Title pretty much says it all but we're wanting to move to 8.0.6 since it is a Palo Alto support recommended version. We're currently running 7.1.4 I believe with both of our active/active firewalls. Panorama is already on the 8.0.x track.
My normal update procedure is to apply the update to one firewall, let it reboot and come back online and start passing traffic and then do the same to the other one. Usually only results in 5 to 10 seconds of dropped traffic when each firewall goes down.
I figured there is probably no difference in the actual upgrade procedure but I wanted to check to see if anyone has run into any gotchas or any settings that need to be modified once the new version is online that might result in a longer outage otherwise?
I don't have a lot to add but we looked into this as well as we are A/P with ours HA pair. The firewalls in 7.1.x and 8.0.x will still synchronize after one is upgraded and rebooted, anything older (7.0.x etc) will not synchronize.
I would recommend following the recommendation detailed in this document HERE. Also keep in mind that 8.0 does some interesting things with the logs, so that takes a few minutes to get everything working correctly.
Keep in mind that the upgrade procedure best practices recently changed later last year to the following.
Upgrading to a new major version for another with maintenance releases already available was simply to download the base image and the maintenance release, and only install the maintenance release.
Upgrade to the latest maintenance release within your current major version; then install the base 8.0.0 and restart before proceeding to 8.0.6.
The old method worked perfectly fine because the firewall is able to explode the base image and the maintenance image installer packages to pick apart all of the pieces and parts required to form an installer image for a direct upgrade to 8.0.6. However with the larger file sizes of the new releases PA started to see some issues with firewalls with limit storage, primarly the PA-200/220, PA-500, PA-2000, and the PA-4000.
If your not running an effected platform and you know that you have plenty of system space to explode the images you can still use the old upgrade recommendation to keep downtime to a minimal. Just know that you wouldn't be following the best practices as recommended and it can cause issues if you don't actually have the disk space required to perform this action.
Another note. We upgraded our Panorama to 8.0.7 and did not have any problems. We did this based on a security release that was fixed in 8.0.7 and was recommended by our SEs.
Another thing we are finding out right now based on a support ticket is that from our current 7.1.10 there is a bug going to 8.0.x that Panorama will blow out the VPN configurations unless your firewalls are on 7.1.15.
@BrianRa thanks for that information, I'll definitely move to 7.1.15 first.
Out of curiousity, what security bug did they reocmmend moving to 8.0.7 for?
@BPry thanks for the info. Panorama is already at 8.0.6 and we switched it to the new logging. Does anything have to be done on the firewalls themselves for the logging change or does it do it automatically?
My current plan for upgrading is:
Based on what support is saying and what we have been reading that install order looks correct. That is what we will be doing next week when we upgrade our first PA-3020 (only to the 8.0.7).
This is the email we received.
PAN-SA-2017-0030 - Cross Site Scripting in PAN-OS GlobalProtect
* Medium Severity
* Fixed in PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14, PAN-OS 8.0.6-h3
* Affects PAN-OS GlobalProtect portal and gateway
PAN-SA-2017-0031 - Cross Site Scripting in PAN-OS Captive Portal
* Medium Severity
* Fixed in PAN-OS 8.0.7
* Affects PAN-OS captive portal
PAN-SA-2017-0032 - ROBOT attack against PAN-OS
* High Severity
* Fixed in 8.0.7
* Affects PAN-OS SSL/Decryption and GlobalProtect portal and gateway
Is 8.0.7 still in review phase? I don't mind upgrading to that to fix security issues but I don't necessarily want to land on a version not currently recommended by Palo Alto after upgrading between major versions.
It is production, our SEs and support did not have any concerns with it when we have talked to them about it. Panorama has run fine. Remember we haven't done a firewall yet but I haven't been able to find any negatives posted. If we do ours first before you I will update with anything we noticed. This will be a remote site, we didn't want to tackle the VPN possible problems and the major revision update at the same time first as we have this option.
Can confirm that most of my firewalls are now running 8.0.7 without any issues.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!