PA 3050 PAN-OS Upgrade Path

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA 3050 PAN-OS Upgrade Path

I am currently looking to upgrade my HA pair of 3050s from 7.1.10 to 8.1.6 and per Palo Alto's best practices guide, it is recommended to upgrade to the latest maintenance release prior going to the next major one. As it stands per that best practice guide, I would be to going to 7.1.22, 8.0, 8.0.16, 8.1, 8.1.6 and I am wondering if anyone has done a multiple major release upgrade and how they approached it? The two different upgrade paths I have in my head are:

 

1. Upgrade the active firewall via the best practices method shown above, but don't upgrade the passive firewall until after so many days until confidence is reached that there are no issues then upgrade the passive. If there are issues during the testing phase, I could just switch my passive to active.

 

2. Upgrade the active/passive firewalls in a staggered approach across multiple days/weeks. For example, upgrade the active/passive firewall to 8.0 > test for x amount of days > upgrade  > test.

 

Any recommendations on this would greatly be appreciated.

2 accepted solutions

Accepted Solutions

L5 Sessionator

Hi Justin,

 

Start to upgrade the passiv one first. Then you will save on failover 🙂

After compltion of all upgrade path on the passiv one, failover, test the new release during couple of days then, if test is ok, upgrade the other cluster's member else downgrade the fw.

Carefull: during this procedure, freeze your configuration. 

 

Hope help.

 

v.

View solution in original post

That's correct. No need to run 8.0 or 8.1 but it must be downloaded before run 8.0.X or 8.1.X.

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

Yep that is pretty much the path you will take.

 

Cheers!

L5 Sessionator

Hi Justin,

 

Start to upgrade the passiv one first. Then you will save on failover 🙂

After compltion of all upgrade path on the passiv one, failover, test the new release during couple of days then, if test is ok, upgrade the other cluster's member else downgrade the fw.

Carefull: during this procedure, freeze your configuration. 

 

Hope help.

 

v.

Thanks!

I thought you could go from 7.1.x directly to the latest 8.0.16, and then directly to 8.1.7. You need to download the 8.0 and 8.1 base, but they can be deployed with the latest 0.0.x update.

That's correct. No need to run 8.0 or 8.1 but it must be downloaded before run 8.0.X or 8.1.X.

  • 2 accepted solutions
  • 6540 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!