11-21-2024 04:39 AM
Hello,
We are experiencing packet loss, and the IPsec tunnels are going down on the following version and model:
After restarting the firewall, it resumes normal operation.
I want to know whether this version is stable. Any advice?
11-21-2024 06:16 AM
Hi @Suhail-Hameed ,
11.1.5-h1 is a new version. It's too soon to be considered a preferred version.
Currently 11.1.4-h7 is the preferred version in the 11.1.x PAN-OS.
Please bookmark this page to know which OS versions are preferred:
Support PAN-OS Software Release Guidance
Kind regards,
-Kim.
11-21-2024 12:32 PM
Kiwi,
I can understand why they went to 11.1.5-h1, because in the Palo CVE-2024-0012 and CVE-2024-9474 it clearly states Affected: less than 11.1.5-h1; Unaffected: greater than or equal to 11.1.5-h1.
We were on 11.1.2 and moved to 11.1.4-h7. It's a preferred release and the notes state that these CVE fixes are in there, and preferred as of 11/18/2024.
I would just like clarification as to if we are really protected, because these links lead you to believe in the 11.1 train you need 11.1.5-h1 or newer. Please advise.
https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloaltonetworks.com/CVE-2024-9474
Now look at the releases post:
https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...
P* | 11.1.4-h7 | 11/18/24 | Preferred Release [11/18/24]
Note: If using IoT Security, wifclient might exit multiple times causing firewall to reboot. If using IoT Security, the device may run into wifclient crashes during server cert verification causing dataplane to restart debug iot eal key-value PAN_ICD_SERVER_CERT_USE_CRL=False
Note: [PA-5400f Platforms Only] Extremely high receive packet rate can cause an interrupt storm leading to heartbeat failures and dataplane down.
So which one is it?
11-21-2024 01:48 PM
I opened a case with Palo to confirm the discrepancy between the CVE publications and the release notes posting. They did confirm, and I have it in writing, that yes, both CVEs are also fixed in 11.1.4-h7. Although the CVE notification claims you need 11.1.5-h1 or newer, that is not the case. If the OP upgraded to 11.1.5-h1 because of the CVE, I feel bad he was misled into a release that was not ready. Hopefully PAN will update the CVE documentation.