08-31-2022 09:59 AM - edited 08-31-2022 10:01 AM
I see I'm on an unsupported version of PAN OS. I'd like to upgrade but I'm stumped on the upgrade path. 10.0 is EOL so it doesn't list a preferred release. Can I move to 10.1 immediately? Also, 10.1 version lists 10.1.5 as the first version on the upgrade release guidance page, yet I can download 10.1 on my PA.
If either of the two options below are incorrect let me know the proper path. I do have an HA pair so I don't expect an outage based on past experience.
Also, thoughts on 10.2? I don't mind moving to a new version, I just don't want anything breaking!
Do I step in this manner:
10.0.10 > 10.0.11-h1
10.0.11-h1 > 10.1.0
10.1.0 > 10.1.5
10.1.5 > 10.1.6-h6
Or like this:
10.0.10 > 10.1.5
10.1.5 > 10.1.6-h6
Please advise. Thanks.
08-31-2022 01:22 PM - edited 09-01-2022 09:00 AM
I don't believe either posted is quite right (at least the way I would do it). Palo Alto recommends you upgrade to the latest maintenance before upgrading further, though if there is not a specific config problem fixed between your current 10.0.x and the latest 10.0.x then I don't see the point. You do need to download/install the major.minor.0 version though, before you can update to the latest maintenance release in that minor release chain.
So your most direct upgrade path would be:
10.0.10 -> 10.1.0
10.1.0 -> 10.1.6-h6
Technically you can combine the major.minor.0 and major.minor.x maintenance upgrades into a single step (download both the .0 and .x and then install the .x) and I have done that before... though I wouldn't do it for something critical/that can't be down for a full rebuild.
In upgrading my HA pair between major/minor revisions it has been my practice to upgrade the secondary peer to the new chain. Perform a failover to the secondary unit. Upgrade the primary peer to the new chain, then upgrade to the latest maintenance release. Perform a failover back to the primary unit. Then upgrade the secondary to the latest maintenance release. I have had to do a manual config resync when going between major releases, so I save that for last, ensure the primary is operating as expected on the new release and then push its config to the secondary.
Various upgrade docs:
09-01-2022 04:18 AM
Thanks for the info. I read your post but I'm not following what you are referring to as the "new chain"? Then you refer to the new chain and upgrade as if they are a separate process. I've always followed the upgrade HA pair guide you posted and it has worked for me.
09-01-2022 06:23 AM
@Adrian_Jensen I see you mentioned downloading 10.1 and 10.1.6-h6 but only installing 10.1.6-h6. Is there an article explaining that process? How does downloading but not installing a package have any effect on the package I end up installing?
09-01-2022 08:58 AM
Sorry if I didn't make it clear. The PANOS releases are numbered in the form "major.minor.maintenance-hotfix" (or "major.feature.maintenance-hotfix"). The "major.minor" portion of the release number is the "chain"; 9.1, 10.0, 10.1 are all distinct PANOS development/feature paths and switching from one to the other is considered a major change (x.0 is a feature/testing chain and x.1 is a long-term stable chain). I don't think PA uses the word "chain" anywhere to describe releases, but it is commonly used in other device OSes, such as Cisco, to describe different development paths. The "maintenance" portion of the release number indicates development updates and general fixes. The "hotfix" portion indicates emergency fixes.
When changing between release paths (chains), you need to install the .0 maintenance release package first as it contains additional base files and setup not found in the maintenance updates. This can be seen in the package file sizes:
9.1.0 - 857MB
9.1.1 - 334MB
9.1.2 - 335MB
9.1.3 - 344MB
9.1.3-h1 - 344MB
So the official upgrade path is to download and install the .0 version in the chain (e.g. 10.1.0). Then, after rebooting, download and install the .x version (e.g. 10.1.5). It is technically possible to download the .0 and .x version at the same time and then click install on the .x version only, the PA will find the .0 package and install all the necessary parts from that first, then install the .x version over the top, in one upgrade cycle. But again, I DO NOT RECOMMEND this for an HA pair or standalone firewalls with limited downtime windows... though I have done it on a standalone firewall without issue. PA recommended doing it as individual steps in a support call.
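The numbering scheme and the two install sequences described in the reply above, worked through as an added example (not code from the thread or from Palo Alto Networks). `parse` and `plan` are hypothetical helper names, the planner models only a single chain change as discussed here, and it returns an order of operations without contacting any firewall.

```python
import re
from typing import NamedTuple

# Release form described in the thread: major.minor.maintenance[-hN]
_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    hotfix: int = 0  # 0 = no hotfix, so 10.1.6 sorts before 10.1.6-h6

    @property
    def chain(self):
        # The "major.minor" part is what the thread calls the chain.
        return (self.major, self.minor)

    def __str__(self):
        base = f"{self.major}.{self.minor}.{self.maintenance}"
        return f"{base}-h{self.hotfix}" if self.hotfix else base


def parse(text):
    """Parse a release string; reject anything not in the expected form."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"not a major.minor.maintenance-hotfix release: {text!r}")
    return Release(*(int(g or 0) for g in m.groups()))


def plan(current, target, combined=False):
    """Return ordered (action, release) steps for one firewall.

    combined=False: install the .0 base, reboot, then install the target.
    combined=True:  download the .0 base only, then install the target.
    Assumption: current and target are in the same or adjacent chains.
    """
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        raise ValueError("target must be newer than the running release")
    base = Release(tgt.major, tgt.minor, 0)
    if cur.chain == tgt.chain or tgt == base:
        return [("install", str(tgt))]  # no separate base package step needed
    if combined:
        return [("download", str(base)), ("install", str(tgt))]
    return [("install", str(base)), ("reboot", str(base)), ("install", str(tgt))]
```
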
09-01-2022 11:52 AM
Thanks again @Adrian_Jensen . This explanation really brought it together for me.
Dan
09-02-2022 08:27 AM
I did the 10.0.10 to 10.1.0 migration and my firewall sync got out of whack. The DLP plugin version became a mismatch. So I had to uninstall the 1.0.4 version on my active side 10.1.0 and then they were able to sync. The problem I'm encountering now is when I fail over to my passive device, which is a match on all green checks on the HA stats, it drops traffic immediately. Now after opening a ticket with a 3rd party TAC agency they advised moving the passive device to 10.1.6-h6 and it is also dropping traffic to the outside. Hopefully they can help me out but I'm not holding my breath.
09-02-2022 12:03 PM
DLP became a mismatch between the active/passive when they were running different releases or the same release?
There have been several threads about people switching to the 10.1 chain and having sync problems between HA pairs. I wonder if this is a case and the passive unit has corrupted the config?
There was a longer thread in the forums that ended up having to isolate the active/passive units, copy the active config onto the passive unit and then change all the passive-specific unit settings to be correct, then reconnect the units. But I can't seem to find that thread at the moment.
02-24-2023 12:03 PM
This is a great post. However it is mistaken that the recommended steps are to download and install the major.minor.0 version. There used to be a KB article which appeared to suggest this without careful reading but it's not the case. The current docs are clearer that after additional maintenance fixes are released you should download but not install the major.minor.0, download the target major.minor.x release, then install the target release. Of course, there could be other reasons you were given advice otherwise.
> So the official upgrade path is to download and install the .0 version in the chain (e.g. 10.1.0). Then, after rebooting, download and install the .x version (e.g. 10.1.5).
Supporting document: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...