Do you only need to install the latest update from Panorama, or the prior updates as well?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Do you only need to install the latest update from Panorama, or the prior updates as well?

L0 Member

I am being told that when updates are released (sometimes 3 a week or 2 in 1 day) that you only need to install the latest update as it includes the previous updates rolled in. My security mindset says to install them all anyways to be sure. But I am curious what everyone else does?

 

Thanks,

 

-Andrew

1 accepted solution

Accepted Solutions

@AndrewCain,

Maintenance releases can be skipped and they will roll-up like what you are stating. So if for example you were running 8.0.2 and you went to update to 8.0.6-h3, you only need to download and install 8.0.6-h3 and not every maintenance release in between. 

View solution in original post

4 REPLIES 4

L3 Networker

Hi Andrew,

 

 

You don't need to install the intermediate software updates and can go to the latest version.

 

Please keep in mind that if you are going to upgrade your firewall from one major version to the next (say version 7.x to 8.x) you will need to download the base image for the major release before installing the patch fix.  (You don't have to install that base version, only download it.)

That makes perfect sense - Thanks for the reply!

 

Andrew

@davanderson,

Actually this is no longer recommended. The original recommendation is what you mentioned. The base image and the maintenance release is to be downloaded and only the maintenance release needed to be installed. The new recommendation is that the base image actually be installed before continuing to the latest maintenance release. 

This change came out in late July of this year, primarly due to the increased size of PAN-OS 8.0 and later. While this recommendation is primarly for the PA-200/220,PA-500,PA-2000 and the PA-4000 platforms, it's a valid consideration for all devices and should be considered the 'new' way of doing things. 

 

Essentially on older devices/platforms that had limited storage, or any device with storage restraints, it's best to use the new method due to the increased size of the new system images. The old way of doing things the system actually needed to explode both the base image and the maintenance image installer packages on-disk, and then it picked all the parts it needed to form an installer image to write to the system volume. With the new method the base components are available from the active operating system and the installer packages no longer needs to be expanded to pick to choose different parts of the image. 

@AndrewCain,

Maintenance releases can be skipped and they will roll-up like what you are stating. So if for example you were running 8.0.2 and you went to update to 8.0.6-h3, you only need to download and install 8.0.6-h3 and not every maintenance release in between. 

  • 1 accepted solution
  • 3059 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!