Quick Note on 8.1.0 Deployments

Cyber Elite

Since its release we've seen an uptick in folks deploying 8.1.0 to their firewalls, and that's a great thing. I just want to throw out a word of caution before doing so however; while 8.1.0 is one of the most stable base releases Palo Alto Networks has published, you need to do your homework before deploying this in any environment. 

 

LAB Devices:

If you have access to any sort of LAB equipment, this is where you should be installing 8.1.0. Start testing your configuration in a LAB environment so that you can have a knowledgeable estimate of when you feel comfortable deploying 8.1 to your production equipment. 

If you happen to utilize your LAB equipment in a Change Management process, take note that you are running a different version of PAN-OS when you actually test changes. Something that didn't work in your 8.1.0 LAB may work perfectly fine on 8.0.8 that you have running on your production equipment. On the other hand, something that works out perfectly fine on 8.1.0, may not function on 8.0.8 due to a bug being patched between versions. 

 

Production Devices:

If you do not have access to LAB equipment to verify that your production configuration will actually fully function on 8.1.0, I would personally highly advise you to keep 8.1.0 off your production equipment. 

Limitations of 8.1.0 are fairly small, however there are 13 pages of known issues within 8.1.0 along with 3 known issues specific to a WF-500 appliance. Before you contend with loading 8.1.0 on production equipment you should take the time to go through all of these known issues and decide if your environment would actually experience them and if you can work around them until they are patched in future maintenance releases. Causing an outage because you want to utilize the awesome SSL Decryption Broker, or the awesome new hit counters, is likely not going to go well. 

 

Generally this boils down to following Palo Alto's recommended upgrade procedure and just doing your own due diligence before upgrading to 8.1. I think there are a few people that are getting wrapped up in the truly amazing feature improvements of 8.1, and throwing best practices out the window. If you don't have LAB equipment to properly test things out, let those of us that do find all of the bugs before causing an outage due to wanting a new software upgrade quickly. 

If you truly want 8.1 and just simply can't wait to upgrade, I'd at least make a post here about what your configuration looks like prior to upgrading. We have a lot of people within these forums that have been running 8.1.0 since the beta was released on LAB equipment and home deployments that can likely take a glance at what you are doing and at least give you some real-world experience on what you should expect. 

 

15 REPLIES

Hi,

I agree. I have the same issues after upgrading to 8.1.0. Then I have to downgrade too. Thanks.

Had the same issues with 8.1.0 and went back to 8.0.8.

 

We experienced slow/non-working domain logons and SMB/CIFS/DFS Shares.

 

If I ran "show session all filter state discard application ms-ds-smbv3" I had lots of sessions discarded. If I looked in detail on one of those sessions with show session id [session-id] I could see that they were discarded due to "resources-unavailable".

 

Some users report that 'Application Override' might be a way forward until the issue is fixed.

 

 

https://live.paloaltonetworks.com/t5/General-Topics/PAN-OS-8-1-0-SMB-Issues/m-p/205760

L1 Bithead

The 8.1.0 Interface is terribly buggy.  I would advise EVERYONE to not use it until they at least patch it once.

 

NAT and Security rules do not highlight correctly at intervals, and it has already cost us production time as we were attempting to modify one NAT rule (after highlighting it) and having it return a different one.  All browsers show this issue too.

 

It's a bad release, and I wish PA would have done a better job of QC'ing it instead of expecting the rest of us to "Fix the airplane before it hits the ground".

 

Usually PA is good about this.  But this one is a clear miss, and the release should be pulled.


@ITSysEng wrote:

 

It's a bad release, and I wish PA would have done a better job of QC'ing it instead of expecting the rest of us to "Fix the airplane before it hits the ground".

 

Usually PA is good about this.  But this one is a clear miss, and the release should be pulled.


 

 

Then there was 7.0.0 which was totally deferred...I think 7.0.0 still wins this "contest" haha

 

 

Totally agree I've always thought the major releases process could use a bit of improvement.  No doubt there's push to deploy new capabilities from Palo, but like has already been mentioned; if as admins of a service, in this case a company's edge/firewall environment the onus is on US as firewall admins to do the due diligence to ensure the code version is stable and appropriate.

 

This includes dev/qa testing if need be.  If an admin wants to risk their career because a new software release is out that's on you.  Not Palo IMO.

I'm hearing a target of early May for 8.1.1 roll out, so just a couple more weeks.

@Brandon_Wertz,

 

I think you nailed my reaction on all of these "PAN-OS 8.1.0 is real bad; Palo should pull the release; this killed my production network". Palo Alto did not come on premise and force you to upgrade to 8.1.0, Palo Alto didn't stop supplying updates to other software versions, they didn't release hardware that only runs 8.1.0 (unlike 8.0), and Palo Alto didn't automatically install 8.1.0 to anyone's firewall. 

I agree that Palo Alto should, and could, tone down the marketing around 8.1.0 until it's actually hit recommended status. There are definitely mistakes that they've made in that regard. There shouldn't have been as much noise surrounding the 8.1.0 release, the SMB over VPN issues experienced by users of the Beta channel should have been included in the release notes, as it was already noticed by the time 8.1.0 was officially released, and it should have been clear in all communication that it wasn't recommended you actually install it on production equipment.

 

In the end though it comes down to the decision that you made as an admin. You chose to run 8.1.0, you made the decision to run new code, you made the decision to prioritize features over stability, you failed to QA the code with your configuration to verify it didn't affect your production network. YOU caused an outage or a degradation of services because you installed 8.1.0 on your production equipment without validating it worked for you and your company.

 

 

 
