Recommendation for Palo Alto Devices: Upgrade to 11.1.10-h1

As part of UpKeep, our new feature to keep our NWG Manage customers' devices on the latest stable version, we reviewed the latest Palo Alto releases and recommend the upgrades detailed below.

Why Are You Sharing This Information?

Even if we're not managing Palo Alto devices for you, we want you to have the latest information to help keep your devices secure.

  • What should I do if I have a Palo Alto device that NWG manages?
    If you have a Palo Alto device(s) that we manage for you, we already know what hardware you have and what version you need to be on. We’ll handle the upgrade during an upcoming maintenance window (unless you are already running the recommended version). Zendesk notifications will be sent out once maintenance has been scheduled, including details about when implementation will take place. If your devices/locations require different days/times for maintenance to take place, you’ll receive separate tickets.
  • What if I have a Palo Alto device that NWG does not manage?
    If you have a Palo Alto device(s) in your environment, we suggest you upgrade to the recommended version listed below.
  • What if I don't have any Palo Alto devices?
    If you don't have any Palo Alto devices, no action is needed.

Which Palo Alto Release Do You Recommend?

For the majority of Palo Alto devices we manage, NWG recommends either 11.1.10-h1 or 10.2.13-h7, depending on your hardware.

Note: Newer hardware is not capable of running older versions of PanOS. Virtual Palo Alto firewalls do not have this limitation. The compatibility matrix can be found here.

Why 11.1.10-h1 or 10.2.13-h7?

  • In general, PanOS 11.1.X has the highest adoption rate across Palo Alto platforms, making it the most stable. PanOS 11.1.11 is the newest release, but we don’t recommend it because it has some known high-impact issues.
  • If your device isn’t capable of running 11.1.X, PanOS 10.2.X has the second-highest adoption rate across Palo Alto platforms. There’s a newer release of that as well (PanOS 10.2.16-h1), but as mentioned above, we don’t recommend it because it also has some known high-impact issues.

What Do You Recommend For Devices That Can’t Run 11.1.X or 10.2.X?

  • 12.1.2 - We only recommend this version for PA-5540, 5550, 5560, 5570, and 5580. These devices aren’t compatible with older releases.
  • 11.2.4-h7 - Recommended if your device requires 11.2.X. PanOS 11.2.8 is newer, but has some known issues that can have a high impact.
  • 10.1.14-h13 - Recommended if your device requires 10.1.X. PanOS 10.1.X is nearing the end of support (3/21/26), so these devices should be replaced soon.
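
To check an inventory against the recommendations above, compare versions numerically, hotfix included: a plain string comparison ranks 10.1.14-h2 above 10.1.14-h13. The sketch below is an added example, not NWG's tooling; the hostnames, the sample running versions and the per-device target train are constructed assumptions (the train each model can run comes from the compatibility matrix, which is not reproduced here).

```python
import re

# Recommended release per PanOS train, as listed in this article.
RECOMMENDED = {
    "12.1": "12.1.2",
    "11.2": "11.2.4-h7",
    "11.1": "11.1.10-h1",
    "10.2": "10.2.13-h7",
    "10.1": "10.1.14-h13",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix) as ints; hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PanOS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(running, target_train):
    """Compare a running version with the recommended release of target_train."""
    target = RECOMMENDED.get(target_train)
    if target is None:
        return ("unknown-train", None)
    have, want = parse_version(running), parse_version(target)
    if have == want:
        return ("compliant", target)
    if have > want:
        # Above the recommendation (e.g. 11.1.11): check it against the known issues.
        return ("ahead-of-recommended", target)
    return ("upgrade", target)

# Constructed sample inventory: (hostname, running version, target train).
INVENTORY = [
    ("fw-edge-01", "11.1.6-h3", "11.1"),
    ("fw-dc-01", "11.1.11", "11.1"),
    ("fw-branch-07", "10.2.13-h7", "10.2"),
    ("fw-old-03", "10.1.14-h2", "10.1"),
]

def report(inventory):
    """Return (hostname, running, status, target) for every device."""
    return [(host, ver) + assess(ver, train) for host, ver, train in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print("{:<14} {:<12} {:<22} {}".format(*row))
```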

Review Details

PanOS 12.1.2

PanOS 12.1.2 Review

Support for PanOS 12.X begins with version 12.1.2. This version is not a preferred version for any hardware except the PA-5540, 5550, 5560, 5570, and 5580. These hardware platforms require 12.1.2 and cannot run older versions.

PanOS 12.1.2 Conclusion

NWG does not recommend PanOS 12.1.2 at this time.

PanOS 11.2

PanOS 11.2 Review

The current Palo Alto recommended version is 11.2.4-h7. PanOS 11.2.8 is the newest version but has some known issues that can have a high impact. Some of the issues are:

Bug ID: PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.

Bug ID: PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.

Bug ID: PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all.

PanOS 11.2 Conclusion

NWG recommends PanOS 11.2.4-h7 for all devices that require PanOS 11.2.X. PanOS 11.2.X only has a ~5% adoption rate across Palo Alto platforms. NWG recommends earlier versions of PanOS where possible.

PanOS 11.1

PanOS 11.1 Review

The current Palo Alto recommended version is 11.1.10-h1. PanOS 11.1.11 is the newest version, but was just released on 9/9/25 and has some known issues that have a high impact. The issues are:

Bug ID: PAN-293673
When the firewall generates a high volume of logs and attempts to export these logs to an FTP server, it may consume excessive memory leading to all PAN-OS processes crashing.

Bug ID: PAN-290088
When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.

Bug ID: PAN-285894
If the Preserve Pre-NAT feature is enabled, dataplane crashes may occur, which could result in firewall reboots.

PanOS 11.1 Conclusion

NWG recommends PanOS 11.1.10-h1 for all devices that are capable of running 11.1. PanOS 11.1.X has the highest adoption rate across Palo Alto platforms.

PanOS 10.2

PanOS 10.2 Review

The current Palo Alto recommended version is 10.2.13-h7. PanOS 10.2.16-h1 is the newest version, which was released on 7/2/25, and has some known issues that have a high impact. The issues are:

Bug ID: PAN-290088
When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.

Bug ID: PAN-266900
In Panorama, the OK button does not work when trying to install configurations to a managed firewall from the Managed Devices, Summary, Install section, even after selecting the update type and file from the drop-down menu and choosing the firewall.

Bug ID: PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.

PanOS 10.2 Conclusion

NWG recommends PanOS 10.2.13-h7 for all devices that are capable of running 10.2. PanOS 10.2.X has the second-highest adoption rate across Palo Alto platforms and should be used for devices that are not capable of running 11.1.X.

PanOS 10.1

PanOS 10.1 Review

The current Palo Alto recommended version is 10.1.14-h13. PanOS 10.1.14-h16 only addresses a low-severity CVE specific to SDWAN.

PanOS 10.1 Conclusion

NWG recommends PanOS 10.1.14-h13 for all devices that are not capable of running 10.2. PanOS 10.1.X is nearing the end of support (3/21/26).

Review Process

  • Model Evaluation
    • Determines major code revision compatibility
  • Newest Version (Mature/GA)
    • Evaluate known issues
    • Evaluate resolved issues
    • Evaluate features as needed

Code versions reviewed
