Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Upgrade 6.1.x to 7.0.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Upgrade 6.1.x to 7.0.x

L4 Transporter

In the release notes of 7.0.5-h2 there is now this information:

 

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, you should review the information about how to upgrade
a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you
must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later
release.

 

Does anybody have practical experience with upgrading to 7.0.x? Do you really have to install the base release 7.0.1 (with its bugs and vulnerabilities), reboot into it, then install latest bug fix release (e.g. 7.0.5-h2) and reboot again? With previous major versions you could just download the base release and latest bug fix release, then directly install latest bug fix release and reboot just one time.

10 REPLIES 10

L2 Linker

You don't have to install the 7.0.1 version. You just download it as a base image and only install a desired version (for example 7.0.5) so you only need to reboot once.

L5 Sessionator

You can direclty install 7.0.x and you have to download 7.0.1

L2 Linker

Hello,

 

Yes, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must upgarde to 7.0.1 or 7.0.2 first before moving to later versions.

 

To upgrade from 6.1.x to 7.0.x (e.g.7.0.5-h2) please follow the following procedure,

6.1.x -> 7.0.1/7.0.2 -> 7.0.x (e.g.7.0.5-h2)

Upgrade to 7.0.1 or 7.0.2 first and then only upgrade to 7.0.x (e.g.7.0.5-h2)

- Download the base image for 7.0 version. Either install the base image or download and install 7.0.2. After the install, reboot the device.

- Download and install 7.0.x and then again perform reboot to bring the device up with the latest PAN-OS.

 

Hope this helps.


@mvidic wrote:

You don't have to install the 7.0.1 version. You just download it as a base image and only install a desired version (for example 7.0.5) so you only need to reboot once.



Did you read the release notes?

What evidence do you have that Palo Alto's recommendation is in fact incorrect?

Why would they make this recommendation if it is not required?


@Pankaj.kumar wrote:

You can direclty install 7.0.x and you have to download 7.0.1


Did you read the release notes?

What evidence do you have that Palo Alto's recommendation is in fact incorrect?

Why would they make this recommendation if it is not required?


@akamat wrote:

Hello,

 

Yes, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must upgarde to 7.0.1 or 7.0.2 first before moving to later versions.

 

To upgrade from 6.1.x to 7.0.x (e.g.7.0.5-h2) please follow the following procedure,

6.1.x -> 7.0.1/7.0.2 -> 7.0.x (e.g.7.0.5-h2)

Upgrade to 7.0.1 or 7.0.2 first and then only upgrade to 7.0.x (e.g.7.0.5-h2)

- Download the base image for 7.0 version. Either install the base image or download and install 7.0.2. After the install, reboot the device.

- Download and install 7.0.x and then again perform reboot to bring the device up with the latest PAN-OS.

 

Hope this helps.


 

Thank you, I wonder why the other responders to this thread are ignoring what the Release Notes say.

We all know that usually you can go to X.Y.Z, where Z is greater than 0, as long as X.Y.0 is downloaded, but Palo Alto has explicitly stated in the release notes that you need to go via 7.0.1 in this case.

 

I would like an explanation from Palo Alto as to why this is the case in this instance.

 

I also note that the software upgrade manager does not actually prevent you from going from 6.1.x to 7.0.5-h2 directly.

This is not ideal, as not everyone reads the release notes.

Hi Jeremy,

 

in the release notes for 7.0.x  you will find that 7.0.0 was revoked and 7.0.1 is base OS version for 7.0... this is a copy of text from RN: "The following table lists the issues that are fixed in the PAN-OS® 7.0.1 release. (As the base PAN-OS 7.0 image, this release and the list below also include all issues initially addressed for PAN-OS 7.0.0.)"

 

That being said, detailed upgrade plan from above mentioned release notes is applicable if you experience issues post-upgrade first time, some number of devices that met above conditions (non-multi-vsys enabled devices) experienced problems (described in release notes as well) and this workaround is safe way to upgrade.

Should you experience problems (as described in release notes and in first post) you can revert to your previous OS version (from whatever you upgraded) and than follow described detailed step-by-step (restart-by-restart) upgrade. That advice is not in the release notes, that is a "common sense" recommendation, please take that with grain of salt - if you are in production with high stakes, don't play around but do as release notes say (seriously).

 

Last, but not the least; when in doubt or when you need timely answer - I would always seek confirmation also through TAC case rather than only on forums - at least you can be sure about answers (not that mvidic or pankay were wrong, but anyhow).

 

Best regards

 

Luciano

I opened a support ticket and asked for clarification. I was told this is a bug (90982) which will be fixed in later version, allowing direct upgrade to 7.0.X from 6.1.X again without issues.

I would be leary of that. I encourneted that bug at a customer and was told it wasnt being fixed till 7.0.6. We had a workaround of modifying the XML code by hand to address it but the solution was to go to 7.0.2 and then upgrade above that  the same way it was mentioned above. 

Hey Luciano,

 

Thanks, I am aware that 7.0.1 is the base release, I see that that may not have been clear in my posts.

On most of my upgrades from 6.1.x to 7.0.5-h2 I went via 7.0.1 just to be safe.
It can't hurt anything to be a little cautious, and it's a hell of a lot quicker than going from 6.1.x to 7.0.5-h2 and then realising that you need to revert and do the upgrade procedure again!

 

 

Regards,

  • 7330 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!