so slowly but surely I'm upgrading a large number of palo alto's from versions 7.1.x to eventualy version 8.1.6( or higher)
In my palo alto training. and from some upgrades done before of pavm100 specifically. I always loved the fact that you can basically skip the install of a base image(though not recommended)
I don't like to do it with x.0.y version. as the .0 versions usually introduce new features. but 8.0 to 8.1x I don't see a major issue)
however my upgrade procedure has been:
from 7.1.x --> install version 8.0.0
from 8.0.0 --> download 8.1.0 and 8.1.x but install directly 8.1.x
I know palo alto recommends always installing the base image. however I would like to know what peoples real experiences are (with skipping base images, not going to the latest patch, etc)
am I dodging bullets so far( had no issues yet)
or do more people ignore this recommended part?
if we really want to follow all best practices it would be:
7.1.x to latest 7.1.y
7.1.y to 8.0.0.
8.0.0 to latest 8.0.x
8.0.x to 8.1.0
8.1.0 to latest 8.1.x
--> with a palo alto vm-100 add in a 3-5 more reboots between 7.1.y and 8.0.0 because you need to expand the memory, upgrade, shutdown, add a 60gb disk, copy disk, shutdown, remove old disk)
So just wanted to know. who does what when upgrading palo alto's?
--> always install baseimage every time?
--> always upgrade to latest patchrelease before upgrade
--> differnces between pa-vm and hardware appliances?
Thanks. and keep it friendly please.
So essentially the reason the new recommendation came to be due to smaller devices running out of disk space. When you skip the install of the base image, the firewall still needs to explode both images to piece together a working image to actually install the requested maintenance image.
The issue with the above process is that as PAN-OS has grown in size, the smaller devices simply don't have enough disk space to ensure that the device can actually do the above process. Now when the firewall has to explode images to piece together a working image, the firewall can't easily verify the disk space required for that process. This caused the firewall to fail piecing everything together again as it couldn't build a big enough temp file to build the install image.
I still highly recommend you don't actually skip the base image install process, regardless of what model of firewall you have or even if you know enough to verify your firewall has the space required to build a working install image. Piecing together an install image can still cause issues to pop up because the firewall has nothing to verify the image hasn't been messed up in the process.
You can certainly follow the old method with larger firewalls and not run into any issues, but keep in mind that there were enough issues reported that Palo Alto needed to change the process. This wasn't something PAN did to make us all scratch our heads, it was due to the number of issues people ran into on PA-200s and PA-500s; there was even a few issues on the 3000 series reported.
I like to live fast and dangerous: Congrats, feel free to follow the old method and hope you don't run into any issues.
I like to not cause extended maintenance windows or outages: Follow the new process.
I know you have to download the base image.
my question was not if it's possible and how. more a discussing if anybody had bad experiences doing it.
(there probably is a reason why PAN now recommends installing the base image)
the example you gave I think you made a typo perhaps. as I don't believe it is possible installing 8.1.x without installing 8.1.0
but seeing as you don't mention any bad experiences I assume you've done upgrades without installing the base image before with no problems.
so that means I'm not the only one doing it. and so far no bad experiences as well.
thanks for the feedback.
so far I've also done it a few times. each time with new setups( eg upgrading before the firewalls are in production environments)
still wonder why the pan best practices guide now says to install the base image as recommended. but possibly this is of course to cover their bases.
it only has to go wrong once to have a unhappy customer claiming PAn documentation is bad.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!