Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

L6 Presenter

I don't believe either posted is quite right (at least the way I would do it). PaloAlto recommends you upgrade to the latest maintenance before upgrading further, though if there is not a specific config problem fixed between your current 10.0.x and the latest 10.0.x then I don't see the point. You do need to download/install the major.minor.0 version though, before you can update to the latest maintenance release in that minor release chain.


So your most direct upgrade path would be:

10.0.10 -> 10.1.0

10.1.0 -> 10.1.6-h6


Technically you can combine the major.minor.0 and major.minor.x maintenance upgrades into a single step (download both the .0 and .x and then install the .x) and I have done that before... though I wouldn't do it for something critical/that can't be down for a full rebuild.


In upgrading my HA pair between major/minor revisions it has been my practice to upgrade the secondary peer to the new chain. Perform a failover to the secondary unit. Upgrade the primary peer to the new chain, then upgrade to the latest maintenance release. Perform a failover back to the primary unit. Then upgrade the secondary to the latest maintenance release. I have had to do a manual config resync when going between major releases, so I save that for last, ensure the primary is operating as expected on the new release and then push its config to the secondary.


Various upgrade docs:


Who rated this post