Nominated Discussion: Best Practices - Multi Large Upgrades PAN-OS Firewall HA

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This article is based on a discussion, Best practice to allow Internet IPs, posted by @Metgatz and answered by @OtakarKlier . Read on to see the discussion and solution!



Best practices - Multi large upgrades pan-os Firewall HA


Good afternoon, as usual, thank you very much for your support and collaboration.

We have the possibility with a customer to perform multiple upgrades in one day, maintenance window.

We need to move from 8.1 to 9.1, i.e. 8.1.x to 9.0.x and from 9.0.x to 9.1.x.


So the question is the following:

1.- What is the best practice when it comes to make that jump, that intermediate upgrade from 9.0, for example when going from 8.1.x to ""9.0.x"" ( PAN-OS Intermediate, transitive ) final 9.1.x.

That intermediate jump, what is the best practice: I mean, for example, the current version 8.1.5, download and install the base 9.0.0? or is it recommended to download the base (9.0.0) and download and install (the recommended version of 9.0.x (9.0.16-h2), although it is say the intermediate transition version? to reach the recommended version 9.1.


2.- Also in relation to the same, the recommendation is still, in each jump, for example when moving to the same intermediate version 9.0, love or reassemble the HA and then continue with the upgrade ? or is it possible to apply both upgrades to a node and then on the other node ? I would understand that the best practice is to re-amplify the HA at each stage of the upgrade.


Please give me your comments, advice, recommendations and suggestions.


Thank you very much


Best regards




First backup the config. This doc should step you through the process. I forget when they allowed the base release download only and install the preferred release, i.e. just download 9.0 and download and install the latest version of the 9.0.x release. But you can do it with the 9.1, eg download 9.1.0 code but download and install the preferred release 9.1.x.


With an HA pair, do it all on the standby unit first. I when doing large jumps as these, it might be wise to go slow. What I mean is do the first jump on the standby, fail over, then upgrade the other one to the same version. Then keep going until you are up to the version you want to be at. Also make sure you dynamic updates are up to date as well, otherwise the PAN wont let you upgrade the OS.




Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎08-17-2022 09:04 AM
Updated by: