Best practices - Multi large upgrades pan-os Firewall HA
Good afternoon, as usual, thank you very much for your support and collaboration.
We have the possibility with a customer to perform multiple upgrades in one day, maintenance window.
We need to move from 8.1 to 9.1, i.e. 8.1.x to 9.0.x and from 9.0.x to 9.1.x.
So the question is the following:
1.- What is the best practice when it comes to make that jump, that intermediate upgrade from 9.0, for example when going from 8.1.x to ""9.0.x"" ( PAN-OS Intermediate, transitive ) final 9.1.x.
That intermediate jump, what is the best practice: I mean, for example, the current version 8.1.5, download and install the base 9.0.0? or is it recommended to download the base (9.0.0) and download and install (the recommended version of 9.0.x (9.0.16-h2), although it is say the intermediate transition version? to reach the recommended version 9.1.
2.- Also in relation to the same, the recommendation is still, in each jump, for example when moving to the same intermediate version 9.0, love or reassemble the HA and then continue with the upgrade ? or is it possible to apply both upgrades to a node and then on the other node ? I would understand that the best practice is to re-amplify the HA at each stage of the upgrade.
Please give me your comments, advice, recommendations and suggestions.
Thank you very much
Best regards
1. It's recommended to download 9.0.0 and download+install+reboot 9.0.preferred Then download 9.1.0, download+install+reboot 9.1.preferred (If you're on a pa-200/220, or a 3000 series you may need to install and possibly even reboot the base images as well as these systems have too small hard disks) 2. If you can go for a hard cutover you can upgrade one system all the way and then do the other one. If you want to do it gracefully you will need to lockstep your upgrades on both members