For details on cookie usage on our site, read our Privacy Policy
- LIVEcommunity
- Discussions
- Best Practice Assessment Discussions
- Who rated this post
Who rated this post
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-31-2022 01:22 PM - edited 09-01-2022 09:00 AM
I don't believe either posted is quite right (at least the way I would do it). PaloAlto recommends you upgrade to the latest maintenance before upgrading further, though if there is not a specific config problem fixed between your current 10.0.x and the latest 10.0.x then I don't see the point. You do need to download/install the major.minor.0 version though, before you can update to the latest maintenance release in that minor release chain.
So your most direct upgrade path would be:
10.0.10 -> 10.1.0
10.1.0 -> 10.1.6-h6
Technically you can combine the major.minor.0 and major.minor.x maintenance upgrades into a single step (download both the .0 and .x and then install the .x) and I have done that before... though I wouldn't do it for something critical/that can't be down for a full rebuild.
In upgrading my HA pair between major/minor revisions it has been my practice to upgrade the secondary peer to the new chain. Perform a failover to the secondary unit. Upgrade the primary peer to the new chain, then upgrade to the latest maintenance release. Perform a failover back to the primary unit. Then upgrade the secondary to the latest maintenance release. I have had to do a manual config resync when going between major releases, so I save that for last, ensure the primary is operating as expected on the new release and then push its config to the secondary.
Various upgrade docs:
