Same thoughts here as well. Each week we had to add more and more sites to non-decrypt policies. Eventually we unchecked "Block unsupported cipher suites" in the decryption policy in the hope of allowing these sites to still work, just not be decrypted. Unfortunately in 6.x this setting appears to be bugged and the site still won't load. Support recommended we move to 7.x, where they said the issue was fixed. We moved to 7.0.2 and found that these sites wouldn't load on the first attempt, but a browser refresh would then load them successfully. Not great, but better than before.

Unfortunately, a month into running 7.x, we ran into a bug in which our Palos began depleting a certain buffer and would stop processing all SSL/TLS traffic for ~10 minutes. At first this issue happened once or twice a day, but now I've seen it occur as many as 15 times in one day. Early on I wrote a program to monitor for this buffer depletion and fail over as needed, so none of our users actually experience issues with it. I don't like the fact that I'm having to invoke HA fail-overs so many times, though. Failing back to 6.x isn't really an option due to the length of time it took to see this issue after we upgraded to 7.x and the number of changes we made within that timeframe. Support assures me that this issue will be fixed in 7.0.3.

I've lost a lot of faith in PAN's ability to keep up with current technology and publish quality releases. Minor bugs are one thing, but when every release has bug fixes related to dataplane restarts, race conditions, memory leaks, etc., it's just getting to be too much for a critical system. You could say not to update to the latest and greatest, but these kinds of bugs have been in every version. We had them in 5.x, 6.0.x, 6.1.x, and now 7.x. Also, with certain things like trusted root certs being tied to software upgrades, you really need to stay up to date.
I have a datacenter firewall upgrade project coming up, and I was really considering putting in PA-5060s or VMs for SDN. At this point I've pretty much dropped PAN from my options because I can't afford to have the same issues in the datacenter that I've had on the perimeter. Ultimately I really hope PAN can work through the current issues and put in a better QA process. I'd imagine they're going to have to completely revamp their decryption methods, however.
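The poll-and-fail-over watchdog the poster describes, as an added example that is not the poster's program and not Palo Alto Networks code. The post does not name the buffer, the polling command or the thresholds, so the metric reader and the fail-over action are injected callables and every number is an assumption; the part worth copying is the decision logic, which debounces a single bad sample and enforces a cooldown so a firewall that oscillates is not failed over on every poll (the post mentions up to 15 events a day). The `panos_ha_suspend` helper assumes the PAN-OS XML API `type=op` form of `request high-availability state suspend` and a trusted certificate on the management interface; verify both against the PAN-OS version in use before relying on it.

```python
"""Debounced buffer-depletion watchdog with an HA fail-over action.

Added example, not the original poster's program. The buffer being watched,
the thresholds and the PAN-OS API call are assumptions; only the decision
logic is meant to be taken as-is.
"""
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class FailoverMonitor:
    """Trips a fail-over when a buffer metric stays depleted across several polls.

    free_threshold : free-buffer count below which a sample counts as depleted
    trip_after     : consecutive depleted samples required before acting
                     (one bad sample must not cause an HA event)
    cooldown_s     : minimum seconds between two fail-overs
    """
    read_free: Callable[[], Optional[int]]   # returns free buffers, or None on read failure
    failover: Callable[[], None]             # side-effecting action, e.g. HA suspend
    free_threshold: int = 1000               # assumed value, tune to the real pool size
    trip_after: int = 3
    cooldown_s: float = 600.0
    clock: Callable[[], float] = time.monotonic
    events: List[str] = field(default_factory=list)
    _depleted_streak: int = field(default=0, init=False)
    _last_trip: Optional[float] = field(default=None, init=False)

    def poll(self) -> str:
        """Take one sample and return the decision taken for it."""
        free = self.read_free()
        if free is None:
            # A failed read (API timeout, auth error) is not evidence of depletion.
            self.events.append("read-failed")
            return "read-failed"
        if free >= self.free_threshold:
            if self._depleted_streak:
                self.events.append("recovered")
            self._depleted_streak = 0
            return "ok"
        self._depleted_streak += 1
        if self._depleted_streak < self.trip_after:
            return "depleted"
        now = self.clock()
        if self._last_trip is not None and now - self._last_trip < self.cooldown_s:
            # Still depleted, but we already failed over recently: do not flap.
            return "cooldown"
        self._last_trip = now
        self._depleted_streak = 0
        self.failover()
        self.events.append("failover")
        return "failover"


def panos_ha_suspend(host: str, api_key: str) -> None:
    """Suspend the local HA member so the peer becomes active.

    Assumed shape of the PAN-OS XML API op call for
    'request high-availability state suspend'; confirm on the target version.
    """
    cmd = ("<request><high-availability><state><suspend></suspend>"
           "</state></high-availability></request>")
    url = (f"https://{host}/api/?type=op&key={urllib.parse.quote(api_key)}"
           f"&cmd={urllib.parse.quote(cmd)}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        resp.read()


def simulate(samples, trip_after=3, cooldown_s=600.0):
    """Drive the monitor over a constructed series of free-buffer readings.

    Each poll advances a fake clock by 60 s. Returns the per-poll decisions and
    the fake timestamps at which a fail-over was triggered.
    """
    readings = iter(samples)
    fake_clock = [0.0]
    trips: List[float] = []

    def read() -> Optional[int]:
        fake_clock[0] += 60.0
        return next(readings)

    mon = FailoverMonitor(read_free=read, failover=lambda: trips.append(fake_clock[0]),
                          free_threshold=1000, trip_after=trip_after,
                          cooldown_s=cooldown_s, clock=lambda: fake_clock[0])
    decisions = [mon.poll() for _ in samples]
    return decisions, trips


if __name__ == "__main__":
    # Constructed readings: healthy, then depleted, a brief recovery, depleted again.
    series = [5000, 4000, 200, 150, 90, 60, 50, 40, 3000, 200, 100, 50]
    print(simulate(series))
```

In production the `read_free` callable would poll whatever counter the vendor points you at for the affected pool, and the `failover` callable would be `lambda: panos_ha_suspend(host, key)`; the cooldown should be at least as long as the recovery window you observe (the poster reports roughly 10 minutes), otherwise the monitor will bounce the pair while the buffer is still draining.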