This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA-3410 Refer Latest Version and Upgrade Path

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-3410 Refer Latest Version and Upgrade Path

nhutvt2
L1 Bithead

‎05-20-2024 02:57 AM

Hi Guy,

I am using PA-3410 PAN-OS version 10.2.8-h3, I want to upgrade the firewall to the latest reference version. Thanks to the team, please help me refer to the latest version of the current device and the upgrade path.

0 Likes Likes
10 REPLIES 10

TomYoung
Cyber Elite
Cyber Elite

‎05-20-2024 04:09 AM

Hi @nhutvt2 ,

 

The current (as of the day of this post) TAC recommended version in the 10.2 train is 10.2.9-h.  https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

nhutvt2
L1 Bithead
In response to TomYoung

‎05-20-2024 04:13 AM

Thanks TomYoung.

What about versions 11.x.x? Can you refer me to the best current version? I will upgrade my device to the latest versions as recommended.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-20-2024 04:18 AM

Hi @nhutvt2 ,

 

Please look on the URL that I posted for the recommended release for all major release trains.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

nhutvt2
L1 Bithead
In response to TomYoung

‎05-20-2024 04:21 AM

It Access Deny when I access.

nhutvt2_0-1716204105854.png

 

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-20-2024 06:38 AM

Hi @nhutvt2 ,

 

That is strange.  As far as I know, your live community login should give you access to that page.  The current preferred release for the 11.1 train is 11.1.2-h3.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to nhutvt2

‎05-21-2024 08:01 AM

@nhutvt2 wrote:

Thanks TomYoung.

What about versions 11.x.x? Can you refer me to the best current version? I will upgrade my device to the latest versions as recommended.

If you are deploying this to a production firewall environment I wouldn't run anything beyond 10.2.X.  IMO 11.0, 11.1 and 11.2 are not ready for production environments yet.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-21-2024 08:41 AM - edited ‎05-21-2024 09:06 AM

Hi @Brandon_Wertz ,

 

That is a good point.  Some of the newer models only run 11+.  So, I have customers on 11.1.

 

PAN-OS 11.1 has been out 18 months which is my personal threshold for considering it for production.  I am leaning towards upgrading my NGFWs to 11.1 soon.  (EDIT:  Wrong!  See post below.)  What has been your experience been with 11.1?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to TomYoung

‎05-21-2024 08:55 AM

@TomYoung  -- Did you mean 11.0 has been out for 18 months?

My past 11(ish) years of running Palo I don't deploy any code that isn't at least a .6+ on the patched version and I really prefer to be .8  Every single time I've deployed code/hardware running below that we've hit a system impacting bug...EVERY single time.  (Since 6.0)

 

We recently (6 months ago) deployed 3410s running 10.2.6 and had a HA/BGP bug that wasn't fixed until 10.2.8 I believe.  (We were able to get a special hotfix version for 10.2.7.  

 

If it's new code and new hardware I wait until the .8 now.

 

About a year ago I tried upgrading from 10.1.5 to 10.1.9+...Palo changed how the firewall responded to ARPs.  IMO this should have been a major release modification, but Palo did it under a minor fix.  It took almost 12 months and months long engineering engagement to identify why traffic was failing when we were upgrading.

 

 

Brandon_Wertz_0-1716306548729.png

 

TomYoung
Cyber Elite
Cyber Elite

‎05-21-2024 09:05 AM

Hi @Brandon_Wertz ,

 

Thank you for the correction!  PAN-OS 11.0 has been out 18 months.  I did the math wrong for 11.1.  That settles it.  I don't see a reason to upgrade to 11.0 since it will go EoL this November and force me to go to 11.1 which would be out only 12 months at the time.  I will keep my stuff at 10.2.

 

I like your method of waiting for the x.x.8 maintenance release.  I will see how close that corresponds to my 18 month benchmark.

 

Thanks!

 

Tom

Help the community: Like helpful comments and mark solutions.

Brandon_Wertz
L6 Presenter
In response to TomYoung

‎05-21-2024 09:10 AM - edited ‎05-21-2024 09:12 AM

Yeah I'm skipping 11.0 all together.  Still have most on 10.1.X with only 3400s running 10.2.  I'll be pushing our 10.1.X to 10.2.X here in October.  Then ridding 10.2.X until EOS around Jun-25 just before EOS in Aug.  Hopefully by then 11.1.X will be stable for an enterprise at which point I'll upgrade 110+ firewalls to 11.1.X.

 

It's a real balancing act trying to find the "right" stable code, but we usually run older code, we hit too many service impacting bugs.  (We actually hit a MD5 hash collision on a commit once.  2 URL profiles ended up having the same MD5 hash upon a commit.  That's how unlucky we are) 

0 Likes Likes
  • 1576 Views
  • 10 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks