want to upgrade to 8.0.X

L4 Transporter

Hey guys,

I have a HA pair of 3020s with 7.1.7

and a single 820 firewall with 8.0.2

 

Which version can you recommend for the 3020s and the 820?

 

8.0.5?

8.0.6?

Is there anything to be aware of?

14 REPLIES 14

Community Team Member

Hi @MPI-AE,

 

Currently in the PAN-OS 8.0 branch the recommended version is 8.0.7.

In the PAN-OS 7.1 branch, the recommended version is 7.1.14.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Cyber Elite

@MPI-AE,

If you are looking to upgrade your 3020s to 8.0 then I would recommend going with 8.0.7; I've been running it on my A/P pairs and haven't run into any issues. If you stay on the 7.1 train then go to 7.1.14. 

With the 820 I really recommend running 8.0.7 and getting it off of 8.0.2. I'm actually more surprised you haven't had to update already simply to address some of the bugs that people ran into on that specific version. 

Thank you both!

 

Can I directly upgrade from 7.1.7 to 8.0.7 or is it better first upgrade to 8.0 and after that to 8.0.7?

Community Team Member

Hi @MPI-AE,

 

As per our best practice guide :

 

  • Download 8.0.0 (base version). (Recommended) Install the 8.0 base image and reboot before you install the target maintenance release.
  • Download and install 8.0.7, and reboot to complete the upgrade.

 

Full article on best practices for PAN-OS upgrades :

Best-Practices-for-PAN-OS-Upgrade

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

@kiwi

@BPry

 

Will there be any impact when I run active fw1 on 8.0.7 along with passive fw2 on 7.1.7 for some days?

 

 

The lowest PAN-OS automatically gets priority in a cluster, so you will need to set the passive as suspended, which will cause it to not participate in case of a failure.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
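The two points made in the replies above (base image first when moving to a new feature release, and the lowest PAN-OS taking priority in a mixed-version pair), as an added example that is not part of any post in this thread and is not Palo Alto Networks code. The function names are hypothetical, and the planner assumes the target is in the same feature release as the installed version or in the next one.

```python
# Added example; helper names are hypothetical, not a PAN-OS API.
import re

def parse(version):
    """'8.0.7' -> (8, 0, 7). Hotfix suffixes such as '-h1' are rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(g) for g in m.groups())

def plan_upgrade(installed, target):
    """Ordered steps for one firewall, following the order quoted in the thread.

    Assumption: the target is in the installed feature release or the next one.
    """
    cur, tgt = parse(installed), parse(target)
    if tgt <= cur:
        raise ValueError("target must be newer than the installed version")
    base = f"{tgt[0]}.{tgt[1]}.0"
    goal = ".".join(str(n) for n in tgt)
    steps = []
    # Crossing into a new feature release: the base image goes on first.
    if cur[:2] != tgt[:2] and goal != base:
        steps += [f"download {base}", f"install {base} and reboot (recommended)"]
    steps += [f"download {goal}", f"install {goal} and reboot"]
    return steps

def ha_priority_peer(active, passive):
    """Which peer gets priority while the pair runs mixed versions.

    Per the thread, the peer on the lowest PAN-OS gets priority, so if that
    is the passive unit it has to be suspended. Returns None when both match.
    """
    a, p = parse(active), parse(passive)
    if a == p:
        return None
    return "passive" if p < a else "active"

if __name__ == "__main__":
    # Constructed inputs taken from the versions mentioned in the thread.
    for step in plan_upgrade("7.1.7", "8.0.7"):
        print("3020:", step)
    for step in plan_upgrade("8.0.2", "8.0.7"):
        print("820: ", step)
    print("priority goes to:", ha_priority_peer("8.0.7", "7.1.7"))
```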

Thank you!
And can you tell me what I need the device state for?

 

I can't export it, the firewall web interface always reloads.

Guys, do I have to upgrade my User-ID agent? My current version is 7.0.2-2.

Will that work with PAN-OS 8.0.7?

Hi MPI-AE,

 

Just FYI, this information is always included within the release notes found under the software page. Within the release notes: Associated Software and Content Versions

 

I've had a quick check and can see the minimum supported User-ID™ Agent 8.0.0 is supported for PAN-OS 8.0.x.

 

kind regards,

Ben

 

 

Sorry where can I find that information?

 

So User ID agent 7.0.2 won't work with PAN OS 8.0.7?

Hi MPI-AE,

No worries, so you'll always have release notes for either software or dynamic updates. These can be found by going to support.paloaltonetworks.com (login) and then on the left nav bar check under Updates for software and dynamic updates.

 

Quick link to software:

https://support.paloaltonetworks.com/Updates/SoftwareUpdates/339

 

Once you've found the relevant software version you will notice the release notes for each version within the release notes column. Alternatively you can access the release notes from the firewalls themselves (Device > Software). Remember to hit Check Now to obtain the latest list and corresponding links attached.

 

So in short the User-ID agent "may" work, however it will not be supported as stated by the release notes, and I would suggest planning to upgrade the agent also.

 

regards,

Ben 

Hi Ben,

 

1) So when I'm running PAN-OS 8.0.7, which User-ID agent version should I install? 8.0.7-2?

2) When I read it correctly, User-ID agent 8.0.7-2 is compatible with PAN-OS 7.1.X. Is that correct? Can I install User-ID agent 8.0.7-2 right now? (before upgrading my firewalls)

Hi MPI-AE,

 

You can technically run the latest User-ID agent as they are backwards compatible:

Looking at the 8.1 agent release notes: The User-ID agent is compatible with PAN-OS® 8.1 and earlier PAN-OS releases that Palo Alto Networks still support.

 

Agent: I would deploy the latest within the given major release, so either 8.0.9-6 or 8.1.1-77. While they may not be recommended, they will include the latest fixes and protections. Otherwise contact TAC to obtain the current stable recommended release, if any. Apologies, they used to publish the recommended versions but I'm not sure if they still do, as I could not locate them for you.

 

You can either deploy the new agent on a new machine and add the agent to the firewall alongside the old agent(s), which would give you the ability to check it is working as expected before removing old agents, or go straight with upgrading the agent(s).

 

regards,

Ben

Thank you!
