When creating remote access for users, it would be beneficial to be able to base the object on on-premises or the cloud. We should be able to push policies based on a segregation or as a whole. 

The initial setup was complex.

The licensing costs are quite high.

I would like there to already be a log centralized for the things, however, I don't see any soft security operation center or something that can make it a regular report. When we need some GDPR policy, we just have a one-pack we deploy and tune by ourselves a little bit to suit our organization. We'd like to have something more standardized for this purpose. It would be more of a value-add. 

We'd like more log monitoring in general.

The pricing of the solution could be considered an area of improvement, as it is a comprehensive and feature-rich product that may include features that are not needed by some companies. Therefore, the solution should have a more competitive pricing structure.

While Palo Alto is the leading firewall worldwide, it's so pricey. Other products like Checkpoint still do the job, and yet it's way cheaper than Palo Alto. The solution is extremely expensive. You can integrate it with other Palo Alto products, however, it ends up being too much.

Palo Alto prefers the VM version. However, for the VM level, often we have a migration from one host, VM host, to another host, and then the network jobs. And they're not fully redundant. With VM, the purpose is easy migration from one host to another one. That's the purpose of VM in play, however, if you want to have high availability or redundancy, you have to purchase two licenses - one on one host, another one on another host - and it costs a lot of money to do that. 

Technical support could be better.

The inbuilt RAM is quite low. If you are increasing the number of firewalls and you want to get this managed via this management server, there are some performance issues. The cost of this product is more. However, the resources they have provided, the inbuilt resources, are less. 

The pricing is quite high.

A potential improvement for Palo Alto Networks Panorama could be a more competitive pricing structure.

Sometimes in Palo Alto Networks Panorama, we receive issues where it is overloaded and unresponsive. We have issues with accessing the devices due to a slow response from Panorama.

Palo Alto Networks Panorama should be more robust and resilient. 

It tends to move along fairly quickly in terms of features because it is a part of PAN-OS. We are waiting on one feature that's on the beta at the moment, but that's because we use Okta as our authentication.

Reporting might be an area to improve. It can provide reporting or some sort of graphical representation of your environment.

Before I joined this organization, they experienced some issues when trying to set up zone protection parameters. Last week I applied a zone protection profile; for each and every branch, I had to apply a zone protection profile or modify existing metrics — I needed to physically go to each branch. When we originally deployed Panorama, we were managing the firewalls individually. After implementing all those firewalls and changing all of the templates, it's really hard to modify them. 

You can't just modify them with a single click, you need to physically go to each individual branch and make the changes yourself — we can't directly seal all of the fireworks. This needs to be improved. 

With version 9.1, when configuring it, if something goes wrong, then it reverts back to your original settings automatically. This is a nice feature but it's not available on the standard firewalls. If we didn't have Panorama and I was setting up some remote Palo Alto firewalls, after implementing my configurations, if I were to lose the configurations then I would lose firewall access. This isn't the case with other firewalls like Cisco and Juniper SRX where you can just put in a reminder in the last 10 minutes. 

Palo Alto Networks Panorama currently lacks the capability of integrating with other software, such as AlgoSec to simplify rule management and schedule management. However, this feature has been requested by the company and it is uncertain if Palo Alto will implement it in the future. Additionally, the UI needs improvement, it is too slow.

I don't have any real comments in terms of areas of improvement. 

The scalability is limited. 

It is an expensive product. 

Price is probably one of the biggest things that we struggle with, specifically with Palo, and that's across their whole portfolio. Also, the tech support could be better.

There is room for improvement in response time for tech support.

Palo Alto Networks Panorama has some bugs that could be fixed.

My company's getting whatever it needs from Palo Alto Networks Panorama, but in the cloud, there's an issue with CPU management, and that's an area for improvement. Though the normal data traffic doesn't go through the management interface, whenever there's an increase in the throughput, CPU management becomes high. If you increase the load, CPU management spikes, and it's what needs to be taken care of in Palo Alto Networks Panorama.

We have faced some challenges with the solution. We had Panorama in the cloud, and then we used Panorama to manage the on-prem firewalls. Then we had some network-centric architecture to connect to on-prem, where we had two separate Palo Alto firewalls on the cloud. From there, we had a direct connect, external direct connect to the on-prem. In that case, the issue we faced was that whenever the traffic left AWS, it went with any one of the subnets, either from availabilities on one subnet or availabilities on two subnets. When we configured Panorama, it was actually behind a NAT device on two separate IP signals, and there were challenges around that.

When we were deploying Panorama in AWS, there were some issues with Panorama deployment in AWS. I was the first customer to deploy Panorama in AWS, and I raised a case with both AWS and Panorama. Then, in the next Panorama release, they enhanced some features, and both came up in the same version. I had to wait for two or three months to get to a resolution. 

Sometimes technical support is slow to respond. 

The solution is expensive. 

Panorama can be a bit difficult compared to other Palo Alto solutions. It would be ideal if they could simplify it a bit. 

In the future, it would be beneficial if Panorama could include a firewall assurance feature similar to Skybox. While each firewall has its policy optimizer, a consolidated policy optimizer in Panorama could further enhance firewall management and optimization.

The price could be lower. I would like to see remote VPN, like the Cisco client.

The dual WAN functionality is missing in this solution.

The configuration could be a bit better. For us, it's a critical aspect. We've noticed Cisco may be better in this regard. 

There are times when we are backing up a device centrally, we do not get a full backup. We are able to do a full backup of all the devices but when we attempt to backup a single device, it only does the backup of a few presets and not the full configuration.

In the future, they could improve by providing better management of the devices, such as bandwidth. 

This is a relatively expensive solution and I wouldn't recommend it for a stand-alone deployment. 

It's not part of my role to connect other devices to Panorama, so I don't know how the integration works. I maybe need a better understanding of how the policies of the signature work. For example, what does it mean to exclude an IP, and what are the policy rules and priorities? I need more knowledge about the signature policy and priorities.

Instead of searching their knowledge base in their website, maybe they can interact with us in the user interface to explain things better. If they had pop-ups to help guide us, we might get fewer failures along the way. Small notifications would be quite helpful. 

It should have more connection with Threat Intelligence Cloud. They can also include features related to SecOps and automation API.

We have had some issues in the past because integrating a new device is not intuitive. If there is some room for improvement, that would be it.

I'm not an expert on the matter, but I would like to see more capabilities regarding automation and integration. We are seeing a trend where the clients are asking for integrations with European tools. I know the solution is quite integral with all kinds of tools, but there are some different tools here in the market in Europe, so this is important. 

The menu is full of options, which is good in some ways, but for a newbie it can be a little bit overwhelming and you need to properly understand it before starting to work with it. I think the ramp up at the beginning is quite intense.

Pricing is always something that consumers hope will be addressed in their favor. I think that some method of allowing for more customization and open integration with other controls within the enterprise is something that we want to have. We want to be able to have more orchestration of disparate parts.  

I think the features that most of the features that I would like to see are currently being implemented. Behavioral heuristic analysis of connections, for example. That is something that I know is being done now.  

The price of Palo Alto Networks Panorama could be better.

It communicates with remote devices, and sometimes, there is a little bit of delay during its communication with remote devices. There should be real-time communication or updates from the manager to devices.

In Panorama and Palo Alto firewalls, I would like to have a traffic simulator. They have packet capture for troubleshooting, but it would help if they can provide a traffic simulator so that we can simulate the traffic and see the route the traffic is taking and get feedback about whether it is blocked or it is able to pass.

The pricing should be reconsidered. It's too high right now.

At times we have noticed that we get into issues where Panorama is going too slow or has other little problems. The performance can suffer occasionally.

The alerts in Palo Alto Networks Panorama could improve by integration with other systems, such as a forwarding trigger system. For example, if a customer has their own system it would be helpful to have the alarms integrated. 

In the future, when doing an update all solutions should be updated at once. For example, if many different solutions are being managed by Palo Alto Networks Panorama the updates can be done for all firewalls, such as EDR and XDR.

If a large company uses Panorama as a log collector, it may require setting up multiple local collector devices due to potential limitations in handling firewall logs. It would be beneficial to improve the capabilities of Panorama to handle logs more efficiently, potentially reducing the need for additional local collectors. Adding more predefined dashboards as features would enhance the monitoring and reporting capabilities. The iOPS tools, which are currently offered separately, could be integrated into Panorama to eliminate the need for an additional dashboard or GUI.

Storage in Palo Alto Networks Panorama needs improvement.

My company also experienced deployment issues when the product was first installed, particularly when binding with the firewall. It's not as user-friendly because not everyone can deploy it without some knowledge.

Updating Palo Alto Networks Panorama was also a bit challenging when upgrading your firewall, so that's another area for improvement.

The solution needs to improve its pricing model.

Panorama needs to work on its configuration issues.

They should also focus on firewall management. Many clients have multiple firewalls, so Palo Alto should offer better management of them. They could model themselves off of AlgoSec, or maybe FireMon which are other very good firewall management tools.

The central firewall management could be better. 

As the cybersecurity threats have become more aggressive these days, Palo Alto Networks Panorama can still be improved, particularly on the security side, for example, more network management, and penetration test. Improving the security feature for internal endpoints is needed in the solution.

What I'd like to see in the next release of Palo Alto Networks Panorama is more training and more marketing.

Panorama: The ability to add scheduled jobs would be a significant improvement. Panorama has the ability to push out OS updates, but it would be nice to be able to schedule those updates so not to affect the site during normal business hours.

Firewalls:

• (1) App-ID is good, but could be better. We use off ports for some common services and App-ID does identify the application correctly, but the rule allowing the traffic does not allow the traffic without adding the ports to the rule. This negates the need for App-ID in the rule. If App-ID worked as I think it should, we would use it and then block the common port.
• (2) Integration with Microsoft Active Directory incurs significant additional traffic across the WAN circuits. We have a number of GCs across our environment and the configuration of Active Directory in the firewalls requires significant communications to all of the GCs across our environment. We were seeing the firewalls generate around 500kb of WAN traffic communicating with all of the GCs. After reviewing the configuration with Palo Alto support, the config was correct. While we do want to be able to use the User-ID functionality of the firewalls, that kind of overhead is not acceptable.

A bottleneck in Palo Alto Networks Panorama is the licensing. The pricing and licensing model for the product is expensive and can be complicated, or it could be because I'm more familiar with Cisco licensing, which I find brilliant and easy, compared to Panorama licensing, which could be hell.

Another area for improvement in Palo Alto Networks Panorama is report generation.

It is expensive and suitable only in an enterprise environment.

It is not a cheap product. Some kinds of Palo Alto devices can cost a few thousands of dollars, and Panorama will be even higher. For the big customers that have a lot of devices, it is crucial to get all the benefits from the Palo Alto Networks portfolio regarding network security.

For a highly secure environment, they sometimes need only hardware appliances, not a virtual machine. 

Everyone, I suppose, would like the price to be improved. Price is always a good thing to change.

There is always room for improvement in anything. But I couldn't really comment on that off the top of my head.

In terms of updates, I believe everything is in order. That is not an issue for me.

It is quite hard to understand the platform. It is not easy and user-friendly. You need some experience and the proper technincal training  to use Panorama without risks.
It is very complex, and you must know exactly what to do.
The bigger problem is that Panorama Dashboard Logic is quite different than PanOS firewall Dashboard.
The second problem is that you dont have wizards or template .You need to build your enviroment from zero on your own incurring in possibile configuration or logic errors.

I would like to have a more user-friendly and simple to use product .
For istance FortiManager is comparatively much more easier  to use and understand.
Palo Alto Firewall too are Really easier to manage than Panorama. 

Panorama Logging and reporting features are quite good ( like PaloAlto Firewall) but not the best on the market ( for istance Checkpoint SmartEvent is still far better) 

I would improve the management. I need to view charts and traffic statistics, but the management console doesn't share that information with me.

I would also improve the integration with other solutions. 

The customer support needs to be better. Sometimes we need to wait for hours before getting someone from the product team or someone from the Palo Alto customer support to get on a call if we are facing some issue. They could reduce the wait times.

There is a need to improve the upgrade process. When we are upgrading the solution we are facing some issues with Elasticsearch services. Every time we upgrade it takes a long time to become stable.

In an upcoming release, I recommend having policy segmentation because that will help Panorama. There is no policy segmentation as you would find in Check Point. 

We found a vulnerability where when we have a low flow, like 2.7K, it is not getting fired by the threat prevention. That's something important to improve on. They should have a proxy or some solution to solve the issue.

We also found some issues around decrypting the flow. When we have more flow than expected to decrypt, the performance goes down.

It's difficult to implement. 

There are too many OS upgrades. We've had six new versions in the past six months. Even if they are updating it to fix bugs, it's hard to keep pace with the change when you have 800 or more Palo Alto devices that you now need to update and upgrade.

We try to follow version minus one or two for security reasons. To keep pace with the changes, it takes us nearly six months as we have to check with the business, arrange downtime, and count and cover all devices.

These upgrades aren't just little fixes either. Whenever there is a new release, it requires an OS upgrade. It would be nice if there was some automation on the upgrades of the devices.

They need to do less bug-related releases and create versions that are stable for at least six months at a time. I don't find this issue in other solutions like Cisco, Check Point, FortiGate, or others. Those just provide a patch if there is a bug and we don't have to worry about downtime.

An area for improvement would be the connectivity, which sometimes means logs can be slow to display.

The solution's utilization of network ports makes things as complex as possible. 

The pricing could be better. 

I haven't come across any issues with the product. Overall, it's been very positive.

I don't recall missing any features. It's a fairly complete solution.

The product could offer more integration with other solutions.

I would like to see more real-world testing before updates and patches are released in the live environment. The last VPN update that was released caused a problem that kicked users out. I would also like to see better documentation. The current documentation is not detailed enough.

We have experienced a few bugs which the team at Palo Alto don't have solutions for. 

In the next release, it would be good to have features which increase the processing power in clusters.

I would like to have better analytics.

The network traffic analysis (NTA) is something that you can add on to get more insight from the traffic passing through the firewall, and it should be included.

I have had some leakage issues before, but it was solved. I would, however like to see better integration with other products.

I am observing that whenever pushing our configurations sometimes the configuration will not push properly and then we have to go to the individual firewall and save it again.

Its UI and usability could be improved. The way the UI looks could be improved to make it a little bit more intuitive. Other than that, it is a pretty simple product.

There were a few bugs a couple of years into it. There was a big bug where it had trouble communicating with the two main boxes.

In our version, there is no feature to transfer or upload a database of third-party vulnerabilities or signatures so that Panorama can convert them into its own database. This kind of feature might already have come in version 10.

The general customer feedback is when saving the configuration, it takes a long time. That needs to be fixed. The troubleshooting, the debugging part is also a little bit of a pain. It's not user-friendly on the interface to do our debugging when comparing it with other firewalls, like Forcepoint.

It would be nice to have a real-time traffic monitoring console similar to Forcepoint firewalls where you can see in real-time instead of having to keep on refreshing, or maybe a command on the console where you are able to see the traffic. 

The solution needs to work on speeding up the committing time. 

Clients need to have an alarm and alert system from which they can forward the trigger. The product needs to improve its integration as well. 

The ease of use of Palo Alto Networks Panorama is an area for improvement, because it's not very easy to use. The downside with the system is that you need a lot of comprehension to understand what it is. There are also risks associated with making a change, e.g. you can accidentally break your network which knocks off the firewall, and then you can't get back on again. If you know what you're doing, e.g. if you're a specialist, then there won't be any problems, in general.

It's important to gain an understanding of Palo Alto Networks Panorama, or the concept, before you start. It works like Palo Alto, but it doesn't at the same time, because you have templates, and the templates have to be applied before your variables, and then those variables directly affect your objects. It's important to understand how it works. I wish they could make it easier, and a bit more intuitive, but if you're doing the training, and you're properly in the system, then it will make sense the way it's explained to you, otherwise, it'll be hard to make sense of it.

It could be difficult to get to the stage you want to be on with this system. It's similar to a different language, and it's so hard to just do it on your own, but if you are in the culture and you're speaking to other people, then it becomes easier because you're doing it. That's the learning curve right there, e.g. if you've never done it before, you'll sit and look around saying: "What is this? I don't understand." If you're doing the training, and you're more involved in the product, or even if you speak to specialists, they will be able to help you, then you start to learning it and what it can do.

It could be easier to manage. In the future, it should be much easier because it's not very easy to manage. So in the next release, I think it should be much easier to manage, especially in the first configuration. It could also be more stable.

I think the multitenancy of this solution can be improved. I would also like to see better management task automation for the trial environment. That is missing in this solution.

In the next version, I would like to have more integration with the cloud and with the services delivered by Palo Alto. It isn't very task integrated at this stage. I would also like more dashboard management. 

The solution can improve by providing unique reports in relation to the function of which you choose the firewall to do.

Palo Alto Networks Panorama could improve by making the solution less expensive.

They can improve its cloud integration. 

I don't see many places to improve the solution. For us, it's working quite well.

The solution should improve the speed at which they make changes on the system. Historically, they've been a bit slow in that respect. They should apply changes to the box quicker and more often.

The notification and alerting system could be improved.

It can take a few minutes to test to see if any changes are successful or not. This needs to be improved. A change commit should take a second, not a minute or more.

Panorama does suffer from performance issues, which they need to resolve.

Also, technical support isn't very responsive and could use some improvement.

There could be more integrations with third parties.

Palo Alto must provide a cloud-based feature or solution.

The initial setup requires expertise and can be a bit complex.

I would like to see the management be a bit more simple than it is currently.

My pain point is the automation process is not well-documented. There are some things that they could improve on there.

If you go in the system to search for something, it is not intuitive. They could really improve that.

There is a concept of device groups and a concept of templates. The templates can allow for inheritance, but the device groups do not.

The solution could improve by having a true single pane of glass environment for unified management. At the present time, you still have to use three or four different solutions to bring everything together.

The product does need a bit of configuration. It's not quite ready to go out of the box.

The solution could do a bit more with its security updates. Palo Alto in general could be a bit more secure.

Support is pretty good, however, they could always be a bit faster and more responsive.

I would like to see Networks Panorama more integrated into the firewall solutions rather than being a separate component. This would be helpful so that we can do rule-based change management for the firewall through it as well.  

I'd like to see improvement in the speed and reliability of the solution. They're the two things most important to me right now. 

Its scalability can be improved. It is too expensive to scale it in the way Palo Alto wants us to scale. Scalability is one of the main reasons why our customer is looking for alternatives. It is too expensive to scale.

Its redundancy also requires improvement, but it seems that in the latest version, redundancy is improved, and you can have more than two devices in an HA pair. So, they are heading in that direction.

It would be good if they combine their dynamic list functionality in a much better way with Panorama and include it as out-of-the-box functionality. Palo Alto supports the dynamic list functionality for some basic threats, but there is a lot of scope for improvement.

There is room for improvement in the integration within endpoint detection. They need to do some integration between endpoints and the firewalls.

They also need to add a mobile version for product so we can access the interface easily.

It could be more secure.

Aside from pricing, I don't have any issues with Panorama.