04-14-2019 05:56 PM
So essentially the reason the new recommendation came to be is due to smaller devices running out of disk space. When you skip the install of the base image, the firewall still needs to explode both images to piece together a working image to actually install the requested maintenance image.
The issue with the above process is that as PAN-OS has grown in size, the smaller devices simply don't have enough disk space to ensure that the device can actually do the above process. Now when the firewall has to explode images to piece together a working image, the firewall can't easily verify the disk space required for that process. This caused the firewall to fail piecing everything together again as it couldn't build a big enough temp file to build the install image.
I still highly recommend you don't actually skip the base image install process, regardless of what model of firewall you have or even if you know enough to verify your firewall has the space required to build a working install image. Piecing together an install image can still cause issues to pop up because the firewall has nothing to verify the image hasn't been messed up in the process.
You can certainly follow the old method with larger firewalls and not run into any issues, but keep in mind that there were enough issues reported that Palo Alto needed to change the process. This wasn't something PAN did to make us all scratch our heads, it was due to the number of issues people ran into on PA-200s and PA-500s; there were even a few issues on the 3000 series reported.
I like to live fast and dangerous: Congrats, feel free to follow the old method and hope you don't run into any issues.
I like to not cause extended maintenance windows or outages: Follow the new process.