Updating the HA configuration in large hops.


L0 Member

Hello community

 

I am upgrading a PANOS 8.0.7 to version 9.1.14-h1

 

I would like to know if, in the transit versions, you download and install only the base 9.0.0.0, or is it recommended to download the base 9.0.0 and install the recommended 9.0.16-h2,
for example:
Go from 8.1.x to 9.0.0 (transit version) and continue from 9.0.0 to 9.1.x.
or
Go from 8.1.x download base 9.0.0 (transit version) download and install version 9.0.6-h2 and continue from 9.0.6-h2 to 9.1.x.

 

Would there be any problem in case of only downloading and installing the base of the next jump and continue in the same way until reaching the 9.1.14-h1?

 

Thanks for your help.

 

Brian Mendoza.

1 accepted solution

Accepted Solutions

L6 Presenter

I updated a standalone from 8.1.x to 9.1.x. When doing that one I downloaded the 9.0.0 and the 9.0.x updates and did it in one update to 9.0.x. Then a second download/update cycle to 9.1.x. Seemed to work fine.

 

For my HA pair I was advised not to do that by PA support, to download/install the 9.0.0 and reboot, then the 9.0.x and reboot, etc., until you got to the final 9.1.x version. Probably for the best as updating broke the config syncing between active and passive units. So I updated the secondary unit to 9.0.0, then to 9.0.x. Failed over traffic to the secondary unit. Upgraded the primary to 9.0.0, 9.0.x, 9.1.0, and then finally 9.1.x. Checked all the config appeared to be OK and failed back to the primary unit. Updated the secondary unit to 9.1.x in stages. Then did a forced config sync from the primary to secondary units.

 

Overall it wasn't too painful, just took a long time waiting for reboots.

 

Edit: Also, a potential trap... When updating from 8.x to 9.x, the Threat/App/URL databases format/provider changes. In my case the "Unknown" URL category is set to block instead of allow (the default). That meant after going to 9.0.0 I could no longer download system/dynamic updates, or confirm licenses, because the databases had been reset in the upgrade and every URL was now "Unknown". Had to bypass to be able to initialize the threat databases and continue updating.
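The staged order described in the answer above, written out as a small planner. This is an added example, not part of the original post and not a Palo Alto Networks tool; the function names, the `TRAINS` list and the choice of pause point for the secondary are assumptions made for illustration.

```python
import re

# Feature-release order; assumption: only the trains named in this thread.
TRAINS = ["8.0", "8.1", "9.0", "9.1"]

def train_of(version):
    """'9.1.14-h1' -> '9.1'; rejects strings that are not X.Y.Z[-hN]."""
    m = re.fullmatch(r"(\d+\.\d+)\.\d+(-h\d+)?", version)
    if not m or m.group(1) not in TRAINS:
        raise ValueError(f"unrecognized version: {version!r}")
    return m.group(1)

def hops(current, target, maintenance=None):
    """Installs in order: each later train's base X.Y.0, then the maintenance
    release chosen for that train, with a reboot after every install."""
    chosen = dict(maintenance or {})
    chosen[train_of(target)] = target
    for train, version in chosen.items():
        if train_of(version) != train:
            raise ValueError(f"{version} is not a {train} release")
    start, end = TRAINS.index(train_of(current)), TRAINS.index(train_of(target))
    if end < start:
        raise ValueError("downgrades are not handled")
    if start == end:
        return [] if current == target else [target]
    plan = []
    for train in TRAINS[start + 1:end + 1]:
        base = f"{train}.0"
        plan.append(base)
        if chosen.get(train, base) != base:
            plan.append(chosen[train])
    return plan

def ha_runbook(current, target, maintenance, secondary_pause):
    """Order described in the answer: secondary up to secondary_pause, fail over,
    primary through every hop, fail back, secondary catches up, forced sync."""
    plan = hops(current, target, maintenance)
    cut = plan.index(secondary_pause) + 1   # ValueError if not in the plan
    steps = [("secondary", v) for v in plan[:cut]]
    steps.append(("failover", "traffic to secondary"))
    steps += [("primary", v) for v in plan]
    steps.append(("failback", "traffic to primary"))
    steps += [("secondary", v) for v in plan[cut:]]
    steps.append(("sync", "forced config sync primary -> secondary"))
    return steps

if __name__ == "__main__":
    # Versions taken from the question; the pause point is an assumption.
    for who, what in ha_runbook("8.0.7", "9.1.14-h1", {"9.0": "9.0.16-h2"}, "9.0.16-h2"):
        print(f"{who:10} {what}")
```

Before the first 9.0.0 hop, confirm that the unit can still reach the update servers if the "Unknown" URL category is set to block, as the edit in the answer describes.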
