PA 3050 PAN-OS Upgrade Path

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted

PA 3050 PAN-OS Upgrade Path

I am currently looking to upgrade my HA pair of 3050s from 7.1.10 to 8.1.6 and per Palo Alto's best practices guide, it is recommended to upgrade to the latest maintenance release prior going to the next major one. As it stands per that best practice guide, I would be to going to 7.1.22, 8.0, 8.0.16, 8.1, 8.1.6 and I am wondering if anyone has done a multiple major release upgrade and how they approached it? The two different upgrade paths I have in my head are:

 

1. Upgrade the active firewall via the best practices method shown above, but don't upgrade the passive firewall until after so many days until confidence is reached that there are no issues then upgrade the passive. If there are issues during the testing phase, I could just switch my passive to active.

 

2. Upgrade the active/passive firewalls in a staggered approach across multiple days/weeks. For example, upgrade the active/passive firewall to 8.0 > test for x amount of days > upgrade  > test.

 

Any recommendations on this would greatly be appreciated.


Accepted Solutions
Highlighted
L5 Sessionator

Hi Justin,

 

Start to upgrade the passiv one first. Then you will save on failover :-)

After compltion of all upgrade path on the passiv one, failover, test the new release during couple of days then, if test is ok, upgrade the other cluster's member else downgrade the fw.

Carefull: during this procedure, freeze your configuration. 

 

Hope help.

 

v.

View solution in original post

Highlighted
L2 Linker

That's correct. No need to run 8.0 or 8.1 but it must be downloaded before run 8.0.X or 8.1.X.

View solution in original post


All Replies
Highlighted
Cyber Elite

Hello,

Yep that is pretty much the path you will take.

 

Cheers!

Highlighted
L5 Sessionator

Hi Justin,

 

Start to upgrade the passiv one first. Then you will save on failover :-)

After compltion of all upgrade path on the passiv one, failover, test the new release during couple of days then, if test is ok, upgrade the other cluster's member else downgrade the fw.

Carefull: during this procedure, freeze your configuration. 

 

Hope help.

 

v.

View solution in original post

Highlighted

Thanks!

Highlighted
L2 Linker

I thought you could go from 7.1.x directly to the latest 8.0.16, and then directly to 8.1.7. You need to download the 8.0 and 8.1 base, but they can be deployed with the latest 0.0.x update.

Highlighted
L2 Linker

That's correct. No need to run 8.0 or 8.1 but it must be downloaded before run 8.0.X or 8.1.X.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!