Best upgrade path 4.1.7-h2 to 6.0.12


L4 Transporter

Hi,

 

Which would be the best upgrade path from 4.1.7-h2 to 6.0.12?

Steps:

1) Download and install 5.0.0

2) Download 6.0.0, do not install; download 6.0.12 and install directly.

Correct, right?

Anything to keep in mind in this upgrade?


Cyber Elite

Hi,

Are you upgrading a cluster or a standalone device?

With a cluster you could take a few steps to ensure there is minimal to no downtime, while a standalone will require downtime during the reboots.

Your sequence is correct for a firewall (Panorama needs another hop to 5.1).

5.0.0 needs to be downloaded, but since you want to move on to 6, you can install that version instead of a later maintenance version.

6.0.0 needs to be downloaded as base, but since you want to move to 6.0.12 you can immediately install that version.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

It's a cluster, Active/Passive. Panorama has version 6.0.0, so it's OK.

We need to update GProtect (current 1.1.6) and UserID agent (current v5).

So version 5.0.0 in fw needs to be installed, right?

You always need to install a major version before you can go on to the next major version, so yes, you would need to download and install 5.0.0, reboot, download 6.0.0 AND 6.0.12, install 6.0.12.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi reaper,

 

My colleague had problems going from 4.x.x to 6.0.12. He had a traffic problem. He had to run these two commands to solve it in 6.x.x:

# set deviceconfig setting session tcp-reject-non-syn no

# set deviceconfig setting tcp asymmetric-path bypass

I looked in the release notes and I can't see anything about these two commands when you upgrade.

Those commands are useful as an interim solution if you're doing a 'dirty' upgrade of a cluster. If you follow the proper procedure these should not be necessary (although _some_ network topologies could require these, but that should be the exception, not the norm).

It basically disables all TCP sanity checks that would normally block abnormal flows (where the TCP handshake is missing or incomplete).

It is not recommended to keep these settings in your configuration after the upgrade, but they might be useful to keep in your back pocket, just in case.

If you follow these instructions and allow both HA peers enough time to properly and fully synchronize their state tables, the upgrade should be smooth and would not require you to disable TCP sanity checks: How to Upgrade a High Availability (HA) Pair

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Completely agree with reaper. Those commands disable important TCP sanity checks and allow asymmetrical traffic flows. They should NEVER be a permanent solution to an issue.

The permanent solution is to identify why the traffic is not flowing fully through the firewall and change the network flow so that the entire flow crosses the firewall.

Palo Alto inspection relies on being able to see all of the flow to be fully correct and accurate for the inspection and identification of threats and applications. Having partial flows bypass the firewall greatly lowers the security posture.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
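
A post-upgrade check for the two settings discussed above, as an added example that is not part of any post in this thread: it scans a set-format configuration export and reports whether either TCP sanity check is still relaxed. The function names, the sample text, the hostname and the `yes` value in the sample are constructed for illustration, and it assumes one `set ...` line per setting with a later line overriding an earlier one.

```python
import re

# The two relaxed settings quoted in the thread: config path -> risky value.
RISKY = {
    "deviceconfig setting session tcp-reject-non-syn": "no",
    "deviceconfig setting tcp asymmetric-path": "bypass",
}

# Accept an optional "#" prompt and uneven spacing, as in the pasted commands.
SET_LINE = re.compile(r"^\s*#?\s*set\s+(.+?)\s*$")


def effective_settings(config_text):
    """Return {path: value} for the watched paths; the last line seen wins."""
    found = {}
    for raw in config_text.splitlines():
        m = SET_LINE.match(raw)
        if not m:
            continue
        words = m.group(1).split()
        if len(words) < 2:          # "set" with no path/value: ignore
            continue
        path, value = " ".join(words[:-1]), words[-1]
        if path in RISKY:
            found[path] = value
    return found


def audit(config_text):
    """List watched paths whose effective value leaves the check disabled."""
    settings = effective_settings(config_text)
    return sorted(p for p, v in settings.items() if v == RISKY[p])


# Constructed sample: the interim commands were entered during the upgrade,
# and only one of them was reverted afterwards (assumed value "yes").
SAMPLE = """\
set deviceconfig system hostname fw-a
# set deviceconfig setting session tcp-reject-non-syn no
#set deviceconfig setting tcp asymmetric-path bypass
set deviceconfig setting session tcp-reject-non-syn yes
"""

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("still relaxed:", path, "=", RISKY[path])
```
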

Where do I get this version 6.0?

 

Cyber Elite

Hello,

These are super old and have been deprecated. If you need to upgrade an older version like this, I would suggest contacting support.

Regards,
