Just wondering since this is a topic that comes up often and I actually just asked TAC about it myself, should we maybe have a stickied post on here that documents the recommended versions for each software track? I realize Palo Alto doesn't publish it anywhere but the knowledge is usually spread around among the users anyways after one or more of them ask TAC as part of an open support case. When one of us gets updated information, we could reply to the stickied post and the original post can be edited with the new version info and date.
Or even better: a publicly available (without login or with an API key or something) XML/JSON text file that can be used for automated firewall updates ...
There's been a lot of talk about this and truth be told I've yet to hear a good excuse from PA as to why this doesn't already exist. The only 'good' feedback I've ever got was that they would rather you talk to your SE and determine a recommended version for your environment.
The problem with that answer is, obviously, the SE may or may not even know all of the features you have enabled and how you actually use the equipment.
@BPry Actually, that's the reason I found most compelling. I too wish I had access to the official TAC published list, and YMMV with your own assigned PANW SE. However my track record has been pretty good - the SE assigned to my companies has known our environment fairly well. Not well enough to know server names/IPs, etc., but which general features we're using and what configuration we used to deploy our PANW Firewalls...they've had that fairly well, and sometimes that affects whether or not a version can be recommended. Usually that amounts to "TAC says Version X is recommended, but there are some cautions about the PA-5000 series using TS-Agents" or something like that. But it could go/has gone the other way: "TAC hasn't officially flagged version Y as recommended, but this has a bug fix in it that affects you and is otherwise fairly mature in the line - it just hasn't been out long enough to be recommended by TAC. But I think you'd be safe and possibly better off considering moving to that version."
To be sure, I wish it was cut & dry/black & white - "just use TAC-approved version X". I wish I could at least see that so I know when TAC changes their official opinion.