I have got customers using the 4.0.5 version and have complained about the Memorly leak and High CPU on DP. I have requested them to go over to 4.0.7 and since then I have not heard back from them with any issues with the 4.0.7 Version. It is a very stable and strong version and I would Highy recommend you to go with 4.0.7.
I concur, since upgrading to 4.0.7 we seen the memory leak on the management plane ( did not see this on dataplane ) resolved. Some of the issues within the release notes were applicable to our environment, to this end those fixes have worked as expected.
Some issues noted
1. We see alot of pan agent read-log alerts in the console since 4.0.7 upgrade ( when checking the connections there appears to be no problem so this may be spurious)
2. On one of my 2020's i sometimes still get the AV and application definition update downloads in a hung state. I have not see this on my 4020 HA pair however.
That said, thus far, 4.0.7 appears to be much better than 4.0.5 which caused some frustration.
As one of my team aptly put it.. he can sit and sip on a lemonade watching the packets flow by without spilling on himself...
I had just upgraded from panos 4.0.5 to 4.0.7 due to a data plane memory issue. Currently, I'm monitoring it to see how things go for the day.
As for the stuck jobs, try the following from the CLI:
1. show jobs all
2. Look under the status column for problems.
3. Make note of the ID column that's associated with the failed or stuck job.
4.. clear job id IDNumber Ex: clear job id 24
This worked for me everytime something goes wrong with the subcribed updates, can't download, and can't commit jobs.
I have had several clients upgrade to 4.0.7 and have not heard of any issues so far, but they have each been up for less than a week.
as a side note, 4.1 contains a monitor pop up that shows the jobs on the firewall, so you won't have to go to the CLI to check downloads.
A work around for the stuck jobs is to set a timeout on your dynamic updates to about 3 hours.
Correction Threshold is actually a setting for delaying when an update will be installed. I apologize for any confusion I may have caused.
Though a setting like that would be really awesome - please hit up your Sales Engineer if you agree.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!