Upgrade to 5.x - the good, the bad, the ugly?


L4 Transporter

OK, one for you guys who have upgraded to the 5.x stream.

Ignoring the steady furore over the UserID agent and CPU issues, what are the advantages/disadvantages of upgrading from 4.1.x to 5.0.x?

I have a single HA pair, no Panorama, no WildFire subscription, using both IPSec and SSL/GlobalProtect VPNs.

Anyone willing to comment?

Cheers

5 REPLIES 5

L4 Transporter

These are the main drivers for us to upgrade to 5.x

1. the return to sender for policy based routing.

2. application dependency

Ernest

Not applicable

Major pain point for us: In 5.0.4, DHCP Relay, and possibly all UDP proxying, is broken for VLAN sub-interfaces (both L2 and L3). Worked around by running DHCP on the firewall itself, but since PAN-OS can't run a DHCP server on an L2 interface, I had to re-architect the network to change all L2 interfaces to L3. Support also suggested rolling back to 4.1 or 5.0.2, but wouldn't guarantee that it would work.

As a side note, did this feature work in 5.0.3? And do you have a bugid available for this case?

Regarding running DHCP server on an L3 interface vs. L2 interface, you might not need to completely change all L2 interfaces to L3.  You could instead just add one L3 interface (if you have any extra), configure DHCP server on it, and physically plug it in to your existing L2 network without affecting the current L2 config.  You may even be able to do this with an L3 VLAN logical interface connected to the L2 VLAN forwarding object depending on your configuration.

Cheers,

Kelly

I upgraded directly from 4.1 to 5.0.4. (First tier) tech support said that level 2/3 tech support had seen the problem starting in 5.0.3, but did not volunteer a bugid.

@kbrazil: Yes, I could have saved myself the tedious and error-prone L2-to-L3 interface conversion in a couple different ways. But the original reason for going L2 had passed anyway.
