Discussion on most stable PAN-OS image as of July 2016


L0 Member

I am going through some cleanup of our PAN firewalls. We have 8 sites with active/standby pairs of PANs. The sites are connected with IPsec VPNs. The code varies from 6.0.3 to 7.0.4 versions.

 

What's your feeling on the most stable 7.X code as of now?  

 

Requirements:

 

1. I want to get to the newer/later code for encryption enhancements (Suite B algorithms).

2. I'm mostly trying to level set and get everything on the same version.

3. If there are any great new features that you want to plug in the 7.0.x or 7.1.x code, I would like to hear it.

 

As of now, I am leaning towards 7.0.8 PAN-OS as it is my habit to stay just a bit back of the bleeding edge.


Cyber Elite

Bump

 

I am especially interested to hear from those who have gone to 7.1.3.

 

Regards,

L1 Bithead

Running a couple of 5060s with active/passive and vsys enabled on 7.0.7 and 7.0.8, so far no complaints yet.

We are running some small sites with version 7.1.3 and no issues.

 

I am considering upgrading 1 primary site to 7.1.3 but only for 1 improvement:

Better SSL decryption PFS cipher support

 

(Primary sites on 7.0.8 now)

My experience has been the same as @Gertjan-HFG as we are doing the identical thing. 7.0.8 across the board, 7.1.3 Panorama with some testing of 7.1.3. No issues with 7.1.3, either Panorama or PAN-OS, that I have run into yet.

 

Matt

I'm running two HA pairs, 2x3020 and 2x5050. The 3020s are running 7.1.3 with no issues. I've tested it on the 5050s, got 3 restarts in a few hours. Downgraded to 7.0.8 (which looks very stable, aside from a bug in the software manager(*)) and opened a ticket. Picture of system logs attached.

 

Schermata 2016-07-27 alle 09.46.36.png

 

(*) 7.0.8 does not allow me to upgrade to 7.1.x versions directly; it complains that a "base" 7.1 version is not downloaded on the system, while 7.1.0 is present and loaded in the software manager. Had to take the 7.0.8->7.1.0->7.1.3 route to upgrade on the 5050s. Opened a ticket.

I have two sets of firewalls 5060 & 5050's and I'm currently running 7.0.7 and planning to go to 7.0.9 when it comes out 8/1. I've been discussing going to 7.1.5 when it comes out, but support still has not given the 7.1.x branch the official blessing. I currently have no issues on 7.0.7, it's been very stable.

-Brad

We are having an issue with userid group-mapping stopping refreshing with vsys enabled 5060 running 7.0.7 and above. Restarting the useridd process will fix it in the short term, but some of the vsys will stop refreshing the group-mapping in less than 24 hours. Also, after restarting the useridd process, some of the vsys are no longer able to connect to the userid agents. We end up needing to fail over the firewall to restore service.

 

The group-mapping refresh issue is fixed in 7.1.4; there is no word from TAC about a backport to 7.0 yet.

 

E
