This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Changes to SSH communication method and ARP output format during upgrade

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Changes to SSH communication method and ARP output format during upgrade

n-tomo
L1 Bithead

‎02-03-2025 06:43 PM

Hello.

 

If we upgrade PA-450 from 10.1.6-h6 to 10.2 or 11.1 (or 11.2) series, is it correct to assume that there is no change in SSH communication method or ARP output format?

 

I am aware that there is no change as far as I can see from the release notes, but please let me check just to be sure.

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎02-04-2025 11:37 AM

Hello,

I cant recall ever seeing an issue with either when upgrading a PAN. Both hold to pretty strict standards.

SSH https://datatracker.ietf.org/doc/html/rfc4253

ARP https://datatracker.ietf.org/doc/html/rfc826

 

Regards,

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎02-04-2025 08:21 PM

Hello @n-tomo

 

over past years I have done a few Firewall migrations / upgrades. I never came across an issue with SSH, however I run into an issue with ARP during migrations. By doing upgrades there will be no change in SSH or ARP, however you might run into a bug affecting functionality of either of the protocols. In earliest PAN-OS releases of 10.2 there are a few bugs related to ARP: PAN-221033, PAN-209346, PAN-207533, PAN-204838, PAN-199726. Regardless what target PAN-OS version you decide to upgrade to you should aim for latest recommended version that has all bugs addressed.

 

Kind Regards

Pavel   

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to OtakarKlier

‎02-05-2025 07:29 AM - edited ‎02-05-2025 07:30 AM

@OtakarKlier wrote:

Hello,

I cant recall ever seeing an issue with either when upgrading a PAN. Both hold to pretty strict standards.

SSH https://datatracker.ietf.org/doc/html/rfc4253

ARP https://datatracker.ietf.org/doc/html/rfc826

 

Regards,

@OtakarKlier -- Palo has actually has such an issue when we were upgrading to a 10.1.X from a 10.0.X we had "weird" traffic not working issues.  In the end, it was because we had our NAT rules setup wrong.  Prior to the upgrade from 10.0.X to 10.1.X traffic worked just fine with the firewall matching traffic to the NAT policy, but in 10.1.9 (mid code) they changed how the device functioned regarding ARP (Ours was a single VR, not dual):

Brandon_Wertz_0-1738769371493.png

 

0 Likes Likes
  • 753 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks