cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

PAN-OS 9.0 Released - Stop and Think

Cyber Elite
Cyber Elite

Today Palo Alto Network officially released PAN-OS 9.0 to the general public. Some of you may have read posts recently regarding features that have leaked out from the beta, and if you have any questions those of us that have been participating with the beta are now actually able to give you direct answers. 

Like any major release the next few weeks will be filled with new posts describing issues users are having with 9.0; the most alarming of which will be issues found in production equipment. I wanted to take this time to caution users about jumping on 9.0 just because it's available.

 

Upgrade Advice:

Stop and Think! When upgrading to the next major version the first question you should be asking yourself this early in the products release cycle is if you need the new features or if you want the new features. Disrupting business because you wanted to install 9.0 for the new featureset is a terrible idea. If you have a business need for the new features the risk associated with running a new major release can be offset by business need. 

Lab equipment is cheap, and I highly recommend that anybody have a lab device to test new releases prior to upgrading to a new software release. If you do not have lab equipment to test your specific configuration in 9.0 I would hold off on rushing to install 9.0 on production equipment. 

 

There are issues:

Like any major software release, we are already aware of a number of limitations and known issues when using PAN-OS 9.0. The release notes attached to 9.0 have a list of known issues that is over 100  different issue IDs! 

 

My general guidance on major versions has not changed. If you do not have access to lab equipment to properly test your production configuration feature for feature please stay away from 9.0 for the time being. Let those of us that have lab equipment or non-critical firewalls figure out the issues within the 9.0 code base, and give PA some time to actually work on cutting down the number of known bugs in 9.0. 

 

Questions about 9.0?

Now that 9.0 is officially released and beta members are no-longer held by their NDA's, I'm more than happy to answer any questions about 9.0. If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and seeing what Palo Alto has on the roadmap. 

 

Lastly:

I can't stress this enough; 9.0 is cool and all the new features are awesome, but nothing is worth having to explain why your firewall stopped processing traffic in the middle of the day. If you do not have a way to properly test your configuration will actually work in 9.0 you'll want to stay away from it until we can actually generally recommend it on production equipment. This usually happens around the .5 software update within any major software release for PAN-OS. 

 

Disclaimer: I am not a Palo Alto Networks employee and this is not an official recommendation from Palo Alto Networks. 

Who Me Too'd this topic