Production issues with 9.0.4?

L7 Applicator

Production issues with 9.0.4?

Hello Community!

Has anyone made the jump to 9.0.4 on their production firewalls? I have read the release notes and installed it onto my lab unit. Just checking to see if anyone has had any issues outside of what is in the release notes. Currently we are running the 8.1 train.

 

Cheers!

L0 Member

Re: Production issues with 9.0.4?

I just did the other day because I figured 4 releases ought to be enough to work out most of the bugs...

I've run into a couple issues.

The one was that our Windows 10 machines that are dual-connected with wireless + wired weren't able to connect to wireless after the upgrade.  They weren't making an IP / User mapping.  I upgraded our User-ID agent that we run on an AD box to the newest release and that didn't fix it.

I ended up having to whitelist some more URLs for our trusted networks - basically preventing the filter from requiring authentication for those URLs (Destination Auth Exempt).  It is important to exclude any non-trusted (BYOD / Guest) because those machines need to not hit those URLs without authentication so the OS can correctly show a captive portal - but internal machines should never need it.  The plus side is - the yellow exclamation point won't show up at the login screen anymore.
The URLs were *.msftncsi.com and *.msftconnecttest.com so that it wouldn't try to do captive portal detection.  I'm not sure if the timeout maybe was changed with 9.0 - but we had a rule in for the msftncsi from Windows 8.1 - but apparently with 10 - it's now msftconnecttest.com instead.
This Microsoft article talks about the change:
(https://blogs.technet.microsoft.com/netgeeks/2018/02/20/why-do-i-get-an-internet-explorer-or-edge-po...

I'm also running into an issue with the Safe Search automatic redirection not working.  I'm opening up a ticket about that right now because I'm not seeing any known issues.  Other than that, the filters seem fine on it.  There are some pretty nice new features as far as seeing protocol usage for particular rules and more about rules that have fallen out of use.  We'll see if I can get this Safe Search issue taken care of...

L7 Applicator

Re: Production issues with 9.0.4?

Have not had any issues on my home firewall thus far

L2 Linker

Re: Production issues with 9.0.4?

I deployed 9.0.4 a couple days ago. I have had no issues so far. It also fixed an LDAP bug I was encountering in the previous versions of the 9.0.x releases.

Just another I.T. guy
L1 Bithead

Re: Production issues with 9.0.4?

Yes, 9.0.4 broke things badly for me.  It seems only the first four (virtual) ethernet ports on the PA VM now work.  Ports 5 onwards never come up.  This is out of character, I rarely have problems...

 

Upon downgrading to 9.0.3-h3 again everything came back straight away.  I'd be interested to know how many other people have tried this scenario out.

L0 Member

Re: Production issues with 9.0.4?

We upgraded two HA clusters from 8.1.10 and had to roll back on one because all security policies using FQDN were denied. It seemed that FQDN was not resolving at all - stuck in a "0.0.0.0  updating" state (see below). Once rolled back everything worked immediately. Interestingly, the other cluster upgraded from 8.1.10 -> 9.0.4 with zero issues. The HA clusters have significantly different configs though, so I'm not sure that they can be directly compared. We have a case open with PA for this - it resembled a bug (PAN-105228) that was meant to be fixed in 8.1.5.

 

Sample of failure to resolve FQDN

 

show dns-proxy fqdn all

FQDN Table : Request time 2019-11-05 10:28:51
--------------------------------------------------------------------------------
        IP Address
--------------------------------------------------------------------------------
VSYS : (using mgmt-obj dnsproxy object)
        Shared
        vsys1
sa-is.us.dell.com
        0.0.0.0  updating
        ::  updating
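
A post-upgrade check for the failure described in the post above, as an added example that is not part of the original thread: it parses saved "show dns-proxy fqdn all" output and lists FQDN objects that have no usable address (only 0.0.0.0 / :: rows, or no rows at all). The sample output, its hostnames and the layout of a resolved row are constructed assumptions based on the excerpt quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout quoted in the post above. Hostnames are
# placeholders, and the resolved row for ok.example.net is an assumption,
# since the post only shows the failing form.
SAMPLE = """\
FQDN Table : Request time 2019-11-05 10:28:51
--------------------------------------------------------------------------------
        IP Address
--------------------------------------------------------------------------------
VSYS : (using mgmt-obj dnsproxy object)
        Shared
        vsys1
stuck.example.com
        0.0.0.0  updating
        ::  updating
ok.example.net
        192.0.2.10
"""

HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)


def parse_fqdn_table(text):
    """Return {fqdn: [(ip_address, state), ...]} from the CLI output."""
    table, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            # Not an address row: either a new FQDN or a header to skip.
            if len(tokens) == 1 and HOSTNAME.match(tokens[0]):
                current = tokens[0].lower()
                table[current] = []
            continue
        if current is not None:
            table[current].append((addr, " ".join(tokens[1:])))
    return table


def unresolved_fqdns(table):
    """FQDNs with no usable address: no rows, or only 0.0.0.0 / :: rows."""
    return sorted(name for name, rows in table.items()
                  if all(addr.is_unspecified for addr, _ in rows))
```

Running this against output captured before and after an upgrade shows which FQDN-based policy objects stopped resolving, which is the condition that caused the denied traffic described above.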
