09-17-2022 08:53 PM
i am going to upgrade pan-os from 9.1.14-h4—>10.0.0–>10.0.11-h1–>10.1.0–>10.1.6-h6 for my pa 3260 device.But when the Pan-os upgraded to 10.0.0, i waited for two hours and the global protect client can connect the portal and gateway, but it can't access any network include Paloalto host ip, internal network and external network. i accessed the device by internal netowrk. i didn't find any special log and it seem normal. so i was not sure the issue and didn't continue to upgrade pan-os. At last i downgrade the pan-os to 9.1.14-h4,everything was ok.
So i want to know if pan-os 10.0.0 has this issue bug? can i continue to upgrade following 9.1.14-h4—>10.0.0–>10.0.11-h1–>10.1.0–>10.1.6-h6 ?
09-19-2022 01:33 AM - edited 09-19-2022 01:35 AM
As a rule of thumb I would always upgrade to the latest maintenance version in a code train, even for 'in between' upgrades
You can even do this without installing the x.x.0 base image, it only needs to be downloaded. i.e. download 10.0.0, download 10.0.11-h1, install 10.0.11-h1, reboot
This so you don't run into any old bugs and waste time troubleshooting an old operating system.
even if you do run into an issue in 10.0.11-h1, you can easily roll back to your previous version by running a 'debug swm revert' from CLI (which you can't if you first install and reboot into 10.0.0 and then to 10.0.11-h1 and only then figure out there's an issue)
09-19-2022 01:33 AM - edited 09-19-2022 01:35 AM
As a rule of thumb I would always upgrade to the latest maintenance version in a code train, even for 'in between' upgrades
You can even do this without installing the x.x.0 base image, it only needs to be downloaded. i.e. download 10.0.0, download 10.0.11-h1, install 10.0.11-h1, reboot
This so you don't run into any old bugs and waste time troubleshooting an old operating system.
even if you do run into an issue in 10.0.11-h1, you can easily roll back to your previous version by running a 'debug swm revert' from CLI (which you can't if you first install and reboot into 10.0.0 and then to 10.0.11-h1 and only then figure out there's an issue)
09-19-2022 01:49 AM
Hi,
You don't have to follow method you specified. Palo Alto Upgrade requires base version to upgrade first then to next sub code. In your case since you are moving from 9.1.xx to 0.1.6-h6 I would suggest below upgrade path
1. Take backup of firewall you are upgrading with (backup of Device State would be a good option from Device > Settings)
2. DO NOT upgrade if you are working remotely, make sure to have access to Management interface by present in office or remote hands assistance
3. Download all require software on firewall, this would help during facing any issue
4. Proceed to Upgrade 9.1.14-h4 => 10.0.0 => 10.1.0 => 10.1.6-h6 (You don't need to upgrade with 10.0.xx sub version)
T-SHOOT =
1. Here you might face issue post reboot - like you are not able to login in device using GUI or so, I have seen it sends "session logout error" in some cases, but if you are able to login proceed with next path mentioned above
2. If you face error not able to login or data plane not coming up you might still have access to MGMT interface in CLI. here is a link you can still upgrade firewall using CLI till final code
https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNns
Hope this will solve your problem
Best,
Bharat Rajwanshi
09-19-2022 02:43 AM
i want to know which version is recommended in 10.1.x?10.1.6-h6 or 10.1.7?
09-19-2022 02:53 AM
The version which is vulnerability free should be your pick. We upgraded to 10.2.2-h2, and so far no issue or bugs
Best,
09-19-2022 05:28 AM
you can see which version is recommended here : https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...
right now 9.1.14-h4, 10.1.6-h6 and 10.2.2-h2 are "preferred"
10-25-2022 12:30 AM
i am going to upgrade an HA firewall pair from 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6.
First method
1).upgrade the secondary device once from 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6
2) suspend local device in primary device, and then upgrade primary 9.1.6--》9.1.14--》10.0.11-h1--〉10.1.6-h6.
Second method
1)upgrade the secondary device from 9.1.6--》9.1.14
2)suspend local device in primary device, and then upgrade primary 9.1.6--》9.1.14
3)upgrade the secondary device once from 9.1.14--》10.0.11-h1
4)suspend local device in primary device and then upgrade primary 9.1.14--》10.0.11-h1
5)upgrade the secondary device from 10.0.11-h1--〉10.1.6-h6.
6)suspend local device in primary device,and then upgrade primary 10.0.11-h1--〉10.1.6-h6.
which method is the best one?
12-08-2023 12:23 AM
Hi,
We have 10.0.4 version running in HA on AWS.
Please suggest which version I need to jump and we need to do the same in both devices?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
