- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-08-2021 08:09 PM
I want to upgrade PA-3220 (Active - Passive) from 8.1.14 to 9.1.10
Is this upgrade method correct or not?
1.Download and install PanOS 9.0.0 (no reboot) Should I upgrade PanOS to 8.1.19 (Preferred release) or not?
2.Download and install PanOS 9.0.13 and reboot
3.Download and install PanOS 9.1.0 (no reboot)
4.Download and install PanOS 9.1.10 and reboot
I'm not sure the step to rollback 9.1.10 to 8.1.14. Can you help recommend steps to downgrade?
08-09-2021 02:21 AM
Hi @jirasith
(Firewall A = currently active firewall, firewall B = currently passive firewall)
To make sure that you can downgrade in case of any problems export the configuration at all of the following steps on both firewalls:
08-09-2021 02:21 AM
Hi @jirasith
(Firewall A = currently active firewall, firewall B = currently passive firewall)
To make sure that you can downgrade in case of any problems export the configuration at all of the following steps on both firewalls:
08-09-2021 09:23 PM
@Remo Thank you for the advice. If I have to downgrade the firmware version from 9.1.10 to 8.1.19. Can I revert the upgrade path such as
1.Download and install 9.0.13
2.Download and install 9.0.0 and reboot
3.Download and install 8.1.19 and reboot
or Can I directly download and install 8.1.19?
08-09-2021 11:47 PM
@jirasith In case of a downgrade you first go to 9.0.13 and then to 8.1.19. You don't need the step to install and reboot for the version 9.0.0.
11-03-2022 03:06 PM
Our company went through a ton of changes and I found out that I'm responsible for 4 sites with a PA-220 device at each location. I'm not familiar with this hardware or the upgrade processes. I've read what has been posted here and it is very helpful but I would like to ask a few clarifying questions if I could.
Our 4 site have PA-220 devices on Software Version 8.1.9. Reading over everything including the Palo alto upgrade information here are my questions.
1. With all 4 locations in separate areas of town, I assume I complete onsite upgrade at a time, correct?
2. With the firewalls at 8.1.9, if I understand the process correctly I can go straight to 8.1.24?
3. Above
* Step 3 is listed Download PAN-OS 9.0.0 to firewall, but it does not say install it.
* At step 4 you have Download PAN-OS 9.0.13, install it and reboot firewall.
* My question here is, you download the 9.0.0 but do not need to install it, you automatically download the next highest 9.0.x and install that one?
* I see now that 9.0.16-h3 is the highest in the 9.0.x versions. I take it that's what I would install, correct?
4. Reading over your steps above after that I would then go to 9.1.0, then 9.1.15 and so on, correct?
The steps above appear that you only download the next new version 9.0.x, 9.1.x, 10.0.x, etc but you do not install those, you only install when you hit the highest version in those ranges.
One last question. I would assume that I do want to go into each firewall and go into Devices > Setup > Operations and I want to do the following: Save named configuration snapshot & Export named configuration snapshot ?
Thanks in advance!
11-03-2022 04:03 PM
1. Depends on how comfortable you are with upgrading each PA. Technically, there is nothing that is required to be onsite for, so you could do al the upgrades remotely... though there is always the unknown/unseen problem that can pop up.
2. Yes, you can proceed from 8.1.x directly to 8.1.24.
3. The x.x.0 package contains the entire PAN-OS install needed for the major version. The .1, .2, etc. packages contain just the updates from the .0 base package. The recommended upgrade path is to install the base package, reboot, then install the update package and reboot. Though if you download both packages and install just the update, the PA will actually install the base package before installing the update. You can go from 9.0.0 to 9.0.16-h3 (minor revisions are updates/features, -h revisions are hot patches to address major security issues).
4. Yes, if you want to upgrade to 9.1.x chain then you will need to install 9.1.0 and then 9.1.15
And yes, you will want to saved a named config and then export that named config before upgrading, in case something goes wrong and you need to roll back to a previous version. Generally the PA should handle config format changes between revisions, but if all goes wrong you can default the config, roll back, and apply the previous saved configuration.
Also... a potential gotcha that may or may not affect you. PAN-OS 8.x uses the PAN-DB format database for URL filtering (if you have the URL Filtering and Threat Prevention licensing). This is for classifying websites based on content and allowing/restricting certain categories. PAN-OS 9.x moved to the URL-Cloud format database (different provider, slightly different update model, same categories). When you upgrade to 9.x it deletes the current database and initializes the new database. There are 2 URL categories to pay special attention to: "not-resolved" and "unknown". The default PA site access for these categories is "allow". However, if you are using a custom URL Filter and changed these categories to "block", then the new database can't download the initial values as everything is currently "unknown". So if your filters block those by default you need to "allow" temporarily to populate the initial database (once populated the PA update servers are known in the Computer&InternetInfo category).
11-04-2022 10:52 AM
I appreciate the reply to this, that's very helpful information, Now to schedule this with each site and tackle it.
Thanks!
11-10-2022 07:35 AM
Unless you're on one of the older chassis I wouldn't bother with installing the base and rebooting before moving forward with the maintenance release
i.e. download base, download latest recommended maint, install maint, reboot
The reason the older platforms may need the base step in between is that by default the system simply unpacks the base, and then also unpacks the maint to install both in one go. Older systems don't have enough disk space to support this "double unpack"
For this case it would be good to first install (not even reboot) the base and then move forward with the upgrade
Contemporary chassis/VMs fully support going from one major to the next major+maintenance in one swift install
(Just an FYI 🙂 )
11-10-2022 08:54 AM
I appreciate the feedback that has been provided. Now I just need to schedule this with the sites and jump in and get it done. Of course I will pick the site with the least impact if something happens just encase on the first one.
03-28-2023 08:43 PM
I thought I would come back and thank everyone for the assistance, although I was suppose to have this done before the end of last year, well other projects etc did not allow time. I just went through it and it went so smooth. Of course I stopped at 10.0.11h1 and I already know I need to get up to 10.2.x now but I've scheduled this out on a schedule now so I can get and stay caught up with limited impact to the staff. I did find that just downloading the base then the latest update, then installing the update worked great. With download, install, reboot took about 45 minutes per site.
Because this was my first run with this, I did add one step in between each big update I did another snapshot export. I also created myself a check sheet so I could stay on track what where I was at each site.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!