08-12-2022 02:18 PM - edited 08-12-2022 02:35 PM
I updated a standalone from 8.1.x to 9.1.x. When doing that one I downloaded the 9.0.0 and the 9.0.x updates and did it in one update to 9.0.x. Then a second download/update cycle to 9.1.x. Seemed to work fine.
For my HA pair I was advised not to do that by PA support, to download/install the 9.0.0 and reboot, then the 9.0.x and reboot, etc...Until you got to the final 9.1.x version. Probably for the best as updating broke the config syncing between active and passive units. So I updated the secondary unit to 9.0.0, then to 9.0.x. Failed over traffic to the secondary unit. Upgraded the primary to 9.0.0, 9.0.x, 9.1.0, and then finally 9.1.x. Checked all the config appeared to be OK and failed back to the primary unit. Updated the secondary unit to 9.1.x in stages. Then did forced config sync from the primary to secondary units.
Overall it wasn't too painful, just took a long time waiting for reboots.
Edit: Also, a potential trap... When updating from 8.x to 9.x, the Threat/App/URL databases format/provider changes. In my case the "Unknown" URL category is set to block instead of allow (the default). That meant after going to 9.0.0 I could no longer download system/dynamic updates, or confirm licenses, because the databases had been reset in the upgrade and every URL was now "Unknown". Had to bypass to be able to initialize the threat databases and continue updating.
