Episode Transcript:
John:
Hello PANCasters and welcome back. Today Olivier joins us again and is going to talk about PAN-OS versions.
Olivier:
Hello John, glad to be back.
Today I will talk about:
- the PAN-OS naming convention,
- which version to choose, and
- what do "preferred" and "end of life" versions mean
It happens multiple times, when I work on some cases, that customers do not really understand the different versions, or they refused to upgrade to a certain maintenance release because it was not the preferred one. So I think an episode about our PAN-OS versioning may help our PANCasters.

Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.
John:
Great, thanks Olivier. So maybe you can start with the naming convention.
Olivier:
Sure, PAN-OS version naming convention is quite simple: the first number indicates the major version number, the second one indicates the minor version number and the last one indicates the maintenance release version. For instance, 10.1.10 means that it is a release from major version 10, minor version 1 and maintenance release 10.
A different major version number indicates major changes in features, behavior or architecture, while a minor version indicates smaller changes in terms of features or architecture.
And when we talk about the version, we will talk directly about the major version followed by its minor: for instance, PAN-OS 10.0 is End of Life.
Finally, the maintenance release version number indicates how mature the version is. So 10.1.10 is the 11th iteration of PAN-OS 10.1. Keep in mind 10.1.0 is the first iteration of PAN-OS 10.1.
Also each maintenance release is cumulative, that means it contains all the fixes from all the previous maintenance releases. 10.1.10 contains all fixes from 10.1.0.
As a result it is safe to assume that the higher the maintenance release version number is, the more mature the version is.
But don’t take the same assumption for the major version and minor version number. They are to distinguish the amount of features: PAN-OS 10.0 will have more features than PAN-OS 8.1, there is no relation to the software stability.
John:
OK, so we have multiple versions at the same time, how would we know which one to choose?
Olivier:
There is no perfect answer, it will depend on the devices, the enabled features, the cloud services you are using: for instance, Panorama version needs to be the same or greater than the version of the managed firewalls. It can also depend on the design or the technologies chosen: for example, if you need specific routing features only available on the Advanced Routing Engine, you will have to run on PAN-OS 11.0 or above. Except for upgrades due to version reaching its end of life, you should review the listed new features and decide if the upgrade is interesting or not.
Also, I would recommend to not upgrade to a new PAN-OS version (for instance moving from PAN-OS 9.1 to PAN-OS 10.1) while you have reported an issue to TAC, unless it is a known issue which is fixed in that version.
Why? Simply because a new version introduced a lot of changes, that would only add complexity to isolate the cause of your issue. However, upgrading to the last maintenance release can be interesting to do as it helps to see if the issue is still present on the version, and a fix is required or not.
To illustrate what I just mentioned, for instance you have an issue on 9.1.7 and you engaged TAC, do not upgrade to PAN-OS 10.0, but upgrade to latest maintenance release, for instance 9.1.10, and check if the issue persists or not.
And if you have a software issue ID, you can always contact your account team to check the status of the issue.
John:
At the start you mentioned the preferred version. Can you tell us more about this?
Olivier:
Sure John, let’s talk about the preferred version. A publicly available page is regularly updated with the current supported version, and the preferred version, actually the preferred maintenance release for each version.
Before I start to talk about the preferred version, you need to know all publicly released versions have passed through a series of QA tests (something like thousands of tests), those tests would validate most general use cases of PAN-OS situations. And it happens that corner cases are not caught when a maintenance release is out. Anyway, I just want to say that all releases are considered ready for production, otherwise we won’t release it.
So then why is a maintenance release marked “preferred”? The ETAC team will monitor the adoption of the new releases and the reported issues to see if there are no critical issues, to decide if it is a good option to upgrade the devices to.
However, let’s say you are running on 9.1.9, the preferred release is 9.1.9-h2 and you are experiencing a software issue resolved only on 9.1.10. Will you upgrade to 9.1.9-h2 or the 9.1.10? Some customers would only upgrade to 9.1.9-h2 and wait for 9.1.10 to be preferred to consider upgrading to it, while by upgrading directly to 9.1.10, they will not experience the issue.
Also, by waiting for the new release to be marked as “preferred”, customers are actually pushing back the date it will be actually marked as “preferred” as the adoption of the version is a factor to decide if it is “preferred” or not. Finally, let’s say a new vulnerability with active exploitation in the wild is fixed on the last release, would you wait for the version to be “preferred”? Of course not, you will immediately upgrade the PAN-OS device to fix the vulnerability.
Lastly, the notion of “preferred” release is at a point in time, if you ask again the next month, the answer would have changed.
So for all those reasons, “preferred” version is not always the version to install.
John:
Good info. Thanks Olivier. What about software end of life and support?
Olivier:
So when a version becomes end of life, that means the Engineering will stop working on that version. Unless there is a major security vulnerability, you can expect no new maintenance release on an End of life version.
Also from the TAC side, we can assist you in best effort to solve an issue, but eventually, if it is a software issue, you will eventually need to upgrade to a supported version so the issue can be further investigated and eventually if a fix needs to be released, the fix would be released.
John:
Perfect! So, what are the key takeaways for today Olivier?
Olivier:
So the key takeaways:
- The PAN-OS version naming convention is simple: major version (dot) minor version (dot) maintenance release
- You should choose a PAN-OS version based on your actual needs, the stability requirements and the software support.
- “Preferred” version is not always the version to install, it will depend on the situation at a point in time
- And do not run on "end of life" version.
John:
Thanks again Olivier. As always, you will find the transcript with its different relevant links at live.paloaltonetworks.com under PANCast.