VMWare ESXi PAN-OS upgrade: from 8.0.7 to 8.1.3 ->Active/Passive HA (without Panorama)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VMWare ESXi PAN-OS upgrade: from 8.0.7 to 8.1.3 ->Active/Passive HA (without Panorama)

L2 Linker

Hi community,

 

Having reviewed:

 

https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-81/upgra...

 

and

 

https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-81/upgra...

 

 

Is this the right upgrade path to be followed?

 

A)

8.0.7 to 8.0.12

8.0.12 to 8.1.1

8.1.1 to 8.1.3

 

or (skipping 8.0.12 to 8.1.1-> unsure whether or not this is required)

 

B)

8.0.7 to 8.0.12

8.0.12 to 8.1.3

 

And lastly, what is a feature realease? :"When you upgrade from one PAN-OS feature release version to a later feature release, you cannot skip the installation of any feature release versions in the path to your target release.

 

Thanks.

5 REPLIES 5

Cyber Elite
Cyber Elite

@ash83,

So you would actually use the following upgrade path. 

8.0.7 -> Whatever the latest maintenance release is for 8.0.x

8.0.x -> 8.1.0 (base) 

8.1.0 -> 8.1.3

 

Palo Alto no longer recommends jumping directly to the target maintenance release within the next major version due to having to explode both images to build the installer. This takes up a lot of disk space and makes it more likely that a bit here or a bit there will get out of place. 

So whenever you install a major software update you'll want to upgrade to whatever the latest maintenance release is; then upgrade to the base of the next major software release, and then finally update to the target maintenance release in that version.

A feature release is a major software version; so 7.0, 7.1, 8.0, 8.1 are all feature releases. 8.1.1 for example would be a maintenance release. What that note is saying is essentially; if you're running 7.0 and you want to upgrade to 8.1, you can't skip 7.1 and 8.0 to get there. 

Interesting and great into.

 

Prior you could go this route.

 

8.0.7 -> whatever the latest maintenance release is for 8.0.x

8.1.0 (base) - download only but not install

8.1.x - install

 

This was always hit or miss, I guess that's why they changed it

 

@ce1028,

That was an old recommendation, and one that Palo Alto has since moved away from. The issue with that install method is that both the 8.1.0 and the 8.1.* maintenance release that you're actually installing need to be exploded onto the disk, and then a functional install image is built with bits and pieces from both images. This takes drastically more disk space then a simple install in the current recommendation and causes a better chance that something will go wrong. 

 

* Just as a side note, most people that had an issue with simply downloading the base image and then installing the maintenance release were using the smaller platforms (PA-200, PA-3000, ect). However it really comes down to available diskspace, to be safe they simply changed the recommendation for everyone. I would still highly recommend you follow the new recommendation. 

@BPry Indeed!  I've been following the procedure you posted for some time now. No issues at all.  Yes, I run a lot of 200s,3000s

Thanks BPry, excellent assistance.

  • 3098 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!