PAN-OS 9.0 Released - Stop and Think



Cyber Elite

Today Palo Alto Networks officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions, those of us that have been participating in the beta are now actually able to give you direct answers.

Like any major release the next few weeks will be filled with new posts describing issues users are having with 9.0; the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.

 

Upgrade Advice:

Stop and Think! When upgrading to the next major version, the first question you should be asking yourself this early in the product's release cycle is whether you need the new features or whether you want the new features. Disrupting business because you wanted to install 9.0 for the new feature set is a terrible idea. If you have a business need for the new features, the risk associated with running a new major release can be offset by that business need.

Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0 I would hold off on rushing to install 9.0 on production equipment. 

 

There are issues:

Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that is over 100 different issue IDs!

 

My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature please stay away from 9.0 for the time being. Let those of us that have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0. 

 

Questions about 9.0?

Now that 9.0 is officially released and beta members are no longer held by their NDAs, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment, I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and see what Palo Alto has on the roadmap.

 

Lastly:

I can't stress this enough; 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test that your configuration will actually work in 9.0, you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS.

 

Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks. 


L6 Presenter

Ok, over / under...

 

How many posts about how terrible 9.0.X and someone's environment is degraded because they have deployed 9.0.X (because of a want) without the due diligence you talked about?

 

I am gonna go with 8.

@Brandon_Wertz,

How long are we going to let it go for? I easily see 10 within the first few weeks just like with 8.1. 

Funny, I've got a 5220 (I see it for download in my user account on the Palo support portal) and it doesn't see the 9.0.0 software to download, but my 3220 pair sees it.

@Brandon_Wertz,

Odd. I can download it from support for my 5200s perfectly fine. 

Yeah, not sure... The box is fully supported and has no other "connectivity" issues, so I'm not sure why the hangup. Not that I'm trying to install it ATM, just a curiosity I had.

L7 Applicator

@BPry

Even 8.1.6 isn't recommended yet, right?

 

Now with this topic you created (and if we keep replying so that this topic stays on top, as I don't think paloalto will make this a sticky topic) I think there will be fewer "my network is down after installing 9.0.0 - why?" topics, so I'm gonna say 6 😉

@Remo,

To the best of my knowledge it is not. 

L4 Transporter

I got pretty excited while reading the release notes today and I'm installing 9.0 on my lab PAN-220 this evening to give it a spin.

 

Things that jumped out at me

  • Security policy optimization is going to help out big time.  Expedition seems powerful but it also is a bit overwhelming when you're just trying to use it for security policy migration to app-based rules.  I'm sure I'll still use the best practices analyzer though.
  • App-default rules applying correctly to decrypted traffic including web-browsing... yay!
  • GRE tunnel support... A previous coworker had a thought about redoing our campus design to incorporate newer methods of network segmentation. GRE tunnels were an interesting method since it means the core and access layer can be pretty much whatever you need it to be as long as each building has a GRE capable Layer 3 device that can tunnel to the firewall.
  • Traffic simulator for security rules.... one of the only things I miss from the ASA.
  • DNS security
  • WinRM for UserID
  • Multiple categories for URL filtering is definitely cool and could allow more granular control
  • Cisco SGT

 

Things I have questions about

  • Any plans for a GlobalProtect update for other platforms besides iOS? I've seen it on my coworkers phones and it looks waayyyy better than my Android version or even the desktop versions.
  • Will the Universal Unique IDs for Policy Rules allow more than one rule with the same name? I ended up copying rules from our own old device group into our new one and, of course, am having to deal with rules with "-1" at the end due to the existing code using the rule name as the unique ID. I can also see this being handy for pointing a rule out to someone... rules being moved around or renamed makes them hard to refer to others sometimes.
  • GRE Tunnels.. how many can each hardware platform support?

 

Seems like I had some other questions but they aren't coming to mind at the moment.

@jsalmans,

Things I have questions about

  • Any plans for a GlobalProtect update for other platforms besides iOS? I've seen it on my coworkers phones and it looks waayyyy better than my Android version or even the desktop versions.

An upgrade to 5.0.0 for the desktop agents is available at this time. They just refreshed the Windows and macOS interface a while back, so I wouldn't expect any major redesigns in the near future. There will be an upgraded Android app pushed out in the near future; the iOS upgrade was rushed out a little due to iOS 12.

  • Will the Universal Unique IDs for Policy Rules allow more than one rule with the same name? I ended up copying rules from our own old device group into our new one and, of course, am having to deal with rules with "-1" at the end due to the existing code using the rule name as the unique ID. I can also see this being handy for pointing a rule out to someone... rules being moved around or renamed makes them hard to refer to others sometimes.

Nope. You can still only have one entry with the same name, or you'll run into an issue with the validation process. 

  • GRE Tunnels.. how many can each hardware platform support?

I believe these simply count towards the device's tunnel limit. So 1,000 for a PA-220. Don't take my word for that though.

Wow, our 5250s can do 30,000 tunnels. Do we know what the GRE throughput performance looks like? I know IPSec and GlobalProtect SSL tunnels have limited max bandwidth, but I've always heard GRE has the potential to be closer to standard network speeds.

 

That's kind of disappointing on the Unique Policy ID but the audit history is still really cool.

 

*edit* I just downloaded GP 5.0 64-bit for Windows.  It's a completely different interface than the 4.x client!  Definitely will play around with it.  Can't wait for the Android version.


@jsalmans wrote:

Wow, our 5250s can do 30,000 tunnels. Do we know what the GRE throughput performance looks like? I know IPSec and GlobalProtect SSL tunnels have limited max bandwidth, but I've always heard GRE has the potential to be closer to standard network speeds.


*edit* I just downloaded GP 5.0 64-bit for Windows.  It's a completely different interface than the 4.x client!  Definitely will play around with it.  Can't wait for the Android version.


I have to admit I've been using the 5.0 beta for a while now, but I don't recall any major interface differences between 4.1 and 5.0. I could simply be forgetting about them, or you could have been using 4.0 which 5.0 is a noticeable improvement over (even more so if using a 3.* agent).

 

As for the GRE throughput, I haven't tested this feature in depth on the production release, and giving a bandwidth rating on the beta wouldn't be fair. From the limited testing that I did, it was noticeably faster than IPSec tunnels, as one would expect.


@jsalmans wrote:

 

  • Multiple categories for URL filtering is definitely cool and could allow more granular control
  • Cisco SGT


These two features were eye catchers for me as well. Regarding SGT incorporation your FW deployment needs to be L2 or vwire, so admins just need to be mindful of that.  (Hopefully L3 integration will come in the future, not sure how likely that is though.)

 

There's also VXLAN inspection and security policy enforcement on traffic in said tunnel (without the need for terminating the tunnel on the box) as well which is really cool I think.

@jsalmans

 

Odd, I downloaded the 5.x version of GP and it looked exactly the same as the 4.x version I was running. Also, the Android version was redesigned a while ago and looks beautiful compared to the previous version. Not sure why so many people posting here are seeing different things with these clients...

@hshawn,

The 5.0 GP agent hasn't been overhauled for any client outside of iOS; I just went back and checked 4.0 and 4.1. While the Android version definitely looks better than it did when it first launched, the iOS redesign is vastly improved and is what 5.0 should look like on Android when it officially launches.
