
What needs improvement with Palo Alto Networks NG Firewalls?

Please share with the community what you think needs improvement with Palo Alto Networks NG Firewalls.

What are its weaknesses? What would you like to see changed in a future version?

PeerSpot user
7373 Answers

Matt Gahafer - PeerSpot reviewer
Real User

I am looking to have the machine learning see how a virus or malware will morph, then prevent that from happening. That seems invaluable at this point. We have a lot of the older firewall models, i.e., the PA-220. It seems that with newer operating systems the PA-220 is becoming slower than when I first bought it. It is not really an issue for users who are passing traffic through the firewall, but more from the management access of it.

Amol Kurane - PeerSpot reviewer
Top 20, Real User

We are not happy with Palo Alto at all. It would be better if they provided more support for the firewall. We have a few pending issues with the configuration for each application. We cannot deploy them yet due to some support-related problems in the firewall. We have deployed a few policies for DNS spoofing and DNS attacks, but we could only block a few IP addresses through the policy. That's DNS security, and we have configured a few policies for DNS spoofing and more. URL categorization and URL filtering are not yet adequately maintained. For example, if you created a few rules in the rule-based configuration and made some rules downstairs, you will lose some of them if you give access upstairs. It's not giving us a proper solution for which route it is using. We need to apply the application-based policies and URL filtering-based policies. It creates more issues because we are not getting good support from the team.

Eric Steidle - PeerSpot reviewer
Top 20, Real User

Once in a while, they have new features being released that can be buggy. My criticism is more general to all sorts of network or security devices. In general, everybody is releasing less-tested software. Then, it usually ends up that the first few customers who get a new release need to end up troubleshooting it. That is one of my criticisms because we have been hit by this a few times. I shouldn't single Palo Alto out as any better or worse than anybody else because they are all doing it now. It is not like we are getting singled out. In some cases, we are looking for a new feature that we want to use. So, we upgrade and use it, and others are too, but the first release will tend to be a little bit buggy. Some of the stuff works great, but it is the newer features that you are usually integrating into your Windows clients where weird stuff happens.

Tirut Hawoldar - PeerSpot reviewer
Top 5, Real User

There has been a recent change in the graphical interface. For the monitoring part, they could have a better UI.

Yannick Nganyade - PeerSpot reviewer
Top 20, Real User

There is a bit of limitation with its next-generation capabilities. They could be better. In terms of logs, I feel like I am a bit limited as an administrator. While I see a lot of logs, and that is good, it could be better. I wanted Palo Alto Networks engineering to look at the traffic log, because I see traffic being dropped that happens to be legitimate. It would be interesting for me to just right click on the traffic, select that traffic, and then create a rule to allow it. For example, you sometimes see there is legitimate traffic being dropped, which is critical for a service. That's when actually you have to write it down, copy, a rule, etc. Why not just right click on it and select that link since that log will have the source destination report number? I would like to just right click, then have it pop up with a page where I can type the name of the rule to allow the traffic.

Amar-Patil - PeerSpot reviewer
Top 20, Real User

The solution has normal authentication, but does not have two-factor or multi-factor authentication. There is room for development there.

reviewer1400883 - PeerSpot reviewer
Top 20, Real User

When we looked at it originally, we needed to host the Panorama environment ourselves. I would prefer it if we could take this as a service. It might be that it is available, but for some reason we didn't choose it. The downsides of hosting are that we need to feed and water the machines. We are trying to move to a more SaaS environment where we have fewer things in our data centers, whether they be in our cloud data centers or physical data centers, which can reduce our physical data center footprint.

Gerry Hicks - PeerSpot reviewer
Top 20, Real User

One of the downsides of logging with Palo Alto is that we do not capture the beginning of a session. It only captures at the end of the session. This means that if we're trying to mitigate something, such as an incident that happened, we can't say definitively that it happened at a particular time. The reason is that Palo Alto keeps track of every session that happens and if it were set up to do that, we would overload the firewall and overload the logging of anything because we do terabytes worth of data every day. Having a single pane of glass, where we can see all of the stuff that we have to be able to react to, would be very helpful. We're a small shop but we have to cover the entire security spectrum. It makes it hard because we have to wear many hats. A single pane of glass where we can put alerts and other information would make our life a lot easier. As a small EDU, we just don't have the resources that the private companies have, so we have to try to find the best bang for the buck. From a documentation standpoint, there is room for improvement. Even Palo Alto says that their documentation is terrible. It may be true for any company, where you're going to find documentation that is outdated or has not been kept up to date, but that's my main complaint.

reviewer1227594 - PeerSpot reviewer
Top 10, MSP

The machine learning in Palo Alto NG Firewalls for securing networks against threats that are able to evolve and morph rapidly is good, in general. But there have been some cases where we get false positives and Palo Alto has denied traffic when there have been new updates and signature releases. Valid traffic gets blocked. We have had some bad experiences with this. If there were an ability, before it denies traffic, to get some kind of notification that some traffic is going to be blocked, that would be good. In addition, there is room for improvement with the troubleshooting tools and packet simulator. It would help to be able to see how packets traverse the firewall and, if it's denied, at what level it is denied. We would like to see this information if we simulate traffic so we can predict behavior of the traffic flow, and not just see that information on real traffic.

Qiwei Chen - PeerSpot reviewer

Over the past one or two years, Palo Alto Networks has added a lot of features into the NG Firewall products. I think this is becoming more complicated for our customers. Therefore, we could use some best practices, best practice tools, and implementation guides for some of the complicated features.

reviewer1422384 - PeerSpot reviewer
Top 20, Real User

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

reviewer1210221 - PeerSpot reviewer
Real User

The solution is not straightforward.

reviewer1590417 - PeerSpot reviewer
Top 5, Real User

It would be better to have more tools to control Palo Alto Networks NG Firewalls. We don't have too many tools to access Palo Alto. For example, the IT team doesn't have access to it. We can see it physically and see if it's running or not. We need to contact a special team to receive that information. I would also like to see more reporting in the next release.

reviewer1404666 - PeerSpot reviewer
Top 5, Real User

There is another solution from Palo Alto for endpoints, XDR, that integrates with the firewall, thus providing protection at the network level and also at the endpoint, but the XDR solution is only a cloud-based solution. I would really like it if it would be possible to implement this solution on-premises. This is something that I would love to see with Palo Alto Networks NG Firewalls. The price could be lower.

reviewer1350975 - PeerSpot reviewer
Real User

I don't like the reporting. The reports it provides are not helpful. They should include more executive summaries and other important information — they're too technical.

reviewer1528854 - PeerSpot reviewer
Real User

They need to provide documentation for the CLI, as we get most of the commands from community forums.

reviewer1148964 - PeerSpot reviewer
Top 5, Real User

I'd like to see some changes to the licensing policies and, on the technical side, improvement in scalability. It's not so easy to scale out your security capabilities. With the situation in business today, everybody lacks money and if you have to increase your resources and to constantly pay more for that, it becomes a problem.

Jon Cole - PeerSpot reviewer
Top 5, Real User

Palo Alto could do better with integrating the Palo Alto Next-Gen Firewall with SD-WAN. The biggest issue with Palo Alto is that they are expensive. They are very expensive for what they offer. They should improve their pricing.

reviewer1049148 - PeerSpot reviewer
Top 5, Real User

When it comes to their support, we have to select every single component that we want to include in a particular bundle. That is a very tedious process. The vendor will help us identify the product and the features, but it could be better. The price could also be better.

reviewer1461615 - PeerSpot reviewer
Top 5, Leaderboard, Reseller

Its scalability for on-prem deployments can be better. For an on-prem deployment, the hardware has to be replaced if the volume goes up to a certain level.

reviewer1509057 - PeerSpot reviewer
Real User

They could improve their support and pricing and maybe integration. It's a little more expensive than Check Point but the quality is better. Integration with firewall endpoints could be better. Palo Alto does have very good malware or antivirus protection. I think they could improve on that front.

reviewer1360215 - PeerSpot reviewer
Top 20, Real User

I can't recall a feature that was missing. It's a pretty complete solution. The cost of the device is very high. To buy license support is very slow. For renewing devices and products, it's slow in terms of contacting and activating upgraded devices.

reviewer1498575 - PeerSpot reviewer
Top 20, MSP

For an upcoming release, they could improve on the way to build security rules per user. Palo Alto has this functionality, but in implementation, we had some problems. This functionality should be better in our opinion.

reviewer1503963 - PeerSpot reviewer
Top 20, Real User

I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.

reviewer1355130 - PeerSpot reviewer
Top 5, Reseller

Its reporting can definitely be improved. I would like to have better graphical dashboards and more widgets for more clarity in the reporting area. In a third-generation firewall, you can generate some dashboards. It provides the information that we need, but from the C-level or a higher-level perspective, it is kind of rough and incomplete. Its data loss prevention (DLP) feature is not good enough. Currently, this feature is very basic and not suitable for enterprises. It would be nice if they can include a better DLP feature like Fortinet. We would like to have a local depot of Palo Alto in Latin America. Competitors such as Cisco and Check Point have a local depot here. If there is an issue with their hardware, you can go to the depot, and in about four hours, you can get a replacement device, but that's not the case with Palo Alto Networks because we need to import from Miami. It takes about two to three weeks.

reviewer1001214 - PeerSpot reviewer
Top 20, Real User

The pricing of the solution is quite high. It's one of the most expensive firewall solutions on the market. Clients are typically looking for a solution that's more aggressive in the market. For example, with Fortinet, they have an SD-WAN that really has many capabilities. For example, it can inject a GSM SIM card along with the MPLS connection. It connects the system within one product. Palo Alto doesn't offer this. This is one area that will need to improve. In Indonesia, the market is growing strategically. Palo Alto has this one product, however, with the limitation of the GSM SIM card they are getting left behind.

reviewer1469877 - PeerSpot reviewer
Top 5, Real User

In terms of what could be improved, comparatively the price is very high. That would be the one thing. But technically speaking, it's perfect.

AnkitMittal - PeerSpot reviewer
Top 5, Real User

This is a difficult product to manage, so the administrator needs to have a good knowledge of it, otherwise, they will not be able to handle it properly.

Hari Pandu Dairi - PeerSpot reviewer
Top 5, Real User

I think visibility can be improved. If I use the Panorama monitoring dashboard, it's still the same with or without Panorama. Even with monitoring, we don't get any valuable information. If I am a customer, I will take many variables into consideration. If I choose to use Panorama, there should be a difference between when I use it and when I'm not. If I'm a customer who paid for Panorama even when I have many firewalls, I won't get good visibility of the information I need to easily monitor our security environment. My customers have been attacked by ransomware. It's difficult to understand how the ransomware got through Palo Alto Panorama and Palo Alto dashboard monitoring from reporting. It makes it difficult to conclude what happened on the traffic which passed through Palo Alto. As such, I have to generate an all block report CSV file and analyze it through Excel.

Virendra Vishnu - PeerSpot reviewer
Top 20, Real User

The features should be built into the system. For example, it generates many logs with a lot of information that can be converted into security and business information and shown to the user. This is a time-consuming job. I would like to see it provide us with intelligent information from the data that it captures, within the same cost.

reviewer1485417 - PeerSpot reviewer
Top 20, Real User

The ability to check cases could be improved upon. We find that most of the packets we have to directly open with the PA. Until then, it's possible that there cannot be any support. Take, for example, the XDR. The XDR is the real power to all our solutions from PA, however, when we are using their XDR, we have to contact PA directly. It's like this for the licensing or for any technical issues. The solution could offer better pricing. We'd like it if it could be a bit more affordable for us. The solution should offer SD-WAN.

reviewer1371849 - PeerSpot reviewer
Top 5, Real User

The way that the roles are made, specifically with how you specify the path, could be simpler.

reviewer1483797 - PeerSpot reviewer
Top 5, Leaderboard, Reseller

The interface could be improved visually and simplified. It sometimes feels like some of the features are hidden and not easy to find.

Jan Hammer - PeerSpot reviewer
Top 20, Consultant

Its price can be better. They should also provide some more examples of configurations online.

reviewer1461459 - PeerSpot reviewer
Top 5, Leaderboard, Real User

Palo Alto has all the features that any firewall should have. Other firewalls should actually copy Palo Alto so that they can provide better stability, performance, and protection, at levels that are at least at Palo Alto's. This isn't necessarily an issue with the product per se; however, sometimes there are some features that, depending on the customer environment, do not work as well. Sometimes some of the applications the customer has do not respond as they normally should. Palo Alto support needs to understand the customer requirements and details so that they can resolve customer queries more effectively.

Thameem Ansari - PeerSpot reviewer
Top 5, Leaderboard, Real User

There are some options available in other firewall products that are not supported, so there is room for improvement in that regard. Technical support could be faster. The cost of this firewall could be cheaper.

Abhirup Sarkar - PeerSpot reviewer
Top 5, Leaderboard, Real User

The VPN connectors should be better. We had some challenges in terms of the VPN with Palo Alto Networks NG Firewall, and that's one of the main reasons why we moved to Sophos. Its load handling can also be improved. There were challenges when traffic was high. During peak business hours, it did not function very well. There was a lot of slowness, and the users used to complain, especially when they were connecting from outside. We even reported this to the support team. Their support should also be improved. Technical support was a bit of a concern while using this solution. We didn't get very good support from the Palo Alto team.

reviewer1114245 - PeerSpot reviewer
Real User

We work very closely with the vendors here and at this point they use external support. Maybe they could add some tools and more competing services, like servers, but that would increase the cost of the solution.

reviewer1460898 - PeerSpot reviewer
Top 5, Leaderboard, Real User

Having a better pricing model would make this product more competitive, and more affordable for our customers.

reviewer1386969 - PeerSpot reviewer
Top 20, Real User

They can work on the price. They are a little bit expensive, and not all customers are able to afford this solution. Taking into consideration that there is huge competition in the market and there are multiple firewall companies that are much cheaper than them and offer almost the same features, it would be good to improve the price.

MIhajlo MItev - PeerSpot reviewer
Top 20, Real User

Its price can be improved. It is expensive. Other vendors have pre-configured policies for the protection of web servers. Palo Alto has an official procedure for protecting the web servers. Many people prefer pre-configured policies, but for me, it is not an issue.

MD.SIHAB TALUKDAR - PeerSpot reviewer
Top 5, Leaderboard, Real User

This solution is very stable, but Cisco devices are stable at the hardware level. Palo Alto hardware is not equal to the level of the Cisco Device. The hardware is weak. In the next release, I would like to see faster support and the integrated system a 5G network, a next-generation firewall, and endpoint security. I would like a collaboration system and reporting ASA policy needs to be smarter.

Khawaja AhsanZia - PeerSpot reviewer
Top 20, Real User

There will always be room for improvement. On a daily basis you get patches for everything. They build new features, apply new technologies and new applications which need to be integrated and with that you get bugs. There are always issues, whether it's hardware or software.

reviewer1447032 - PeerSpot reviewer
Top 20, Real User

They've improved a lot of things, but we'd like to see more mobility between on-prem and cloud-based. I'd also like to see security synchronization between the firewalls. Managing can be difficult.

Georges Samaha - PeerSpot reviewer
Top 5, Reseller

The solution would benefit from having a dashboard. From a normal IPS after attack, routine attack and threat detection attack, in other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution.

Humbert Choi - PeerSpot reviewer
Top 20, Reseller

I would like to see better third-party orchestration so that it is easier for the team to work with different products. Improvements should be made in the Cortex module.

reviewer1290441 - PeerSpot reviewer

I don't see any specific room for improvement. The user interface is probably not as slick as it could be.

Antonio El Khoury - PeerSpot reviewer
Top 10, Reseller

The price is expensive and should be reduced to make it more competitive. Information about Palo Alto products is more restricted than some other vendors, such as Cisco, which means that getting training is important. The traps should be improved. I would like to see better integration with IoT technologies. Having a unified firewall for OT and IT would be very good.

Kenichi Harada - PeerSpot reviewer
Real User

The whole performance takes a long time. It takes a long time to configure.

VinodPol - PeerSpot reviewer
Top 10, Consultant

The interface contains some decentralized tools, so simplifying it would be an improvement. I would like the option to be able to block the traffic from a specific country in a few clicks. Some of the implements under artificial intelligence should provide better visibility in terms of my traffic, such as where it originates and where it is going. Better integration with industry tools would allow me to do quicker automation and reduce my operational costs.

Kamlesh Ridhorkar - PeerSpot reviewer
Top 5, Reseller

The GSW needs some improvements right now. The endpoints could use improvement. The solution is mostly a cloud solution now, and there are a lot of competing solutions that are playing in the space and may be doing things a bit better. The pricing could be improved upon.

Mark Gleghorn - PeerSpot reviewer
Top 20, Real User

We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level models I would say commit speeds need to be improved. The appliances I'm working on are relatively old now. We're talking five-year-old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes. Currently, if I make changes on the firewall and I want to commit changes, that can take two or three minutes to commit those changes. It doesn't happen instantly. The solution doesn't offer spam filtering. I don't know whether it's part of their plan to add something of that aspect in or not. I can always get spam filtering someplace else. It's not a deal-breaker for me. A lot of appliances do that, and there are just appliances that handle nothing but spam.

Asad Mukhtar - PeerSpot reviewer
Real User

There could be improvement with their logs, especially their CLI. When you go to the command line to understand the command line interface it's tricky and requires a deep understanding of the product. We recently faced one issue where the server side configuration changed and it wasn't replicated at the firewall. It required us to tweak things and now it is working fine. Finally, the HIPS and audio call features could be improved.

Shrihari Taluri - PeerSpot reviewer
Top 20, Real User

In the future, I would like to see more OTP features. The price of this product should be reduced.

reviewer1232628 - PeerSpot reviewer
Top 5, MSP

Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.

Mike Hancock - PeerSpot reviewer
Real User

I wish that the Palos had better system logging for the hardware itself.

Aleksandar Jovanovic - PeerSpot reviewer
Top 10, Real User

The only thing that is a little strange is in Policy-Based Forwarding. When you delete and add a new rule, because of the one hundred rule limit, if the new rule has an ID that is greater than one hundred, even though you have fewer than that, it will not work. The same thing happens when you are renaming a rule. The new rule will have a new ID, so it is possible for it to be greater than one hundred. This can be easily fixed by using one command from CLI, but you have to be aware of it.

Kumar_Rajesh - PeerSpot reviewer

The support could be improved. The next release could use more configuration monitoring on this one, and additional features on auditing.

Denis L - PeerSpot reviewer

The manufacturer can improve the product by improving the configuration. Some of the menus are difficult to navigate when trying to find particular features. It is not entirely intuitive or convenient. You might need to configure a feature in one menu and next you need to go to another tab and configure another part of the feature in another tab. It's not very user-friendly in that way. On the other hand, it's still more user-friendly than using the console. But this is certainly one feature they can improve.

Ibrahim Ghanem - PeerSpot reviewer
Real User

The solution needs some management tool enhancements. It could also use more reporting tools. And if the solution could enhance the VPN capabilities, that would be good.

reviewer1132443 - PeerSpot reviewer
Real User

The initial configuration is complicated to set up. You really have to know what you're doing. I attribute that to all of the features and functions that are built into the product. Luckily, Palo Alto has a great support site and you can find contractors who are knowledgeable in the technology.

Jean Maurice Prosper - PeerSpot reviewer
Real User

The support needs improvement. Also, better reporting of errors would be good.

NGfrwall677 - PeerSpot reviewer
Real User

The support in our country can be slow sometimes. It's a slow website. It could also use better customer support.

Jonny Su - PeerSpot reviewer
Real User

I think they need to have a proper hardware version for a smaller enterprise. We had to go to a very high-end version which is very expensive. If we chose the lower-end version, it would not meet our goals. A middle-end is missing in its portfolio. For example, there's the PA820 and the PA220, but there's nothing between. So they are really missing some kind of small-size or medium-size usage. Right now, you have to choose either a big one or you have a very small one, which is not really good. In the next release, it would be helpful if there was some kind of a visualized feature that showed the traffic flow, or something like that, to be able to simulate. When we define something if we could see a simulation of how the flow will be treated that would be great. Because today everything is done by experts by checking logs, but it's very time-consuming. If there's also a simulator to use when you apply some configuration, you can also apply on the simulator, to copy the configuration. So, you can see maybe to generate some traffic and to see how it will be treated. That will be very good.

EmreBektas - PeerSpot reviewer

Most customers ask about the choice of features. It's limited. It's not arranged well for users. Also, customers don't want to buy extra things for extra capabilities. I would like to implement individual profiles for each user. Capability, in general, is limited.

Mahmoud Salaheldin - PeerSpot reviewer
Real User

(Malware) On-prem scanning should be considered. Endpoint management (Traps) would be better on-prem than in the cloud. QoS should be more sophisticated than it is now. TAC support should cover the Middle East area with Arabic support, such as in France, Germany, Italy and Japanese.

it_user1009449 - PeerSpot reviewer
Real User

Palo Alto NG firewalls can be improved in support of finance and banking. We need better affiliations for profiling the user. The product has some delay in the maintenance. They have to find some solution to make updates quicker.

Mustafa Arrabi - PeerSpot reviewer
Real User

Palo Alto has a good product and end-user experience. It's great. They can maybe add more processing power to their hardware. That's it. Sometimes it's stuck and you need to restart it. They have been adding a lot of things, so we need to upgrade for the new features.

Rakesh Rawat - PeerSpot reviewer
Real User

Overall it is good. It is reliable and easy to understand. However, the monitoring feature could be improved. They have many solutions already. I don't think I have seen any missing features. Every device has different functions, but as a firewall, this solution has a lot.

Partnerf4b9 - PeerSpot reviewer
Real User

I would like integration with and RedLock. The data loss prevention (DLP) capabilities need to be beefed up.

reviewer961413 - PeerSpot reviewer

* Boot time
* Easy UI for the non-network specialists
* Commit time
* Virtualization
* Credit to Palo Alto knowledgebase.

InfTech4985 - PeerSpot reviewer
Real User

I would like to see more in terms of reporting tools and the threat analysis capabilities.

Bachir Elsitt - PeerSpot reviewer
Real User

I'm thinking about a new feature. They have decryption. It's a good idea to use decryption on Palo Alto. It would be good if they can offload the traffic. Like, for example, SSL Offloading on F5. They have an SSL decryption to offload the traffic.
