The latest reliable panOS version

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

The latest reliable panOS version

L4 Transporter

Hi All,

 

I'm currently checking documentation and release notes etc about 7.1.X.

I have to learn how can I understand if a version is really stable/reliable?

 

Obviously testing  and working on it it's a good way to learning about a specific release.. I know it's sounds like a stupid question but in my opinion is not.

 

Besides my first question,  the main question is: Which is the most reliable panOS version out right now?

 

Thanks in advance,

BR

Luca

7 REPLIES 7

L3 Networker

I had a rough 4 weeks trying to run 7.1.7 and I uncovered two bugs that have been reported. I upgraded from 7.0.12 with no issues and then for 4 weeks spent most of my day dealing with high management plane CPU and useridd crashing repeatedly. Last Friday I was have devsvr crashing repeatedly and my internet was down most of the day. I finally gave up and rolled back to 7.0.13 with no issues. My original bug that was started with useridd is supposed to be fixed in 7.1.9. I'm going to stick with 7.0.x branch for the foreseeable future.

 

I have 5060 and 5050 firewalls.

-Brad

Cyber Elite
Cyber Elite

I think that most people would agree that around all of the chassis 7.0.X is the most stable branch to be on currently. That being said on the 3020 chassis I've seen zero issues with how I run things on 7.1.8 and 7.1.9. One of the largest things to take into account is that something that may be a show stopper for yourself, I'm not even going to be utilzing. So everybody has different 'stable' releases since they don't always encounter the same bugs. 

If you want proven stable across the board I would go with 7.0.13. If you want the feature set of 7.1 then go with 7.1.8 (I believe that is TACs recommended branch at this point, I could be wrong). If you want the feature set of 8.0...well wait until some of the bugs get worked out because I wouldn't recommend it at this point. 

L3 Networker

There are multiple correct answers.(see above previous posts)

It al depends on what you have en need:

 

 

Apart from that pan-os 8.0.0 is not recommended 🙂

But if you have a new model its the only choice.

 

 

And of course now we have this:

 

https://securityadvisories.paloaltonetworks.com/

 

Cheers!

@OtakarKlier You mean that for  the latest HIGH only 7.1.8 is not vulnerable?

 

The dirty cow Kernel Vulnerability is rated high,  but the attack surface is very very small.

 

You have to login the CLI then you have to escape the CLI  to the shell (only possible for PA TAC)

After that you can use the exploit

Hello,

While I agree obatining shell access is super difficult. I was looking at the other ones listed. For those of us that have to regularly scan our environments, these show up and need to have a remediation plan in place :(.

 

But as for a stable version, I would say contact TAC and your SE.

 

Cheers!

Hi All,

 

Many many thanks to all for your answers.

I will check everything you gave me, really appreciated.

 

Also if it's helpful, PA TAC confirms and suggests to install panOS 7.1.7.

 

Best Regards

Luca

  • 4385 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!