12-04-2018 03:48 PM
Hi there! Has anybody had the chance to play with PAN OS 8.1.5 yet in Production? Are there any noticeable issues? I've been locked into this killchain of bugs ever since we made the leap to 8.1.0, and I'm just wondering if this build will be the "stable" release.
12-05-2018 09:08 AM
The Palo Alto TAC says the stable version for 8.1 is 8.1.3. We will upgrade to 8.1.5 in the next few days. 8.1.5 fixes a lot of issues related to Panorama M-series and VM. Also, in this new release PA is not adding any new features. I hope this version is more stable than 8.1.3.
What kind of issues do you have with 8.1.x?
12-10-2018 03:51 PM
We've been having some really weird issues with the Palo Alto on 8.1 code. I've seen issues with some application signatures breaking. One of them was RTP, which we use for our fax server. It should allow all of the dynamic UDP ports, but some ports were being blocked between the fax server and the call manager. This was on 8.1.3, and we've upgraded to 8.1.4 now.
We've had issues with the GlobalProtect data file not updating. That was sorta fixed in 8.1.4. I'm still having issues with HIP check on GlobalProtect, but it's random.
The main thing we're seeing that is troublesome is that, at random intervals, Office 365 traffic will get denied on the firewall for no reason. We're using Minemeld to grab the list of updated IPs from Microsoft, and I compared those to an actual IP list from a PowerShell script that gets the IPs. I compared the 2 text files and they are identical, so I have no clue as to why traffic is getting blocked intermittently.
Honestly, it feels like things get better every time we upgrade to a newer build, but it never feels as stable as 8.0 was. Have you upgraded to 8.1.5 yet? If so, have you noticed any issues?
12-10-2018 04:15 PM
Not yet. On 12/12 we will proceed to upgrade one Panorama to 8.1.5, and on Thursday one 3260 to 8.1.5. I hope to have good news for you.
But I hope this release does not show critical issues.
In this link you can see the critical issues fixed in each release
12-11-2018 06:30 AM
That's interesting that TAC informed you that PAN-OS 8.1.3 was recommended, I know for a fact that PA-3200 series have internal path monitoring failures occurring on PAN-OS 8.1.3 which causes the dataplane to restart (fixed in 8.1.4).
8.1.4 looks to be fairly recommended if you're not using Panorama from what I've seen. Otherwise, we'll see what 8.1.5 has to bring to the table with regards to stability since that does have a number of Panorama fixes as you mention.
12-11-2018 06:33 AM
Actually last I heard that's just straight wrong. 8.1.4 is the current recommended version of 8.1 if the software features or hardware make 8.1 a requirement.
12-11-2018 06:35 AM
12-11-2018 07:53 PM
Looking at this confirms that I should stay on 8.0.x. Very helpful!
12-15-2018 03:24 PM
Having issues with OS 8.1.5: Security Policies start dropping traffic every morning at 4 am.
12-17-2018 01:47 PM
M-100 Panorama cluster A/P upgraded to 8.1.5. For now the Panorama is working as expected without issues. For now PANOS 8.1.5 is looking stable. Also we have a 3060 cluster firewall upgraded to 8.1.5, for not working as expected.
With Panorama we experienced issues because you need to activate "suspend local device" to upgrade the devices; if you do not activate this option, each time that you start the upgrade process the device gets stuck at 36% of progress, and you need to restart the management server (debug software restart process management-server).
12-19-2018 09:47 AM
I've also had problems with 8.1.5 dropping all traffic - the same as DonJarmon - it occurs after antivirus updates each day at 11pm. It's highly disruptive and creates a massive outage to service. Traffic that is normally permitted ceases to be permitted and starts hitting the default deny rule.
Forcing a FQDN refresh and clearing SIP sessions (for some reason these get stuck too) brings everything back to life.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC has it listed as PAN-100244 but it seems to me to be affected and resolved in completely the opposite versions, namely present in 8.1.5 but not present in any versions prior.
I have gone back to 8.1.4 now as I can't afford to have this sort of problem leading up to holidays. This is the first major problem I've encountered in a maintenance release.
12-19-2018 04:49 PM
@ReubenFarrelly That is very disconcerting that you are seeing this in 8.1.5. We're seeing sporadic denies of traffic going out to Office 365 on 8.1.4. We use an EDL for the Destination, and I was told by a Palo Alto rep that this is a known bug (PAN-100244) and is fixed in 8.1.5. As a precaution, I have set the Antivirus updates to only execute once at 5:15am. I will have someone on the early shift monitor traffic after that time, and with any luck, hopefully we are unaffected. I will let you all know how it goes. Fingers Crossed!
12-20-2018 03:49 PM
So we made the jump to 8.1.5 and all is well right now! The EDL issue is definitely gone. I just wanted to let you all know.
12-21-2018 05:40 AM - edited 12-21-2018 05:41 AM
Having issue with SNMP ifInOctets/ifOutOctets in PanOS 8.1.5: