11-23-2023 09:38 AM
I currently run 9.1.16 on our 3000 series firewalls. I need to upgrade to 9.1.16-H3 to resolve the cert expiry issue.
Are the H releases cumulative? Or do I need to install H1, H2, H3?
Will this require a reboot? Or as the term 'hotfix' implies, will it install on a live firewall? We run the firewalls as an Active/Passive pair.
11-23-2023 10:05 AM
Hi @IanLinwood
Q: Are the H releases cumulative?
A: Yes, they are. You don't have to install intermiediate maintenance releases (this includes hotfixes as well). You can just go straight to the release you want.
Q: Will this require a reboot?
A: Yes. Every firmware upgrade, no mater if it is hotfix, maintenance or majort release, require reboot. The reason for that is firewall is creating separate partion and mounting the new image to that partion. And reboot is required so firmware to be loaded from that partition.
Q: as the term 'hotfix' implies, will it install on a live firewall?
A: Palo Alto generally have two type of releases: major and maintenance. Major version are released one a year and introduce new features. Maintenance versions are released every couple of months and main purpose is to introduce bug fixes and patches. Hotfixs are exactly the same as maintenance releases, but introduce urgent fixes that cannot way for the standard maintenance release cycle. so they are released earlier as hotfix version.
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy
Q: We run the firewalls as an Active/Passive pair.
A: You need to upgrade each member separately. Palo Alto firewalls does not have function to auto-upgrade both member in the cluster.Once you upgrade one of the members it will detect that it is running newer version and automatically will enter standby mode and will not cause split-brain. More details you can find in the following link - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...
11-23-2023 10:05 AM
Hi @IanLinwood
Q: Are the H releases cumulative?
A: Yes, they are. You don't have to install intermiediate maintenance releases (this includes hotfixes as well). You can just go straight to the release you want.
Q: Will this require a reboot?
A: Yes. Every firmware upgrade, no mater if it is hotfix, maintenance or majort release, require reboot. The reason for that is firewall is creating separate partion and mounting the new image to that partion. And reboot is required so firmware to be loaded from that partition.
Q: as the term 'hotfix' implies, will it install on a live firewall?
A: Palo Alto generally have two type of releases: major and maintenance. Major version are released one a year and introduce new features. Maintenance versions are released every couple of months and main purpose is to introduce bug fixes and patches. Hotfixs are exactly the same as maintenance releases, but introduce urgent fixes that cannot way for the standard maintenance release cycle. so they are released earlier as hotfix version.
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy
Q: We run the firewalls as an Active/Passive pair.
A: You need to upgrade each member separately. Palo Alto firewalls does not have function to auto-upgrade both member in the cluster.Once you upgrade one of the members it will detect that it is running newer version and automatically will enter standby mode and will not cause split-brain. More details you can find in the following link - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
