As part of UpKeep, our feature to keep our NWG Manage customers' devices on the latest stable version, we reviewed the latest Palo Alto releases and recommend the upgrades detailed below.

Why Are You Sharing This Information?

Even if we're not managing Palo Alto devices for you, we want you to have the latest information to help keep your devices secure.

• What should I do if I have a Palo Alto device that NWG manages?
  If you have a Palo Alto device(s) that we manage for you, we already know what hardware you have and what version you need to be on. We’ll handle the upgrade during an upcoming maintenance window (unless you are already running the recommended version). Zendesk notifications will be sent out once maintenance has been scheduled, including details about when implementation will take place. If your devices/locations require different days/times for maintenance to take place, you’ll receive separate tickets.
• What if I have Panorama devices that NWG manages?
  If you have Panorama devices, they will receive an upgrade one week prior to the additional Palo Alto device upgrades outlined below. You’ll receive Zendesk notifications for both.‍
• What if I have a Palo Alto device that NWG does not manage?
  If you have a Palo Alto device(s) in your environment, we suggest you upgrade to the recommended version listed below.‍
• What if I don't have any Palo Alto devices?
  If you don't have any Palo Alto devices, no action is needed.

Which Palo Alto Release Do You Recommend?

Note: The following recommendations are the most stable versions that remediate the high-severity vulnerability CVE-2026-0227. NWG reviewed this vulnerability when released and determined that, since there is no evidence of exploitation, and this vulnerability does not create a path for compromise or impact the security of the network, there was no need for an out-of-cycle upgrade.

For the majority of Palo Alto devices we manage, we recommend either 11.1.13 or 10.2.16-h6, depending on your hardware.

Why 11.1.13 or 10.2.16-h6?

• In general, PanOS 11.1.X has the highest adoption rate across Palo Alto platforms, making it the most stable. PanOS 11.1.13-h1 is the newest release, but we don’t recommend it because it has some known high-impact issues.
• If your device isn’t capable of running 11.1.X, PanOS 10.2.X has the second-highest adoption rate across Palo Alto platforms. There’s a newer release of that as well (PanOS 10.2.18-h1), but as mentioned above, we don’t recommend it because it also has some known high-impact issues.

What Do You Recommend For Devices That Can’t Run 11.1.X or 10.2.X?

• 12.1.4 - We only recommend this version for PA-5540, 5550, 5560, 5570, and 5580. These devices aren’t compatible with older releases.
• 11.2.7-h8 - Recommended if your device requires 11.2.X.
• 10.1.14-h20 - Recommended for all devices that are not capable of running 10.2.X.

Review Details

PanOS 12.X

PanOS 12.X Review

This version is not a preferred version for any hardware except the PA-55XX and PA-5XX. These hardware platforms require 12.X and cannot run older versions. The most current release is 12.1.4.

PanOS 12.X Conclusion

NWG does not recommend PanOS 12.1.4 at this time unless required.

PanOS 11.2

PanOS 11.2 Review

The current Palo Alto recommended version is 11.2.7-h4. PanOS 11.2.10-h2 is the newest version, but it has some known issues that can have a high impact. Some of the issues are:

Bug ID: PAN-295255

Palo Alto Networks next-generation firewalls may experience service disruptions due to all_task process crashes when deployed in environments having non-uniform MTU and are terminating IPSec tunnels.

Bug ID: PAN-259423

When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.

PanOS 11.2 Conclusion

NWG recommends PanOS 11.2.7-h8 for all devices that require PanOS 11.2.X. PanOS 11.2.7-h8 is the most stable version that remediates the high-severity vulnerability CVE-2026-0227. NWG reviewed this vulnerability when released and determined that, since there is no evidence of exploitation, and this vulnerability does not create a path for compromise or impact the security of the network, there was no need for an out-of-cycle upgrade. PanOS 11.2.X only has a ~8% adoption rate across Palo Alto platforms. NWG recommends earlier versions of PanOS where possible.

PanOS 11.1

PanOS 11.1 Review

The current Palo Alto recommended version is 11.1.13. PanOS 11.1.13-h1 is the newest version, but was released on 01/14/2026 and has some known issues that have a high impact. The issues are:

Bug ID: PAN-293673

When the firewall generates a high volume of logs and attempts to export these logs to an FTP server, it may consume excessive memory leading to all PAN-OS processes crashing.

Bug ID: PAN-279901

When decryption is enabled, segmented Client Hello packets can cause website access issues and memory leaks under the following conditions:

- The segmented Client Hello packets arrive out-of-order

- The segmented Client Hello packets arrive out-of-order and can be reassembled into a complete Client Hello when the first contiguous segment is formed by NGFW

- The first segment of the Client Hello packets is less than 5 bytes

- A decryption policy rule excludes this traffic from decryption and a Security policy rule (URL filtering) denies this session

Bug ID: PAN-207611

When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.

Bug ID: PAN-184406

Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.

Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.

PanOS 11.1 Conclusion

NWG recommends PanOS 11.1.13 for all devices that are capable of running 11.1. PanOS 11.1.13 is the most stable version that remediates the high-severity vulnerability CVE-2026-0227. NWG reviewed this vulnerability when released and determined that, since there is no evidence of exploitation, and this vulnerability does not create a path for compromise or impact the security of the network, there was no need for an out-of-cycle upgrade. PanOS 11.1.X has the highest adoption rate across Palo Alto platforms.

PanOS 10.2

PanOS 10.2 Review

The current Palo Alto recommended version is 10.2.16-h4. PanOS 10.2.18-h1 is the newest version, which was released on 12/2/25, and has some known issues that have a high impact.

Known 10.2.18-h1 issues:

Bug ID: PAN-303959

Traffic that is incorrectly identified as unknown-tcp/unknown-udp eventually drops due to an App-ID resource limitation issue.

Bug ID: PAN-297610

A firewall may become unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, causing the process to take an extended amount of time.

Bug ID: PAN-284067

A cumulative memory leak in the devsrvr process gets progressively worse whenever the CLI command show running application statistics is issued. This memory leak will gradually consume system memory and produce an out-of-memory (OOM) condition, leading to an eventual firewall reboot.

Workaround: Avoid using the CLI command: show running application statistics.

Bug ID: PAN-189076

On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.

Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.

Previous 10.2.16-h1 issues:

Bug ID: PAN-290088

When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.

Bug ID: PAN-266900

In Panorama, the OK button does not work when trying to install configurations to a managed firewall from the Managed Devices, Summary, Install section, even after selecting the update type and file from the drop-down menu and choosing the firewall.

Bug ID: PAN-187370

On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.

PanOS 10.2 Conclusion

NWG recommends PanOS 10.2.16-h6 for all devices that are capable of running 10.2. PanoOS 10.2.16-h6 is the most stable version that remediates the high-severity vulnerability CVE-2026-0227. NWG reviewed this vulnerability when released and determined that, since there is no evidence of exploitation, and this vulnerability does not create a path for compromise or impact the security of the network, there was no need for an out-of-cycle upgrade. PanOS 10.2.X has the second-highest adoption rate across Palo Alto platforms and should be used for devices that are not capable of running 11.1.X.

PanOS 10.1

PanOS 10.1 Review

The current Palo Alto recommended version is 10.1.14-h13.

PanOS 10.1 Conclusion

NWG recommends PanOS 10.1.14-h20 for all devices that are not capable of running 10.2. PanOS 10.1.14-h20 is the most stable version that remediates the high-severity vulnerability CVE-2026-0227. NWG reviewed this vulnerability when released and determined that, since there is no evidence of exploitation, and this vulnerability does not create a path for compromise or impact the security of the network, there was no need for an out-of-cycle upgrade. PanOS 10.1.X is nearing the end of support (3/21/26).

Review Process

• Model Evaluation
  
  • Determines major code revision compatibility

• Vendor Recommended
  
  • https://live.paloaltonetworks.com/t5/customer-resources/pan-os-globalprotect-amp-user-id-preferred-release-guidance-from/ta-p/258304

• Newest Version (Mature/GA)
  
  • Evaluate known issues
  • Evaluate resolved issues
  • Evaluate features as needed

• Evaluate known vulnerabilities
  
  • https://security.paloaltonetworks.com

Code versions reviewed

• 12.X
  
  • 12.1.4
    
    • https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/pan-os-12-1-4-known-and-addressed-issues
  • 12.1.2
    
    • https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/pan-os-12-1-2-known-and-addressed-issues
    • https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/features-introduced-in-pan-os
• 11.2
  
  • 11.2.10
    
    • https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/pan-os-11-2-10-known-and-addressed-issues
  • 11.2.4-h7
    
    • https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/pan-os-11-2-4-known-and-addressed-issues/pan-os-11-2-4-h7-addressed-issues
  • 11.2.8
    
    • https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/pan-os-11-2-8-known-and-addressed-issues/pan-os-11-2-8-known-issues
• 11.1
  
  • 11.1.13
    
    • https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-13-known-and-addressed-issues/pan-os-11-1-13-known-issues
  • 11.1.10-h1
    
    • https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-10-known-and-addressed-issues/pan-os-11-1-10-h1-addressed-issues
  • 11.1.11
    
    • https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-11-known-and-addressed-issues/pan-os-11-1-11-known-issues
• 10.2
  
  • 10.2.13-h7
    
    • https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-13-known-and-addressed-issues/pan-os-10-2-13-h7-addressed-issues
  • 10.2.16
    
    • https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-16-known-and-addressed-issues/pan-os-10-2-16-known-issues
  • 10.2.18-h1
    
    • https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-18-known-and-addressed-issues
• 10.1
  
  • 10.1
    
    • https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-14-known-and-addressed-issues