Upgrade 9.1.0 to 10.0.0 PA220

149999mah3 · ‎02-06-2022

Hello, im experiencing issues with upgradeing my PA220 from 9.1.x to 10.0.0.

The new software installs, but autocommit fails after upgrade.

So i figured i had something in my config that is either changed or not supported in 10.0.0, so i wiped my box clean with

a debug command and booted it up in 9.1.0 without config. Then tried to upgrade to 10.0.0 from CLI. But the autocommit

still failes after removing all the config.

Iv done this before and never had any issue.

Any tips would be welcome!

Thanks!

/MAH

TomYoung · ‎02-06-2022

Hi @149999mah3 ,

First, you need to lookup the auto-commit in the Task Manager and find the reason for the failure. Typically, it is a config that wasn't correctly reformatted for the new PAN-OS. Then, you can work on fixing the specific error.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

BPry · ‎02-06-2022

@149999mah3,

Initially if you've been able to reproduce the issue again I'm actually leaning towards content ID minimum versions not being met. What is your Application and Threat content version at when you attempt to do the upgrade, is it at least 8332 or higher?

JoshuaSanders · ‎06-29-2022

Did you ever resolve this? We are trying to upgrade multiple 220s from 9.1.13 to 10.0.X and it's failing on the auto commit

TomYoung · ‎06-30-2022

Hi @JoshuaSanders ,

I have been able to resolve all my auto-commit errors through looking up the auto-commit in the Task Manager and finding the reason for the failure. I am either able to fix the syntax error in the CLI or, worst case, modify the HTML and reload.

For your case with multiple upgrades, maybe wait until a newer version of 10.0.X fixes the error.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

JoshuaSanders · ‎06-30-2022

yeah, the only EDLs we are currently using are the predefined high-risk IPs, bulletproof IPs, that kind of thing and we tried with the most recent flavor of 10.0.10h1. Unfortunately, 10.0 is EOL next month and we are trying to get to 10.1 which you can't do without going through 10.0 first. We aren't using any custom EDLs with strange characters in them. All I'm getting when I look at the task that is failing in the GUI is.

Error: Profile compiler : invalid profile name default
Error: Profile compiler : Global section error
Error: Profile compiler : parsing config error
(Module: device)
Commit failed
Failed to commit policy to device

Back to Google I guess.

149999mah3 · ‎07-15-2022

Yes, the problem was EDLs. So i removed all EDLs from the configuration and it was ok.

Marius

JoshuaSanders · ‎07-15-2022

Great, thank you. In case anyone else is experiencing the same issue we are, here is our resolution. We were able to resolve our issue by getting a PA engineer (after escalating with 2 others) with root access to the box and delete the .global-fin file under /opt/pancfg/mgmt/global/ from root shell followed by a management server restart. Still no word on why that was necessary. One of the engineers told us that upgrading our FWs through Panorama is not recommended and that they should only be upgraded through the FW UI itself. We aren't sure why that is being suggested since PA specifically refers to upgrading via Panorama in their documentation and are seeking more information on the case.

Upgrade 9.1.0 to 10.0.0 PA220

Upgrade 9.1.0 to 10.0.0 PA220

Show your appreciation!