05-10-2018 12:38 PM
I have new PA-220 firewalls that are replacing my old PA-500's. The PA-500's have v7.0.5-h2 of the PANOS installed. The Firewall Migration Guide states that I need to update the PANOS on my old firewalls to match the new firewalls at 8.1.0. The PA-500's are out of support, but I do have access to download the PanOS_220_8.1.0 (and earlier versions) of the software from the website. My question is can I install the PANOS that is labeled for the PA-220 on the PA-500's without causig any problems. The whole point of this is to get the configuration on the old firewall to the correct version so I can export it and import it into the new firewall.
Thanks!
Chris
05-10-2018 12:49 PM
You wouldn't have the proper files to do the update anyways with your current version and the starting version for the 220, as you need to go to the last 7.0.* release, update to 7.1, update to the latest 7.1.* maintenance release, and then finally make the jump to 8.0.* (I wouldn't recommend 8.1 in production just yet).
Talk to your SE and they will be able to provide you with the proper files.
05-10-2018 12:49 PM
You wouldn't have the proper files to do the update anyways with your current version and the starting version for the 220, as you need to go to the last 7.0.* release, update to 7.1, update to the latest 7.1.* maintenance release, and then finally make the jump to 8.0.* (I wouldn't recommend 8.1 in production just yet).
Talk to your SE and they will be able to provide you with the proper files.
05-10-2018 02:42 PM - edited 05-10-2018 03:02 PM
Good point on not having the correct 7.x software from the PA-220. I already have an email out to the SE. Hopefully, I'll hear from him shortly.
Are you aware of any significant issues with OS 8.1.x? The PA-220's either came with that installed or the guy before me updated it already. With that in mind, would you recommend back-reving it to 8.0.x?
Also, as I'm updating the software on the PA-500, can I go from 7.0.5-h2 --> 7.1.latest release --> 8.0.9 (which looks to be the latest release of 8.0.x) or out it be better to go 7.0.5-h2 --> 7.1.0 --> 8.0.0 --> 8.0.9? Just looking for the path of least resistance. It may not matter based on what the SE can get me.
Thanks!
05-10-2018 08:06 PM
8.1.1 doesn't really have any significant issues that I'm aware of at the moment, however it's still a new release and not a lot of people are running it in production just yet. I would give it a while and check back to see if any additional issues have been uncovered, although I would likely still recommend waiting until 8.1.2 and 8.1 actually becomes a recommended software release. I would recommend reverting to 8.0.x for the time being.
As for the update the recommened upgrade back would be the following:
7.0.5-h2 - Latest 7.0.* maintenance release.
7.0.* - 7.1.1 base image (7.1.0 was pulled, 7.1.1 is the base image)
7.1.1 - 7.1.* (Latest Maint Release)
7.1.* - 8.0
8.0 - 8.0.8/9 (I believe 8.0.9 has moved into recommended status; I've been running it for awhile and haven't run into any issues.)
05-11-2018 09:18 AM
Thank you so much for your guidance. One last question - I think. Do you know of any performance issues with running 8.0.x on the PA-500's?
Chris
05-12-2018 07:30 PM
I have no direct experiance with running 8.0.* on the PA-500; however going off of what others have stated and what feedback I have heard, outside of slightly increasing commit times there are no adverse data effects from upgrading the PA-500s to 8.0.*
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
