04-12-2019 06:49 AM
so slowly but surely I'm upgrading a large number of palo alto's from versions 7.1.x to eventualy version 8.1.6( or higher)
In my palo alto training. and from some upgrades done before of pavm100 specifically. I always loved the fact that you can basically skip the install of a base image(though not recommended)
I don't like to do it with x.0.y version. as the .0 versions usually introduce new features. but 8.0 to 8.1x I don't see a major issue)
however my upgrade procedure has been:
from 7.1.x --> install version 8.0.0
from 8.0.0 --> download 8.1.0 and 8.1.x but install directly 8.1.x
I know palo alto recommends always installing the base image. however I would like to know what peoples real experiences are (with skipping base images, not going to the latest patch, etc)
am I dodging bullets so far( had no issues yet)
or do more people ignore this recommended part?
if we really want to follow all best practices it would be:
7.1.x to latest 7.1.y
7.1.y to 8.0.0.
8.0.0 to latest 8.0.x
8.0.x to 8.1.0
8.1.0 to latest 8.1.x
--> with a palo alto vm-100 add in a 3-5 more reboots between 7.1.y and 8.0.0 because you need to expand the memory, upgrade, shutdown, add a 60gb disk, copy disk, shutdown, remove old disk)
So just wanted to know. who does what when upgrading palo alto's?
--> always install baseimage every time?
--> always upgrade to latest patchrelease before upgrade
--> differnces between pa-vm and hardware appliances?
Thanks. and keep it friendly please.
04-14-2019 05:56 PM
So essentially the reason the new recommendation came to be due to smaller devices running out of disk space. When you skip the install of the base image, the firewall still needs to explode both images to piece together a working image to actually install the requested maintenance image.
The issue with the above process is that as PAN-OS has grown in size, the smaller devices simply don't have enough disk space to ensure that the device can actually do the above process. Now when the firewall has to explode images to piece together a working image, the firewall can't easily verify the disk space required for that process. This caused the firewall to fail piecing everything together again as it couldn't build a big enough temp file to build the install image.
I still highly recommend you don't actually skip the base image install process, regardless of what model of firewall you have or even if you know enough to verify your firewall has the space required to build a working install image. Piecing together an install image can still cause issues to pop up because the firewall has nothing to verify the image hasn't been messed up in the process.
You can certainly follow the old method with larger firewalls and not run into any issues, but keep in mind that there were enough issues reported that Palo Alto needed to change the process. This wasn't something PAN did to make us all scratch our heads, it was due to the number of issues people ran into on PA-200s and PA-500s; there was even a few issues on the 3000 series reported.
I like to live fast and dangerous: Congrats, feel free to follow the old method and hope you don't run into any issues.
I like to not cause extended maintenance windows or outages: Follow the new process.
04-15-2019 01:13 AM
thanks for this clear explanation.
it is basically what I was hoping for. as this explains why the recommendation is now to install base images.
in which case I'll modify my own procedures as well.
for non production installs/new installs I'll probably keep skipping the base image install. purely because there is no impact if it goes wrong. and new installs tend to have a fairly empty disk.
(especially vm's as if it goes wrong it's possible to fairly quickly make a new vm.)
for production environments. due to risk of impact I'll have to install the base image. jsut to be on the safe side.
it does extend the maintenance window needed to do it.
however I prefer having to request a maintenance window of 2+ hours and having no impact then requesting a 1hour window but breaking a cluster member and causing possible impact/higher risk of impact)
06-15-2021 07:29 AM
With this being an old thread, are you aware if Palo has returned to the "skip the base image install" stance? I notice 2 years later, that their: Best Practices for PAN-OS Upgrade indicates:
– Download 8.1.0 (base version).
– Download and install the latest preferred 8.1.x maintenance release, and reboot to complete the upgrade.
From your concise explanation, it would appear that this document just hasn't been updated yet? Thoughts?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!