PANOS 9.1.13 Planning NOT to upgrade before Dec 31 Cert Expiry


L1 Bithead

Hello everyone, I have an old PA 220 running 9.1.13 that is out of support. It is running in an air-gapped network that has not been updated since the start of the year. The plan was to have our replacement 440s take over this network before the end of the year, but this is no longer happening, so my question/concern is obviously with the 220 running code with an expiring root certificate.

 

Given the scenario I've mentioned above, should I be concerned about traffic suddenly stopping on this device or any other "show stoppers"? I'm not concerned about it not inspecting any traffic (it only has Threat Prevention on it anyway, and again that hasn't been updated since February) or any issues with updates, but it would certainly be very bad if it stopped passing traffic for some reason.

 

Is there any potential for traffic to suddenly not be allowed to traverse this firewall on Dec 31?


Accepted Solutions

L6 Presenter

The answer is: it depends on what connectivity, if any, this "air gapped" network has to the larger Internet.

If this air-gapped network and your firewall are truly autonomous and not reliant upon any Palo Alto cloud connectivity (for licensing updates, software updates, content updates, or any other consumed cloud Palo Alto service (inline ML, DNS Sec or other feature)), then it sounds like the firewall is safe to run this older code on your PA-220.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Vp5CAE


Cyber Elite

Hello,

I would say contact your sales team and sales engineer and see if they can get you upgraded code. PAN is usually pretty good about this, especially since you are upgrading hardware.

 

Also check your software downloads on the support site and see if a fixed version is available.

Regards,

L1 Bithead

Thanks @Brandon_Wertz, I logged it with PA support under the new 440 device that is supposed to be taking over services (delayed now until January) and they were kind enough to respond. Basically they said the same thing you did (and what I was hoping for): the normal operation of the device will not be affected, just that you will no longer get any updates/communication for the PA cloud services.

 

So with that I'm happy, as service will continue as it is today until we finally get around to getting things cut over.

 

 

Great to hear you'll be ok and I was able to help
