PAN-OS Updates: EoL, Preferred Release, and Known Issues


When managing an organization's Next-Generation Firewalls, it's important to be aware of the End-of-Life dates, the support-preferred OS releases, and their known issues. These are very helpful resources that help you mitigate risk and ensure you stay supported.


End-of-Life Summary

 

Did you know that Palo Alto Networks lists the End-of-Life dates for PAN-OS? There are 11 months until 9.1 becomes EoL, so that means you have a bit of time to begin planning and testing your upgrade strategy. If you don't know already, running an EoL release brings the risk that security vulnerabilities can no longer be addressed!


Latest Preferred PAN-OS

 

If you are planning to upgrade this year, consider the support-preferred releases of 9.1, 10.1, and 10.2 as a great starting point. The recommendations should be taken with a grain of salt, as they do not take your specific customer configuration into account. Here are the preferred releases within the major releases that are not EoL. 11.0 was recently released and currently does not have a preferred release.


Release      Released    Note
9.1.15       10/24/22    Preferred release
10.1.8-h2    12/20/22    Preferred release
10.2.3-h2    12/13/22    Preferred release


Keep up to date with Support PAN-OS Software Release Guidance.
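As an added example (not part of the original post or of any Palo Alto Networks tool), here is a small Python check that parses PAN-OS version strings, including the -hN hotfix suffix, and compares a firewall inventory against the preferred releases in the table above; the hostnames and running versions in the inventory are constructed for illustration.

```python
import re

# Support-preferred releases per major train, as listed in this post
# (11.0 had no preferred release at the time of writing, so it is absent).
PREFERRED = {"9.1": "9.1.15", "10.1": "10.1.8-h2", "10.2": "10.2.3-h2"}

# PAN-OS versions look like 10.1.8 or 10.1.8-h2 (hotfix). A base release
# sorts below its own hotfixes, so a missing hotfix number maps to 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Turn '10.1.8-h2' into the comparable tuple (10, 1, 8, 2)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version):
    """Classify a running version against the preferred release of its train."""
    running = parse_panos_version(version)
    train = f"{running[0]}.{running[1]}"
    preferred = PREFERRED.get(train)
    if preferred is None:
        return {"train": train, "preferred": None, "status": "no-preferred-release"}
    target = parse_panos_version(preferred)
    if running < target:
        status = "behind-preferred"
    elif running == target:
        status = "on-preferred"
    else:
        status = "ahead-of-preferred"
    return {"train": train, "preferred": preferred, "status": status}


def assess_inventory(inventory):
    """Map firewall name -> assessment; alert on anything 'behind-preferred'."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = {"fw-edge-01": "10.1.6", "fw-dc-01": "10.1.8-h2",
             "fw-dc-02": "10.2.3", "fw-lab-01": "11.0.0"}

for name, result in assess_inventory(INVENTORY).items():
    print(f"{name}: {INVENTORY[name]} -> {result['status']}")
```

Note that a base release such as 10.2.3 is reported as behind 10.2.3-h2, since the hotfix is what the preferred-release list names.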

 

PAN-OS Preferred Release Known Issues

 

With every decision to upgrade, consider your organization's needs and take note of the known issues listed in the release notes. If troubleshooting is turning into chaos, take a quick glance over the items to see if your problem may be listed.


9.1.15

 

Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: "Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading."
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

PLUG-380: When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack, and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-197919: When path monitoring for a static route is configured with a new Ping Interval value, that value does not get used as intended. Workaround: Disable and re-enable path monitoring for that static route to change the Ping Interval value.

PAN-197859: On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.

Check out 9.1.15 Known Issues for the total list.

 

10.1.8-h2

 

If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface. Workaround: Enable duplicate logging to send the logs to both CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.

Upgrading a PA-220 firewall takes up to an hour or more.

PA-220 firewalls are experiencing slower web interface and CLI performance times.

Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: "Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading."
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.
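The two VM-Series memory conditions above (the refused upgrade below 4.5GB, and the quiet fallback to VM-50 capacity when memory is below the licensed requirement) surface as the quoted System log messages, and the second one is easy to miss because the firewall keeps running. As an added example, not from this post or from Palo Alto Networks, here is a small Python detector that scans syslog lines for those two messages and reports the host and licensed model; the syslog framing, hostnames and timestamps are assumed and constructed.

```python
import re

# Patterns built from the two messages quoted in the known issues above.
# Hostnames, timestamps and surrounding syslog framing are assumed.
CAPACITY_ADJUSTED = re.compile(
    r"System capacity adjusted to VM-50 capacity due to insufficient memory "
    r"for (?P<licensed>VM-\d+) license"
)
UPGRADE_REFUSED = re.compile(
    r"Failed to install (?P<target>\S+) with the following error: "
    r"(?P<model>VM-\d+) in \S+ requires (?P<required>[\d.]+)GB memory"
)
# Assumed syslog framing: "<timestamp> <hostname> <message>".
SYSLOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def classify_line(line):
    """Return a finding dict for a line matching either message, else None."""
    framed = SYSLOG_LINE.match(line.strip())
    if not framed:
        return None
    host, msg = framed.group("host"), framed.group("msg")
    m = CAPACITY_ADJUSTED.search(msg)
    if m:  # firewall is up, but with VM-50 capacity instead of the licensed one
        return {"host": host, "finding": "capacity-downgraded",
                "licensed_model": m.group("licensed"), "effective_model": "VM-50"}
    m = UPGRADE_REFUSED.search(msg)
    if m:  # upgrade was refused outright; the VM needs more memory first
        return {"host": host, "finding": "upgrade-refused",
                "model": m.group("model"), "required_gb": float(m.group("required"))}
    return None


def scan(lines):
    """Collect findings over an iterable of syslog lines."""
    return [f for f in map(classify_line, lines) if f]


# Constructed sample lines (not real logs): the message bodies are the ones
# quoted in the release notes, the framing around them is made up.
SAMPLE_LOGS = [
    "2023-01-13T04:10:28Z fw-vm-01 System capacity adjusted to VM-50 capacity "
    "due to insufficient memory for VM-300 license",
    "2023-01-13T04:11:02Z fw-vm-02 Failed to install 9.0.0 with the following error: "
    "VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory."
    "Please configure this VM with enough memory before upgrading.",
    "2023-01-13T04:12:00Z fw-vm-03 commit succeeded",
]

for finding in scan(SAMPLE_LOGS):
    print(finding)
```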
 

 

Check out 10.1.8 Known Issues for the total list.

 

10.2.3-h2

 

WF500-5754: In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface. Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632: The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.

PAN-208622: A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).

PAN-206005: (PA-3400 Series and PA-5440 firewalls only) The I7_misc memory pool on this platform is undersized and can cause a loss of connectivity when reaching the limit of the memory pool. Certain features, like using a decryption profile with Strip ALPN disabled, can lead to depleting the memory pool and causing a connection loss. Workaround: Disable HTTP2 by enabling Strip ALPN in the decryption profile, or avoid usage of the I7_misc memory pool.

PAN-198174: When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured. Workaround: Provide a DNS server setting for the firewall (Device > DNS Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address.

 

Check out 10.2.3 Known Issues for the total list.

 

More Information:

Palo Alto Networks Security Advisory

Palo Alto Networks Announces PAN-OS 11.0 Nova

New Networking Features With PAN-OS 11.0 Nova 

 

Thanks for reading!

 

@JayGolf out!
