PA-VM Upgrade steps

cancel
Showing results for 
Search instead for 
Did you mean: 

PA-VM Upgrade steps

L2 Linker

PA-VM

VM-300

9.0.8 to 9.0.10

vm_series-1.0.11

 

Sorry for the (probably) simple question, but I've never done a Software Version upgrade on a Palo VM before.

 

Other than the usual steps to update, what other considerations do I need to take into account?  How do i know if I need to update the plug-in or not?  If so, do I update the plug0in first?  Any simple coloring book and crayon style step by step instructions would be greatly appreciated. 

 

 

1 REPLY 1

L0 Member

Hello! Appreciate this is an old post and you will have moved on by now but thought I would share an example similar to my past experience of steps which worked for me. Examples below. But most importantly, make sure to follow the official Palo Alto upgrade guides for full information! (links below)

Starting versions:
PAN-OS: 10.0.x
VM-series Plugin: 2.0.x

Target versions:
PAN-OS: 10.1.x
VM-series Plugin: 2.1.x

For the VM-series plugin upgrade, there is no need to follow an upgrade path that I am aware of. You should be able to download and install your desired version and it will automatically remove the old version during the installation process. But you should make sure the vm-series plugin version will be compatible with the software version that you plan to have running together long term (link to vm-series plugin version compatibility below). As you install the vm-series plugin first, you may briefly have incompatible vm-series plugin version and software version but this is fine in the short term while you complete the software upgrade as well.

Upgrade order:
- Download and install VM-series plugin on passive device to 2.1.x from 2.0.x (this should however put passive device into suspended HA state if upgrading an HA pair)

- Download and install VM-series plugin on active device to 2.1.x from 2.0.x (Once vm-series plugin versions match again, HA states should return to functional on passive peer)
- Upgrade to Software version to 10.1.0 on passive device (will require reboot)
- Manually fail over so the now upgraded device is active
- Upgrade to Software version to 10.1.0 on new passive device (will require reboot)
- Fail back to return to original active/passive state

Ultimately follow the Palo Alto guides for all upgrade steps (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-the-vm-series-firewall). I think the main point / answer to this question is - do the vm-series plugin upgrades first, then proceed with the PAN-OS upgrades - at least that's always worked fine for me.

VM-series plugin compatibility reference is here:
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plu...

Regards,
Marcus

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!