When managing an organization's Next-Generation Firewalls, it is important to track the End-of-Life dates, the support-preferred PAN-OS releases, and their known issues. These resources help you mitigate risk and stay on a supported release.
Did you know that Palo Alto Networks publishes the End-of-Life dates for PAN-OS? There are 11 months until 9.1 becomes EoL, so you have a bit of time to begin planning and testing your upgrade strategy. If you don't know already, an EoL release brings the risk that security vulnerabilities can no longer be addressed!
If you are planning to upgrade this year, the support-preferred releases of 9.1, 10.1, and 10.2 are a great starting point. Take the recommendations with a grain of salt, as they do not account for your specific configuration. Here are the preferred releases within the major releases that are not EoL. 11.0 was recently released and does not yet have a preferred release.
Status | Release | Release date | Note |
---|---|---|---|
P | 9.1.15 | 10/24/22 | Preferred release. |
P | 10.1.8-h2 | 12/20/22 | Preferred release. |
P | 10.2.3-h2 | 12/13/22 | Preferred release. |
Keep up to date with Support PAN-OS Software Release Guidance.
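To turn the table above into a check you can run before an upgrade window, the following added example (not Palo Alto Networks code) parses the sw-version from a constructed "show system info" API response, compares it with the three support-preferred releases listed in this post, and flags major releases approaching End-of-Life. PAN-OS version strings carry an optional hotfix suffix (10.1.8-h2), so the comparison must treat 10.1.8 as older than 10.1.8-h2. The EoL date for 9.1 used here is a placeholder for illustration, not the vendor's published date.

```python
"""Check a firewall's running PAN-OS version against the support-preferred
releases listed in this post and flag releases at or near End-of-Life.
Added example, not vendor code. The preferred releases are the three from
the post; the EoL date is an assumed placeholder; the XML response is
constructed to mirror the shape of a <show><system><info/> reply."""

import re
import xml.etree.ElementTree as ET
from datetime import date

# Support-preferred release per major release, taken from the post.
PREFERRED = {"9.1": "9.1.15", "10.1": "10.1.8-h2", "10.2": "10.2.3-h2"}

# Placeholder EoL dates (assumed for the example; use the vendor EoL page).
EOL = {"9.1": date(2023, 12, 31)}

# major.minor.maintenance with an optional -hN hotfix suffix, e.g. 10.1.8-h2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample response; only sw-version is read.
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname><sw-version>10.1.6</sw-version>
</system></result></response>"""


def parse_version(text):
    """Return (major, minor, maint, hotfix) so tuples compare naturally;
    a missing hotfix counts as 0, so 10.1.8 < 10.1.8-h2."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def major_release(version):
    """'10.1' for (10, 1, 8, 2)."""
    return f"{version[0]}.{version[1]}"


def sw_version_from_show_system_info(xml_text):
    """Extract sw-version from the API response; fail loudly if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise ValueError("sw-version missing from response")
    return node.text.strip()


def assess(version_text, today):
    """Return human-readable findings for the running version."""
    v = parse_version(version_text)
    rel = major_release(v)
    findings = []

    eol = EOL.get(rel)
    if eol is not None:
        days = (eol - today).days
        if days <= 0:
            findings.append(f"{rel} is end-of-life; no further security fixes")
        else:
            findings.append(f"{rel} reaches end-of-life in {days} days")

    pref = PREFERRED.get(rel)
    if pref is None:
        findings.append(f"{rel} has no support-preferred release yet")
    elif v < parse_version(pref):
        findings.append(f"{version_text} is below preferred release {pref}")
    else:
        findings.append(f"{version_text} is at or above preferred release {pref}")
    return findings


if __name__ == "__main__":
    running = sw_version_from_show_system_info(SAMPLE_RESPONSE)
    for line in assess(running, date.today()):
        print(line)
```

Run against a real firewall by replacing SAMPLE_RESPONSE with the XML returned by the operational "show system info" API call; the preferred-release table should be refreshed from the vendor's release guidance rather than hard-coded in production.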
With every decision to upgrade, consider your organization's needs and take note of the known issues listed in the release notes. If you are deep in troubleshooting, take a quick glance over the list to see whether your problem is already documented.
Issue ID | Description |
---|---|
— | Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process. |
— | A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available. |
PLUG-380 | When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls. |
PAN-197919 | When path monitoring for a static route is configured with a new Ping Interval value, that value does not get used as intended. Workaround: Disable and re-enable path monitoring for that static route to change that Ping Interval value. |
PAN-197859 | On firewalls running LSVPN with tunnel monitoring enabled, upgrades to 9.1.14 or later cause the LSVPN tunnels to flap. |
Check out 9.1.15 Known Issues for the total list.
Issue ID | Description |
---|---|
— | If you use Panorama to retrieve logs from Cortex Data Lake (CDL), new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface. Workaround: Enable duplicate logging to send the logs to CDL and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode. |
— | Upgrading a PA-220 firewall takes up to an hour or more. |
— | PA-220 firewalls are experiencing slower web interface and CLI performance times. |
— | Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process. |
— | A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available. |
Check out 10.1.8 Known Issues for the total list.
Issue ID | Description |
---|---|
WF500-5754 | In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface. Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6). |
WF500-5632 | The number of registered WildFire appliances reported in Panorama (Panorama > Managed WildFire Appliances > Firewalls Connected > View) […] |
PAN-208622 | A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile (Objects > DLP > Data Filtering Profiles) […] Block […] to a Security policy rule (Policies > Security) […] |
PAN-206005 | (PA-3400 Series and PA-5440 firewalls only) The I7_misc memory pool on this platform is undersized and can cause a loss of connectivity when reaching the limit of the memory pool. Certain features, like using a decryption profile with Strip ALPN disabled, can lead to depleting the memory pool and causing a connection loss. Workaround: Disable HTTP2 by enabling Strip ALPN in the decryption profile or avoid usage of the I7_misc memory pool. |
PAN-198174 | When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured. Workaround: Provide a DNS server setting for the firewall (Device > Setup > Services > DNS). |
Check out 10.2.3 Known Issues for the total list.
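Several of the known issues in the tables above are triggered by a specific configuration state, which means they can be screened for before the upgrade rather than discovered afterwards. The following added example (not vendor code) audits an exported running configuration for three of them: PAN-198174 (no DNS server configured, so Resolve Hostname can crash the appliance), PAN-206005 (a decryption profile with Strip ALPN disabled on PA-3400 Series or PA-5440 hardware) and PAN-197859 (tunnel monitoring enabled on an IPsec tunnel, the condition named for LSVPN flapping on upgrades to 9.1.14 or later). The configuration XML and the XPaths used are assumptions constructed for the example; confirm them against a real export, and confirm for PAN-197859 that a flagged tunnel is actually an LSVPN tunnel.

```python
"""Pre-upgrade audit for configuration conditions that match known issues
PAN-198174, PAN-206005 and PAN-197859 from this post. Added example, not
vendor code: the sample config and the XPaths are assumptions and must be
checked against a real configuration export."""

import xml.etree.ElementTree as ET

# Constructed sample running config exhibiting all three conditions.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <dns-setting><servers/></dns-setting>
    </system></deviceconfig>
    <vsys><entry name="vsys1">
      <profiles><decryption>
        <entry name="inbound-decrypt">
          <ssl-forward-proxy><strip-alpn>no</strip-alpn></ssl-forward-proxy>
        </entry>
        <entry name="safe-decrypt">
          <ssl-forward-proxy><strip-alpn>yes</strip-alpn></ssl-forward-proxy>
        </entry>
      </decryption></profiles>
    </entry></vsys>
    <network><tunnel><ipsec>
      <entry name="lsvpn-hub">
        <tunnel-monitor><enable>yes</enable></tunnel-monitor>
      </entry>
    </ipsec></tunnel></network>
  </entry></devices>
</config>"""

# Models named in PAN-206005.
I7_MISC_AFFECTED_PREFIXES = ("PA-34", "PA-5440")


def _text(node):
    """Normalised text of an element, or '' when the element is absent."""
    return (node.text or "").strip().lower() if node is not None else ""


def audit(config_xml, model):
    """Return a list of (issue_id, message) tuples for matching conditions.
    Order is fixed (DNS, decryption, tunnels) so reports are diff-friendly."""
    root = ET.fromstring(config_xml)
    dev = root.find("./devices/entry")
    if dev is None:
        raise ValueError("no device entry in configuration")
    findings = []

    # PAN-198174: Resolve Hostname with no DNS server configured (assumed path)
    primary = dev.find("./deviceconfig/system/dns-setting/servers/primary")
    if not _text(primary):
        findings.append(("PAN-198174",
                         "no DNS server configured; using Resolve Hostname "
                         "in ACC/Monitor can crash and restart the appliance"))

    # PAN-206005: Strip ALPN disabled on affected hardware (assumed path)
    if model.startswith(I7_MISC_AFFECTED_PREFIXES):
        for prof in dev.findall("./vsys/entry/profiles/decryption/entry"):
            strip = prof.find("./ssl-forward-proxy/strip-alpn")
            if _text(strip) != "yes":
                findings.append(("PAN-206005",
                                 f"decryption profile {prof.get('name')!r} "
                                 "does not strip ALPN; I7_misc pool may deplete"))

    # PAN-197859: tunnel monitoring enabled (assumed path; verify LSVPN use)
    for tun in dev.findall("./network/tunnel/ipsec/entry"):
        enabled = tun.find("./tunnel-monitor/enable")
        if _text(enabled) == "yes":
            findings.append(("PAN-197859",
                             f"tunnel {tun.get('name')!r} has tunnel monitoring "
                             "enabled; LSVPN tunnels flap after upgrade to 9.1.14+"))
    return findings


if __name__ == "__main__":
    for issue, msg in audit(SAMPLE_CONFIG, "PA-3410"):
        print(f"{issue}: {msg}")
```

Feed it the XML from a configuration export and the model string from "show system info"; a clean run returns an empty list, and each finding carries the issue ID so it can be cross-referenced with the release notes.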
More Information:
Palo Alto Networks Security Advisory
Palo Alto Networks Announces PAN-OS 11.0 Nova
New Networking Features With PAN-OS 11.0 Nova
Thanks for reading!
@JayGolf out!