PAN-OS 9.0 Released - Stop and Think

L7 Applicator


Today Palo Alto Networks officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions, those of us that have been participating in the beta are now actually able to give you direct answers.

Like any major release, the next few weeks will be filled with new posts describing issues users are having with 9.0; the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.


Upgrade Advice:

Stop and Think! When upgrading to the next major version, the first question you should be asking yourself this early in the product's release cycle is whether you need the new features or you want the new features. Disrupting business because you wanted to install 9.0 for the new feature set is a terrible idea. If you have a business need for the new features, the risk associated with running a new major release can be offset by business need.

Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0, I would hold off on rushing to install 9.0 on production equipment.


There are issues:

Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that is over 100 different issue IDs!


My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature, please stay away from 9.0 for the time being. Let those of us that have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0.


Questions about 9.0?

Now that 9.0 is officially released and beta members are no longer held by their NDAs, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment, I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and see what Palo Alto has on the roadmap.


Lastly:

I can't stress this enough: 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test that your configuration will actually work in 9.0, you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS.


Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks.

L6 Presenter

Re: PAN-OS 9.0 Released - Stop and Think

Ok, over / under...

How many posts about how terrible 9.0.X is and how someone's environment is degraded because they deployed 9.0.X (because of a want) without the due diligence you talked about?

I am gonna go with 8.

L7 Applicator

Re: PAN-OS 9.0 Released - Stop and Think

@Brandon_Wertz,

How long are we going to let it go for? I easily see 10 within the first few weeks, just like with 8.1.

L6 Presenter

Re: PAN-OS 9.0 Released - Stop and Think

Funny, I've got a 5220 (I see it for download in my user account on the Palo support portal) and it doesn't see the 9.0.0 software to download, but my 3220 pair sees it.

L7 Applicator

Re: PAN-OS 9.0 Released - Stop and Think

@Brandon_Wertz,

Odd. I can download it from support for my 5200s perfectly fine.

L6 Presenter

Re: PAN-OS 9.0 Released - Stop and Think

Yeah, not sure... The box is fully supported and has no other "connectivity" issues, so I'm not sure why the hangup. Not that I'm trying to install it ATM, just a curiosity I had.

L7 Applicator

Re: PAN-OS 9.0 Released - Stop and Think

@BPry

Even 8.1.6 isn't recommended yet, right?

Now with this topic you created (and if we keep replying so that this topic stays on top, as I don't think Palo Alto will make this a sticky topic), I think there will be fewer "my network is down after installing 9.0.0 - why?" topics, so I'm gonna say 6 ;)

L7 Applicator

Re: PAN-OS 9.0 Released - Stop and Think

@vsys_remo,

To the best of my knowledge it is not.

L4 Transporter

Re: PAN-OS 9.0 Released - Stop and Think

I got pretty excited while reading the release notes today and I'm installing 9.0 on my lab PAN-220 this evening to give it a spin.


Things that jumped out at me:

  • Security policy optimization is going to help out big time. Expedition seems powerful, but it also is a bit overwhelming when you're just trying to use it for security policy migration to app-based rules. I'm sure I'll still use the best practices analyzer though.
  • App-default rules applying correctly to decrypted traffic, including web-browsing... yay!
  • GRE tunnel support... A previous coworker had a thought about redoing our campus design to incorporate newer methods of network segmentation. GRE tunnels were an interesting method since it means the core and access layer can be pretty much whatever you need it to be, as long as each building has a GRE-capable Layer 3 device that can tunnel to the firewall.
  • Traffic simulator for security rules.... one of the only things I miss from the ASA.
  • DNS security
  • WinRM for User-ID
  • Multiple categories for URL filtering is definitely cool and could allow more granular control
  • Cisco SGT


Things I have questions about:

  • Any plans for a GlobalProtect update for other platforms besides iOS? I've seen it on my coworkers' phones and it looks waayyyy better than my Android version or even the desktop versions.
  • Will the Universal Unique IDs for Policy Rules allow more than one rule with the same name? I ended up copying rules from our own old device group into our new one and, of course, am having to deal with rules with "-1" at the end due to the existing code using the rule name as the unique ID. I can also see this being handy for pointing a rule out to someone... rules being moved around or renamed makes them hard to refer to others sometimes.
  • GRE tunnels... how many can each hardware platform support?


Seems like I had some other questions but they aren't coming to mind at the moment.

L7 Applicator

Re: PAN-OS 9.0 Released - Stop and Think

@jsalmans,

Things I have questions about

  • Any plans for a GlobalProtect update for other platforms besides iOS? I've seen it on my coworkers' phones and it looks waayyyy better than my Android version or even the desktop versions.

An upgrade to 5.0.0 for the desktop agents is available at this time. They just refreshed the Windows and macOS interface a while back, so I wouldn't expect any major redesigns in the near future. There will be an upgraded Android app pushed out in the near future; the iOS upgrade was rushed out a little due to iOS 12.

  • Will the Universal Unique IDs for Policy Rules allow more than one rule with the same name? I ended up copying rules from our own old device group into our new one and, of course, am having to deal with rules with "-1" at the end due to the existing code using the rule name as the unique ID. I can also see this being handy for pointing a rule out to someone... rules being moved around or renamed makes them hard to refer to others sometimes.

Nope. You can still only have one entry with the same name, or you'll run into an issue with the validation process.

  • GRE tunnels... how many can each hardware platform support?

I believe these simply count towards the device's tunnel limit. So 1,000 for a PA-220. Don't take my word for that though.
