When managing a network secured by Palo Alto Networks, choosing the correct software version for your devices is critical for ensuring stability, performance, and security. Palo Alto Networks uses specific labels to indicate the stability of their software releases. This guide will help you understand what the Preferred Release label means, their versioning system, and how to choose the correct version for your needs.
Building a Relationship with Palo Alto Networks
I’m putting this first because this is very important for all companies. While understanding these labels and versioning is essential, having a strong relationship with Palo Alto Networks is equally important. Knowing your Palo Alto Networks Sales Engineer and Account Manager can be immensely beneficial. Develop a relationship with them, as they can provide you with the recommended software versions to use and offer insights into Palo Alto Networks’ roadmaps. They are invaluable resources for getting the most out of your Palo Alto Networks investments and ensuring your network runs smoothly.
Preferred Release
The Preferred Release label is assigned to the most stable and widely recommended software versions. These releases have been thoroughly tested and validated, making them ideal for most deployments, including critical production environments. Preferred releases are selected based on their proven stability, performance, and positive feedback from Palo Alto Networks’ Technical Assistance Center (TAC). They are the versions that TAC sees as generally very stable and reliable.
Understanding Palo Alto Networks’ Versioning
In Palo Alto Networks’ versioning, the numbers typically break down as follows:
Example: 10.1.0
- The first number (10) represents the main software version or release train.
- The second number (1) indicates the feature release within that main version.
- The third number (0) signifies a specific build or maintenance release of that feature release.
Example: 11.1.1-h1
- The 11.1.1 portion follows the same main version (11), feature release (1), and maintenance release (1) pattern.
- The -h1 suffix refers to a hotfix release, which provides critical bug fixes or security patches between main releases.
Key Points About Palo Alto Networks’ Versioning
Main Versions (e.g., 10.x, 11.x)
- These major software releases can introduce significant new features and architectural changes.
- Main versions are typically supported for several years with maintenance releases.
Feature Releases (e.g., 10.1.x, 11.1.x)
- Feature releases within a main version bring new capabilities and enhancements.
- They are released periodically, often annually or semi-annually.
Base Versions (e.g., 10.0, 11.0)
- Base versions are the initial release of a main version and include major new features and changes.
- Base versions often undergo extensive testing and may be less stable initially compared to subsequent feature releases.
- It is typically recommended to avoid installing base versions (e.g., 11.0.0) and to wait for the first maintenance update (e.g., 11.0.1), which usually addresses initial bugs and improves stability.
Maintenance Releases (e.g., 10.1.0, 10.1.1)
- Maintenance releases provide bug fixes, security updates, and minor enhancements within a feature release.
- They help maintain stability and address issues without introducing new major features.
Hotfixes (e.g., 11.1.1-h1)
- Hotfixes are interim releases that address critical issues or vulnerabilities between scheduled maintenance releases.
- They are designed for targeted deployments to resolve specific problems.
Upgrade Strategy
Palo Alto Networks recommends staying on the latest maintenance release of a feature release that meets your organization’s needs for long-term stable deployment. Major version upgrades (e.g., 10.x to 11.x) often require more planning and testing due to the scope of changes involved. It is generally advised to consider upgrading to an X.1 release as required or after it reaches versions like X.1.4-5 or later, ensuring that it has matured and any initial bugs have been addressed.
Conclusion
Understanding these labels and versioning helps you make informed decisions about which Palo Alto Networks software versions to deploy in your network. Always refer to Palo Alto Networks’ official documentation and recommendations to ensure you use the most appropriate and stable software for your environment. Additionally, leveraging the expertise of your Palo Alto Networks representatives can provide you with tailored advice and access to the latest information and resources.
By carefully selecting the right software versions and building a strong relationship with Palo Alto Networks, you can maintain a robust, secure, and efficient network that meets your organization’s needs.
You can filter the images by Palo Alto “preferred” here:
https://support.paloaltonetworks.com/Updates/SoftwareUpdates