It's a case of "you are free to run whatever PAN-OS release you want, but if it's not one of the recommended releases, we won't support you". 🙂 Being a school district, we have a fair bit of autonomy on how we run our networks. But if we want support from the Ministry of Education, the provincial team that originally designed/implemented things for all districts, and the provincial helpdesk, then we need to run specific versions on the firewalls (plus or minus a bit).

But I'll bring this up as something to look at over the summer months. I think a re-architecting of the network is in order, now that we have more experience with things. 🙂 For example, it would be nice to move the OSPF off the district firewall completely and put it onto the router in front. That way, only traffic for the district data centre would go through the district firewall, and all school Internet traffic would bypass it completely. Currently, schools on the telco network are "in front" of the district firewall (routed directly to the Internet), while the schools on our fibre/wireless network use the district firewall as a router (no Security Policies affect Internet traffic from those schools).

And to move to a single subnet for the OSPF endpoints on the fibre/wireless network. And maybe play with the OSPF timeouts a bit. And maybe enable QoS prioritisation of the routing protocol traffic on the switches/Ubiquiti gear on the fibre/wireless network. Lots of ideas here to investigate. 🙂