PA-3410 Refer Latest Version and Upgrade Path

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-3410 Refer Latest Version and Upgrade Path

L1 Bithead

Hi Guy,

I am using PA-3410 PAN-OS version 10.2.8-h3, I want to upgrade the firewall to the latest reference version. Thanks to the team, please help me refer to the latest version of the current device and the upgrade path.

10 REPLIES 10

Cyber Elite
Cyber Elite

Hi @nhutvt2 ,

 

The current (as of the day of this post) TAC recommended version in the 10.2 train is 10.2.9-h.  https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks TomYoung.

What about versions 11.x.x? Can you refer me to the best current version? I will upgrade my device to the latest versions as recommended.

Cyber Elite
Cyber Elite

Hi @nhutvt2 ,

 

Please look on the URL that I posted for the recommended release for all major release trains.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

It Access Deny when I access.

nhutvt2_0-1716204105854.png

 

Cyber Elite
Cyber Elite

Hi @nhutvt2 ,

 

That is strange.  As far as I know, your live community login should give you access to that page.  The current preferred release for the 11.1 train is 11.1.2-h3.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.


@nhutvt2 wrote:

Thanks TomYoung.

What about versions 11.x.x? Can you refer me to the best current version? I will upgrade my device to the latest versions as recommended.


If you are deploying this to a production firewall environment I wouldn't run anything beyond 10.2.X.  IMO 11.0, 11.1 and 11.2 are not ready for production environments yet.

Cyber Elite
Cyber Elite

Hi @Brandon_Wertz ,

 

That is a good point.  Some of the newer models only run 11+.  So, I have customers on 11.1.

 

PAN-OS 11.1 has been out 18 months which is my personal threshold for considering it for production.  I am leaning towards upgrading my NGFWs to 11.1 soon.  (EDIT:  Wrong!  See post below.)  What has been your experience been with 11.1?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung  -- Did you mean 11.0 has been out for 18 months?

My past 11(ish) years of running Palo I don't deploy any code that isn't at least a .6+ on the patched version and I really prefer to be .8  Every single time I've deployed code/hardware running below that we've hit a system impacting bug...EVERY single time.  (Since 6.0)

 

We recently (6 months ago) deployed 3410s running 10.2.6 and had a HA/BGP bug that wasn't fixed until 10.2.8 I believe.  (We were able to get a special hotfix version for 10.2.7.  

 

If it's new code and new hardware I wait until the .8 now.

 

About a year ago I tried upgrading from 10.1.5 to 10.1.9+...Palo changed how the firewall responded to ARPs.  IMO this should have been a major release modification, but Palo did it under a minor fix.  It took almost 12 months and months long engineering engagement to identify why traffic was failing when we were upgrading.

 

 

Brandon_Wertz_0-1716306548729.png

 

Cyber Elite
Cyber Elite

Hi @Brandon_Wertz ,

 

Thank you for the correction!  PAN-OS 11.0 has been out 18 months.  I did the math wrong for 11.1.  That settles it.  I don't see a reason to upgrade to 11.0 since it will go EoL this November and force me to go to 11.1 which would be out only 12 months at the time.  I will keep my stuff at 10.2.

 

I like your method of waiting for the x.x.8 maintenance release.  I will see how close that corresponds to my 18 month benchmark.

 

Thanks!

 

Tom

Help the community: Like helpful comments and mark solutions.

Yeah I'm skipping 11.0 all together.  Still have most on 10.1.X with only 3400s running 10.2.  I'll be pushing our 10.1.X to 10.2.X here in October.  Then ridding 10.2.X until EOS around Jun-25 just before EOS in Aug.  Hopefully by then 11.1.X will be stable for an enterprise at which point I'll upgrade 110+ firewalls to 11.1.X.

 

It's a real balancing act trying to find the "right" stable code, but we usually run older code, we hit too many service impacting bugs.  (We actually hit a MD5 hash collision on a commit once.  2 URL profiles ended up having the same MD5 hash upon a commit.  That's how unlucky we are) 

  • 1473 Views
  • 10 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!