PAN OS 8.1.5 - Thoughts?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN OS 8.1.5 - Thoughts?

L2 Linker

Hi there! Has anybody had the chance to play with PAN OS 8.1.5 yet in Production? Are there any noticable issues? I've been locked into this killchain of bugs ever since we made the leap to 8.1.0, and I'm just wondering if this build will be the "stable" release.

18 REPLIES 18

Cyber Elite
Cyber Elite

@Fr4nk4,

Hasn't been out long enough to determine that at all. 

L3 Networker

Hello

The palo alto TAC say the stable version for 8.1 is 8.1.3.  We will upgrade to 8.1.5 in the next days. In 8.1.5 fix a lot issue related with panorama M-series and VM. So also in this new release PA do not adding any new features. I hope this version is more stable that 8.1.3.

what kind of issues do you have with 8.1.x?

 

Best Regards

Best Regards

Apadilla,

 

We've been having some really wierd issues with the Palo Alto on 8.1 code. I've seen issues with some application signatures breaking. One of them was RTP, which we use for our fax server. It should allow all of the dynamic UDP ports, but some ports were being blocked between the fax server and the call manager. This was on 8.1.3, and we've upgraded to 8.1.4 now.

 

We've had issues with the Globalprotect data file not updating. That was sorta fixed in 8.1.4. I'm still having issues with HIP check on Globalprotect, but it's random.

 

The main thing we're seing that is troublesome is, at random intervals Office 365 traffic will get denied on the firewall for no reason. We're using Minemeld to grab the list of updated IP's from Microsoft, and I compared those to an actual IP list from a powershell script that gets the IPs. I compared the 2 text files and they are identical, so I have no clue as to why traffic is getting blocked intermittently. 

 

Honestly, it feels like things get better every time we upgrade to a newer build, but it never feels as stable as  8.0 was. Have you upgraded to 8.1.5 yet? If so, have you noticed any issues?

Hello Fr4nk4

 

Not yet, This 12/12 We will proceed to upgrade one panorama to 8.1.5  and Thuerday one 3260 upgrade to 8.1.5. I hope to have good news for you. 

 

But I hope this release not show critical issues.


In this link you can see the critical issues fixed in each release

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC

 

Best Regards

Andres

 

 

Best Regards

Hey @Apadilla

 

That's interesting that TAC informed you that PAN-OS 8.1.3 was recommended, I know for a fact that PA-3200 series have internal path monitoring failures occurring on PAN-OS 8.1.3 which causes the dataplane to restart (fixed in 8.1.4). 

 

8.1.4 looks to be fairly recommended if you're not using Panorama from what I've seen. Otherwise, we'll see what 8.1.5 has to bring to the table with regards to stability since that does have a number of Panorama fixes as you mention.

 

Cheers,

Luke.

@Apadilla,

Actually last I heard that's just straight wrong. 8.1.4 is the current recommended version of 8.1 if the software features or hardware make 8.1 a requirement. 

@BPry

 

Looks like we're in agreement 😉

L1 Bithead

Looking at this confirms that I should stay on 8.0.x. Very helpful!

L1 Bithead

Having issues with OS 8.1.5 Security Policies start dropping traffic every morning at 4 am.

L2 Linker

Hello,

M-100  Panorama cluster A/P upgraded to 8.1.5. For now the panorama working as expeted without issues. For now looking stable PANOS8.1.5 Also we have 3060 cluster firewall upgraded to 8.1.5, for not working as expeted. 

 

With Panorama we experimented issues due to you need active "suspend local device" to upgrade the devices, if you not active this option each time that you start the upgrade proceess the device get stuck on 36% of progress. And you need restart the management server (debug software restart process management-server).

 

 

 

 

I've also had problems with 8.1.5 dropping all traffic - the same as DonJarmon - it occurs after antivirus updates each day at 11pm.  It's highly disruptive and creates a massive outage to service.  Traffic that is normally permitted ceases to be permitted and starts hitting the default deny rule.

Forcing a FQDN refresh and clearing SIP sessions (for some reason these get stuck too) brings everything back to life.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC has it listed as PAN-100244 but it seems to me to be affected and resolved in completely the opposite versions, namely present in 8.1.5 but not present in any versions prior.

 

I have gone back to 8.1.4 now as I can't afford to have this sort of problem leading up to holidays.  This is the first major problem I've encountered in a maintenance release.

@ReubenFarrelly That is very disconcerting that you are seing this in 8.1.5.  We're seeing sporadic denies of traffic going out to Office 365 on 8.1.4. We use an EDL for the Destination, and I was told by a Palo Alto rep that this is a known bug (PAN-100244) and is fixed in 8.1.5. As a precaution, I have set the Antivirus updates to only execute once at 5:15am. I will have someone on the early shift monitor traffic after that time, and with any luck, hopefully we are unaffected. If will let you all know how it goes. Fingers Crossed! 

 

So we made the jump to 8.1.5 and all is well right now! The EDL issue is definitely gone. I just wanted to let you all know. 

L1 Bithead
  • 12528 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!