Upgrading PAN-OS 8.1.x to 9.1.10


L1 Bithead

I want to upgrade PA-3220 (Active - Passive) from 8.1.14 to 9.1.10

 

Is this upgrade method correct or not?
1. Download and install PanOS 9.0.0 (no reboot). Should I upgrade PanOS to 8.1.19 (Preferred release) or not?
2. Download and install PanOS 9.0.13 and reboot
3. Download and install PanOS 9.1.0 (no reboot)
4. Download and install PanOS 9.1.10 and reboot


I'm not sure of the steps to roll back 9.1.10 to 8.1.14. Can you help recommend steps to downgrade?

Accepted Solutions

L7 Applicator

Hi @jirasith 

(Firewall A = currently active firewall, firewall B = currently passive firewall)

  1. Download PAN-OS 8.1.19 to both firewalls
  2. Install 8.1.19 and reboot firewall B
  3. Download PAN-OS 9.0.0 to firewall B
  4. Download PAN-OS 9.0.13, install it and reboot firewall B
  5. Install PAN-OS 8.1.19 on firewall A and reboot (when you click reboot a failover is done to firewall B)
  6. Download PAN-OS 9.0.0 to firewall A
  7. Download PAN-OS 9.0.13, install it and reboot firewall A
  8. Download PAN-OS 9.1.0 to both firewalls
  9. Download PAN-OS 9.1.10 to both firewalls
  10. Install PAN-OS 9.1.10 on firewall A and reboot (when you click reboot a failover is done to firewall B)
  11. Install PAN-OS 9.1.10 on firewall B and reboot

To make sure that you can downgrade in case of any problems, export the configuration at all of the following steps on both firewalls:

  • Installation of 8.1.19
  • Installation of 9.0.13

 


@Remo Thank you for the advice. If I have to downgrade the firmware version from 9.1.10 to 8.1.19, can I revert the upgrade path, such as:

1. Download and install 9.0.13
2. Download and install 9.0.0 and reboot
3. Download and install 8.1.19 and reboot

Or can I directly download and install 8.1.19?

@jirasith In case of a downgrade you first go to 9.0.13 and then to 8.1.19. You don't need the step to install and reboot for the version 9.0.0.

@Remo Thanks a lot.

Our company went through a ton of changes and I found out that I'm responsible for 4 sites with a PA-220 device at each location. I'm not familiar with this hardware or the upgrade processes. I've read what has been posted here and it is very helpful but I would like to ask a few clarifying questions if I could.

 

Our 4 sites have PA-220 devices on Software Version 8.1.9. Reading over everything, including the Palo Alto upgrade information, here are my questions.

 

1. With all 4 locations in separate areas of town, I assume I complete onsite upgrade at a time, correct?

2. With the firewalls at 8.1.9, if I understand the process correctly I can go straight to 8.1.24?

3. Above

   * Step 3 is listed Download PAN-OS 9.0.0 to firewall, but it does not say install it.
   * At step 4 you have Download PAN-OS 9.0.13, install it and reboot firewall.
   * My question here is, you download the 9.0.0 but do not need to install it, you automatically download the next highest 9.0.x and install that one?
   * I see now that 9.0.16-h3 is the highest in the 9.0.x versions. I take it that's what I would install, correct?

4. Reading over your steps above after that I would then go to 9.1.0, then 9.1.15 and so on, correct?

 

The steps above appear that you only download the next new version 9.0.x, 9.1.x, 10.0.x, etc but you do not install those, you only install when you hit the highest version in those ranges. 

 

One last question. I would assume that I do want to go into each firewall and go into Devices > Setup > Operations and I want to do the following: Save named configuration snapshot & Export named configuration snapshot ?

 

Thanks in advance!

 

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902

1. Depends on how comfortable you are with upgrading each PA. Technically, there is nothing that is required to be onsite for, so you could do all the upgrades remotely... though there is always the unknown/unseen problem that can pop up.

 

2. Yes, you can proceed from 8.1.x directly to 8.1.24.

 

3. The x.x.0 package contains the entire PAN-OS install needed for the major version. The .1, .2, etc. packages contain just the updates from the .0 base package. The recommended upgrade path is to install the base package, reboot, then install the update package and reboot. Though if you download both packages and install just the update, the PA will actually install the base package before installing the update. You can go from 9.0.0 to 9.0.16-h3 (minor revisions are updates/features, -h revisions are hot patches to address major security issues).

 

4. Yes, if you want to upgrade to the 9.1.x chain then you will need to install 9.1.0 and then 9.1.15.

 

And yes, you will want to save a named config and then export that named config before upgrading, in case something goes wrong and you need to roll back to a previous version. Generally the PA should handle config format changes between revisions, but if all goes wrong you can default the config, roll back, and apply the previous saved configuration.

 

Also... a potential gotcha that may or may not affect you. PAN-OS 8.x uses the PAN-DB format database for URL filtering (if you have the URL Filtering and Threat Prevention licensing). This is for classifying websites based on content and allowing/restricting certain categories. PAN-OS 9.x moved to the URL-Cloud format database (different provider, slightly different update model, same categories). When you upgrade to 9.x it deletes the current database and initializes the new database. There are 2 URL categories to pay special attention to: "not-resolved" and "unknown". The default PA site access for these categories is "allow". However, if you are using a custom URL Filter and changed these categories to "block", then the new database can't download the initial values as everything is currently "unknown". So if your filters block those by default you need to "allow" temporarily to populate the initial database (once populated the PA update servers are known in the Computer&InternetInfo category).

I appreciate the reply to this, that's very helpful information, Now to schedule this with each site and tackle it.

 

Thanks!

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902

Cyber Elite

Unless you're on one of the older chassis I wouldn't bother with installing the base and rebooting before moving forward with the maintenance release

 

i.e. download base, download latest recommended maint, install maint, reboot

 

The reason the older platforms may need the base step in between is that by default the system simply unpacks the base, and then also unpacks the maint to install both in one go. Older systems don't have enough disk space to support this "double unpack" 

For this case it would be good to first install (not even reboot) the base and then move forward with the upgrade

 

Contemporary chassis/VMs fully support going from one major to the next major+maintenance in one swift install

 

(Just an FYI 🙂 )

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
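
The base-plus-maintenance rule from the replies above, as an added example (not code from the thread or from Palo Alto Networks): a small Python planner that lists the hops and the per-hop steps for one firewall without skipping a feature release. The `FEATURE_CHAIN` order, the function names and the `low_disk` switch are assumptions of this sketch; on the way down it lists only the hops, since the thread says just that the 9.0.0 step is not needed.

```python
import re

# Assumption: PAN-OS feature-release order, oldest first (extend as needed).
FEATURE_CHAIN = ["8.1", "9.0", "9.1", "10.0", "10.1", "10.2"]

def parse(version):
    """'9.0.16-h3' -> ('9.0', 16, 3); a missing hotfix counts as 0."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)(?:-?h(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)

def hops(current, target, preferred):
    """Versions to install, in order; preferred maps feature release -> maintenance release."""
    src, dst = parse(current)[0], parse(target)[0]
    i, j = FEATURE_CHAIN.index(src), FEATURE_CHAIN.index(dst)
    step = 1 if j >= i else -1
    path = []
    for k in range(i, j + step, step):
        feat = FEATURE_CHAIN[k]
        version = target if feat == dst else preferred.get(feat)
        if feat == src and feat != dst:
            # Going up: first reach the preferred maintenance release; going down: skip.
            if step < 0 or version is None or parse(version) <= parse(current):
                continue
        if version is None:
            raise ValueError(f"no maintenance release chosen for {feat}")
        path.append(version)
    return path

def steps(current, target, preferred, low_disk=False):
    """Expand hops into operator steps; low_disk adds the base install for older platforms."""
    on = parse(current)[0]
    upgrading = FEATURE_CHAIN.index(parse(target)[0]) >= FEATURE_CHAIN.index(on)
    out = []
    for version in hops(current, target, preferred):
        feat, maint, hotfix = parse(version)
        out.append(f"save and export named configuration snapshot before {version}")
        if upgrading and feat != on and (maint or hotfix):
            out.append(f"download base {feat}.0")
            if low_disk:
                out.append(f"install base {feat}.0 (no reboot)")
        out.append(f"download {version}")
        out.append(f"install {version} and reboot")
        on = feat
    return out

# Constructed sample input: the maintenance releases named in the thread.
PREFERRED = {"8.1": "8.1.19", "9.0": "9.0.13"}
```

Calling `steps("8.1.14", "9.1.10", PREFERRED)` gives the single-firewall sequence; on an HA pair each hop still has to be applied to one peer at a time as in the accepted answer.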

L1 Bithead

I appreciate the feedback that has been provided. Now I just need to schedule this with the sites and jump in and get it done. Of course I will pick the site with the least impact if something happens, just in case, on the first one.

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902

L1 Bithead

I thought I would come back and thank everyone for the assistance. Although I was supposed to have this done before the end of last year, other projects etc. did not allow time. I just went through it and it went so smooth. Of course I stopped at 10.0.11h1 and I already know I need to get up to 10.2.x now, but I've scheduled this out on a schedule now so I can get and stay caught up with limited impact to the staff. I did find that just downloading the base then the latest update, then installing the update worked great. With download, install, reboot it took about 45 minutes per site.

 

Because this was my first run with this, I did add one step: in between each big update I did another snapshot export. I also created myself a check sheet so I could stay on track with where I was at each site.

 

Checklist Sample.png

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902