Best practice to upgrade PAN-OS 6.1 to 8.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best practice to upgrade PAN-OS 6.1 to 8.1

L1 Bithead

Hello,

 

Could you please let me know the best practice to upgrading two PaloAlto FW (Ative - Passive) with HA.

PAN-OS 6.1.5 to 8.1.6

 

Appricate your feedback

 

Thanks

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@DPWorld ,

Man you're gonna have a fun time. 

Ensure that you have downloaded the following PAN-OS images. You might want to do so locally to a laptop or something you'll actually be doing the upgrade from, depending on how much free space you have on the device you might run out of space. 

  • 6.1.21 (Latest Maintenance release for your current release)
  • 7.0.1 (Base Release image for 7.0)
  • 7.0.19 (Latest Maintenance release for the 7.0 release)
  • 7.1.0 (Base Image)
  • 7.1.22 (Maintenance Release)
  • 8.0 (Base Image)
  • 8.0.16 (Latest Maintenance Release)
  • 8.1 (Base Image)
  • 8.1.* (Whatever your target release is in the 8.1 release)

Basic install practices remain the same, ensure you have free disk space, ensure you disable preempt, take a backup of your configuration. 

 

You'll then perform the upgrade like so.

  1. 6.1.5 -> 6.1.21
  2. 6.1.21 -> 7.0.1
  3. 7.0.1 -> 7.0.19
  4. 7.0.19 -> 7.1.0
  5. 7.1.0 -> 7.1.22
  6. 7.1.22 -> 8.0
  7. 8.0 -> 8.0.16
  8. 8.0.16 -> 8.1
  9. 8.1 -> 8.1.* (Whatever target maintenance release)

 

You should be okay with upgrading just a single HA member through all steps before moving to the next, but you are moving through a lot of images. I would recommend that you actually break (not suspend) HA temporarily to ensure that the one you are in the middle of upgrading doesn't become active. This would envolve ensuring all cables are unplugged so that even if the device becomes "active" it isn't actually processing any traffic. 

I've put this entire upgrade path on the latest recommended upgrade model which didn't really become a thing until 8.0; not knowing to model of firewall you are upgrading or your comfort in trully verifying disk space I would recommend you follow this model instead of the old model which would be fewer steps to avoid any issues.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

@DPWorld ,

Man you're gonna have a fun time. 

Ensure that you have downloaded the following PAN-OS images. You might want to do so locally to a laptop or something you'll actually be doing the upgrade from, depending on how much free space you have on the device you might run out of space. 

  • 6.1.21 (Latest Maintenance release for your current release)
  • 7.0.1 (Base Release image for 7.0)
  • 7.0.19 (Latest Maintenance release for the 7.0 release)
  • 7.1.0 (Base Image)
  • 7.1.22 (Maintenance Release)
  • 8.0 (Base Image)
  • 8.0.16 (Latest Maintenance Release)
  • 8.1 (Base Image)
  • 8.1.* (Whatever your target release is in the 8.1 release)

Basic install practices remain the same, ensure you have free disk space, ensure you disable preempt, take a backup of your configuration. 

 

You'll then perform the upgrade like so.

  1. 6.1.5 -> 6.1.21
  2. 6.1.21 -> 7.0.1
  3. 7.0.1 -> 7.0.19
  4. 7.0.19 -> 7.1.0
  5. 7.1.0 -> 7.1.22
  6. 7.1.22 -> 8.0
  7. 8.0 -> 8.0.16
  8. 8.0.16 -> 8.1
  9. 8.1 -> 8.1.* (Whatever target maintenance release)

 

You should be okay with upgrading just a single HA member through all steps before moving to the next, but you are moving through a lot of images. I would recommend that you actually break (not suspend) HA temporarily to ensure that the one you are in the middle of upgrading doesn't become active. This would envolve ensuring all cables are unplugged so that even if the device becomes "active" it isn't actually processing any traffic. 

I've put this entire upgrade path on the latest recommended upgrade model which didn't really become a thing until 8.0; not knowing to model of firewall you are upgrading or your comfort in trully verifying disk space I would recommend you follow this model instead of the old model which would be fewer steps to avoid any issues.

Thank you @BPry 🙂

Really appricate your help

I have tried this after running a factory reset on a PA-3020 and reverting back to 6.0.8.  The latest maintenance release is now 6.1.22.  I tried to upgrade to 7.0.1 and got the following error: "Failed to install PanOS_3000-7.0.1 with the following errors. SW version is 7.0.1 Error: Upgrading from 6.1.21 to 7.0.1 requires a content version of 497 or greater and found 451-2337. Failed to install version 7.0.1 type panos" I tried from 6.1.22 as well and got the same error. This particular firewall is in a secure, offline location, so dynamic updates are not possible.  The oldest dynamic update on the website today is only a month old, and 6.1.21/22 doesn't even recognize the file as valid.  How is one supposed to acquire content version 497?

  • 1 accepted solution
  • 6775 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!