7.0.3 upgrade

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

7.0.3 upgrade

L4 Transporter

I am planning on upgrading the PA 5050 os from 6.1.7 to 7.0.3. I have been reading over the changes and I think it would be beneficial to see examples instead of description of what changes are , anyone have any recommendations

27 REPLIES 27

What services are you referring too?

L4 Transporter

I agree with @john.langford and couldn't have said it better.  We are actually going to downgrade a few active/passive firewalls running 7.0.3 to 6.1.8 just to resolve issues with SSL decryption / dataplane memory leak bugs.  We experienced them in 7.0.1 as well.

 

I'm hoping 7.1.x gets a more rigorous QA to avoid these types of issues.  Basically in my mind if you want to run SSL Decryption and 7.0.x, it's not if, its just when will your SSL sessions stall or SSL buffers run out before you have to reboot / restart the dataplane.  I'm actually surprised that the software posted hasn't been deffered.

 

Love the product however I am not sure what happened with 7.0.x.

 

-Matt

Great information latest and greatest isn't as important and most stable

Hi all

 

As @mlinsemier, john.langford@aplp.net and others already said. Unless you do not really need the features of 7.0.x STAY WITH 6.1.X!

 

Thes is just the short list of bugs I know and also experienced:

  • SSL Decryption completely useless (if you have more than a few users)
  • Global Protect: If you use LDAP as Authentication Profile there is this nice bug which shows a "Password expires in 0 days" on the Global Protect agents as you can see here (VPN users getting password expires in 0 day) --> probably fixed in 7.0.5
  • Global Protect: There is an issue with RADIUS authentication and setting permissions on GP Portal for AD Users/Groups whitch at least prevents Global Protect from working in my situation
  • User ID Redistribution: With this I don't know exactly whats going wrong because I hadn't had enough time to investigate further because I had to go back from 7.0.3 to 6.1.8, But an other firewall on 6.1.7 was not able to get the Global Protect User-IP Mappings from the 7.0.x Firewall

I also agree with you all with the point that I still really like the PaloAlto Products, but there have to be big, really big quality improvements in 7.1 to restore the trust into the product I once had.

 

Regards,

Remo

We have 37 firewalls (from 5000 to 200 ) managed with Panorama 7.0.3. I love template and device group stacking feature, new ACC look. 15 of them running 7.0.3 the rest is on 6.1.7. I dont see any issues on 7.0.3,  but we dont use SSL decryption or GP, any other features works just as it suppose to.

Does the code 7.0.3 have issues with GP too? Please let me know. 

L2 Linker

No idea what PAN did in version 7, but it seems that the QA process just isn't there.  Unfortunately we made some changes with our policies in 7.0.3 and cannot easily revert back to 6.1.8.  I am forced to fail over my FWs every morning and reboot just to keep the dataplane passing traffic.  I hope this bug is addressed in 7.0.4 and also hope that staff from PAN is reading these posts as numerous people have this problem.

We use GP so we are going to hold off untill the next version

I think I am on the same boat as you on the GP. Thanks. Hope there is a fix on next updated code. Our customer is becoming upset. 

What is the ETA for 7.0.4?

 

Thanks

@dfeddersen From what I recall it was December 21st for 7.0.4 release.

L2 Linker

There is another GP related bug on 7.0.3. When using domain names for LDAP instead of IPs, GP cannot resolve the domain name so you get plethora error messages in authd.log telling you the LDAP server is down. A workaround is to use a FQDN object, but even that is very temperamental; it'll work and then suddenly stop for no apparant reason. Kind of sucks as I purchased a 3rd party cert so that I could verify the SSL sessions for the LDAP servers and now I can't even do that.

 

Looks like a typical case of people at the top pushing for deadlines and overlooking quality which results in shabby work.

I have been on 7.04 since Dec 2015 and now 7.0.5h2 and thankfully the SSL decryption problrems have been resoved. I would feel safe recommending 7.0.5h2

  • 10254 Views
  • 27 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!