The palo alto TAC say the stable version for 8.1 is 8.1.3. We will upgrade to 8.1.5 in the next days. In 8.1.5 fix a lot issue related with panorama M-series and VM. So also in this new release PA do not adding any new features. I hope this version is more stable that 8.1.3.
what kind of issues do you have with 8.1.x?
We've been having some really wierd issues with the Palo Alto on 8.1 code. I've seen issues with some application signatures breaking. One of them was RTP, which we use for our fax server. It should allow all of the dynamic UDP ports, but some ports were being blocked between the fax server and the call manager. This was on 8.1.3, and we've upgraded to 8.1.4 now.
We've had issues with the Globalprotect data file not updating. That was sorta fixed in 8.1.4. I'm still having issues with HIP check on Globalprotect, but it's random.
The main thing we're seing that is troublesome is, at random intervals Office 365 traffic will get denied on the firewall for no reason. We're using Minemeld to grab the list of updated IP's from Microsoft, and I compared those to an actual IP list from a powershell script that gets the IPs. I compared the 2 text files and they are identical, so I have no clue as to why traffic is getting blocked intermittently.
Honestly, it feels like things get better every time we upgrade to a newer build, but it never feels as stable as 8.0 was. Have you upgraded to 8.1.5 yet? If so, have you noticed any issues?
Not yet, This 12/12 We will proceed to upgrade one panorama to 8.1.5 and Thuerday one 3260 upgrade to 8.1.5. I hope to have good news for you.
But I hope this release not show critical issues.
In this link you can see the critical issues fixed in each release
That's interesting that TAC informed you that PAN-OS 8.1.3 was recommended, I know for a fact that PA-3200 series have internal path monitoring failures occurring on PAN-OS 8.1.3 which causes the dataplane to restart (fixed in 8.1.4).
8.1.4 looks to be fairly recommended if you're not using Panorama from what I've seen. Otherwise, we'll see what 8.1.5 has to bring to the table with regards to stability since that does have a number of Panorama fixes as you mention.
M-100 Panorama cluster A/P upgraded to 8.1.5. For now the panorama working as expeted without issues. For now looking stable PANOS8.1.5 Also we have 3060 cluster firewall upgraded to 8.1.5, for not working as expeted.
With Panorama we experimented issues due to you need active "suspend local device" to upgrade the devices, if you not active this option each time that you start the upgrade proceess the device get stuck on 36% of progress. And you need restart the management server (debug software restart process management-server).
I've also had problems with 8.1.5 dropping all traffic - the same as DonJarmon - it occurs after antivirus updates each day at 11pm. It's highly disruptive and creates a massive outage to service. Traffic that is normally permitted ceases to be permitted and starts hitting the default deny rule.
Forcing a FQDN refresh and clearing SIP sessions (for some reason these get stuck too) brings everything back to life.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC has it listed as PAN-100244 but it seems to me to be affected and resolved in completely the opposite versions, namely present in 8.1.5 but not present in any versions prior.
I have gone back to 8.1.4 now as I can't afford to have this sort of problem leading up to holidays. This is the first major problem I've encountered in a maintenance release.
@ReubenFarrelly That is very disconcerting that you are seing this in 8.1.5. We're seeing sporadic denies of traffic going out to Office 365 on 8.1.4. We use an EDL for the Destination, and I was told by a Palo Alto rep that this is a known bug (PAN-100244) and is fixed in 8.1.5. As a precaution, I have set the Antivirus updates to only execute once at 5:15am. I will have someone on the early shift monitor traffic after that time, and with any luck, hopefully we are unaffected. If will let you all know how it goes. Fingers Crossed!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!