I'm starting a new project where I will be migrating Juniper Firewalls to PAN-OS.
I would like to hear an opinion if there is a point to migrate to 7.0 instead of latest 6.1.x.
I would appreciate complete and well explained suggestions.
I would go with 6.1.5 (just came out), since 6.1.x probably is more polished and bugs ironed out. I am testing 7.0 in my test environment, nothing major yet, but I go against placing a brand new major release in production.
I will be personally waiting until 7.0.2 or so probably, unless there becomes a need to update sooner such as security issue or need one of the new features.
I'd say a lot depends on what you are doing with the Juniper firewalls and your timeline for deploying PA's in production. If your existing configuration isn't super-complex and you have a bit of time to wait for the next minor release (just-in-case as a precaution), start with 7.0. I am running 7.0 a couple of smaller firewalls (no surprises so far). I'm leaving the larger production PA's on 6.x code for now.
Are you currently running SSG's or NS-??? boxes? I don't have first hand experience with Palo Alto Migration Tool 3.0. It might be worth evaluating how well it does with your Juniper firewall configs...
Thanks for your response. I about 5 of SSG550 to migrate, 2 them are HA pair and there I'm thinking to stick with 6.1.5.
However, the other 3 SSG550's have relatively simple configurations and I'm seriously thinking to go with 7.0 there, however I'm not 100% sure yet and that's why I've created this topic.
I definitely will use MT3 to migrate and will post the experience.
I am very conservative for unexpected outages. So your milage may vary.
I waited to the 5.0.6 release before upgrading. For the next round I went to PanOS 6.0.3 as the comfortable path.
Palo Alto has made tremendous strides in release quality over the years.
Your best resource for getting a bead on your comfort for upgrade is your sales engineer. I would ask for the list of reported bugs roughly 2-3 weeks after each release. We would scan these against our deployed feature set. Would the reported bug affect our systems?
Then with the next release we read the reported fixed issues and the reported known issues. Again we compare against our deploy to see how many would affect us.
Once the list of bugs that actually affect our features is basically null, we go for the upgrade for the new train.
Steven is absolutely correct... keep the lines of communication open with your Palo Alto Networks or reseller SE. They can help with recommending PAN-OS versions. Generally speaking, they will start recommending a release when the following has happened:
1.) statically significant % of customers running the new release
2.) the new release has been available for more than 30 days
3.) no major P1 critical bugs reported for that release
If a PAN-OS version can meet all 3 requirements, then it will likely be recommended.
Of course, if there is a feature that you absolutely must have, then you can be a little more adventurous about using new(er) versions of PAN-OS... just remember that you'll be on the "cutting edge" and might need a band-aid or two. :smileyhappy:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!