Recommended Software release

Showing results for 
Search instead for 
Did you mean: 

Recommended Software release

L1 Bithead

Hi PAN Community!


I'm just wondering if there's a dedicated page/link I can refer to if I want to confirm if a certain release is recommended or not. I don't want to raise a TAC case everytime. Thanks!


Yeah, missed page2 before commenting.    D'oh!

 Why release 8.0.10 if it is not recommended???


Every release is published prior to it moving to recommended status, you can't say something is recommended until you actually have customers running it to see if they notice any issues. Recommended status is only granted after the release has been running for a period of time without any reported issues. 

I'm told 8.0.10 is in-fact a recommended code base on the 8.0.X branch.  (As of a e-mail to/from my SE today)

This would appear to cause a problem if a zero day exploit needs to be mitigated -- you are taking a risk to stability by patching your code. Of course, I've seen that with Cisco devices -- a vulnerability is patched, and then the manufacturer releases a vulnerability patch to the vulnerability patch because the first patch was unstable -  I'm assuming Palo Alto Networks has internal QA before something goes out in the wild to sanity check stability -- but it does sound like zero day mitigation introduces an inherent stability risk if what you are saying is true about waiting for clients to adopt the code in the wild.




That's the same for any vendor really. If you need the features of the latest version, or it fixes a bug that you ran into, then you update as soon as it becomes available; if it doesn't really do anything that you need then you wait for it to hit recommended status. 

In your given example it would be making the same call that you would for anything else. As a personal example we had a few ASAs in place when the last zero-day that allowed for remote administration came in. You have to make the determination on whether or not to install non-recommended software or attempting to plug the hole as best as you can.  

Zero day mitigation is a process that almost everyone has an issue with as you obviously want to get it pushed out as soon as possible, while doing as much basic QA as you can afford. Depending on who identifies the zero day, whether it is active in the wild, and how hard it is to implement, the vendor may do a limited form of QA that doesn't actually catch everything. 

To bring the conversation full circle --  unlike other vendors, we have no ready reference for Recommended Software releases.  I understand there are challenges to making such a recommendation, but other vendors at least can use support activity to generate a recommended release on a web page that can stay updated as a baseline.


L1 Bithead

Today we have a security advisory saying everything earlier than 8.0.11 is vulnerable to an XSS attack and needs to be updated, and here you guys are telling us that 8.0.10 isn't even recommended in production yet?! I came here to see what the fix was for the 8.1.x branch, since I NEVER SAW ANYTHING INDICATING IT WASN'T STABLE FOR PRODUCTION BEFORE. Shouldn't there be some kind of barrier/notification before you can install it, saying "Hey, this stuff here is beta, but you can try it if you want"?! 


Actually as @Brandon_Wertz pointed out above, 8.0.10 had entered recommended status. The vulnerability doesn't effect the 8.1 branch, so if you are running anything within that branch you're perfectly fine. 


To address your 8.1 issues I don't think anyone here is going to defend the lack of an available 'Recommended Release' notice whether that be on a KB document, via a sticky Live Post, or simply by emailing everyone. The fact that you can't rediably find this information is stupid and we all know that. 

@BPry wrote:


Actually as @Brandon_Wertz pointed out above, 8.0.10 had entered recommended status. The vulnerability doesn't effect the 8.1 branch, so if you are running anything within that branch you're perfectly fine.

This is helpful. Thanks!!


Maybe the simplest/most effective way to distinguish recommended from non-recommended releases is to actually have them named accordingly. They would show up in the software list as "8.1.2 beta", or "development", or "test", or whatever word PA prefers to indicate that those versions are not ready for prime time.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!