I am currently looking to upgrade my HA pair of 3050s from 7.1.10 to 8.1.6 and per Palo Alto's best practices guide, it is recommended to upgrade to the latest maintenance release prior going to the next major one. As it stands per that best practice guide, I would be to going to 7.1.22, 8.0, 8.0.16, 8.1, 8.1.6 and I am wondering if anyone has done a multiple major release upgrade and how they approached it? The two different upgrade paths I have in my head are:
1. Upgrade the active firewall via the best practices method shown above, but don't upgrade the passive firewall until after so many days until confidence is reached that there are no issues then upgrade the passive. If there are issues during the testing phase, I could just switch my passive to active.
2. Upgrade the active/passive firewalls in a staggered approach across multiple days/weeks. For example, upgrade the active/passive firewall to 8.0 > test for x amount of days > upgrade > test.
Any recommendations on this would greatly be appreciated.
Solved! Go to Solution.
Start to upgrade the passiv one first. Then you will save on failover :-)
After compltion of all upgrade path on the passiv one, failover, test the new release during couple of days then, if test is ok, upgrade the other cluster's member else downgrade the fw.
Carefull: during this procedure, freeze your configuration.
I thought you could go from 7.1.x directly to the latest 8.0.16, and then directly to 8.1.7. You need to download the 8.0 and 8.1 base, but they can be deployed with the latest 0.0.x update.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!