PAN-OS 9.0 Released - Stop and Think

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN-OS 9.0 Released - Stop and Think

Cyber Elite
Cyber Elite

Today Palo Alto Network officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions those of us that have been participating with the beta are now actually able to give you direct answers. 

Like any major release the next few weeks will be filled with new posts describing issues users are having with 9.0; the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.

 

Upgrade Advice:

Stop and Think! When upgrading to the next major version the first question you should be asking yourself this early in the products release cycle is if you need the new features or if you want the new features. Disrupting business because you wanted to install 9.0 for the new featureset is a terrible idea. If you have a business need for the new features the risk associated with running a new major release can be offset by business need. 

Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0 I would hold off on rushing to install 9.0 on production equipment. 

 

There are issues:

Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that is over 100  different issue IDs! 

 

My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature please stay away from 9.0 for the time being. Let those of us that have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0. 

 

Questions about 9.0?

Now that 9.0 is officially released and beta members are no-longer held by their NDA's, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and seeing what Palo Alto has on the roadmap. 

 

Lastly:

I can't stress this enough; 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test your configuration will actually work in 9.0 you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS. 

 

Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks. 

30 REPLIES 30

I just checked the patch notes.  We're running 4.0.x currently and the visaul improvement came in 4.1:

 

"GlobalProtect app 4.1 for Windows and macOS endpoints introduces an enhanced user experience through a more modern and streamlined user interface and a more intuitive connection process. The new app features simplified workflows that enable end users to view and modify GlobalProtect app settings, manage notifications from a central location, and connect to or disconnect from GlobalProtect more seamlessly."

@BPry

 

Interesting, I just checked. I am running version 5.0.0 on Android 9 right now. It is the nice blue image with the single connect and disconnect button in the center

@hshawn,

You aren't a member of the Android beta are you? 5.0.0 is definately still only officially available in the beta channels with the new UI, and I haven't seen any official public releases being pushed out just yet. They could be pushing it to Play and letting Google do a phased roll-out to production however. 

 

@BPryhow does one get signed up for the beta?  I was in the beta for 4.0 or maybe one of the later 3.x versions but I think it was only for that version... I haven't seen beta community forums or emails for a long while.

@jsalmans,

I think officially to get started again you are supposed to contact your SE. That being said you could likely email beta-access@paloaltonetworks.com to get the ball rolling again and they would help you get your account and SNs registered. I know that Warren is always looking for new Beta members. 

L2 Linker

I'm quite disappointed in Palo Alto's approch to not make 9.0 supported on the 5000 (i.e 5020, 5060, etc.)  For a customer that purchased their equipment right before th 5200s came out it seems we (and probably many others) were screwed over on this deal.  Palo's approch when I discussed this was "you'll have to upgrade."  Ya that's all fine and good if you want to fork out another $250K for a pair fully licensed.  As an enterprise customer I would hope to get 5 years out of them but that dones't look to be possible IF we need some of the featuers in 9.  Now I'll admit that we wouldn't go to it until at least 9.0.6 or .7 so maybe a year out but that still is less than what we're hoping to get out of them.  I can see maybe not doing this on a 200 or 3000 but the 5000 should have more than enough power to handle it.  Just a major downer by PAN on this one.

@NickThen,

I'm not sure how much I can get into specifics due to it being brought up in an NDA conversation, but the 5000s are spec'd high enough to handle 9.0, but they lack the proper hardware compodents to make all the features work/work as suspected. Instead of branching the codebase it's easier for Palo Alto to simply drop any *000 series firewalls than having a 9.0 that can do certain things and one that can't due to platform. 

If you want to get into specifics you'd need to reach out to your SE and have them setup a meeting with the proper folks from Palo Alto, but that may or may not put you under an NDA about the specifics (This was prior to 9.0 being publically released so all talks I was having on the matter were NDA, you might not actually need one anymore?)

I think we're only up to like 3 threads asking about implementing 9.0.  Looks like I would have lost the bet.

 Looks like this topic has saved people from mischief 😉

 

(If this is true then this could have a negative impact on the first 9.0.x release that becomes recommended ... if fewer people who install 9.0.0 right away run into problems, less support cases will be opened, less problems are known and can be fixed and so it could take longer untill all critical ones will be solved 😛   )


@Remo wrote:

 Looks like this topic has saved people from mischief 😉

 

(If this is true then this could have a negative impact on the first 9.0.x release that becomes recommended ... if fewer people who install 9.0.0 right away run into problems, less support cases will be opened, less problems are known and can be fixed and so it could take longer untill all critical ones will be solved 😛   )


 

Good point...Install away!!  Hit those bugs before I do.  That way when I upgade at 9.0.6+ I don't hit a bug no one has seen yet.

Yes, I am pretty bummed that my 5050 are not supported, but my 3020 are.

L1 Bithead

Didn't mean to "me too" your post!

 


@BPry wrote:

If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and seeing what Palo Alto has on the roadmap. 

 

Do you know off hand how I would sign up for the beta program?

 

Thanks!

Troy

@tszafalowicz 

Just ask your SE. He can add you to the beta program or at least forward your request into the right direction.


@Brandon_Wertz wrote:

 

Good point...Install away!!  Hit those bugs before I do.  That way when I upgade at 9.0.6+ I don't hit a bug no one has seen yet.


I hit a bug in 8.0.15 no one had found yet...


@DPoppleton wrote:

@Brandon_Wertz wrote:

 

Good point...Install away!!  Hit those bugs before I do.  That way when I upgade at 9.0.6+ I don't hit a bug no one has seen yet.


I hit a bug in 8.0.15 no one had found yet...


 

We hit an unidentifed bug in 8.0.10 (which won't be back ported into 8.0, but will make it's way into 8.1.X -- super rare hash collision)

We hit a bug in 8.0.14 memory leak...fixed by upgrading to 8.1.6

 

So yeah, truly anything is possible but by-in-large the .5/6 patch is usually when the code base gets stable.

  • 16343 Views
  • 30 replies
  • 7 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!