07-07-2016 11:14 AM
I am going through some cleanup of our PAN firewalls. We have 8 sites with active/standby pairs of PAN's. The sites are connected with IPSEC VPN's. The code varies from 6.0.3 to 7.0.4 versions.
What's your feeling on the most stable 7.X code as of now?
Requirements:
1. I want to get to the newer/later code for encryption enhancements (Suite B algortihms).
2. I'm mostly trying to level set and get everything ont he same version.
3. If there are any great new features that you want to plug int he 7.0.x or 7.1.x code, would like to hear it.
As of now, I am leaning towards 7.0.8 PAN-OS as it is my habit to stay just a bit back of the bleeding edge.
07-08-2016 02:13 PM
Bump
I am especailly interested to hear from those who have gone to 7.1.3.
Regards,
07-08-2016 05:23 PM
Running couple of 5060 with Active/passive and vsys enabled on 7.0.7 and 7.0.8, so far no compliants yet..
07-11-2016 12:18 AM - edited 07-11-2016 12:19 AM
We are running some small sites with version 7.1.3 and no issues.
I am considering to upgrade 1 primary site to 7.1.3 but only for 1 improvement:
Better SSL decryption PFS cipher support
(Primary sites on 7.0.8 now)
07-26-2016 01:51 PM
My expereince has been the same as @Gertjan-HFG as we are identically doing the same thing. 7.0.8 on across the board, 7.1.3 Panorama with some testing of 7.1.3. No issues with 7.1.3, either Panorama or PAN-OS, that I have ran into yet.
Matt
07-27-2016 12:52 AM
I'm running two HA pairs, 2x3020 and 2x5050. The 3020s are running 7.1.3 with no issues. I've tested it on the 5050s, got 3 restarts in a few hours. Downgraded to 7.0.8 (which looks very stable, aside from a bug in the software manager(*)) and opened a ticket. Picture of system logs attached.
(*) 7.0.8 does not allow me to upgrade to 7.1.x versions directly, it complains that a "base" 7.1 version is not downloaded on the system, while 7.1.0 is present and loaded in the software manager. Had to take the 7.0.8->7.1.0->7.1.3 route to upgrade on thee 5050s. Opened a ticket.
07-29-2016 05:57 AM
I have two sets of firewalls 5060 & 5050's and I'm currently running 7.0.7 and planning to go to 7.0.9 when it comes out 8/1. I've been discussing going to 7.1.5 when it comes out, but support still has not given the 7.1.x branch the official blessing. I currently have no issues on 7.0.7, it's been very stable.
08-03-2016 01:03 PM
We are having issue with userid group-mapping stop refreshing with vsys enabled 5060 running 7.0.7 and above. Restart the useridd process will fix it in the short term, but some of the vsys will stop refreshing the group-mapping in less than 24 hours. Also, after restart the useridd process, some of the vsys are no longer able to connect to the userid agents. We end up need to fail over the firewall to restore service.
The group-mapping refresh issue is fixed in 7.1.4, there is no word from TAC about backport to 7.0 yet.
E
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
