Software Version 11.1.5-h1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Software Version 11.1.5-h1

L0 Member

Hello,

 

We are experiencing packet loss, and the IPsec tunnels are going down on the following version and model:

  • Software Version: 11.1.5-h1
  • Model: PA-1420

After restarting the firewall, it resumes normal operation.

 

I want to know, this version is stable, any advise. 

4 REPLIES 4

Community Team Member

Hi @Suhail-Hameed ,

 

11.1.5-h1 is a new version. It's too soon to be considered a preferred version.

Currently 11.1.4-h7 is the preferred version in the 11.1.x PAN-OS.

 

Please bookmark this page to know which OS versions are preferred:

Support PAN-OS Software Release Guidance

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Kiwi,

I can understand why they went to 11.1.5-h1, because in the Palo CVE-2024-0012 and CVE-2024-9474 it clearly states affected ; less than 11.1.5-h1.  Unaffected: greater than or equal to 11.1.5-h1.

We were on 11.1.2 and moved to 11.1.4-h7.  Its a preferred release and the notes state that these CVE fixes are in there, and preferred as of 11/18/2024. 

I would just like clarification as to if we are really protected, because these links lead you to believe in the 11.1 train you need 11.1.5-h1 or newer.  Please advise.

https://security.paloaltonetworks.com/CVE-2024-0012

https://security.paloaltonetworks.com/CVE-2024-9474

 

Now look at the releases post:
https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

P*
11.1.4-h7 11/18/24

Preferred Release [11/18/24]
Note: A fix was made to address CVE-2024-0012 (PAN-SA-2024-0015) and CVE-2024-9474.

Note: If using IoT Security, wifclient might exit multiple times causing firewall to reboot. 
Workaround:
Uninstall IoT License and disable Enhanced Application Logs
Note: 

<meta charset="utf-8" />

If using IoT Security, the device may run into wifclient crashes during server cert verification causing dataplane to restart
Workaround: 
Use below CLI to disable CRL 

debug iot eal key-value PAN_ICD_SERVER_CERT_USE_CRL=False

Note: [PA-5400f Platforms Only ] Extremely high receive packet rate can cause an interrupt storm leading to heartbeat failures and dataplane down. 

 

So which one is it?

 

L3 Networker

I opened a case with Palo to confirm the discrepancy between the CVE publications and the release notes posting.  They did confirm and I have it in writing that yes, both CVE's are also fixed in 11.1.4-h7.  Although the CVE notification claims you need 11.1.5-h1 or newer, that is not the case.  If the OP upgraded to 11.1.5-h1 because of the CVE, I feel bad he was mislead into a release that was not ready.  Hopefully PAN will update the CVE documentation.

L0 Member

I have a scheduled maintenance to upgrade to 11.1.5-h1 for Dec 6th.  I too was lead to believe that the above statement, you needed to go to 11.1.5-h1 to be covered for those CVEs, encompassed as PA-SA-2024-0015.  I am going to get in touch with my (new term) Solutions Consultant on Monday, as this is what I was searching for.  I'm going to send a link to this discussion thread to him, to get behind the scenes on to correctly get this answer.  I would prefer to be on the preferred version, so I hopefully do NOT encounter that stuck logon to OneDrive.  This would be 2 upgrades within the last 3 months and since CISA has added these to their KEV, I'm bound to do the upgrade on Friday the 6th (crossing my fingers).

  • 975 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!