Panorama HA Firewall PAN-OS Upgrade Clarification...
cancel
Showing results for 
Search instead for 
Did you mean: 

Panorama HA Firewall PAN-OS Upgrade Clarification...

L0 Member

My apologies for the length of this post...I am trying to understand how to best upgrade PAN-OS through multiple major releases on a configured HA set and I may not be explaining myself effectively...here it goes.

 

I am preparing to upgrade a PA-220 HA set from 8.1.7 to 9.1.2 using Panorama to manage this upgrade...

 

I am looking for clarification on the process in regards to the version by version upgrade process and the version to version upgrade process.  These firewalls are not using a template in Panorama so the configuration is on each device.  A configuration backup will be the first thing done prior to the PAN-OS upgrade so this is more a question about process and order more than a question on procedure.  I have read the KB on this but it doesn't specifically reference multiple Major Release transitions that I was able to readily identify.

= = = = = = = =

First:  Using Panorama...Is it required to upgrade step by step or do I go through to 9.1.2 at one sitting per device?

 

For clarification:

Step by Step: 

Secondary Unit 8.1.7 upgraded to 9.0.0...then Primary Unit 8.1.7 upgraded to 9.0.0...then move to next step...

Secondary Unit 9.0.0 to 9.1.0...then Primary Unit 9.0.0 to 9.1.0...then move to the next step...

Secondary Unit 9.1.0 to 9.1.2...then Primary Unit 9.1.0 to 9.1.2...then move to the next step...

 

One Sitting:

Secondary Unit loading 9.0.0, 9.1.0 and 9.1.2 and applying them using Panorama...once complete

Primary Unit loading 9.0.0, 9.1.0 and 9.1.2 and applying them using Panorama...then re-enable HA functionality

= = = = = = = =

Second:  I have been informed that I need to update the PAN-OS in two different manners...by different techs...which is correct?

 

For clarification:

 

Upgrade Path 8.17 to Last 8.1.<Final Version>...then 8.1.<Final> to 9.0.0...then 9.0.0 to 9.0.<Final>...then 9.0.<Final> to 9.1.0...then 9.1.0 to 9.1.<Final version>

 

Or does the following yield the same result, which I have also been told is a valid upgrade path to follow:

Upgrade Path 8.17 to 9.0.0...then 9.0.0 to 9.1.0...then 9.1.0 to 9.1.2

 

I am thinking the second path would be the best / quickest.  Additionally, doesn't the installation a major releases (9.0.0 and 9.1.0) include all of the updates from each previous release category (8.1.<Final> and 9.0.<Final>) when you go to the 9.0.x and 9.1.x or are there updates the 8.1.<Final> and 9.0.<Final> required to be loaded due to updates that the next major release doesn't have?

= = = = = = = =

Thank you for your assistance...it is appreciated more than you know.

1 REPLY 1

L2 Linker

Hi Mate,

 

Its not about teh quickest, but the safest way should be preferred.

 

Better option is option 1, upgrade both firewalls one by one before moving to the next version. This will help you test failover at each step and also ensure you are not hitting any issues. With option 2, if there are any issues with upgrade on version 9.1.2, you will have to downgrade again all the way to 8.1.7.

 

here is the document that will help you:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/upgrade-to-pan-os-91/upgrade-the-fi...

 

Step 6 & 7 needs to repeated for every interim version you upgrade to till the final target version.

 

Regards,

Varun Rao



Thanks & Regards,
Varun Rao
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!