- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-02-2019 11:38 AM
Hello Community!
Has anyone made the jump to 9.0.4 on their production firewalls? I have read the release notes and installed it onto my lab unit. Just checking to see if anyone has had any issues outside of what is in the release notes. Currently we are running the 8.1 train.
Cheers!
10-02-2019 02:00 PM
I just did the other day because I figured 4 releases ought to be enough to work out most of the bugs...
I've run into a couple issues.
The one was that our Windows 10 machines that are dual-connected with wireless + wired weren't able to connect to wireless after the upgrade. They weren't making a IP / User mapping. I upgraded our User-ID agent that we run on an AD box to the newest release and that didn't fix it.
I ended up having to whitelist some more URLs for our trusted networks - basically preventing the filter from requiring authentication for those URLs (Destination Auth Exempt). It is important to exclude any non-trusted (BYOD / Guest) because those machines need to not hit those URLs without authentication so the OS can correctly show a captive portal - but internal machines should never need it. The plus side is - the yellow exclamation point won't show up at the login screen anymore.
The URLs were *.msftncsi.com and *.msftconnecttest.com so that it wouldn't try to do captive portal detection. I'm not sure if the timeout maybe was changed with 9.0 - but we had a rule in for the msftnci from Windows 8.1 - but apparently with 10 - it's now msftconnecttest.com instead.
This Microsoft article talks about the change:
(https://blogs.technet.microsoft.com/netgeeks/2018/02/20/why-do-i-get-an-internet-explorer-or-edge-po...
I'm also running into an issue with the Safe Search automatic redirection not working. I'm opening up a ticket about that right now because I'm not seeing any known issues. Other than that, the filters seem fine on it. There are some pretty nice new features as far as seeing protocol usage for particular rules and more about rules that have fallen out of use. We'll see if I can get this Safe Search issue taken care of...
10-03-2019 10:19 AM
I deployed 9.0.4 a couple days ago. I have had no issues so far. It also fix an LDAP bug I was encountering in the previous versions of the 9.0.x releases.
Just another I.T. Guy
10-07-2019 10:26 PM
Yes, 9.0.4 broke things badly for me. It seems only the first four (virtual) ethernet ports on the PA VM now only work. Ports 5 onwards never come up. This is out of character, I rarely have problems........
Upon downgrading to 9.0.3-h3 again everything came back straight away. I'd be interested to know how many other people have tried this scenario out.
12-12-2019 01:52 AM
We upgraded two HA clusters from 8.1.10 and had to roll back on one because all security policies using FQDN were denied. It seemed that FQDN was not resolving at all - stuck in a "0.0.0.0 updating" state (see below). Once rolled back everything worked immediately. Interestingly, the other cluster upgraded from 8.1.10 -> 9.0.4 with zero issues. The HA clusters have significantly different configs though, so I'm not sure that they can be directly compared. We have a case open with with PA for this - it resembled a bug (PAN-105228) that was meant to be fixed in 8.1.5.
Sample of failure to resolve FQDN
show dns-proxy fqdn all
FQDN Table : Request time 2019-11-05 10:28:51
--------------------------------------------------------------------------------
IP Address
--------------------------------------------------------------------------------
VSYS : (using mgmt-obj dnsproxy object)
Shared
vsys1
0.0.0.0 updating
:: updating
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!