Pre-Install Pan Upgrade with no reboot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Pre-Install Pan Upgrade with no reboot

L2 Linker

Does anyone download and install PANOS updates but wait to reboot until a scheduled maintenance window?  I'm wondering how risky this would be and/or how long you can let a firewall sit waiting for a reboot to the installed new version.

 

This would save time during our rather short maintenance windows if I could pre load the install during regular hours and then just come in on a weekend and reboot.

 

Anybody do it this way? If so, have you experieneced any unexpected behavior or outages as a result?

 

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

I've always pre-loaded a few hours before my scheduled windows and then just let it sit there as I wait for the window to actually hit. I think the longest I've probably let it sit like that was 3 hours roughly? I've only once experianced an issue with it and that was due to a UPS issue that cut the power and essentially restarted the box before I wanted it to; it caused production to be down for a little while since I had preloaded it on both active and passive units and it installed on both of them at the same time. I've learned since then and will update the passive unit like this, perform the update and move traffic over to the upgraded unit, and then take my time upgrading the remaining unit since there really isn't an urgency to doing so anymore.

 

If you only have one unit then the only risk you really take is an extended outage if you have any power issues. Since it takes awhile to actually come up when it's loading the upgrade this could put your production enviroment down for longer than you would like.

View solution in original post

New software version is installed to other partition.

If you reboot the box then it boots into new release. 

Old software is left there also so you can always revert.

 

You can use cli command "debug swm status" to view those partitions and software versions they hold.

It is safe to install and leave it without reboot to wait for maintenance window.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

I've always pre-loaded a few hours before my scheduled windows and then just let it sit there as I wait for the window to actually hit. I think the longest I've probably let it sit like that was 3 hours roughly? I've only once experianced an issue with it and that was due to a UPS issue that cut the power and essentially restarted the box before I wanted it to; it caused production to be down for a little while since I had preloaded it on both active and passive units and it installed on both of them at the same time. I've learned since then and will update the passive unit like this, perform the update and move traffic over to the upgraded unit, and then take my time upgrading the remaining unit since there really isn't an urgency to doing so anymore.

 

If you only have one unit then the only risk you really take is an extended outage if you have any power issues. Since it takes awhile to actually come up when it's loading the upgrade this could put your production enviroment down for longer than you would like.

New software version is installed to other partition.

If you reboot the box then it boots into new release. 

Old software is left there also so you can always revert.

 

You can use cli command "debug swm status" to view those partitions and software versions they hold.

It is safe to install and leave it without reboot to wait for maintenance window.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister,

I think the biggest 'issue' that people run into when doing this is simply the time that the box takes to boot once you have pre-loaded a new software version. In my experiance on multiple different devices it takes a good while longer than simply restarting the box.

Agree that boot time after software install takes longer so in case of power failure environment will be down longer indeed.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

Great information here guys. Thanks for the input. 

  • 2 accepted solutions
  • 4492 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!