topic Software Version 11.1.5-h1 in Next-Generation Firewall Discussions

Software Version 11.1.5-h1

Suhail-Hameed — Thu, 21 Nov 2024 12:39:13 GMT

Hello,

We are experiencing packet loss, and the IPsec tunnels are going down on the following version and model:

Software Version: 11.1.5-h1
Model: PA-1420

After restarting the firewall, it resumes normal operation.

I want to know, this version is stable, any advise.

Re: Software Version 11.1.5-h1

kiwi — Thu, 21 Nov 2024 14:16:55 GMT

Hi @Suhail-Hameed ,

11.1.5-h1 is a new version. It's too soon to be considered a preferred version.

Currently 11.1.4-h7 is the preferred version in the 11.1.x PAN-OS.

Please bookmark this page to know which OS versions are preferred:

Support PAN-OS Software Release Guidance

Kind regards,

-Kim.

Re: Software Version 11.1.5-h1

ksauer507 — Thu, 21 Nov 2024 20:32:56 GMT

Kiwi,

I can understand why they went to 11.1.5-h1, because in the Palo CVE-2024-0012 and CVE-2024-9474 it clearly states affected ; less than 11.1.5-h1. Unaffected: greater than or equal to 11.1.5-h1.

We were on 11.1.2 and moved to 11.1.4-h7. Its a preferred release and the notes state that these CVE fixes are in there, and preferred as of 11/18/2024.

I would just like clarification as to if we are really protected, because these links lead you to believe in the 11.1 train you need 11.1.5-h1 or newer. Please advise.

https://security.paloaltonetworks.com/CVE-2024-0012

https://security.paloaltonetworks.com/CVE-2024-9474

Now look at the releases post:
https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304

11.1.4-h7

11/18/24

Preferred Release [11/18/24]
Note: A fix was made to address CVE-2024-0012 (PAN-SA-2024-0015) and CVE-2024-9474.

Note: If using IoT Security, wifclient might exit multiple times causing firewall to reboot.
Workaround:
Uninstall IoT License and disable Enhanced Application Logs
Note:

If using IoT Security, the device may run into wifclient crashes during server cert verification causing dataplane to restart
Workaround: Use below CLI to disable CRL

debug iot eal key-value PAN_ICD_SERVER_CERT_USE_CRL=False

Note: [PA-5400f Platforms Only ] Extremely high receive packet rate can cause an interrupt storm leading to heartbeat failures and dataplane down.

So which one is it?

Re: Software Version 11.1.5-h1

ksauer507 — Thu, 21 Nov 2024 21:48:15 GMT

I opened a case with Palo to confirm the discrepancy between the CVE publications and the release notes posting. They did confirm and I have it in writing that yes, both CVE's are also fixed in 11.1.4-h7. Although the CVE notification claims you need 11.1.5-h1 or newer, that is not the case. If the OP upgraded to 11.1.5-h1 because of the CVE, I feel bad he was mislead into a release that was not ready. Hopefully PAN will update the CVE documentation.

Re: Software Version 11.1.5-h1

JohnstonM — Fri, 29 Nov 2024 23:57:31 GMT

I have a scheduled maintenance to upgrade to 11.1.5-h1 for Dec 6th. I too was lead to believe that the above statement, you needed to go to 11.1.5-h1 to be covered for those CVEs, encompassed as PA-SA-2024-0015. I am going to get in touch with my (new term) Solutions Consultant on Monday, as this is what I was searching for. I'm going to send a link to this discussion thread to him, to get behind the scenes on to correctly get this answer. I would prefer to be on the preferred version, so I hopefully do NOT encounter that stuck logon to OneDrive. This would be 2 upgrades within the last 3 months and since CISA has added these to their KEV, I'm bound to do the upgrade on Friday the 6th (crossing my fingers).