Nominated Discussion: Removing PAN-OS Base Images

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
100% helpful (2/2)

This Nominated Discussion Article is based on the post "What happens when a base image is deleted from PAN OS" by @Pras . Read on to see Cyber Elite @BPry recommendation!

 

Hi All,

My colleague deleted the base image  10.2.0 whilst being on the 10.2.3-h4. There is no issue with the device (VM series).

Is this a normal practice? Will it ever effect the working of the firewall?

FYI: This was an attempt to clear the root partition and it dramatically decreased the space from 99 to 72 percentage. He had deleted other version too but only with this one the space on root got significantly lowered.

This is confusing. Any suggestion on this experts?

Kind Regards,

P

 

 

Recommendation:

 

There's really no reason to keep the base image and it can be safely removed once you are on your target maintenance release. In the event that you are going back a single version (say you installed 10.1.9-h1 previously and then upgraded to 10.2.3-h4 directly) you would simply issue the 'debug swm revert' command to revert the active partition back to the previously running 10.1.9-h1 partition. Removing the base image will never affect the firewall from a functional standpoint.

 

If you're jumping multiple versions in a single upgrade (say 9.1.15-h1 to 10.2.3-h4) you might keep the base images because you can't simply rely on the other partition to downgrade in the event it's required anymore. In those situations I'd keep the required images to perform a potential downgrade on the firewall for a few weeks as long as it had the required space available to do so. You could just as easily remove them and re-download them if you actually perform the downgrade in the event you didn't have the space available to keep all of the images stored.

 

One thing to keep in mind when running 'show system disk-space' is that it's not a real-time check. I've always experienced a delay between removing images and that space being reflected in /opt/panrepo. The base images being the largest image available to download however, you would expect a larger amount of space returned upon their removal.

 

Regardless of platform the base image is always larger when compared to a maintenance release, but the difference between the size will differ by platform. On a PA-220 for instance the base image is ~220MB larger, go up to a PA-440 and you're looking at ~300MBs, expand that to a PA-5220 and it's ~600MB larger.

 

Rate this article:
  • 1310 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎03-29-2023 03:49 PM
Updated by: