Upgrade 9.1.0 to 10.0.0 PA220

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Upgrade 9.1.0 to 10.0.0 PA220

L2 Linker

Hello, im experiencing issues with upgradeing my PA220 from 9.1.x to 10.0.0.

The new software installs, but autocommit fails after upgrade.

 

So i figured i had something in my config that is either changed or not supported in 10.0.0, so i wiped my box clean with

a debug command and booted it up in 9.1.0 without config. Then tried to upgrade to 10.0.0 from CLI. But the autocommit

still failes after removing all the config.

 

Iv done this before and never had any issue.

 

Any tips would be welcome!

Thanks!

 

/MAH

7 REPLIES 7

Cyber Elite
Cyber Elite

Hi @149999mah3 ,

 

First, you need to lookup the auto-commit in the Task Manager and find the reason for the failure.  Typically, it is a config that wasn't correctly reformatted for the new PAN-OS.  Then, you can work on fixing the specific error.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@149999mah3,

Initially if you've been able to reproduce the issue again I'm actually leaning towards content ID minimum versions not being met. What is your Application and Threat content version at when you attempt to do the upgrade, is it at least 8332 or higher? 

L2 Linker

Did you ever resolve this? We are trying to upgrade multiple 220s from 9.1.13 to 10.0.X and it's failing on the auto commit

Cyber Elite
Cyber Elite

Hi @JoshuaSanders ,

 

I have been able to resolve all my auto-commit errors through looking up the auto-commit in the Task Manager and finding the reason for the failure.  I am either able to fix the syntax error in the CLI or, worst case, modify the HTML and reload.

 

For your case with multiple upgrades, maybe wait until a newer version of 10.0.X fixes the error.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

yeah, the only EDLs we are currently using are the predefined high-risk IPs, bulletproof IPs, that kind of thing and we tried with the most recent flavor of 10.0.10h1. Unfortunately, 10.0 is EOL next month and we are trying to get to 10.1 which you can't do without going through 10.0 first. We aren't using any custom EDLs with strange characters in them. All I'm getting when I look at the task that is failing in the GUI is.

 

Error: Profile compiler : invalid profile name default
Error: Profile compiler : Global section error
Error: Profile compiler : parsing config error
(Module: device)
Commit failed
Failed to commit policy to device

 

Back to Google I guess.

Yes, the problem was EDLs. So i removed all EDLs from the configuration and it was ok.

 

Marius

Great, thank you. In case anyone else is experiencing the same issue we are, here is our resolution. We were able to resolve our issue by getting a PA engineer (after escalating with 2 others) with root access to the box and delete the .global-fin file under /opt/pancfg/mgmt/global/ from root shell followed by a management server restart. Still no word on why that was necessary. One of the engineers told us that upgrading our FWs through Panorama is not recommended and that they should only be upgraded through the FW UI itself. We aren't sure why that is being suggested since PA specifically refers to upgrading via Panorama in their documentation and are seeking more information on the case.

  • 5518 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!