Experiences with PAN-OS 6.1.8 ...


L7 Applicator

Hi all


Has anyone already installed and tested 6.1.8? Are there any new issues?

What I can tell so far is ...

... some sites with supported cipher suites and TLS versions which did not work in 6.1.7 are working now

... websites with ECDHE/DHE ciphers are working now, or rather are not decrypted anymore when no decryption profile is applied which should block the connection

... with a decryption profile applied which blocks unsupported versions and ciphers I would still expect the SSL decryption error notify response page, but the connection fails without any message except the ones from IE/Chrome...


I would be glad if you could share your experiences with this release.


Regards,

Remo

4 Replies

L4 Transporter

I can let you know tonight.  With 7.0.4 still being almost a month away, we just can't wait that long so I am basically being forced to downgrade a few firewalls to resolve stability issues.  


I've fought long and hard with 7.0.1, 7.0.2, and now 7.0.3 with SSL issues and memory leaks that caused more havoc than I would like to admit to.  As an early adopter I expected some issues, but not like these.  For me 6.0.x and 6.1.x were rock solid where I had very few issues.  Hopefully, with 7.1.x, Palo Alto can restore some of my faith.  I love the product; I just didn't expect these types of issues from such a great vendor.


-Matt


P.S.  It would be great if Palo Alto had a better hotfix / special software program for their customers as well.  I can get a special build from Cisco to fix a specific bug that may be plaguing our environment.  I was hoping that Palo Alto would have a similar type of program, but apparently that is not the case.

L6 Presenter

So ECDHE/DHE Ciphers (when doing SSL-termination) are working or not now with 6.1.8?

Just for clarification: NO, ECDHE/DHE ciphers still cannot be decrypted by Palo Alto. Maybe with 7.1 ...

What I meant was only that you probably don't have to write every website with only FS ciphers to a custom URL category, because these connections pass through the firewall without decryption (this requires that you do not block such connections with a decryption profile).
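An added example (not code from the thread or from Palo Alto Networks) that classifies cipher suites by key exchange and models the two 6.1.8 behaviours described by Remo and in the reply above: (EC)DHE suites pass through undecrypted when no decryption profile is applied, and are blocked when a profile blocks unsupported ciphers and versions. The host names, sample records and the set of supported TLS versions are constructed assumptions, as is the handling of unsupported versions without a profile.

```python
# Added example, not from the thread or from Palo Alto Networks.
EPHEMERAL_KX = ("ECDHE_", "DHE_")  # forward-secrecy key exchange (not decryptable in 6.1.x)
STATIC_RSA_KX = ("RSA_",)          # RSA key transport, decryptable by the forward proxy


def key_exchange(suite: str) -> str:
    """Classify an IANA (TLS_ECDHE_...) or OpenSSL (ECDHE-...) suite name."""
    name = suite.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    if name.startswith(EPHEMERAL_KX):
        return "ephemeral"
    if name.startswith(STATIC_RSA_KX):
        return "rsa"
    return "other"  # static (EC)DH, PSK, OpenSSL names without a kx token: treat as unsupported


def decryption_outcome(suite, version, supported_versions, profile_blocks_unsupported):
    """Outcome the thread reports for 6.1.8 decryption.

    Assumption (not stated in the thread): an unsupported TLS version with no
    blocking profile is also passed through undecrypted.
    """
    if key_exchange(suite) == "rsa" and version in supported_versions:
        return "decrypted"
    return "blocked" if profile_blocks_unsupported else "passthrough-undecrypted"


def triage(records, supported_versions, profile_blocks_unsupported):
    """Map host -> outcome for a list of (host, suite, version) records."""
    return {host: decryption_outcome(suite, ver, supported_versions, profile_blocks_unsupported)
            for host, suite, ver in records}


def hosts_needing_exception(records, supported_versions):
    """Hosts a blocking profile would cut off: candidates for a decryption
    exclusion or custom URL category (the workaround mentioned in the thread)."""
    return sorted(h for h, s, v in records
                  if decryption_outcome(s, v, supported_versions, True) == "blocked")


# Constructed sample data: hypothetical hosts and the parameters they negotiated.
SAMPLE_RECORDS = [
    ("intranet.example", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLSv1.2"),
    ("pfs-only.example", "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("legacy.example", "TLS_RSA_WITH_RC4_128_SHA", "SSLv3"),
]
SUPPORTED_VERSIONS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}  # assumption, not from the thread

if __name__ == "__main__":
    for blocking in (False, True):
        print(f"profile blocks unsupported={blocking}:", triage(SAMPLE_RECORDS, SUPPORTED_VERSIONS, blocking))
    print("need exception:", hosts_needing_exception(SAMPLE_RECORDS, SUPPORTED_VERSIONS))
```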

L4 Transporter

Downgraded from 7.0.3 to 6.1.8 and it was relatively painless.  I re-pushed the templates and policies via Panorama and then did the global override for LDAP to add our Active Directory domain (see my article on this) and cleaned up my wildfire rules (changes in 7.x vs 6.x).


So far, so good.  Some of the issues surrounding SSL (such as large file sessions timing out) seem to be resolved now.  There is no support for PFS as stated above (I believe that’s a 7.1.x feature).  I will report again next week on the crashes due to the SSL memory leak which usually take a few days to manifest.


-Matt
