Experience with PANOS 6 so far ?

L3 Networker

Re: Experience with PANOS 6 so far ?

ON TAGS:

We manage our firewalls with Panorama.  We upgraded Panorama first (to 6.0.3) and then the firewalls after.   We found that the initial commit to Panorama post-upgrade to many of the firewalls failed - with Panorama complaining about tags.

Although most of our security/NAT rules are defined in Panorama; some rules were local to the firewalls.  Those rules that had tags caused this issue.

Separately, on each of the two firewalls in a HA pair, I removed the tags from the local rules; removed the tag object from the new Tags page in Objects, and then hit save.  I could then do a commit from Panorama (with the "merge with candidate configuration" option set).

Perhaps I could have done a force on the Panorama commit; but that sort of thing scares me ;-)

L2 Linker

Re: Experience with PANOS 6 so far ?

What I have found is that you need to do the following when going from 5.0.9 or later versions to 6.0.x

1. If using URL filtering make sure the latest definitions are loaded.

2. Update All of your Content to the latest version

3. Download the 6.0 base image

4. Download and install 6.0.x

5. Once you are on 6.0.x you will need to re-download your URL DB if using one as there're new Country Options in 6.x PanDB

I have seen no issues yet on 6.0.3 Act/Pass or 6.0.4 Act/Act in production installations.

L3 Networker

Re: Experience with PANOS 6 so far ?

We failed to update our Global Protect Client from 1.2.6 in advance of an upgrade from 5.0.10 to 6.0.4. This seems to have caused the useridd daemon to suffer a memory leak and repeated reset due to over-usage of virtual memory - impacting Global Protect sessions. Don't follow my lead ;-)

L4 Transporter

Re: Experience with PANOS 6 so far ?

Hello,

Is the recommendation to be on version 2.x of the GP client prior to upgrading from 5.x to 6.x? Thanks!

Mike

L3 Networker

Re: Experience with PANOS 6 so far ?

You may well be OK running 1.2.10 - but we just decided to go straight to 2.0.4.  Many of our clients are running XP; so version 2 isn't hitting issues with this older OS.

Here's an example of the log output we were getting,

2014-09-05 08:37:12.655 +0000 Error:  pan_hip_update_report(pan_hip_handler.c:1653): ha_cfg_file_update('/opt/panlogs/global-protect/hip_report_base/250/5b1074f600c942093d84b3a26ec68199_vsys1_10.a.b.c.xml') failed: Transaction in progress

2014-09-05 08:37:12.737 +0000 Error:  ha_lib_trans_file_unique_update(ha_lib_trans_file.c:445): usr.tran.hip-report unable to update unique with transaction in progress

If you can update a test box to PANOS 6, you can then check for these log entries with the command "less mp-log useridd.log".

If you're not getting any of these errors; you shouldn't hit the issue I did.

Oh, also seems we only suffer the issue if HA session synchronisation is enabled; we've disabled that whilst we move all users to GP 2.0.4.
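
One way to run the check described in the post above against a saved copy of useridd.log, as an added example that is not part of the original thread. The sample lines are constructed from the two entries quoted in the post plus one invented unrelated line; the function names and the idea of scanning an off-box copy of the log are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the entries quoted in the post,
# the third is an invented unrelated entry to show that it is ignored.
SAMPLE_LOG = """\
2014-09-05 08:37:12.655 +0000 Error:  pan_hip_update_report(pan_hip_handler.c:1653): ha_cfg_file_update('/opt/panlogs/global-protect/hip_report_base/250/5b1074f600c942093d84b3a26ec68199_vsys1_10.a.b.c.xml') failed: Transaction in progress
2014-09-05 08:37:12.737 +0000 Error:  ha_lib_trans_file_unique_update(ha_lib_trans_file.c:445): usr.tran.hip-report unable to update unique with transaction in progress
2014-09-05 08:37:13.001 +0000 Info:  example_unrelated_function(example.c:1): constructed unrelated entry
"""

# Line layout as seen in the quoted entries:
# "<date> <time>.<ms> <tz> <Level>:  <function>(<file>:<line>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} "
    r"(?P<level>\w+):\s+(?P<func>\w+)\((?P<src>[^)]+)\):\s+(?P<msg>.*)$"
)

# The two reporting functions that appear in the quoted errors.
HIP_FUNCS = {"pan_hip_update_report", "ha_lib_trans_file_unique_update"}


def find_hip_transaction_errors(text):
    """Return parsed Error entries matching the HIP 'transaction in progress' pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or differently shaped line
        if (m["level"] == "Error" and m["func"] in HIP_FUNCS
                and "transaction in progress" in m["msg"].lower()):
            hits.append(m.groupdict())
    return hits


def summarise(hits):
    """Count matches overall, per minute and per reporting function."""
    return {
        "total": len(hits),
        "per_minute": dict(Counter(h["ts"][:16] for h in hits)),
        "per_func": dict(Counter(h["func"] for h in hits)),
    }


if __name__ == "__main__":
    print(summarise(find_hip_transaction_errors(SAMPLE_LOG)))
```

A total of zero on the test box corresponds to the "not getting any of these errors" case in the post; the per-minute counts show whether the errors repeat.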

L2 Linker

Re: Experience with PANOS 6 so far ?

No OSPF ECMP Support yet? What's the Timeline?

L6 Presenter

Re: Experience with PANOS 6 so far ?

started to upgrade 6.0.5

no issues.
