Experiences with PAN-OS 6.1.8 ...

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Experiences with PAN-OS 6.1.8 ...

L7 Applicator

Hi all

 

Does anyone already have installed 6.1.8 and tested? Are there any new issues?

What I can tell so far is ...

... some sites with supported ciphersuites and TLS versions which did not work in 6.1.7 are working now

... websites with ECDHE/DHE Ciphers are working now respectively are not decrypted anymore when no decryption profile is applied which should block the connection

... with a decryption profile applied which blocks unsupported versions and ciphers I would still expect the ssl decryption error notify response page, but the connection fails without any message exept the ones from IE/Chrome...

 

I would be glad if you could share your experiences with this release.

 

Regards,

Remo

4 REPLIES 4

L4 Transporter

I can let you know tonight.  With 7.0.4 still being almost a month away, we just can't wait that long so I am basically being forced to downgrade a few firewalls to resolve stability issues.  

 

I've fought long and hard with 7.0.1, 7.0.2, and now 7.0.3 with SSL issues and memory leaks that caused more havoc than I would like to admit too.  As an early adopter I expected some issues, but not like these.  For me 6.0.x and 6.1.x were rock solid where I had very few issues.  Hopefully, with 7.1.x, Palo Alto can restore some of my faith.  I love the product I just didn't expect these types of issues from such a great vendor.

 

-Matt

 

P.S.  It would be great if Palo Alto had a better hotfix / special software program for there customers as well.  I can get a special build from Cisco to fix a specific bug that may be plaguing our environment.  I was hoping that Palo Alto would have a similar type program but apparently that is not the case.

L6 Presenter

So ECDHE/DHE Ciphers (when doing SSL-termination) are working or not now with 6.1.8?

Just for clarification: NO, ECDHE/DHE ciphers could still not get decrypted by PaloAlto. Maybe with 7.1 ...

What I meant was only that you probably don't have to write every website with only FS ciphers to a custom URL category, because these connections pass without decryption through the firewall (this requires that you do not block such connections with a decryption profile)

L4 Transporter

Downgraded from 7.0.3 to 6.1.8 and it was relatively painless.  I re-pushed the templates and policies via Panorama and then did the global override for LDAP to add our Active Directory domain (see my article on this) and cleaned up my wildfire rules (changes in 7.x vs 6.x).

 

So far, so good.  Some of the issues surrounding SSL (such as large file sessions timing out) seem to be resolved now.  There is no support for PFS as stated above (I believe that’s a 7.1.x feature).  I will report again next week on the crashes due to the SSL memory leak which usually take a few days to manifest.

 

-Matt

  • 2726 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!