04-07-2025
04:47 AM
- last edited on
04-07-2025
10:38 AM
by
banand
Hi there,
Can you tell me what would be the recommended Upgrade path to 11.2.5 from 11.0.0 on an HA Firewall Pair PA-410, please?
FW firmware Current ver.: 11.0.0
1. PAN-OS 11.1.0
2. PAN-OS 11.2.0
3. PAN-OS 11.2.5
In PAN-OS 11.0, you can now skip up to three software versions when upgrading or downgrading standalone devices or Panorama managed devices running PAN-OS 10.1 or a later release. This feature builds on the Simplified Software Upgrade process introduced in PAN-OS 10.2, which includes capabilities such as a multi-image download option and a pre-install validation check, to make the upgrade process even faster.
Thanks
04-07-2025 08:32 AM
Hi @A.Otsu ,
As you mentioned, with the Skip Software Version Upgrade feature of 11.0, you can upgrade directly from 11.0 to 11.2. This Upgrade Path is for 11.1 and later.
Thanks,
Tom
04-07-2025 11:59 AM - edited 04-07-2025 10:16 PM
Hello @A.Otsu ,
The Skip Software Version Upgrade is referring to "standalone devices or Panorama managed devices running PAN-OS 10.1 or a later release".
For HA pair there is another statement saying that: "When HA peers are two or more feature releases apart, the firewall with the older release installed ...".
In the past the same page was more explicit, see this post: https://live.paloaltonetworks.com/t5/next-generation-firewall/upgrade-path-from-10-2-3-h14-to-11-1-4... where I post the previous sentence about upgrading HA pair firewalls.
Based on all of the above, my suggestion is first to bring both HA firewalls to the latest preferred version of 11.1.x and only after to proceed with upgrade on 11.2.5.
04-07-2025 12:34 PM
That is a great point, @CosminM !
I wonder if ...
You could then "Make local device functional" and it would become active?
I guess currently there is no HA support for the Skip Software Version Upgrade feature.
Thanks,
Tom
04-08-2025 01:15 AM
Based on suggestion this would be the path
1. download 11.1.0
2. download 11.1.6-h3 (the latest preferred release from 11.1) + install
3. reboot the first firewall
4. repeat steps 1-2 for second firewall and reboot second firewall
4. download 11.2.0
5. download 11.2.5 or 11.2.13-h5 (the latest preferred release from 11.2) + install
6. second reboot for first firewall
7. repeat steps 5-6 for second firewall
8. second reboot for the second firewall
Each HA peer will have 2 reboots.
04-08-2025 03:44 AM
Hello @A.Otsu ,
Since you are starting from 11.0.0 I recommend first to install the latest preferred version from 11.0.0 (i guess it's 11.0.4-h6, you can check that on the Customer Support Portal -> Updates for your device series) on both firewall and only after to go to 11.1.x as you describe.
At this time there is no preferred version for 11.2.x but you find the updated info on: Support PAN-OS Software Release Guidance .
Do you have any special request to upgrade up to 11.2.x?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
