11-11-2020 02:06 AM
Hi,
I am upgrading some PA firewalls from 8.1.7 and 8.1.9 to 8.1.13. Normally I wouldn't ask these questions, but since these firewalls are extremely critical I need to be extra cautious.
Been looking at the upgrade matrix and couldn't see a clear answer, but based on my experience I believe it's a straight upgrade to 8.1.13 without any path. Is that correct?
Secondly, these firewalls have BGP going through them (only static routing on the firewalls though, with about 18 VRs). Do you recommend any specific checks?
Finally, these firewalls are decrypting traffic and have multiple vsys as well, so do you recommend any specific extra checks?
Thanks in advance.
Regards,
11-11-2020 03:14 AM
Yes, in your case you can directly upgrade the firewalls to version 8.1.13. Just make sure to keep the base version 8.1.0 downloaded, which should be present currently.
As these firewalls are very critical, before the upgrade please take a configuration backup of both firewalls and export it locally to your system. Along with it, keep the device state and Tech-Support file (generate a new one first, then export) exported to your local system too. These files will help you in case of any disaster situations.
Also, I recommend you check HA failover first. This will confirm that failover works fine and the other firewall unit is handling traffic without any issues.
You can also check the same by upgrading the current Active unit first: do an HA failover and put traffic on the other unit first. Then you will not need to do the extra task given in bold.
NOTE: I hope you have already gone through the release notes of your target version before the upgrade.
For more best practices, you can go through the article below.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK
All the best!
11-12-2020 02:32 AM
Thanks @SutareMayur
That's much appreciated.
Do you recommend I reboot the firewalls as well before I upgrade them?
Also, what are your thoughts on checks, i.e. what pre/post checks will be vital? As there are multiple VSYSes, DPI etc.
11-12-2020 04:50 AM
Hi @qasim02 ,
No need to reboot the firewalls before the upgrade. Just check HA failover functionality before the upgrade, as already stated in my earlier post. Coming to the additional checks, there is nothing specific as such due to the multi-vsys environment. I have done several upgrades before this which had multi-vsys on 5220 HA firewalls, and I followed the same steps that I have given so far. Every time it went well. Having said that, you can run a few health checks like disk utilization and DP & MP CPU utilization before the upgrade. If anything abnormal is observed, check it before proceeding with the upgrade. Otherwise, you should be good to proceed.
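The disk-utilization check mentioned above can be scripted so the same snapshot is compared before and after the upgrade. This is an added example, not part of the original replies: it parses df-style text as printed by `show system disk-space`, and the sample output, the 80% limit and the 10-point growth limit are all assumptions chosen for illustration.

```python
import re

# Constructed sample snapshots (df-style layout); not taken from a real firewall.
SAMPLE_PRE = """Filesystem      Size  Used Avail Use% Mounted on
/dev/root       9.5G  3.6G  5.5G  40% /
/dev/sda5        19G  6.5G   12G  37% /opt/pancfg
/dev/sda6       9.5G  8.0G  1.5G  85% /opt/panrepo
/dev/sda8       150G   40G  103G  28% /opt/panlogs
"""
SAMPLE_POST = """Filesystem      Size  Used Avail Use% Mounted on
/dev/root       9.5G  3.8G  5.3G  42% /
/dev/sda5        19G  6.7G   12G  38% /opt/pancfg
/dev/sda6       9.5G  5.5G  4.0G  60% /opt/panrepo
/dev/sda8       150G   66G   84G  45% /opt/panlogs
"""

# device, size, used, avail, use%, mount point; the header row does not match.
ROW = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+(\d+)%\s+(\S+)$")


def parse_disk_space(text):
    """Return {mount_point: use_percent} from df-style output."""
    usage = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            usage[match.group(3)] = int(match.group(2))
    return usage


def over_threshold(usage, limit=80):
    """Mount points at or above the assumed utilization limit."""
    return sorted(mp for mp, pct in usage.items() if pct >= limit)


def compare(pre, post, max_growth=10):
    """Mount points missing after the upgrade or grown by more than max_growth points."""
    findings = {}
    for mount, before in pre.items():
        if mount not in post:
            findings[mount] = "missing after upgrade"
        elif post[mount] - before > max_growth:
            findings[mount] = f"grew {before}% -> {post[mount]}%"
    return findings


if __name__ == "__main__":
    pre, post = parse_disk_space(SAMPLE_PRE), parse_disk_space(SAMPLE_POST)
    print("Pre-upgrade over limit:", over_threshold(pre))
    print("Pre/post differences:", compare(pre, post))
```

Anything the pre-upgrade pass flags should be looked at before the software image is installed, in line with the advice in the reply above.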
11-16-2020 05:22 AM
Cheers mate. Much appreciated