OK, one for you guys who have upgraded to the 5.x stream.
Ignoring the steady furore over the UserID agent and CPU issues, what are the advantages/disadvantages of upgrading from 4.1.x to 5.0.x?
I have a single HA pair, no Panorama, no WildFire subscription, using both IPSec and SSL/GlobalProtect VPNs.
Anyone willing to comment?
Major pain point for us: In 5.0.4, DHCP Relay, and possibly all UDP proxying, is broken for VLAN sub-interfaces (both L2 and L3). Worked around by running DHCP on the firewall itself, but since PAN-OS can't run a DHCP server on an L2 interface, I had to re-architect the network to change all L2 interfaces to L3. Support also suggested rolling back to 4.1 or 5.0.2, but wouldn't guarantee that it would work.
Regarding running DHCP server on an L3 interface vs. L2 interface, you might not need to completely change all L2 interfaces to L3. You could instead just add one L3 interface (if you have any extra), configure DHCP server on it, and physically plug it into your existing L2 network without affecting the current L2 config. You may even be able to do this with an L3 VLAN logical interface connected to the L2 VLAN forwarding object depending on your configuration.
I upgraded directly from 4.1 to 5.0.4. (First tier) tech support said that level 2/3 tech support had seen the problem starting in 5.0.3, but did not volunteer a bugid.
@kbrazil: Yes, I could have saved myself the tedious and error-prone L2-to-L3 interface conversion in a couple different ways. But the original reason for going L2 had passed anyway.