Today Palo Alto Networks officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions, those of us that have been participating in the beta are now actually able to give you direct answers.
Like any major release the next few weeks will be filled with new posts describing issues users are having with 9.0; the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.
Stop and Think! When upgrading to the next major version, the first question you should be asking yourself this early in the product's release cycle is if you need the new features or if you want the new features. Disrupting business because you wanted to install 9.0 for the new feature set is a terrible idea. If you have a business need for the new features, the risk associated with running a new major release can be offset by business need.
Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0 I would hold off on rushing to install 9.0 on production equipment.
There are issues:
Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that is over 100 different issue IDs!
My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature please stay away from 9.0 for the time being. Let those of us that have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0.
Questions about 9.0?
Now that 9.0 is officially released and beta members are no longer held by their NDAs, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and see what Palo Alto has on the roadmap.
I can't stress this enough; 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test that your configuration will actually work in 9.0, you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS.
Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks.
Ok, over / under...
How many posts about how terrible 9.0.X is and how someone's environment is degraded because they have deployed 9.0.X (because of a want) without the due diligence you talked about?
I am gonna go with 8.
Yeah, not sure... The box is fully supported and has no other "connectivity" issues, so I'm not sure why the hangup. Not that I'm trying to install it ATM, just a curiosity I had.
Even 8.1.6 isn't recommended yet, right?
Now with this topic you created (and if we keep replying so that this topic stays on top, as I don't think Palo Alto will make this a sticky topic) I think there will be fewer "my network is down after installing 9.0.0 - why?" topics, so I'm gonna say 6 ;)
I got pretty excited while reading the release notes today and I'm installing 9.0 on my lab PAN-220 this evening to give it a spin.
Things that jumped out at me
Things I have questions about
Seems like I had some other questions but they aren't coming to mind at the moment.
Things I have questions about
An upgrade to 5.0.0 for the desktop agents is available at this time. They just refreshed the Windows and macOS interface a while back so I wouldn't expect any major redesigns in the near future. There will be an upgraded Android app pushed out in the near future; the iOS upgrade was a little rushed out due to iOS 12.
Nope. You can still only have one entry with the same name, or you'll run into an issue with the validation process.
I believe these simply count towards the device's tunnel limit. So 1,000 for a PA-220. Don't take my word for that though.