Upgrade to 7.1.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Upgrade to 7.1.0

L6 Presenter

I upgraded our lab palo to 7.1.0 last night.  Has anyone else upgraded anything in their enviornment yet?  I don't plan on doing anything in our production enviornment until at least 7.1.1 or 7.1.2.

 

Not really having much time yet I don't have much to say other than I'm looking forward greater awareness from things like the SaaS reports as well as the extra 10 or 12 cipher suites that are supported in 7.1.0 over prior versions.

 

Gotta say though I'm not digging the new look/feel of the GUI.  The sharp lines/edges make the view feel "old."

26 REPLIES 26

don't even install 7.1 on your panorama unless you want your configuration wiped by panorama templates when committing...

 

yay for bugs

L1 Bithead

Upgraded to 7.1 friday night to test over the weekend and ran into multiple problems with rule processing and URL filtering. sites being blocked that should be allowed. sessions failing to be recognized and blocking on final rule.

 

We are reverting. 😞

PAN-OS 7.1.0 has a change in default behavior with respect to security policy processing.  Check out the release notes and see if this might be what you experienced:

 - https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-release-inf...

 

 

L0 Member

We upgraded to 7.1 in test and ran into a number of issues with Linux IPsec clients (and some mobile clients not using GlobalProtect app) being unable to negotiate with the VPN and not establishing connection.

While there are some nice feature additions, this was pretty show-stopping and we probably won't go any further until a cause is identified (we're still testing various configurations to determine if anything about our setup was causing the issue.)

Also ran into the Linux IPSec clients issue.

Error on the linux clients is showing:

configuration response rejected: (ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED)

 

Hopefully a resolution is in the works.

L4 Transporter

Is it possible to roll back from a 6.1.10 to a 7.1 or 7.0 upgrade?

Rollback or upgrade to? 

I got around the Linux Clients not connecting with VPNC but it is only working for Local Users.

I had to create a new Client Authentication object and used Local Auth as the Authentication Profile.

Now I can connect from Linux VPNC using those credentials.

 clentauth.png

 

Still playing with getting LDAP users authenticated with Linux clients.

 

rollback frome 7 to 6.1.10

L4 Transporter

@Brandon_Wertz Yessssir! haha 🙂

 

I'm agree with you I don't like this "style" .. Looks like a very OLD style.

 

😧

L1 Bithead

I 100% agree with the style. I tested it on our test system and it is beyond ugly. It's like going from WIndows 7 to 3.1.1 for Workgroups... I don't like the color choices, the sharp edges... bleh... I reverted back just because the UI is an eyesore.  Maybe I'll give it a serious try after a few updates but for now I don't want to look at it in our test environment. 

L4 Transporter

@rmonvon helped me resolve an issue we were having with decryption.  Due to the changes in how the any -> application-default is now treated, sometimes the App-ID for web-browsing is seen on port 443 within the encrypted stream.  On recommendation, I had to create a special rule for allowing outbound web traffic for the App-ID web-browsing so that it included both service-http (80) and service-https (443) so that websites would work correctly.  I'm unsure if there are other apps that could potentially get wrapped in SSL (say VPN, RDP, etc.) that could be affected due to this change. 

 

Just a heads up on this one.

 

-Matt

  • 9681 Views
  • 26 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!