We are running Global Protect 6.0.7, which is still listed as the preferred release with 6.0.8 listed as new.
Question is at what point should we upgrade to 6.1.x or 6.2.x?
Looking at the End-of-Life, it appears that 6.0.x is supported longer than 6.1.x, so we probably want to skip 6.1.x altogether being 6.0.x appears to be on a long-term support lifecycle.
What do you think?
I am guessing at some point we may want to jump to 6.2.x, but the current preferred is 6.2.2, which may be a bit early.
Would you just ride on 6.0.x for a bit longer and when it goes Preferred jump to 6.0.8 and ride the 6.0.8 wagon a bit longer?
I can see why upgrading might be appealing but I’d be asking myself a few things first:
1 - does the newer version have something I want/need?
2 - is the version I’m on no longer supported?
3 - is the version I’m on unstable?
4 - is the version I’m on carrying some kind of bug or vulnerability I need to mitigate?
Unless you answered “Yes” to one or more of these, just stay as you are. You could be introducing a problem if you’re just upgrading for the sake of it.
Check the PANW known problems list for the version you’re on to check out question 4.
Hope this helps.
I am looking at same issues. My users would love the extend time and disconnect prompts which requires I get up to 6.1 or 6.2.
I had been planning on going to the 6.1, then assume I am making another jump before it EOLs but now I am also second guessing and considering just moving to 6.0.7.
I was thinking the same as you late last year. We went with 6.0.8 at the start of the year and haven’t had issues (with ~1,500 users). I suspect 6.0.7 is ‘Preferred’ due to Mac OS issue on 6.0.8, so went with 6.0.8 as we use Windows only for laptops.
Some versions of PAN-OS require a minimum version of GP. In my case, I usually push an update every six months or so. Easy to do and easy to roll back for our limited users - about 30 or so.
FYI that GlobalProtect 6.2.2 on macOS fixes a cosmetic bug where the Connections page in Settings shows a big blank instead of the connection information. (6.1.x is impacted. Don’t know about 6.0.x.)
Not a functional issue but makes diagnosing issues a lot harder when the user doesn’t conveniently have that information available.
We are still on 6.0.5, I really should upgrade us soon. We tend to transparently push out the updates but have had some issues with installing the new version and getting stuck in a loop, anyone else had issues? Very intermittent but enough to be noticeable
we want to start rolling out 6.0.8 next week. testing it with around 50 users was showing no bad feedback, however 6.0.8 is still not preferred… i thought it will be preferred until we start when we were planning the rollout…
we have around 4500 windows users using globalprotect - anyone using 6.0.8 and can provide feedback if it is stable in similar environment?
Only issues with 6.1.3 is that MacOS has issues with captive portal detection. Only really any issue if you force an always-on VPN with network restrictions. Outside of that sticking with 6.1.x for the foreseeable future.
That is very true. Many of my upgrades are chasing product life-cycles to be honest. For example I migrated from Cisco IOS-XE 17.3.x to 17.6.x because 17.3.x goes EOL. Chasing that will land me at 17.9.x before the end of this year for sure.