https://live.paloaltonetworks.com/t5/general-topics/upgrading-from-10-2-9-h1/m-p/1256403#M126599 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184904">@mmarie</a>&nbsp;,</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN> I would recommend reviewing the known and addressed issues for both </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-16-known-and-addressed-issues/pan-os-10-2-16-known-issues" target="_self"><STRONG><SPAN>10.2.16-h6</SPAN></STRONG></A><SPAN> and </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-16-known-and-addressed-issues/pan-os-10-2-16-h8-addressed-issues" target="_self"><STRONG><SPAN>10.2.16-h8</SPAN></STRONG></A><SPAN>, then comparing those against the features you actually use in production and determine what is acceptable vs. unacceptable.&nbsp;</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>As far as CVE-2026-0257 specifically, the advisory also lists mitigations if you need a temporary workaround while planning the upgrade:</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <UL data-spread="false"> <LI><SPAN>Use a dedicated certificate for Authentication Override cookies. Do not reuse the portal/gateway certificate or share that certificate with other features.</SPAN></LI> <LI><SPAN>Disable Authentication Override on the GlobalProtect portal and gateway by unchecking the options to generate and accept cookies.</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>For example, if Auth Override is enabled today, you could consider disabling it on both the GP portal and gateway as a temporary mitigation while you complete your upgrade review and change planning.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> Tue, 16 Jun 2026 01:24:03 GMT JayGolf 2026-06-16T01:24:03Z https://live.paloaltonetworks.com/t5/general-topics/upgrading-from-10-2-9-h1/m-p/1256305#M126594 <P>Hello,</P> <P class="isSelectedEnd"><SPAN>We currently have two PA-3410 firewalls configured in HA, running PAN-OS 10.2.9-h1.</SPAN></P> <P class="isSelectedEnd"><SPAN>We are planning to upgrade to the preferred release PAN-OS 10.2.16-h6. However, after reviewing the security advisories, it appears that this version does not fully mitigate some vulnerabilities, including CVE-2026-0257.</SPAN></P> <P class="isSelectedEnd"><SPAN>Would it be advisable to upgrade directly to PAN-OS 10.2.16-h8 instead of 10.2.16-h6 to ensure all known CVEs are addressed? Has anyone encountered any issues or concerns with 10.2.16-h8 in a production HA environment?</SPAN></P> <P><SPAN>Any recommendations would be appreciated.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> Sun, 14 Jun 2026 11:52:04 GMT https://live.paloaltonetworks.com/t5/general-topics/upgrading-from-10-2-9-h1/m-p/1256305#M126594 mmarie 2026-06-14T11:52:04Z https://live.paloaltonetworks.com/t5/general-topics/upgrading-from-10-2-9-h1/m-p/1256403#M126599 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184904">@mmarie</a>&nbsp;,</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN> I would recommend reviewing the known and addressed issues for both </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-16-known-and-addressed-issues/pan-os-10-2-16-known-issues" target="_self"><STRONG><SPAN>10.2.16-h6</SPAN></STRONG></A><SPAN> and </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-16-known-and-addressed-issues/pan-os-10-2-16-h8-addressed-issues" target="_self"><STRONG><SPAN>10.2.16-h8</SPAN></STRONG></A><SPAN>, then comparing those against the features you actually use in production and determine what is acceptable vs. unacceptable.&nbsp;</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>As far as CVE-2026-0257 specifically, the advisory also lists mitigations if you need a temporary workaround while planning the upgrade:</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <UL data-spread="false"> <LI><SPAN>Use a dedicated certificate for Authentication Override cookies. Do not reuse the portal/gateway certificate or share that certificate with other features.</SPAN></LI> <LI><SPAN>Disable Authentication Override on the GlobalProtect portal and gateway by unchecking the options to generate and accept cookies.</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>For example, if Auth Override is enabled today, you could consider disabling it on both the GP portal and gateway as a temporary mitigation while you complete your upgrade review and change planning.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> Tue, 16 Jun 2026 01:24:03 GMT https://live.paloaltonetworks.com/t5/general-topics/upgrading-from-10-2-9-h1/m-p/1256403#M126599 JayGolf 2026-06-16T01:24:03Z