PAN_OS 10.0.0 upgrade issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PAN_OS 10.0.0 upgrade issue

L1 Bithead

i am going to upgrade pan-os from 9.1.14-h4—>10.0.0–>10.0.11-h1–>10.1.0–>10.1.6-h6 for my pa 3260 device.But when the Pan-os upgraded to 10.0.0, i waited  for two hours and the global protect client can connect the portal and gateway, but it  can't access any network include Paloalto host ip, internal network and external network.  i accessed the device by internal netowrk. i didn't find any special log and it seem normal.   so i was not sure the issue and didn't continue to upgrade pan-os. At last i downgrade the pan-os to 9.1.14-h4,everything was ok.

    So i want to know if  pan-os 10.0.0 has this issue bug? can i continue to upgrade following   9.1.14-h4—>10.0.0–>10.0.11-h1–>10.1.0–>10.1.6-h6 ?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

As a rule of thumb I would always upgrade to the latest maintenance version in a code train, even for 'in between' upgrades

You can even do this without installing the x.x.0 base image, it only needs to be downloaded. i.e. download 10.0.0, download 10.0.11-h1, install 10.0.11-h1, reboot

 

This so you don't run into any old bugs and waste time troubleshooting an old operating system.

 

even if you do run into an issue in 10.0.11-h1, you can easily roll back to your previous version by running a 'debug swm revert' from CLI (which you can't if you first install and reboot into 10.0.0 and then to 10.0.11-h1 and only then figure out there's an issue)

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

As a rule of thumb I would always upgrade to the latest maintenance version in a code train, even for 'in between' upgrades

You can even do this without installing the x.x.0 base image, it only needs to be downloaded. i.e. download 10.0.0, download 10.0.11-h1, install 10.0.11-h1, reboot

 

This so you don't run into any old bugs and waste time troubleshooting an old operating system.

 

even if you do run into an issue in 10.0.11-h1, you can easily roll back to your previous version by running a 'debug swm revert' from CLI (which you can't if you first install and reboot into 10.0.0 and then to 10.0.11-h1 and only then figure out there's an issue)

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Hi,

 

You don't have to follow method you specified. Palo Alto Upgrade requires base version to upgrade first then to next sub code. In your case since you are moving from 9.1.xx to 0.1.6-h6 I would suggest below upgrade path

 

1. Take backup of firewall you are upgrading with (backup of Device State would be a good option from Device > Settings)

2. DO NOT upgrade if you are working remotely, make sure to have access to Management interface by present in office or remote hands assistance

3. Download all require software on firewall, this would help during facing any issue

4. Proceed to Upgrade 9.1.14-h4 => 10.0.0 => 10.1.0 => 10.1.6-h6 (You don't need to upgrade with 10.0.xx sub version)

 

T-SHOOT =

1. Here you might face issue post reboot - like you are not able to login in device using GUI or so, I have seen it sends "session logout error" in some cases, but if you are able to login proceed with next path mentioned above

2. If you face error not able to login or data plane not coming up you might still have access to MGMT interface in CLI. here is a link you can still upgrade firewall using CLI till final code

 

https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNns

 

Hope this will solve your problem

 

Best,

Bharat Rajwanshi

i want to know which version is recommended in 10.1.x?10.1.6-h6 or 10.1.7?

The version which is vulnerability free should be your pick. We upgraded to 10.2.2-h2, and so far no issue or bugs

 

Best,

you can see which version is recommended here : https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

right now 9.1.14-h4, 10.1.6-h6 and 10.2.2-h2 are "preferred"

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

i am going to upgrade an  HA  firewall pair from 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6. 

First method

1).upgrade the secondary  device once from 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6

2) suspend local device in primary device, and then upgrade primary 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6. 
Second method

1)upgrade the secondary  device  from 9.1.6--》9.1.14

2)suspend local device in primary device, and then upgrade primary 9.1.6--》9.1.14

3)upgrade the secondary  device once from 9.1.14--》10.0.11-h1

4)suspend local device in primary device and then upgrade primary 9.1.14--》10.0.11-h1

5)upgrade the secondary  device  from 10.0.11-h1--〉10.1.6-h6.

6)suspend local device in primary device,and then upgrade primary 10.0.11-h1--〉10.1.6-h6.

 

which method is the best one? 

 

L0 Member

Hi,

 

We have 10.0.4 version running in HA  on AWS.
Please suggest which version I need to jump and we need to do the same in both devices?

  • 1 accepted solution
  • 4531 Views
  • 7 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!