2018-07-12T09:32:00Z

What needs improvement with Palo Alto Networks NG Firewalls?


Please share with the community what you think needs improvement with Palo Alto Networks NG Firewalls.

What are its weaknesses? What would you like to see changed in a future version?

68 Answers

Top 20, Real User

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

2021-11-11T17:32:00Z
Top 20, Real User

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have less things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

2021-10-08T08:31:00Z
Top 20, Real User

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day. Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck. From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

2021-09-23T17:45:00Z
Top 10, MSP

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good. In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

2021-08-10T22:10:00Z
Reseller

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

2021-08-10T12:31:00Z
Top 20, Real User

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

2021-07-30T07:40:00Z
Real User

The solution is not straightforward.

2021-06-09T16:53:02Z
Top 5, Real User

It would be better to have more tools to control Palo Alto Networks NG Firewalls. We don't have too many tools to access Palo Alto. For example, the IT team doesn't have access to it. We can see it physically and see if it's running or not. We need to contact a special team to receive that information. I would also like to see more reporting in the next release.

2021-06-07T15:27:12Z
Top 5, Real User

There is another solution from Palo Alto for endpoints, XDR, that integrates with the firewall, thus providing protection at the network level and also at the endpoint, but the XDR solution is only a cloud-based solution. I would really like it if it would be possible to implement this solution on-premises. This is something that I would love to see with Palo Alto Networks NG Firewalls. The price could be lower.

2021-05-19T18:12:46Z
Real User

I don't like the reporting. The reports it provides are not helpful. They should include more executive summaries and other important information — they're too technical.

2021-05-18T05:59:13Z
Real User

They need to provide documentation for the CLI, as we get most of the commands from community forums.

2021-04-07T11:09:32Z
Top 5, Real User

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem.

2021-04-01T09:30:53Z
Top 5, Real User

Palo Alto could do better with integrating the Palo Alto Next-Gen Firewall with SD-WAN. The biggest issue with Palo Alto is that they are expensive. They are very expensive for what they offer. They should improve their pricing.

2021-03-04T18:02:15Z
Top 5, Real User

When it comes to their support, we have to select every single component that we want to include in a particular bundle. That is a very tedious process. The vendor will help us identify the product and the features, but it could be better. The price could also be better.

2021-03-02T16:01:23Z
Top 5, Leaderboard, Reseller

Its scalability for on-prem deployments can be better. For an on-prem deployment, the hardware has to be replaced if the volume goes up to a certain level.

2021-03-02T07:38:59Z
Real User

They could improve their support and pricing and maybe integration. It's a little more expensive than Check Point but the quality is better. Integration with firewall endpoints could be better. Palo Alto does have very good malware or antivirus protection. I think they could improve on that front.

2021-02-22T21:26:00Z
Top 20, Real User

I can't recall a feature that was missing. It's a pretty complete solution. The cost of the device is very high. To buy license support is very slow. For renewing devices and products, it's slow in terms of contacting and activating upgraded devices.

2021-02-12T08:51:27Z
Top 20, MSP

For an upcoming release, they could improve on the way to build security rules per user. Palo Alto has this functionality, but in implementation, we had some problems. This functionality should be better in our opinion.

2021-02-11T11:33:05Z
Top 20, Real User

I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.

2021-02-11T00:50:07Z
Top 5, Reseller

Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete. Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet. We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks.

2021-02-04T21:54:27Z
Top 20, Real User

The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market. Clients are typically looking for a solution that's more aggressive in the market. For example, with Fortinet, they have an SD-WAN that really has many capabilities. For example, it can inject a GSM SIM card along with the MPLS connection. It connects the system within one product. Palo Alto doesn't offer this. This is one area that will need to improve. In Indonesia, the market is growing strategically. Palo Alto has this one product; however, with the limitation of the GSM SIM card, they are getting left behind.

2021-01-31T06:58:32Z
Top 5, Real User

In terms of what could be improved, comparatively the price is very high. That would be the one thing. But technically-speaking, it's perfect.

2021-01-30T13:39:00Z
Top 5, Real User

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

2021-01-28T10:33:01Z
Top 5, Real User

I think visibility can be improved. If I use the Panorama monitoring dashboard, it's still the same with or without Panorama. Even with monitoring, we don't get any valuable information. If I am a customer, I will take many variables into consideration. If I choose to use Panorama, there should be a difference between when I use it and when I'm not. If I'm a customer who paid for Panorama even when I have many firewalls, I won't get good visibility of the information I need to easily monitor our security environment. My customers have been attacked by ransomware. It's difficult to understand how the ransomware got through Palo Alto Panorama and Palo Alto dashboard monitoring from reporting. It makes it difficult to conclude what happened on the traffic which passed through Palo Alto. As such, I have to generate an all block report CSV file and analyze it through Excel.

2021-01-27T10:49:16Z
Top 20, Real User

The features should be built into the system. For example, it generates many logs with a lot of information that can be converted into security and business information and shown to the user. This is a time-consuming job. I would like to see it provide us with intelligent information from the data that it captures, within the same cost.

2021-01-27T09:19:49Z
Top 20, Real User

The ability to check cases could be improved upon. We find that most of the packets we have to directly open with the PA. Until then, it's possible that there cannot be any support. Take, for example, the XDR. The XDR is the real power to all our solutions from PA; however, when we are using their XDR, we have to contact PA directly. It's like this for the licensing or for any technical issues. The solution could offer better pricing. We'd like it if it could be a bit more affordable for us. The solution should offer SD-WAN.

2021-01-15T20:15:01Z
Top 5, Real User

The way that the roles are made, specifically with how you specify the path, could be simpler.

2021-01-12T15:26:56Z
Top 5, Leaderboard, Reseller

The interface could be improved visually and simplified. It sometimes feels like some of the features are hidden and not easy to find.

2021-01-12T12:47:26Z
Top 20, Consultant

Its price can be better. They should also provide some more examples of configurations online.

2021-01-04T10:46:56Z
Top 5, Leaderboard, Real User

Palo Alto has all the features that any firewall should have. Other firewalls should actually copy Palo Alto so that they can provide better stability, performance, and protection, at levels that are at least at Palo Alto's. This isn't necessarily an issue with the product per se; however, sometimes some features, depending on the customer environment, do not work as well. Sometimes some of the applications the customer has do not respond as they normally should. Palo Alto support needs to understand the customer requirements and details so that they can resolve customer queries more effectively.

2020-12-19T13:47:52Z
Top 5, Leaderboard, Real User

There are some options available in other firewall products that are not supported, so there is room for improvement in that regard. Technical support could be faster. The cost of this firewall could be cheaper.

2020-12-16T11:18:08Z
Top 5, Leaderboard, Real User

The VPN connectors should be better. We had some challenges in terms of the VPN with Palo Alto Networks NG Firewall, and that's one of the main reasons why we moved to Sophos. Its load handling can also be improved. There were challenges when traffic was high. During peak business hours, it did not function very well. There was a lot of slowness, and the users used to complain, especially when they were connecting from outside. We even reported this to the support team. Their support should also be improved. Technical support was a bit of a concern while using this solution. We didn't get very good support from the Palo Alto team.

2020-12-10T16:08:04Z
Real User

We work very closely with the vendors here and at this point they use external support. Maybe they could add some tools and more competing services, like servers, but that would increase the cost of the solution.

2020-12-10T14:16:00Z
Top 5, Leaderboard, Real User

Having a better pricing model would make this product more competitive, and more affordable for our customers.

2020-12-08T16:55:47Z
Top 20, Real User

They can work on the price. They are a little bit expensive, and not all customers are able to afford this solution. Taking into consideration that there is huge competition in the market and there are multiple firewall companies that are much cheaper than them and offer almost the same features, it would be good to improve the price.

2020-11-18T17:49:17Z
Top 20, Real User

Its price can be improved. It is expensive. Other vendors have pre-configured policies for the protection of web servers. Palo Alto has an official procedure for protecting the web servers. Many people prefer pre-configured policies, but for me, it is not an issue.

2020-11-16T18:30:20Z
Top 5, Leaderboard, Real User

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device. The hardware is weak. In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security. I would like a collaboration system and reporting ASA policy needs to be smarter.

2020-11-12T05:04:08Z
Top 20, Real User

There will always be room for improvement. On a daily basis you get patches for everything. They build new features, apply new technologies and new applications which need to be integrated and with that you get bugs. There are always issues, whether it's hardware or software.

2020-11-10T17:19:34Z
Top 20, Real User

They've improved a lot of things but we'd like to see more mobility between on-prem and cloud based. I'd also like to see security synchronization between the firewalls. Managing can be difficult.

2020-11-06T21:14:58Z
Top 5, Leaderboard, Reseller

The solution would benefit from having a dashboard. From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

2020-07-27T07:17:38Z
Top 20, Reseller

I would like to see better third-party orchestration so that it is easier for the team to work with different products. Improvements should be made in the Cortex module.

2020-07-26T08:19:12Z
MSP

I don't see any specific room for improvement. The user interface is probably not as slick as it could be.

2020-07-26T08:18:00Z
Top 20, Reseller

The price is expensive and should be reduced to make it more competitive. Information about Palo Alto products is more restricted than some other vendors, such as Cisco, which means that getting training is important. The traps should be improved. I would like to see better integration with IoT technologies. Having a unified firewall for OT and IT would be very good.

2020-07-23T07:58:37Z
Real User

The whole performance takes a long time. It takes a long time to configure.

2020-07-13T06:56:00Z
Top 10, Consultant

The interface contains some decentralized tools, so simplifying it would be an improvement. I would like the option to be able to block the traffic from a specific country in a few clicks. Some of the implements under artificial intelligence should provide better visibility in terms of my traffic, such as where it originates and where it is going. Better integration with industry tools would allow me to do quicker automation and reduce my operational costs.

2020-07-13T06:55:57Z
Top 5, Reseller

The GSW needs some improvements right now. The endpoints could use improvement. The solution is mostly a cloud solution now, and there are a lot of competing solutions that are playing in the space and may be doing things a bit better. The pricing could be improved upon.

2020-07-05T09:37:56Z
Top 20, Real User

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. The appliances I'm working on are relatively old now. We're talking five-year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes. Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly. The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam.

2020-06-30T08:17:31Z
Real User

There could be improvement with their logs, especially their CLI. When you go to the command line to understand the command line interface it's tricky and requires a deep understanding of the product. We recently faced one issue where the server side configuration changed and it wasn't replicated at the firewall. It required us to tweak things and now it is working fine. Finally, the HIPS and audio call features could be improved.

2020-06-28T08:51:00Z
Top 20, Real User

In the future, I would like to see more OTP features. The price of this product should be reduced.

2020-06-15T07:34:02Z
Top 20, MSP

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

2019-12-04T05:40:00Z
Top 5, Real User

I wish that the Palos had better system logging for the hardware itself.

2019-09-10T13:54:00Z
Top 20, Real User

The only thing that is a little strange is in Policy-Based Forwarding. When you delete and add a new rule, because of the one hundred rule limit, if the new rule has an ID that is greater than one hundred, even though you have fewer than that, it will not work. The same thing happens when you are renaming a rule. The new rule will have a new ID, so it is possible for it to be greater than one hundred. This can be easily fixed by using one command from CLI, but you have to be aware of it.

2019-07-01T11:17:00Z
Consultant

The support could be improved. The next release could use more configuration monitoring on this one, and additional features on auditing.

2019-07-01T07:58:00Z
Top 5, Leaderboard, Reseller

The manufacturer can improve the product by improving the configuration. Some of the menus are difficult to navigate when trying to find particular features. It is not entirely intuitive or convenient. You might need to configure a feature in one menu and next you need to go to another tab and configure another part of the feature in another tab. It's not very user-friendly in that way. On the other hand, it's still more user-friendly than using the console. But this is certainly one feature they can improve.

2019-06-27T08:15:00Z
Real User

The solution needs some management tool enhancements. It could also use more reporting tools. And if the solution could enhance the VPN capabilities, that would be good.

2019-06-27T06:06:00Z
Real User

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

2019-06-26T20:18:00Z
Real User

The support needs improvement. Also, better reporting of errors would be good.

2019-06-26T05:25:00Z
Real User

The support in our country can be slow sometimes. It's a slow website. It could also use better customer support.

2019-06-26T05:25:00Z
Real User

I think they need to have a proper hardware version for a smaller enterprise. We had to go to a very high-end version which is very expensive. If we chose the lower-end version, it would not meet our goals. A middle-end is missing in its portfolio. For example, there's the PA820 and the PA220, but there's nothing between. So they are really missing some kind of small-size or medium-size usage. Right now, you have to choose either a big one or you have a very small one, which is not really good. In the next release, it would be helpful if there was some kind of a visualized feature that showed the traffic flow, or something like that, to be able to simulate. When we define something if we could see a simulation of how the flow will be treated that would be great. Because today everything is done by experts by checking logs, but it's very time-consuming. If there's also a simulator to use when you apply some configuration, you can also apply on the simulator, to copy the configuration. So, you can see maybe to generate some traffic and to see how it will be treated. That will be very good.

2019-06-26T05:25:00Z
Consultant

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

2019-06-26T05:25:00Z
Real User

(Malware) On-prem scanning should be considered. Endpoint management (Traps) would be better on-prem than in the cloud. QoS should be more sophisticated than it is now. TAC support should cover the Middle East area with Arabic support, such as in France, Germany, Italy and Japan.

2019-06-26T05:25:00Z
Real User

Palo Alto NG firewalls can be improved in support of finance and banking. We need better affiliations for profiling the user. The product has some delay in the maintenance. They have to find some solution to make updates quicker.

2019-06-26T05:25:00Z
Real User

Palo Alto has a good product and end-user experience. It's great. They can maybe add more processing power to their hardware. That's it. Sometimes it's stuck and you need to restart it. They have been adding a lot of things, so we need to upgrade for the new features.

2019-06-24T12:13:00Z
Real User

Overall it is good. It is reliable and easy to understand. However, the monitoring feature could be improved. They have many solutions already. I don't think I have seen any missing features. Every device has different functions, but as a firewall, this solution has a lot.

2019-05-15T05:16:00Z
Real User

I would like integration with Evident.io and RedLock. The data loss prevention (DLP) capabilities need to be beefed up.

2019-03-11T07:21:00Z
User

* Boot time
* Easy UI for the non-network specialists
* Commit time
* Virtualization
* Credit to Palo Alto knowledgebase.

2018-11-16T12:20:00Z
Real User

I would like to see more in terms of reporting tools and the threat analysis capabilities.

2018-08-08T07:09:00Z
Real User

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic. Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic.

2018-07-12T09:32:00Z
Learn what your peers think about Palo Alto Networks NG Firewalls. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.