Experiences with skipping the base image.

L2 Linker

Hello.

So slowly but surely I'm upgrading a large number of Palo Altos from version 7.1.x to eventually version 8.1.6 (or higher).

In my Palo Alto training, and from some upgrades done before on PA-VM-100s specifically, I always loved the fact that you can basically skip the install of a base image (though not recommended).

I don't like to do it with x.0.y versions, as the .0 versions usually introduce new features, but from 8.0 to 8.1.x I don't see a major issue.

 

However, my upgrade procedure has been:

From 7.1.x --> install version 8.0.0

From 8.0.0 --> download 8.1.0 and 8.1.x but install directly 8.1.x

I know Palo Alto recommends always installing the base image. However, I would like to know what people's real experiences are (with skipping base images, not going to the latest patch, etc.).
Am I dodging bullets so far (had no issues yet)?

Or do more people ignore this recommended part?

 

 

If we really want to follow all best practices it would be:

7.1.x to latest 7.1.y

7.1.y to 8.0.0

8.0.0 to latest 8.0.x

8.0.x to 8.1.0

8.1.0 to latest 8.1.x

--> With a Palo Alto VM-100, add 3-5 more reboots between 7.1.y and 8.0.0, because you need to expand the memory, upgrade, shut down, add a 60 GB disk, copy the disk, shut down, and remove the old disk.

So I just wanted to know: who does what when upgrading Palo Altos?

--> Always install the base image every time?

--> Always upgrade to the latest patch release before upgrading?

--> Differences between PA-VM and hardware appliances?

 

Thanks, and keep it friendly please.
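An added example, not code from the thread or from Palo Alto Networks: a small Python planner that enumerates the best-practice chain listed above (latest patch of the current train, then the next train's base image, then its latest patch) and, for comparison, the shortcut variant where base images are only downloaded. The release list and the function names are assumptions made for the example.

```python
# Added example (not from the thread or from Palo Alto Networks): plan a PAN-OS
# upgrade path following the thread's "follow all best practices" chain, and
# contrast it with the "skip the base image install" shortcut.
# The release list below is constructed sample data, not a real feed.
AVAILABLE = ["7.1.10", "7.1.26", "8.0.0", "8.0.5", "8.0.20", "8.1.0", "8.1.3", "8.1.6"]

def parse(version):
    """'8.1.6' -> (8, 1, 6) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def train(version):
    """Feature-release train of a version, e.g. '8.0.20' -> (8, 0)."""
    return parse(version)[:2]

def latest_in_train(t, available):
    """Latest maintenance release offered for train t (None if none listed)."""
    candidates = [v for v in available if train(v) == t]
    return max(candidates, key=parse) if candidates else None

def plan_upgrade(current, target, available, skip_base=False):
    """Return (action, version) steps from current to target.

    skip_base=False is the strict chain: latest patch of the current train,
    then the next train's base image (x.y.0), then its latest patch, and so
    on until the target is installed.  skip_base=True only downloads each
    base image (the device still needs it on disk) and installs the train's
    latest patch directly, the step the thread says fails on small-disk
    models when the two images cannot be unpacked and recombined.
    """
    if target not in available:
        raise ValueError(f"target {target} is not in the available releases")
    trains = sorted({train(v) for v in available
                     if train(current) <= train(v) <= train(target)})
    steps, cur = [], current
    for i, t in enumerate(trains):
        if i > 0:  # crossing into the next feature release: base image required
            base = f"{t[0]}.{t[1]}.0"
            if base not in available:
                raise ValueError(f"base image {base} is not available")
            steps.append(("download", base))
            if not skip_base:
                steps.append(("install", base))
                cur = base
        top = target if t == train(target) else latest_in_train(t, available)
        if parse(top) > parse(cur):
            steps.append(("download", top))
            steps.append(("install", top))  # every install means a reboot
            cur = top
    return steps
```

Counting the install steps of each plan gives the number of reboots a maintenance window has to absorb: five for the strict chain in the sample data, three for the shortcut.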


L4 Transporter

You cannot skip having the base image on the device. You do not have to install/boot to that base image, but if you are going from 7.1.x to 8.1.x you must have 8.0 downloaded to the device.

I agree with hshawn. You can do this from Panorama as well if that's in the equation. I just did this early this week in the lab as a demonstration.

8.0.x -> 8.1.0 (download but do not install), 8.1.6 (download & install)

Hello hshawn.

I know you have to download the base image.
My question was not if it's possible and how; more a discussion of whether anybody had bad experiences doing it.
(There probably is a reason why PAN now recommends installing the base image.)

In the example you gave, I think you made a typo perhaps, as I don't believe it is possible to install 8.1.x without installing 8.1.0.

But seeing as you don't mention any bad experiences, I assume you've done upgrades without installing the base image before with no problems.
So that means I'm not the only one doing it, and so far no bad experiences as well.

Thx

Hello Jeremy.

Thanks for the feedback.

So far I've also done it a few times, each time with new setups (e.g. upgrading before the firewalls are in production environments).

I still wonder why the PAN best practices guide now says to install the base image as recommended, but possibly this is of course to cover their bases.

It only has to go wrong once to have an unhappy customer claiming PAN documentation is bad.

 

 

@TommieVanHove ,

So essentially, the reason the new recommendation came to be is due to smaller devices running out of disk space. When you skip the install of the base image, the firewall still needs to explode both images to piece together a working image to actually install the requested maintenance image.

The issue with the above process is that as PAN-OS has grown in size, the smaller devices simply don't have enough disk space to ensure that the device can actually do the above process. Now, when the firewall has to explode images to piece together a working image, the firewall can't easily verify the disk space required for that process. This caused the firewall to fail piecing everything together again, as it couldn't build a big enough temp file to build the install image.

I still highly recommend you don't actually skip the base image install process, regardless of what model of firewall you have, or even if you know enough to verify your firewall has the space required to build a working install image. Piecing together an install image can still cause issues to pop up because the firewall has nothing to verify the image hasn't been messed up in the process.

You can certainly follow the old method with larger firewalls and not run into any issues, but keep in mind that there were enough issues reported that Palo Alto needed to change the process. This wasn't something PAN did to make us all scratch our heads; it was due to the number of issues people ran into on PA-200s and PA-500s; there were even a few issues on the 3000 series reported.

I like to live fast and dangerous: Congrats, feel free to follow the old method and hope you don't run into any issues.

I like to not cause extended maintenance windows or outages: Follow the new process.

Hi.

Thanks for this clear explanation.
It is basically what I was hoping for, as this explains why the recommendation is now to install base images.

In which case I'll modify my own procedures as well.

For non-production installs/new installs I'll probably keep skipping the base image install, purely because there is no impact if it goes wrong, and new installs tend to have a fairly empty disk.

(Especially VMs, as if it goes wrong it's possible to fairly quickly make a new VM.)

For production environments, due to the risk of impact, I'll have to install the base image, just to be on the safe side.
It does extend the maintenance window needed to do it.
However, I prefer having to request a maintenance window of 2+ hours and having no impact to requesting a 1-hour window but breaking a cluster member and causing possible impact/a higher risk of impact.

BPry,

With this being an old thread, are you aware if Palo has returned to the "skip the base image install" stance? I notice, 2 years later, that their Best Practices for PAN-OS Upgrade indicates:

– Download 8.1.0 (base version).
– Download and install the latest preferred 8.1.x maintenance release, and reboot to complete the upgrade.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

From your concise explanation, it would appear that this document just hasn't been updated yet? Thoughts?
