PANOS 9.1.13 Planning NOT to upgrade before Dec 31 Cert Expiry

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PANOS 9.1.13 Planning NOT to upgrade before Dec 31 Cert Expiry

L1 Bithead

Hello everyone, I have an old PA 220 running 9.1.13 that is out of support. It is running in an air-gapped network that has not been updated since the start of the year. The plan was to have our replacement 440s take over this network before end of the year but this is no longer happening so my question/concern is obviously with the 220 running code with an expiring root certificate.

 

Given the scenario I've mentioned above should I be concerned about traffic suddenly stopping on this device or any other "show stoppers"? I'm not concerned about it not inspecting any traffic (it only has Threat Prevention on it anyway and again that hasn't been updated since February) or any issues with updates but it would certainly be very bad if it stopped passing traffic for some reason. 

 

Is there any potential for traffic to suddenly not be allowed to traverse this firewall Dec31?

1 accepted solution

Accepted Solutions

L6 Presenter

The answer is it depends on what connectivity if any this "air gapped" network has to the larger Internet. 

 

If this air gapped network and your firewall is truly autonomous and not reliant upon any Palo Alto cloud connectivity (For licensing updates, software updates, content updates, or any other consumed cloud Palo Alto service (inline ML, DNS Sec or other feature)) then it sounds like the firewall is safe to run this older code on your PA-220.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Vp5CAE

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

I would say contact your sales team and sales engineer and see if they can get you upgraded code. PAN is usually pretty good about this, especially since you are upgrading hardware.

 

Also check your software downloads on the support site and see if a fixed version is available.

Regards,

L6 Presenter

The answer is it depends on what connectivity if any this "air gapped" network has to the larger Internet. 

 

If this air gapped network and your firewall is truly autonomous and not reliant upon any Palo Alto cloud connectivity (For licensing updates, software updates, content updates, or any other consumed cloud Palo Alto service (inline ML, DNS Sec or other feature)) then it sounds like the firewall is safe to run this older code on your PA-220.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Vp5CAE

L1 Bithead

Thanks @Brandon_Wertz , I logged it with PA support under the new 440 device that is supposed to be taking over services (delayed now until January) and they were kind enough to respond. Basically they said the same thing you did (and what I was hoping for) - The normal operation of the device will not be affected just that you will no longer get any updates/communication for the PA cloud services.

 

So with that I'm happy as service will continue as it is today until we finally get around to getting things cutover.

 

 

Great to hear you'll be ok and I was able to help

  • 1 accepted solution
  • 1267 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!