Recommended Software release

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Recommended Software release

L1 Bithead

Hi PAN Community!

 

I'm just wondering if there's a dedicated page/link I can refer to if I want to confirm if a certain release is recommended or not. I don't want to raise a TAC case everytime. Thanks!

34 REPLIES 34

Is there consideration being given to creating a standing kb article of current recommended releases by platform?

 

With a commitment to valid and update monthly or quarterly.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@pulukas,

I actually spoke to a few people at Ignite this year that are higher up in the chain ( in support ) and none of them really gave me a clear answer to why this hasn't been done already, outside of external KB articles and simply incorporating this into the actual support page. WIth the support page getting a refresh this would have been the perfect time to implement something like a 'Gold Star' recommended release icon similar to Cisco or other vendors. 

The best that I could understand is that PA doesn't really like saying that any one software release is truly 'recommended' as any software release really depends on the features that you are using on the firewall (which is 100% true); the general consensus was that customers should be able to ask their SE and they could recommend a release for the customer's particular environment. Sadly, that really isn't the case for most customers and I would say that the majority of the SEs assigned to people don't really have a full understanding of what their configuration looks like and what features that particular customer is using. It makes for a really nice idea that simply breaks down when you get too the real world. 

Thanks for pushing on this issue.  This really is an industry standard now to have such a recommendation based on support activity.  And making customer hunt for the right information does not help your reputation as a company at all.

 

As you note, we live in the real world.  Where newly released software has bugs and needs to be road tested by those who truely really need those new features while the rest of us follow when the bugs are crushed.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Found this page searching for the same answer.   I presume that the list below is no longer accurate.   Can we please get this to a maintained KB article (with revision history would be great too).

@Quinn,

This list

PAN-OS 8.1.2 - This is not recommened, meaning you shouldn't be running it in production. If you must have the latest and greatest run 8.1.2 so you get the latest bug fixes with 8.1

PAN-OS 8.0.9 - 8.0.10 is released but has not yet entered recommended status

PAN-OS 7.1.17

PAN-OS 6.1.20 ( You should be upgrading) 

Cause yup this would still be current unless 8.0.10 has actually moved into a recommended status, but I haven't heard anything on that yet. 

Yeah, missed page2 before commenting.    D'oh!

 Why release 8.0.10 if it is not recommended???

@mans-paloalto-support,

Every release is published prior to it moving to recommended status, you can't say something is recommended until you actually have customers running it to see if they notice any issues. Recommended status is only granted after the release has been running for a period of time without any reported issues. 

I'm told 8.0.10 is in-fact a recommended code base on the 8.0.X branch.  (As of a e-mail to/from my SE today)

This would appear to cause a problem if a zero day exploit needs to be mitigated -- you are taking a risk to stability by patching your code. Of course, I've seen that with Cisco devices -- a vulnerability is patched, and then the manufacturer releases a vulnerability patch to the vulnerability patch because the first patch was unstable -  I'm assuming Palo Alto Networks has internal QA before something goes out in the wild to sanity check stability -- but it does sound like zero day mitigation introduces an inherent stability risk if what you are saying is true about waiting for clients to adopt the code in the wild.

 

 

@mans-paloalto-support,

That's the same for any vendor really. If you need the features of the latest version, or it fixes a bug that you ran into, then you update as soon as it becomes available; if it doesn't really do anything that you need then you wait for it to hit recommended status. 

In your given example it would be making the same call that you would for anything else. As a personal example we had a few ASAs in place when the last zero-day that allowed for remote administration came in. You have to make the determination on whether or not to install non-recommended software or attempting to plug the hole as best as you can.  

Zero day mitigation is a process that almost everyone has an issue with as you obviously want to get it pushed out as soon as possible, while doing as much basic QA as you can afford. Depending on who identifies the zero day, whether it is active in the wild, and how hard it is to implement, the vendor may do a limited form of QA that doesn't actually catch everything. 

To bring the conversation full circle --  unlike other vendors, we have no ready reference for Recommended Software releases.  I understand there are challenges to making such a recommendation, but other vendors at least can use support activity to generate a recommended release on a web page that can stay updated as a baseline.

 

L1 Bithead

Today we have a security advisory saying everything earlier than 8.0.11 is vulnerable to an XSS attack and needs to be updated, and here you guys are telling us that 8.0.10 isn't even recommended in production yet?! I came here to see what the fix was for the 8.1.x branch, since I NEVER SAW ANYTHING INDICATING IT WASN'T STABLE FOR PRODUCTION BEFORE. Shouldn't there be some kind of barrier/notification before you can install it, saying "Hey, this stuff here is beta, but you can try it if you want"?! 

@crimichigan,

Actually as @Brandon_Wertz pointed out above, 8.0.10 had entered recommended status. The vulnerability doesn't effect the 8.1 branch, so if you are running anything within that branch you're perfectly fine. 

 

To address your 8.1 issues I don't think anyone here is going to defend the lack of an available 'Recommended Release' notice whether that be on a KB document, via a sticky Live Post, or simply by emailing everyone. The fact that you can't rediably find this information is stupid and we all know that. 


@BPry wrote:

@crimichigan,

Actually as @Brandon_Wertz pointed out above, 8.0.10 had entered recommended status. The vulnerability doesn't effect the 8.1 branch, so if you are running anything within that branch you're perfectly fine.


This is helpful. Thanks!!

 

Maybe the simplest/most effective way to distinguish recommended from non-recommended releases is to actually have them named accordingly. They would show up in the software list as "8.1.2 beta", or "development", or "test", or whatever word PA prefers to indicate that those versions are not ready for prime time.

  • 17196 Views
  • 34 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!