balancer built into its firewall. It is effortless to integrate within the load balancer-plus-firewall solution. Palo Alto doesn't have much ability to load balance, so you must purchase a third-party load balancer. It would be great if they did these kinds of changes to integrate the solution with the load balancer.

The web interface is very slow, and it needs to be faster.

It would be helpful if we had a direct number for the support manager or the supporting engineer. That would be better than having to email every time because there would be less wait. Having a dedicated number where we could send a text message in the case of an emergency would be helpful.

When we activate the solution on Amazon, instead of AWS, GCP or another type of public cloud, we encounter problems, as our engineers are not yet completely hands-on in respects of the public cloud platforms. Still, they can configure the firewall just fine. Integrative capabilities with other solutions should also be addressed.

It can be improved in areas such as DevOps and quality assurance. The installation rules deployment process we also improved when we deployed these firewalls. In terms of new features, for simplicity reasons, it is faster, because as I mentioned above we can reused the same rules and the same objects from the local PAN that has a Panorama such as the single point of supervision. We are looking for ways to integrate with other cloud in the future. For this, we will require a more secure integration and encrypted connections with other companies.

The firewall itself is very complex. You have to do a lot of research, look through all the documentation, consult, and figure out how to use it. It's not so easy as a regular firewall, like Hypertable. It'll help if Palo Alto Networks provided better documentation. It would be even better if they had simple documentation on some use cases as well.

The implementation should be simplified.

The one issue that I didn't like is that the SNMP integration with interfaces didn't record the interface counters. It seems that you really need to upgrade to the very latest version, whereas the physical one has worked for ages now. I think that it narrowly affects the Azure deployment because I remember that we were using the VMware solution before, and we didn't have such issues. I think that the most important point for Palo Alto is to be as consistent and compatible as possible. It should be compliant such that all of the features are consistently available between the physical and virtualized deployments. It is not always easy to integrate Palo Alto into the network management system. This is significant because you want to compare what your network management system is giving you to what Palo Alto is giving you. Perhaps in the GUI, they can allow for being able to monitor the interface traffic statistics. The other things are pretty much great with traffic calls and sessions, but just being able to look at it on an interface physical level, would either avoid using the monitoring integration by SNMP or would create a reference, a baseline check. This would allow you to see whether your network monitoring system or tool is actually giving you correct traffic figures. You need traffic figures for being able to recognize trends and plan the capacity.

It would be good if the common features work consistently in physical and virtual environments. There was an integration issue in the virtual deployment where it didn't report the interface counters, and we had to upgrade to the latest version, whereas the same thing has been working in the physical deployment for ages now. It seems that it was because of Azure. We were using VMware before, and we didn't have any such issues. We do see such small issues where we expect things to work, but they don't because of some incompatibilities. There also seems to be a limitation on how to do high availability in a virtualized environment. All features should be consistently available in physical and virtual environments. It is not always easy to integrate Palo Alto in the network management system. We would like to be able to compare two network management systems. They can maybe allow monitoring an interface through the GUI to create a reference or do a baseline check about whether your network monitoring system is actually giving you the correct traffic figures. You need traffic figures to be able to recognize the trends and plan the capacity.

Its web interface is a bit outdated, and it needs to be updated. They can also improve the NAT functionality. We have had issues with the NAT setup.

The user interface could use some improvement. I would like to see SD-WAN features added in the future.

We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID, employees were all sitting in the office at the location and the requirements for firewalls were a different thing. $180 billion a year is made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems that no one cared that there was COVID they just had to fulfill the contracts. When people claimed they had to work from home because it was safer for them, they ended up having to prove that they could work from home safely. That became a very interesting situation. Especially when you lack a key element, like the Secure Access Services. Palo Alto implemented SASE with Prisma. In my opinion, they made a halfhearted attempt to put in DLP (Data Loss Prevention), those things need to be fixed.

The disadvantage with Palo Alto is that they don't have a cloud-based solution that includes a secure web gateway. For example, if a person is working from home and you want a proxy then you have to rely on a secure web gateway. Palo Alto cannot do that because they don't have a cloud solution. So, if you want direct internet access and if you also want the proxies then Palo Alto is not a good choice.

From my understanding, we used to have the Sophos firewall and a nice feature that is missing in Palo Alto is the heartbeat that monitors each endpoint. It would be helpful if Palo Alto monitored the status of every endpoint. It could be that it was not set up correctly. In the next release, I would like to see better integration between the endpoints and the firewalls.

Even when the solution locks away a virus, there seems to be a delay for four or five minutes. It should be as little as one. Right now, it's such a long delay. It can be frustrating for clients and I need to answer a lot of questions surrounding that. The solution needs to have more easily searchable details or documentation about it online, so it's easier to Google if you have queries. The solution requires more use cases.

I would like to have automatic daily reporting, such as how many users have connected via SSL VPN. As it is now, we have to manually look at the logs, which is tedious. There are no ready-made reports on that level and the information is not easily available. I really need more advanced features that support the correlation of log files.

The command-line interface is something that some people struggle with and I think that they should have an option to go straight to the GUI. The interface for Panorama has not changed greatly and could be updated.

There should be an option for direct integration with the Azure platform. This would allow this product to take advantage of the auto-scaling that is offered by Azure. Because I am purchasing it as a SaaS model, I should get the complete functionality. I would like to see the direct support and product ownership from the principal vendor. Ideally, the vendor should maintain ownership and be responsible for the system, including that it is operating correctly. This would give my company a better value when purchasing the product. The pricing could be improved. The Panorama management license should come with this solution. We have eight nodes and we still have to purchase it separately. Everything should come with a single license, rather than something that is broken into many parts.

We have ran into issues with Palo Alto’s limitations for resolving large IP lists from DNS lookups, as well as the antivirus interfering with App-ID. I would like to see a more thorough QA process. We have had some difficulties from bugs in releases. I see more improvements needed from AWS than from Palo Alto on the VM-Series, namely a design centered on NGFW.

It can definitely improve on the performance. I would like more scalability included on the next release.

The product could provide protection above Layer 3, which gets into the application layer and provides better visibility into those aspects of application security. This would be very helpful. This way, there would be one tool that we could continue using. The data aspects of data security and data loss prevention could provide visibility which would be very useful.

There is work to be done on the integration side, as AWS doesn't integrate well with third-party firewalls. I would like to see AWS have more integration with Palo Alto from a routing standpoint, so it could become a routing egress without having to redesigning it.

We still need to understand what are the best practices which we need to implement. We also don't know how it will scale once we start putting more load on it.

On the cloud side, they need to come up with more HA solutions to support the multi-region.

I would like a way to do everything programmatically, or be able to copy the configs from different prices at different levels.

In the next release, I would like to see better integration of multi-factor authentication vendors.