03-07-2023 05:24 AM - edited 03-07-2023 05:32 AM
I would highly recommend waiting on deploying 10.1.9 in your environment, whether it be large enterprise or SOHO.
Recently my company had upgraded a 5250 pair from 10.1.8 to 10.1.9 as we had experienced 2 service impacting bugs.
After upgrading to 10.1.9 we found that the FW was exhibiting odd behavior where traffic which had specific allow rules for it wasn't matching the defined allow rules and was instead being denied altogether or was matching a different rule lower in the policy stack.
What made troubleshooting this further was the traffic which was being denied, that shouldn't have been, could only be seen in the session browser as being denied. Even hours later the incorrectly denied traffic was nowhere in the GUI logs; and could only be found in the CLI by using the session ID from the temporary session browser view while the session existed there.
We had a log P1 TAC case that unfortunately found no cause for this behavior so we downgraded back to 10.1.8 and all services were restored.
Traffic types affected were:
IKE
IPSec
GRE
Non-decrypted HTTPS TLS1.2 (That we saw)
03-07-2023 08:12 PM
Hi @Brandon_Wertz ,
Thanks for sharing! This is great feedback that can be helpful for our users.
03-09-2023 10:08 AM
OK so 10.1.8 is pretty good?
03-09-2023 10:17 AM
To piggyback on the topic.
March 7 dynamic update updated threat id 32968 that has loads of false positives in SMTP traffic and no fix out yet...