What happens when a base image is deleted from PAN OS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

What happens when a base image is deleted from PAN OS

L4 Transporter

Hi All,

My colleague deleted the base image  10.2.0 whilst being on the 10.2.3-h4. There is no issue with the device (VM series).

Is this a normal practice? Will it ever effect the working of the firewall?

FYI: This was an attempt to clear the root partition and it dramatically decreased the space from 99 to 72 percentage. He had deleted other version too but only with this one the space on root got significantly lowered.

This is confusing. Any suggestion on this experts?

Kind Regards,

P

@BPry 

 

 

PrasKtmBoy
1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Pras wrote:

Hi All,

My colleague deleted the base image  10.2.0 whilst being on the 10.2.3-h4. There is no issue with the device (VM series).

Is this a normal practice? Will it ever effect the working of the firewall?

FYI: This was an attempt to clear the root partition and it dramatically decreased the space from 99 to 72 percentage. He had deleted other version too but only with this one the space on root got significantly lowered.

This is confusing. Any suggestion on this experts?

Kind Regards,

P

@BPry 

 

 


There's really no reason to keep the base image and it can be safely removed once you are on your target maintenance release. In the event that you are going back a single version (say you installed 10.1.9-h1 previously and then upgraded to 10.2.3-h4 directly) you would simply issue the 'debug swm revert' command to revert the active partition back to the previously running 10.1.9-h1 partition. Removing the base image will never affect the firewall from a functional standpoint.

If you're jumping multiple versions in a single upgrade (say 9.1.15-h1 to 10.2.3-h4) you might keep the base images because you can't simply rely on the other partition to downgrade in the event it's required anymore. In those situations I'd keep the required images to perform a potential downgrade on the firewall for a few weeks as long as it had the required space available to do so. You could just as easily remove them and re-download them if you actually perform the downgrade in the event you didn't have the space available to keep all of the images stored.

 

One thing to keep in mind when running 'show system disk-space' is that it's not a real-time check. I've always experienced a delay between removing images and that space being reflected in /opt/panrepo. The base images being the largest image available to download however, you would expect a larger amount of space returned upon their removal.

Regardless of platform the base image is always larger when compared to a maintenance release, but the difference between the size will differ by platform. On a PA-220 for instance the base image is ~220MB larger, go up to a PA-440 and you're looking at ~300MBs, expand that to a PA-5220 and it's ~600MB larger.

View solution in original post

3 REPLIES 3

L4 Transporter

Hi there,

Unless you intend to rollback to the base image, it is safe to delete.

It is good practice to retain the software images which would allow you to rollback after an upgrade, but after several months on a new version with sufficient testing it would be safe to delete it if you were having disk capacity issues.

 

cheers,

Seb.

Cyber Elite
Cyber Elite

@Pras wrote:

Hi All,

My colleague deleted the base image  10.2.0 whilst being on the 10.2.3-h4. There is no issue with the device (VM series).

Is this a normal practice? Will it ever effect the working of the firewall?

FYI: This was an attempt to clear the root partition and it dramatically decreased the space from 99 to 72 percentage. He had deleted other version too but only with this one the space on root got significantly lowered.

This is confusing. Any suggestion on this experts?

Kind Regards,

P

@BPry 

 

 


There's really no reason to keep the base image and it can be safely removed once you are on your target maintenance release. In the event that you are going back a single version (say you installed 10.1.9-h1 previously and then upgraded to 10.2.3-h4 directly) you would simply issue the 'debug swm revert' command to revert the active partition back to the previously running 10.1.9-h1 partition. Removing the base image will never affect the firewall from a functional standpoint.

If you're jumping multiple versions in a single upgrade (say 9.1.15-h1 to 10.2.3-h4) you might keep the base images because you can't simply rely on the other partition to downgrade in the event it's required anymore. In those situations I'd keep the required images to perform a potential downgrade on the firewall for a few weeks as long as it had the required space available to do so. You could just as easily remove them and re-download them if you actually perform the downgrade in the event you didn't have the space available to keep all of the images stored.

 

One thing to keep in mind when running 'show system disk-space' is that it's not a real-time check. I've always experienced a delay between removing images and that space being reflected in /opt/panrepo. The base images being the largest image available to download however, you would expect a larger amount of space returned upon their removal.

Regardless of platform the base image is always larger when compared to a maintenance release, but the difference between the size will differ by platform. On a PA-220 for instance the base image is ~220MB larger, go up to a PA-440 and you're looking at ~300MBs, expand that to a PA-5220 and it's ~600MB larger.

L4 Transporter

@BPry   This is really really helpful. I'd like to thank you for the detailed explanation.

PrasKtmBoy
  • 1 accepted solution
  • 3075 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!