PAN-OS Updates: EoL, Preferred Release, and Known Issues

Community Team Member


When managing an organization's Next-Generation Firewalls, it's important to know the End-of-Life dates, the support-preferred release, and the known issues for each PAN-OS release. Together these three resources help you mitigate risk and make sure the software you run is still supported.

 

End-of-Life Summary

 

Did you know that Palo Alto Networks publishes the End-of-Life dates for each PAN-OS release? At the time of writing there are 11 months until 9.1 becomes EoL, so you have some time to plan and test your upgrade strategy. If you are not already aware: once a release is EoL it no longer receives fixes, including fixes for security vulnerabilities, so staying on it means carrying known and newly discovered issues with no remediation path other than upgrading.

 

[Screenshot: PAN-OS End-of-Life summary table, captured 2023-01-13]

 

Latest Preferred PAN-OS

 

If you are planning to upgrade this year, the support-preferred releases of 9.1, 10.1, and 10.2 are a good starting point. Treat the recommendation as a starting point rather than a verdict: it does not take your specific configuration into account, so check the known issues against the features you actually use. The preferred releases within the major releases that are not EoL are listed below. 11.0 was recently released and does not yet have a preferred release.

 

Release     Released    Status
9.1.15      10/24/22    Preferred release
10.1.8-h2   12/20/22    Preferred release
10.2.3-h2   12/13/22    Preferred release

 

Keep up to date with Support PAN-OS Software Release Guidance.

 

PAN-OS Preferred Release Known Issues

 

With every decision to upgrade, consider your organization's needs and take note of the known issues listed in the release notes. If you are deep in a troubleshooting session, a quick look over the list may show that the behavior you are chasing is already documented.

 

9.1.15

 

Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    "Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading."
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack, and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-197919
When path monitoring for a static route is configured with a new Ping Interval value, that value does not get used as intended.
Workaround: Disable and re-enable path monitoring for that static route to change the Ping Interval value.

PAN-197859
On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap.

Check out the 9.1.15 Known Issues for the full list.

 

10.1.8-h2

 

If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to both CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode.

Upgrading a PA-220 firewall takes up to an hour or more.

PA-220 firewalls are experiencing slower web interface and CLI performance times.

Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays:
    "Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure this VM with enough memory before upgrading."
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message "System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license" indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

Check out the 10.1.8 Known Issues for the full list.

 

10.2.3-h2

 

WF500-5754
In WildFire appliance clusters, issuing the "show cluster controller" CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).

WF500-5632
The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) does not accurately reflect the current status of connected WildFire appliances.

PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you attach an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) with the Action set to Block to a Security policy rule (Policies > Security).

PAN-206005
(PA-3400 Series and PA-5440 firewalls only) The I7_misc memory pool on this platform is undersized and can cause a loss of connectivity when the limit of the memory pool is reached. Certain features, such as a decryption profile with Strip ALPN disabled, can deplete the memory pool and cause a connection loss.
Workaround: Disable HTTP/2 by enabling Strip ALPN in the decryption profile, or otherwise avoid usage of the I7_misc memory pool. Keep in mind that stripping ALPN forces decrypted sessions down to HTTP/1.1, so expect a behavior and performance change for HTTP/2-heavy applications.

PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup (for example, resolving IP addresses to domain names with the Resolve Hostname feature) can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall (Device > Setup > Services). If you cannot reference a valid DNS server, you can add a dummy address. A dummy address only avoids the crash: anything on the management plane that needs name resolution, such as dynamic content updates or FQDN address objects, will not work until a reachable resolver is configured.

Check out the 10.2.3 Known Issues for the full list.

 

More Information:

Palo Alto Networks Security Advisory

Palo Alto Networks Announces PAN-OS 11.0 Nova

New Networking Features With PAN-OS 11.0 Nova 

 

Thanks for reading!

 

@JayGolf out!

9 Comments
L1 Bithead

I have a Palo at version 9.0.6. Can you tell me what the preferred release for 9.0 and 10.0 is? I do not have sufficient access to click the preferred button on the determine upgrade path document. Thanks in advance.

Community Team Member

Hi @AnthonyT ,

 

The preferred release for 9.0 is 9.0.16-H3 & the preferred for 10.0 is 10.0.11-h1. Please keep in mind that 10.0 is end-of-life as of July 16, 2022 & 9.0 is end-of-life as of March 1, 2022. 

L1 Bithead

JayGolf,

 

Thanks for the info. It will help with my upgrade.

 

 

L1 Bithead

JayGolf,

 

Once I land on 10.1 what is the preferred release? I am sorry for all the questions. I have limited access to the community. 

 

Thanks,

Tony

 

Community Team Member

Hi @AnthonyT ,

 

No worries! That's what the community is here for. 10.1.9 is the preferred release for 10.1.

L0 Member

We are using 10.1.8-h6. Do you recommend upgrading to a 10.2.x version? If yes, what is the preferred version?

Community Team Member

Hi @KumarRaj ,

 

If you are on 10.1, the preferred release is 10.1.9-h3. I would recommend taking a look at the release notes and see if your environment will be okay with the known issues listed. 

L2 Linker

Hi @AnthonyT,

 

I have a question. We are planning to upgrade from 9.1.14-h4 to 10.1.6-h6. As 10.0 is already EoL, do we still need to download the 10.0 base and then download and install the latest release for 10.0 prior to upgrading to 10.1?

 

As I refer to this below path:

 

[Screenshot: Screenshot 2023-06-27 213019.png]

 

And may I know what does mean by this sentence below? 

[Screenshot: Screenshot 2023-06-27 213158.png]

 

Hi @NurulAfiqah ,

You still need to download 10.0 and then download and install the latest 10.0.x (at the moment 10.0.12).

 

The fact that 10.0 is End of Life doesn't mean you should skip it in the upgrade path. EoL just means that no bug fixes will be provided for this version.

 

The meaning of the sentence in the second screenshot is that PAN TAC recommends using 10.1, because 10.0 is EoL. The key word here is "use". Upgrading to 10.0.12 is a mandatory step that you shouldn't skip, but it is not recommended to stay on this version for a longer period, as it may have unknown bugs and TAC wouldn't provide support. I would expect TAC to support you if you face any issues during the upgrade (if you did it following the official upgrade path).
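The upgrade-path rule in the reply above (every intermediate feature release must be passed through: base image first, then its latest maintenance release) and the EoL and preferred-release information in the post can be turned into a small planner. What follows is an added example, not code from Palo Alto Networks or from anyone in this thread. The RELEASES table is a constructed snapshot of the versions and EoL dates mentioned on this page and must be refreshed from the vendor's EoL summary and release guidance before use; the Version, FeatureRelease and plan_upgrade names are my own. The strings it emits are the PAN-OS operational CLI commands for downloading and installing software and rebooting.

```python
"""PAN-OS upgrade-path planner (added example; not Palo Alto Networks code).

Rule encoded, from the reply above: feature releases (9.1, 10.0, 10.1, ...)
cannot be skipped; for each train between current and target, download its
base image, then install its latest maintenance release and reboot.  An EoL
train may be passed through but not stayed on.  RELEASES is a CONSTRUCTED
snapshot of versions/EoL dates named on this page; refresh it from the
vendor's EoL summary and release guidance before trusting the output.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    maint: int
    hotfix: int = 0  # the "-h3" suffix, 0 when absent; field order sorts right

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[hH](\d+))?", text.strip())
        if not m:
            raise ValueError(f"not a PAN-OS version: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def feature(self) -> Tuple[int, int]:
        return (self.major, self.minor)  # (10, 1) for any 10.1.x

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.maint}"
        return f"{base}-h{self.hotfix}" if self.hotfix else base


@dataclass(frozen=True)
class FeatureRelease:
    name: str            # "10.0"
    base: str            # base image that must be on the device first
    latest: str          # latest maintenance release of the train
    eol: Optional[date]  # None = not end-of-life in this snapshot


# Constructed snapshot: versions and EoL dates as stated in the post/comments.
RELEASES = [
    FeatureRelease("9.0", "9.0.0", "9.0.16-h3", date(2022, 3, 1)),
    FeatureRelease("9.1", "9.1.0", "9.1.15", None),
    FeatureRelease("10.0", "10.0.0", "10.0.12", date(2022, 7, 16)),
    FeatureRelease("10.1", "10.1.0", "10.1.9-h3", None),
    FeatureRelease("10.2", "10.2.0", "10.2.3-h2", None),
]


def _land_on(rel: FeatureRelease, install: Version, need_base: bool,
             final: bool, today: date) -> Tuple[List[str], List[str]]:
    """PAN-OS CLI steps to reach `install` inside train `rel`, plus warnings."""
    cmds = []
    if need_base and Version.parse(rel.base) != install:
        cmds.append(f"request system software download version {rel.base}")
    cmds.append(f"request system software download version {install}")
    cmds.append(f"request system software install version {install}")
    cmds.append("request restart system")
    warnings = []
    if rel.eol is not None and rel.eol <= today:
        role = "target" if final else "intermediate"
        warnings.append(f"{rel.name} is end-of-life since {rel.eol.isoformat()} "
                        f"({role}): no fixes are provided; pass through, do not stay")
    return cmds, warnings


def plan_upgrade(current: str, target: str, today: Union[date, str],
                 releases: List[FeatureRelease] = RELEASES
                 ) -> Tuple[List[str], List[str]]:
    """Return (cli_commands, warnings) for an upgrade from current to target."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cur, tgt = Version.parse(current), Version.parse(target)
    if tgt <= cur:
        raise ValueError(f"{target} is not newer than {current}")
    by_train = {Version.parse(r.base).feature: r for r in releases}
    trains = sorted(by_train)
    if cur.feature not in by_train or tgt.feature not in by_train:
        raise ValueError("current or target feature release is not in the table")
    i, j = trains.index(cur.feature), trains.index(tgt.feature)
    cmds, warnings = [], []
    for feat in trains[i + 1:j]:  # every train strictly between the two
        rel = by_train[feat]
        c, w = _land_on(rel, Version.parse(rel.latest), True, False, today)
        cmds += c
        warnings += w
    # Target train: base image only needed when crossing into a new train.
    c, w = _land_on(by_train[tgt.feature], tgt, i != j, True, today)
    return cmds + c, warnings + w
```

Calling plan_upgrade("9.1.14-h4", "10.1.6-h6", "2023-06-27") reproduces the path asked about above: download 10.0.0, download and install 10.0.12, reboot, then download 10.1.0, download and install 10.1.6-h6, reboot, with a warning that 10.0 is EoL and is only to be passed through. A same-train move such as 10.1.8-h6 to 10.1.9-h3 produces no base-image step, and a downgrade raises instead of emitting commands. PAN-OS needs the base image of a feature release present on the device before a maintenance release of that train can be installed, which is why the planner downloads it first; before running any of it, still read the known issues for every version the path lands on.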
