Testing during Palo Alto 3000 cluster upgrade from 8.1.15-h3 to 9.1.11


L1 Bithead



I would like to know if an upgrade that traverses multiple major versions requires testing after an upgrade to each major version?


Our upgrade path is:  8.1.15-h3 -> 8.1.20 -> 9.0 -> 9.0.14 -> 9.1 -> 9.1.11


Ideally, we would only upgrade one appliance in the cluster all the way to 9.1.11, though I know this is not recommended because appliances in a cluster should not be further than 1 major version apart.


So, the conservative path would be to break this into two stages: upgrade entire cluster to 9.0.14 and fully test?  Then proceed to 9.1.11?


Thanks for any advice!
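The two rollout orders weighed in the question above, replayed as an added example (not part of the original post and not Palo Alto Networks tooling): it parses the version strings from the listed path, then reports the widest feature-release gap between the two HA peers and the versions at which both peers match. The peer names `fw-a` and `fw-b` are hypothetical, and treating each X.Y release as one "major version" is an assumption based on how the thread counts them.

```python
import re
from itertools import groupby

# Upgrade path exactly as listed in the question.
PATH = ["8.1.15-h3", "8.1.20", "9.0", "9.0.14", "9.1", "9.1.11"]
PEERS = ("fw-a", "fw-b")  # hypothetical names for the two HA peers

def parse(version):
    """Split a version such as '8.1.15-h3' into (major, minor, maintenance, hotfix)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def release(version):
    """Feature release, e.g. '9.0' (assumed to be what the thread calls a major version)."""
    return "%d.%d" % parse(version)[:2]

def staged_plan(path, peers=PEERS):
    """Every peer finishes all hops of one feature release before the next release starts."""
    steps, current = [], path[0]
    for _, group in groupby(path[1:], key=release):
        hops = list(group)
        for peer in peers:
            steps += [(peer, a, b) for a, b in zip([current] + hops, hops)]
        current = hops[-1]
    return steps

def one_peer_first_plan(path, peers=PEERS):
    """One peer walks the whole path, then the other follows."""
    return [(peer, a, b) for peer in peers for a, b in zip(path, path[1:])]

def replay(path, steps, peers=PEERS):
    """Return (widest release gap between peers, versions at which all peers matched)."""
    order = list(dict.fromkeys(release(v) for v in path))
    state = {peer: path[0] for peer in peers}
    widest, in_sync = 0, []
    for peer, old, new in steps:
        if state[peer] != old:
            raise ValueError(f"{peer} is on {state[peer]}, not {old}")
        state[peer] = new
        ranks = [order.index(release(v)) for v in state.values()]
        widest = max(widest, max(ranks) - min(ranks))
        if len(set(state.values())) == 1:
            in_sync.append(new)
    return widest, in_sync

if __name__ == "__main__":
    for plan in (staged_plan, one_peer_first_plan):
        print(plan.__name__, replay(PATH, plan(PATH)))
```

The in-sync versions are the points where a failover still lands on a peer running the previous step's software; which of them get a full test pass is the decision the thread discusses.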




Cyber Elite

Hi @landoa ,


I would upgrade the entire cluster to 9.0.14, then upgrade it again to 9.1.11.


I would not test for the interim version since it is only temporary.  I would implement the full test plan for 9.1.11.  The TAC recommended releases are very stable.







Help the community: Like helpful comments and mark solutions.

Cyber Elite


While testing never hurts, I have yet to have an upgrade break existing things.


L1 Bithead

Thanks for this feedback.


I've done a few upgrades in the past and also never encountered problems.


However, when planning major changes, it's always good to have a rollback option.  If we do the upgrade in two steps (testing after each major release), I like that we can easily, and quickly, fail over to the other cluster member on the old software version.


In case of problems, we have the option to roll back software, but this requires more downtime and is more intensive than a simple failover.


So, I need to decide if we want to take a bit more time with the two-step approach, or run the risk, albeit minimal, that we have to roll back.


Thanks again for your two cents!







L0 Member

I wouldn't test for the interim version as it's only temporary. I would follow the full test strategy for 9.1.11. The TAC suggested releases are extremely stable. See Palo Alto Networks exams. I 100% agree with you; you should see the following paloaltonetworks link to be more clear.

