1. Major Releases
PAN-OS 10.2
PAN-OS 11.0
PAN-OS 11.1
PAN-OS 11.2
A major release introduces:
New features
Support for new firewall models
Architectural changes
New integrations and capabilities
2. Maintenance Releases
11.1.0 → initial release
11.1.1
11.1.2
11.1.3
11.1.4
Maintenance releases contain:
Bug fixes
Performance improvements
Stability enhancements
Security fixes
3. Hotfix Releases
11.1.4-h1
Hotfixes are targeted fixes for:
Critical bugs
Security vulnerabilities
High-impact customer issues
Firewall upgrades cycle – Formal document to follow.
Emergency Patch Process
Shadowing of engineers for upgrades – Khoa to shadow DK for next upgrade
Create a Standard Change Template for firewall upgrades – Minor – H2-H3 – Manny to initiate this request
For critical CVEs:
Day 0
• Advisory released
• Security team evaluates exposure
Day 1–3
• Upgrade test region
• Validate production configuration
Day 4–7
• Upgrade internet-facing firewalls
• Upgrade Panorama
Day 8–14
• Upgrade remaining production devices
For severe management-plane or Global Protect vulnerabilities, compress this timeline to 24–72 hours.
Recommended Production Standards
• Maintenance releases bi-annually
- Move to preferred version, stay on same train
- Ex. Current Ver – 11.2.10-h10 – Ended preferred version
- Upgrade to latest hotfix 11.3.13-h5
- Test 30 days, adopt new Preferred Version
• Major release every 18–24 months
o Move to the next major train release only if:
Obtained preferred-release status
Wait till Prisma Access is on X.Y version
Reach at least X.Y.h4-8 hotfix maturity
Been in production elsewhere for several months
