Upgrade from 9.1.x, to 10.1.x, 10.2.x, 11.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Upgrade from 9.1.x, to 10.1.x, 10.2.x, 11.x

L4 Transporter

Upgrade to from 9.1.X, to 11, 10.2.X, 10.1.X ?

 

Hello, good afternoon, how are you? I have a question regarding which is the recommended version to update from PAN-OS 9.1.X.

Personally I consider that version 10.1.X ( 10.1.8-h2 ) is the recommended version, I feel that version 10.2.X is very recent and version 11, well you know, is much, much more recent.

 

Now I want to know your opinion, I see comments in certain forums, communities, etc., where they indicate that 10.1.x ( 10.1.8-h2 ) is the better stable option, another 10.2 or 11.

 

I feel that the 10.2.X version needs to mature, it is still in its 10.2.3h2 version, that is, very few maintenance versions, vs 10.1.X ( 10.1.8-h2 ). I consider that a version of PAN-OS already has a certain maturity, although of course all of them may be prone to certain failures, bugs, etc., but I think that it is just after the maintenance version X.X.7 or X.X.8, it is taking The PAN-OS version matures and stability, at least based on my experience and other people who have told me. Well this is not at all written, there is no exact and official manual that confirms this, but based on the different experiences of colleagues, friends, forums, communities, clients, etc.

 

What do you think, based on your experiences?

 

I am very attentive to your comments

 

Best regards

High Sticker
4 REPLIES 4

Cyber Elite
Cyber Elite

Do you have stand alone firewalls or push config from Panorama?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello @Raido_Rattameister 

 

Hello, thanks for the prompt response.

 

Well, a Mix.

 

Costumers with Panorama in 9.1.X and their StandAlone firewalls and in HA 9.1.X. And others with only firewalls, without PANORAMA, in HA and standalone version pan-os 9.1.14.

 

I stay tuned, regards

High Sticker

Cyber Elite
Cyber Elite

10.1 is generally quite good.

If you push templates from Panorama and use firewall built in UserID then don't go to 10.2 before 10.2.4 comes out as this part is broken in 10.2.

SaaS reports have glitches all across 10.1, 10.2 and also in 11.

So all depends on how complex the setup is.

None of those issues have affected packet processing (dataplane) part though.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L0 Member

Hello,

 

I was about to post a similar question (this is my first time and post here, be gentle :).   I have been handed the task to upgrade 2 sets of PA-820 firewalls which are both in Active-Passive configuration.   

 

- Both sets are used in a 24/7 environment and there is no better time than another to perform upgrades/changes. 

- Both sets have no connection to the internet and are not using any smart/application type filtering and are completely stand alone

- One set is running 9.1.11-h3

- One set is running 10.2.4-h2

- The aim is to upgrade them all to the 11.x version

 

I've been getting familiar with the Palo Alto process and have read a number of guides and have put together this table and would really appreciate any insight from others who know more about this than me to see if I'm on the right path:

 

Upgrade Path from 9.1.x to 11

Version

Release Date

Alternate

Download and install the latest preferred PAN-OS 9.1 maintenance release and reboot.

PanOS_800-9.1.16

04/05/2023

 

Download PAN-OS 10.0.0.

PanOS_800-10.0.0

07/16/2020

 

Download and install the latest preferred PAN-OS 10.0 maintenance release and reboot.

PanOS_800-10.0.11-h1

08/17/2022

Or use 10.0.12 (3/24/23) ?

Download PAN-OS 10.1.0

PanOS_800-10.1.0

06/02/2021

Jump back to 2021 release?

Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.

PanOS_800-10.1.10-h2

08/03/2023

 

Download PAN-OS 10.2.0

PanOS_800-10.2.0

02/27/2022

Or use 10.2.0-h1 ?

Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.

PanOS_800-10.2.5

08/17/2023

 

Proceed to Upgrade the Firewall to PAN-OS 11.0.

PanOS_800-11.0.0

11/17/2022

 

Latest Pan-OS 11

PanOS_800-11.0.2-h1

08/16/2023

 

 

The 9.1 set of firewalls looks like I have to do 9 version upgrades along the way whilst the 10.2 set can be upgraded directly to 11 and then its latest update.

 

Am I on the right path here?  Do i start downloading the relevant 9 PanOS files and after capturing backup config, routing tables etc just go for it upgrading and failing over each HA pair?

 

I've used the following for guidance:

 

https://live.paloaltonetworks.com/t5/pancast/pancast-episode-1-four-things-you-must-do-when-upgradin...

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

 

Much appreciate any feedback before kicking this off.

 

Cheers, Terry.

 

  • 5713 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!