11-11-2018 09:03 AM
I just got off the phone with Palo support as I'm doing an upgrade from 8.0.9 to 8.1.4. They said all I need to do is download (not install) the base 8.1.0 image, then download and install 8.1.4.
While on the line with them, I came across this from documentation
If you are already running a PAN-OS 8.0 release, download and install the latest PAN-OS 8.0 maintenance release and reboot
and then this
You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 8.1.0.
I asked support if I should download and install 8.0.13 first but they insist it's not necessary. The first upgrade as they suggested did work, but the documentation says otherwise. I have about 30 more to do.
11-11-2018 02:47 PM
Hi @ce1028,
I would say everything in your post is correct:
- If you run 8.0.9 you can upgrade straight to the latest maintenance release - 8.0.13
- If you want to upgrade to 8.1.4 from 8.0.x you need to follow support instructions (only download 8.1.0 and download and install 8.1.4)
- In your case the feature release is 8.1.0, that is why you need first to download this image before installing latest 8.1.4
Each maintenance release image (the last number) contains only the changes since the previous maintenance release. When you want to upgrade between major versions - 8.0.x to 8.1.x - you need first to download the base image for the target version. Of course you can always download and install 8.1.0 first and then download and upgrade to 8.1.4, but the PAN FW is doing this for you and makes your life easier, requiring only one reboot.
I am provisioning virtual PAN FWs in hybrid cloud and the template I am using is 8.0.5. So I have done so many upgrades that I can't count. Yes, they are almost on non-production firewalls, but I can assure you that the upgrade is exactly as the support team has told you. I will add only one more thing:
- Download and install the latest App and Threat package (or at least make sure you are running the four digit versions)
- Download only PanOS 8.1.0. No need to install it, just download it. That way you will have the base OS for the new major version
- Download the latest maintenance release.
- During maintenance window install and reboot the firewall
Installing the latest patch for 8.0.x is recommended by the documentation, but it is not actually required.
11-11-2018 07:56 PM
@aleksandar.astardzhiev thanks for the reply. I was thinking it was required to download and install 8.0.13 first, since it's the latest maintenance release.
11-12-2018 04:39 AM
Hi @MikeC,
Most of the time I am doing the upgrade during the provisioning/deployment phase and the firewalls are almost empty from a configuration point of view. So I have never bothered upgrading to the latest maintenance release before doing the feature or major version upgrade.
That is why I am 100% sure that you are not required to upgrade to 8.0.13 first.
I believe the only reason Palo Alto recommends upgrading to the latest maintenance release before doing a major upgrade is to ensure that you don't hit any of the known bugs fixed in the latest maintenance release.
11-12-2018 08:27 AM
Wait, wait, wait... TAC should have never told you to not follow the current install recommendations. The recommendation was put into place because the old process caused issues for some customers, saying to ignore it is plainly stupid from a TAC standpoint.
The current recommendation would be the following process.
current release -> Latest maintenance release (Download and Install)
Latest Maintenance Release -> Base Major Version Release (Download and install)
Base Major Version -> Target Maintenance Release (Download and install)
The entire reason the recommendation was made was due to older platforms running into space issues when you tried to explode both images on disk and build a single install image. Since you are doing this on production deployments I definitely recommend following the recommended install paths.
11-12-2018 07:30 PM
@BPry this is frustrating. Support engineer even put me on hold to confirm. His instructions were to
download base 8.1.0
download 8.1.4
install 8.1.4
Palo documentation is not really clear, because while it does say download and install the latest maintenance first, it does not say 8.1.0 needs to be downloaded and installed prior to 8.1.x?
Based on your recommendation, it would be 3 upgrades to go from 8.0.9 to 8.1.4?
11-12-2018 07:51 PM
With bigger platforms download-download-install works fine but as @BPry mentioned there are issues with small appliances.
Although not needed, I always install the latest maintenance release before upgrading to a new version to be sure I don't run into any bug during upgrade that has been fixed at some point.
11-12-2018 08:15 PM
So the current recommendation is what I stated above; it's recommended that you actually download and install the base image prior to installing the target maintenance release. As @Raido_Rattameister pointed out, this recommendation was really created for smaller/older platforms that have space limitations when you attempt to simply download the base image and install direct to the maintenance release.
It's quite possible that TAC took a look at all of your devices and, seeing as they were all newer hardware, made the determination that you would be fine just downloading the base image and installing direct to the target maintenance release. My issue with this process, if it is indeed what TAC did, is that they should never recommend something that deviates from published recommendations. Even on newer hardware, instances of the same issues that caused the recommendation to be made were found to occur when bad storage practices were used, leaving even the larger platforms with storage constraints.
So to follow the current recommended install process, regardless of platform and needing to know what each device was sitting at for available storage, the upgrade would look like the following on each firewall.
8.0.9 -> 8.0.13 (Download and install)
8.0.13 -> 8.1.0 (Download and install)
8.1.0 -> 8.1.4 (Download and install)
Not knowing your platforms I would schedule the upgrades based off of expected PA-200 upgrade times.
8.0.9 -> 8.0.13 (45 Minutes)
8.0.13 -> 8.1.0 (60 Minutes)
8.1.0 -> 8.1.4 (45 Minutes)
Realistically I would expect the maintenance updates even on a PA-200 to take about 30 minutes, and the feature update to take about 45-50 depending on the amount of log files. Hopefully that gives you a rough timeline.
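The download-and-install path described in the post above, as an added example that is not part of any post in this thread or of Palo Alto's tooling. It generalises to paths that cross more than one feature release, following the quoted documentation rule that no feature release may be skipped; the function names and the `trains` / `latest_maint` inputs are hypothetical and must be filled in from the release notes.

```python
# Added example: plans the "download and install every step" upgrade path.
# MAINT_MIN / FEATURE_MIN are the PA-200 scheduling figures quoted in the thread.
MAINT_MIN, FEATURE_MIN = 45, 60

def train(version):
    """'8.0.9' -> '8.0' (the feature release the version belongs to)."""
    return ".".join(version.split(".")[:2])

def recommended_path(current, target, trains, latest_maint):
    """Versions to download AND install, in order.

    trains       -- ordered feature releases, e.g. ["8.0", "8.1"] (caller-supplied)
    latest_maint -- newest maintenance release of the running train (caller-supplied)
    """
    i, j = trains.index(train(current)), trains.index(train(target))
    if i > j:
        raise ValueError("downgrades are not handled here")
    path = []
    if i < j and latest_maint[trains[i]] != current:
        path.append(latest_maint[trains[i]])      # step 1: latest maintenance release
    for t in trains[i + 1 : j + 1]:
        path.append(t + ".0")                     # step 2: base image of each feature release
    if target != current and target not in path:
        path.append(target)                       # step 3: target maintenance release
    return path

def window_minutes(current, path):
    """Maintenance window: 60 min when the feature release changes, else 45."""
    total, prev = 0, current
    for v in path:
        total += FEATURE_MIN if train(v) != train(prev) else MAINT_MIN
        prev = v
    return total

def cli_commands(path):
    """PAN-OS operational commands for the path; each install needs a reboot."""
    cmds = ["request system software check"]
    for v in path:
        cmds += [f"request system software download version {v}",
                 f"request system software install version {v}",
                 "request restart system"]
    return cmds

if __name__ == "__main__":
    p = recommended_path("8.0.9", "8.1.4", ["8.0", "8.1"], {"8.0": "8.0.13"})
    print(p, window_minutes("8.0.9", p), "minutes")
    print("\n".join(cli_commands(p)))
```

Check free space with `show system disk-space` before each download, since the thread attributes the failures on small platforms to storage limits.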
11-12-2018 08:26 PM - edited 11-12-2018 08:27 PM
@BPry Maybe in the OP's case that's what was done. In my case, the TAC engineer never even asked what type of firewalls I have. I have a mix of 200, 820 and 3020's.
It seems TAC needs to be trained, Palo is slipping a little bit lately. My co-worker called first, was told same exact thing as OP. I said that's incorrect and described the way you suggested, so I said, let's call back. We called back together, and again TAC said only thing needed is download 8.1.0 and install 8.1.4
11-12-2018 08:40 PM
Ya, that's not the case. Especially on 200s you'd really want to follow the recommendation, the 820s and 3020s you could chance it if you really looked at the available space on the drives and knew what you were potentially signing up for, because having to fix it when things go wrong ain't fun.
In fairness to TAC, one of the issues that Palo Alto really seems to struggle with is actually keeping all of the documentation up-to-date and actually relevant. That's one of the big reasons that you'll see a lot of the documentation merging onto the knowledgebase website, as it makes everything a tad bit easier to keep up to date. You are right though, this has been a recommendation for coming up to a year, if not past a year, so TAC should be well informed at this point.