Thinking of upgrading to 4.1.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Thinking of upgrading to 4.1.0

Not applicable

We have two 2050's in an active/passive cluster running 4.0.5.  We are looking to upgrade to 4.1.0.  Had anyone had any negative experience with this version - particularly related to the SSL-VPN changes or User-ID functionality?  I've heard a few things that have made me wary.

Thanks!

13 REPLIES 13

Retired Member
Not applicable

There are some behavior changes in 4.1.x with regards to user-id and SSL VPN. In particular, 4.1.x introduces a new User-Id agent that combines the former AD Pan Agent and LDAP agent into one. Also SSL VPN changes in that 4.1.x no longer uses NetConnect client but instead uses Global Protect client. Functionally they should perform same function but there are changes in how you configure as GP can separate the SSL portal and GP gateway whereas NetConnect used same.

These are just two of the new features within 4.1.x. There are many others. I would recommend reviewing 4.1.1 release notes thoroughly before considering upgrade to 4.1.x. But in general if you do not need any of the new features, then upgrading to latest within 4.0.x release is generally safe and recommended. Currently 4.0.8 is latest version.

-Richard

We deployed a new firewall with 4.1.1 in order avoid the VPN client switch, among other reasons. I obviously can't speak to upgrade experience, but the software basically works.

We have had intermittent problems with rules requiring Active Directory group membership -- access fails, show user ip-user-mapping ip (address) shows user not a member of any group, do a policy commit with no related changes, and then all of a sudden access works and "show user" displays correct information.

PAN only documented how to get userid agent working on Windows 2008 last week.

A 4.1.1-h1 hotfix exists with some critical fixes. But I've been unable to find out what they are. One support tech says I can read the release notes in the portal, but they're not there.

If this is a particularly good time in your business cycle to make the change, it won't blow up, but you might want to wait a month for 4.1.2.

Thanks for the advice, everyone!  I see 4.1.2 was just released so I'll be doing that this weekend.

Have you done the upgrade yet? Any issues? We're about to do the exact same upgrade (4.0.5 -> 4.1.2 on a 2050 active/passive cluster).

We don't have any active VPN users outside of the IT department so I'm not too worried about the changes to the SSL/GP portal.

We do have IPSec VPNs though that I don't want to fail.

I found troubles with PANOS  4.1.1 and 4.1.2 in Global Protect Gateway with 200 and 2000 series (unable to commit due to error in useridd module). Also some minor difficulties with Active Directory browse user into policies tab.

The other stuffs look great

Wait for 4.1.3 ... I have 7 tickets open for 7 different (and many impacting) problems currently ....

Could you name two or three bugs?

I have a 4.1.1->4.1.2 update scheduled next weekend, but it could be aborted.

If they're regressions from prior to 4.1.0, we're already living with them, but any post-4.1.1 regression would be of interest.

essnet, could you share what those issues are please?   I am deploying a brand new install of a Palo Alto 2050 HA pair and am curious what issues you have found with 4.1.2.

Well, I did it this weekend and didn't encounter any issues, although I wish they had just stuck with NetConnect; it worked great and GlobalProtect seems a bit on the twitchy side.  So far so good.

Is there any way to actually close GlobalProtect?

We went to 4.1.2 on our 2050 cluster a week ago. The only issue we've found is a misclassification of skype traffic for bittorrent. And since the timeouts for bittorrent seems to be higher than for skype, the number of open udp sessions in the session table has increased by a factor 20 or so.

I found a strange issue with my PA-200 and (probably) our customers's PA-2020 using 4.1.2. When configuring Global Protect Gateway in WAN interface with a QoS rule I receive a commit error due to useridd module failed.

After a case support I removed the QoS rule and the commit was succesfull. Same configuration on a PA-500 works with QoS rule.

Another unsolved issue is related to D user browse in policy tab, only a subpart of the total users are shown in the GUI. By the way this is a minor problem becous I can manually enter the domain\name in every policy.

Version 4.1 is much faster the the previous ones and I'm confident that resolved this (and other) bugs the operating system can be used widely without concern.

L1 Bithead

Hello,

Can someone tell me how did you do the migration from NetConnect to GlobalProtect when upgrading to 4.1.x?

Was it automatic like for an upgrade of the VPN SSL client or do have you to redone configuration?

Do you have to uninstall NetConnect and instal GlobalProtect on every computer?

Thanks

Remi

Migration to Global Protect is automatic.  I have done a couple of upgrades and no where was it necessary for me to change any settings or uninstall and install any agent.  Should be a smooth changeover.

  • 5915 Views
  • 13 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!