07-23-2023 11:29 AM
Hello
I'm currently planning to upgrade my Palo Alto Networks firewall from version 9.0 to 10.1. As this is a critical operation, I want to ensure a smooth transition without any disruptions to our network and security policies. Before proceeding with the upgrade, I'd like to seek advice and insights from the community on the best practices to follow. Are there any critical points, potential challenges, or known issues that I should be aware of before initiating the upgrade process? Any tips or recommendations regarding pre-upgrade preparations, backup procedures, and post-upgrade verification would be greatly appreciated.
Thank you in advance for your valuable input and experiences!
07-23-2023 03:12 PM
Hello there.
I would be glad to give you some pointers, and others may chime in as well.
Are you using HA in your environment? If so, then please make sure you failover to your secondary, and upgrade the primary FW (not the other way around). This is so that, after the primary reboots.. if anything did occur, you can failback to your old 9.0 software that is on your backup box. this is one recommendation.
You only need to put in the base software (meaning, you will upgrade 9.0 to 9.1.0, there is no need to put in a higher 9.0.x prior to going to 9.1.0.
If 9.1.0 on your primary is good, then upgrade 9.1.0 on the other FW. Do NOT try and upgrade fully from 9.0 to 10.1.x (you really should go to 10.2.x, not sure why you are limiting yourself to 10.1.x.. the 10.2.4-hotfixes are good/stable. I run them in my production network. Anyways... again, do not try to quickly upgrade one side of your HA to 10.1.x, as you will have sync issues.
For each version, I would be saving a named snapshot file from the primary, and after you upgrade the secondary, I would import the primary FW config onto your secondary box (to ensure 100% accurate configuration).. granted you will need to reconfig the HA settings back, so they do not overlap.
Always move forward. If you have an issue, keep with the current version and get TAC on the phone. I have seen many times, where engineers are a little nervous at any little hiccup.
Once you have 9.1.0, install 10.0.0, but do NOT reboot. I would pick a higher version (10.0.16 or something).. I had issues with the 10.0.0.
Also, keep in mind that as your upgrade, your FW is going to go into "autocommit mode", where the firewall is in a "NOT READY" state, as seen by the task bar of your FW. Let the FW do its stuff. Autocommit and NOT READY have been seen for 20 min+.
Take your time, and all will be fine.
Proactively has a PANW TAC case created 48 hours before, so that they can assign an engineer during the times you are doing your upgrades. This is a best practice recommendation from PANW TAC directly.
If possible, and it is hard.. but try to stay more current with your PANW software upgrades... meaning, upgrade every 6 months, so 2 upgrades per year, so that you do not fall too far behind. Easier said than done, I understand... just a recommendation. 😛
Good Luck!!
07-25-2023 06:37 AM
Something to be mindful of when you're upgrading from this old of a major release, is that you'll have new signatures that you just haven't had active before the upgrade. So new vulnerability signatures and app-id signatures that you previously just haven't been exposed to will become active.
This can cause issues with traffic if you start identifying traffic differently post upgrade due to a new signature activation, and obviously the same thing for vulnerability signatures that haven't been active previously. Just something to be mindful of post-upgrade and something you may want to proactively keep an eye on the next little bit after the upgrade to ensure you don't encounter any issues.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
