02-12-2019 10:12 AM - edited 02-12-2019 10:13 AM
Today Palo Alto Networks officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions, those of us who have been participating in the beta are now actually able to give you direct answers.
Like any major release, the next few weeks will be filled with new posts describing issues users are having with 9.0, the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.
Upgrade Advice:
Stop and Think! When upgrading to the next major version, the first question you should be asking yourself this early in the product's release cycle is whether you need the new features or whether you want the new features. Disrupting business because you wanted to install 9.0 for the new feature set is a terrible idea. If you have a business need for the new features, the risk associated with running a new major release can be offset by that business need.
Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0, I would hold off on rushing to install 9.0 on production equipment.
There are issues:
Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that runs to over 100 different issue IDs!
My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature, please stay away from 9.0 for the time being. Let those of us who have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0.
Questions about 9.0?
Now that 9.0 is officially released and beta members are no longer held by their NDAs, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment, I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and see what Palo Alto has on the roadmap.
Lastly:
I can't stress this enough: 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test that your configuration will actually work in 9.0, you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS.
Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks.
02-12-2019 10:59 AM
Ok, over / under...
How many posts about how terrible 9.0.X is and how someone's environment is degraded because they have deployed 9.0.X (because of a want) without the due diligence you talked about?
I am gonna go with 8.
02-12-2019 11:08 AM
How long are we going to let it go for? I easily see 10 within the first few weeks just like with 8.1.
02-12-2019 01:33 PM
Funny, I've got a 5220 (I see it for download in my user account on the Palo support portal) and it doesn't see the 9.0.0 software to download, but my 3220 pair sees it.
02-12-2019 01:37 PM
Odd. I can download it from support for my 5200s perfectly fine.
02-12-2019 01:39 PM
Yeah, not sure... The box is fully supported and has no other "connectivity" issues, so I'm not sure why the hangup. Not that I'm trying to install it ATM, just a curiosity I had.
02-12-2019 02:16 PM
Even 8.1.6 isn't recommended yet, right?
Now with this topic you created (and if we keep replying so that this topic stays on top, as I don't think paloalto will make this a sticky topic) I think there will be fewer "my network is down after installing 9.0.0 - why?" topics, so I'm gonna say 6 😉
02-12-2019 02:21 PM
To the best of my knowledge it is not.
02-12-2019 06:18 PM
I got pretty excited while reading the release notes today and I'm installing 9.0 on my lab PAN-220 this evening to give it a spin.
Things that jumped out at me
Things I have questions about
Seems like I had some other questions but they aren't coming to mind at the moment.
02-12-2019 06:34 PM
Things I have questions about
An upgrade to 5.0.0 for the desktop agents is available at this time. They just refreshed the Windows and macOS interface a while back, so I wouldn't expect any major redesigns in the near future. There will be an upgraded Android app pushed out in the near future; the iOS upgrade was a little rushed out due to iOS 12.
Nope. You can still only have one entry with the same name, or you'll run into an issue with the validation process.
I believe these simply count towards the device's tunnel limit. So 1,000 for a PA-220. Don't take my word for that though.
02-12-2019 07:37 PM - edited 02-12-2019 07:51 PM
Wow, our 5250s can do 30,000 tunnels. Do we know what the GRE throughput performance looks like? I know IPSec and GlobalProtect SSL tunnels have limited max bandwidth, but I've always heard GRE has the potential to be closer to standard network speeds.
That's kind of disappointing on the Unique Policy ID but the audit history is still really cool.
*edit* I just downloaded GP 5.0 64-bit for Windows. It's a completely different interface than the 4.x client! Definitely will play around with it. Can't wait for the Android version.
02-12-2019 08:15 PM
@jsalmans wrote: Wow, our 5250s can do 30,000 tunnels. Do we know what the GRE throughput performance looks like? I know IPSec and GlobalProtect SSL tunnels have limited max bandwidth, but I've always heard GRE has the potential to be closer to standard network speeds.
*edit* I just downloaded GP 5.0 64-bit for Windows. It's a completely different interface than the 4.x client! Definitely will play around with it. Can't wait for the Android version.
I have to admit I've been using the 5.0 beta for a while now, but I don't recall any major interface differences between 4.1 and 5.0. I could simply be forgetting about them, or you could have been using 4.0, which 5.0 is a noticeable improvement over (even more so if using a 3.* agent).
As for the GRE throughput, I haven't tested this feature in-depth on the production release, and giving a bandwidth rating on the beta wouldn't be fair. From the limited testing that I did, it was noticeably faster than IPSec tunnels, as one would expect.
02-13-2019 05:41 AM
@jsalmans wrote:
- Multiple categories for URL filtering is definitely cool and could allow more granular control
- Cisco SGT
These two features were eye catchers for me as well. Regarding SGT incorporation, your FW deployment needs to be L2 or vwire, so admins just need to be mindful of that. (Hopefully L3 integration will come in the future; not sure how likely that is though.)
There's also VXLAN inspection and security policy enforcement on traffic in said tunnel (without the need for terminating the tunnel on the box), which is really cool I think.
02-13-2019 08:12 AM
Odd, I downloaded the 5.x version of GP and it looked exactly the same as the 4.x version I was running. Also, the Android version was redesigned a while ago and looks beautiful compared to the previous version. Not sure why so many people posting here are seeing different things with these clients...
02-13-2019 08:47 AM
The 5.0 GP agent hasn't been overhauled for any client outside of iOS; I just went back and checked 4.0 and 4.1. While the Android version definitely looks better than it did when it first launched, the iOS redesign is vastly improved and is what 5.0 should look like on Android when it officially launches.