03-11-2018 08:44 AM - edited 03-13-2018 12:43 PM
Since its release we've seen an uptick in folks deploying 8.1.0 to their firewalls, and that's a great thing. I just want to throw out a word of caution before doing so however; while 8.1.0 is one of the most stable base releases Palo Alto Networks has published, you need to do your homework before deploying this in any environment.
If you have access to any sort of LAB equipment, this is where you should be installing 8.1.0. Start testing your configuration in a LAB environment so that you can have a knowledgeable estimate of when you feel comfortable deploying 8.1 to your production equipment.
If you happen to utilize your LAB equipment in a Change Management process, take note that you are running a different version of PAN-OS when you actually test changes. Something that didn't work in your 8.1.0 LAB may work perfectly fine on 8.0.8 that you have running on your production equipment. On the other hand, something that works out perfectly fine on 8.1.0 may not function on 8.0.8 due to a bug being patched between versions.
If you do not have access to LAB equipment to verify that your production configuration will actually fully function on 8.1.0, I would personally highly advise you to keep 8.1.0 off your production equipment.
Limitations of 8.1.0 are fairly small, however there are 13 pages of known issues within 8.1.0 along with 3 known issues specific to a WF-500 appliance. Before you contend with loading 8.1.0 on production equipment you should take the time to go through all of these known issues and decide if your environment would actually experience them and if you can work around them until they are patched in future maintenance releases. Causing an outage because you want to utilize the awesome SSL Decryption Broker, or the awesome new hit counters, is likely not going to go well.
Generally this boils down to following Palo Alto's recommended upgrade procedure and just doing your own due diligence before upgrading to 8.1. I think there are a few people that are getting wrapped up in the truly amazing feature improvements of 8.1, and throwing best practices out the window. If you don't have LAB equipment to properly test things out, let those of us that do find all of the bugs before causing an outage due to wanting a new software upgrade quickly.
If you truly want 8.1 and just simply can't wait to upgrade, I'd at least make a post here about what your configuration looks like prior to upgrading. We have a lot of people within these forums that have been running 8.1.0 since the beta was released on LAB equipment and home deployments that can likely take a glance at what you are doing and at least give you some real-world experience on what you should expect.
04-23-2018 10:32 AM
I think you nailed my reaction on all of these "PAN-OS 8.1.0 is real bad; Palo should pull the release; this killed my production network". Palo Alto did not come on premise and force you to upgrade to 8.1.0, Palo Alto didn't stop supplying updates to other software versions, they didn't release hardware that only runs 8.1.0 (unlike 8.0), and Palo Alto didn't automatically install 8.1.0 to anyone's firewall.
I agree that Palo Alto should, and could, tone down the marketing around 8.1.0 until it's actually hit recommended status. There are definitely mistakes that they've made in that regard. There shouldn't have been as much noise surrounding the 8.1.0 release, the SMB over VPN issues experienced by users of the Beta channel should have been included in the release notes, as it was already noticed by the time 8.1.0 was officially released, and it should have been clear in all communication that it wasn't recommended you actually install it on production equipment.
In the end though it comes down to the decision that you made as an admin. You chose to run 8.1.0, you made the decision to run new code, you made the decision to prioritize features over stability, you failed to QA the code with your configuration to verify it didn't affect your production network. YOU caused an outage or a degradation of services because you installed 8.1.0 on your production equipment without validating it worked for you and your company.