7.0.3 upgrade

Cyber Elite

The only thing I know for certain is that "patches" X.X.X are released every 6 weeks.  I'm not certain about the release cycle of new versions (X.) or major revisions/feature releases (X.X) from within a version.


I think the later two are "it depends."

L4 Transporter

Okay I never viewed them as patches before, that gives me a totally different perspective

L4 Transporter

I would avoid 7.0 2 or 3 at all costs. We upgraded and have had nothing but problems. SSL decryption stops working (stops passing traffic). The firewalls have buffer problems and stop passing all traffic. We were a happy PAN customer for 5 years and now I spend my days and nights nursing my Palo Alto firewalls and talking to TAC. 7.0.x is one of the worst versions of code I have seen in my 30+ years in IT.




L3 Networker

I upgraded to 7.0.3 because I had to get 1-2 of the features it provided. luckily I dont use some of the services (yet) that have been really problematic for users. I would have stayed on 6.1.X if I could.

L4 Transporter

What services are you referring too?

L3 Networker

I agree with @john.langford and couldn't have said it better.  We are actually going to downgrade a few active/passive firewalls running 7.0.3 to 6.1.8 just to resolve issues with SSL decryption / dataplane memory leak bugs.  We experienced them in 7.0.1 as well.


I'm hoping 7.1.x gets a more rigorous QA to avoid these types of issues.  Basically in my mind if you want to run SSL Decryption and 7.0.x, it's not if, its just when will your SSL sessions stall or SSL buffers run out before you have to reboot / restart the dataplane.  I'm actually surprised that the software posted hasn't been deffered.


Love the product however I am not sure what happened with 7.0.x.



L4 Transporter

Great information latest and greatest isn't as important and most stable

Cyber Elite

Hi all


As @mlinsemier, john.langford@aplp.net and others already said. Unless you do not really need the features of 7.0.x STAY WITH 6.1.X!


Thes is just the short list of bugs I know and also experienced:

  • SSL Decryption completely useless (if you have more than a few users)
  • Global Protect: If you use LDAP as Authentication Profile there is this nice bug which shows a "Password expires in 0 days" on the Global Protect agents as you can see here (VPN users getting password expires in 0 day) --> probably fixed in 7.0.5
  • Global Protect: There is an issue with RADIUS authentication and setting permissions on GP Portal for AD Users/Groups whitch at least prevents Global Protect from working in my situation
  • User ID Redistribution: With this I don't know exactly whats going wrong because I hadn't had enough time to investigate further because I had to go back from 7.0.3 to 6.1.8, But an other firewall on 6.1.7 was not able to get the Global Protect User-IP Mappings from the 7.0.x Firewall

I also agree with you all with the point that I still really like the PaloAlto Products, but there have to be big, really big quality improvements in 7.1 to restore the trust into the product I once had.




We have 37 firewalls (from 5000 to 200 ) managed with Panorama 7.0.3. I love template and device group stacking feature, new ACC look. 15 of them running 7.0.3 the rest is on 6.1.7. I dont see any issues on 7.0.3,  but we dont use SSL decryption or GP, any other features works just as it suppose to.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!