Strategy for Upgrading Panorama and Firewalls
Good morning, and once again, thank you very much for the support and collaboration. I am thinking about the correct firewall and Panorama upgrade strategy. The equipment scenario is as follows: Panorama StandAlone: 9.1.6. Firewalls in HA: 8.1.9-PAN-OS, firewall 9.1.2-PAN-OS, firewall 9.0.4-PAN-OS. Thinking about the best upgrade strategy, what is the recommendation: first, for example, update Panorama to the latest recommended version of 9.1.X (currently 9.1.3.h3) and then proceed to update the rest of the firewalls, or, on the contrary, would the best strategy be to update the firewalls first and then Panorama?
In the event of a problem when upgrading Panorama, if Panorama goes offline, will the firewalls continue to operate without any issues? Will there be no impact on the firewall service due to some failure in Panorama, let's say at the time of the upgrade, if for some reason it generates an error and Panorama does not come up? Only the centralized management and administration would be lost, and the logs received, but the operation of the firewalls would not be lost, I understand, right?
I remain attentive, thank you very much for the support and collaboration. Best regards.
That is a VERY bad practice and will lead to not receiving support from TAC if something does go wrong. There is really no excuse for not upgrading Panorama first.
@Reaper
Thanks Reaper, as always:
From this point:
Never ever upgrade a firewall to a higher release (major, minor and maintenance) than the Panorama.
It is more than clear to me that this is best practice.
But I have seen environments where they have, for example, Panorama 9.1.4 and a firewall with version 9.1.13-h3, and they operate without major problems. I understand that the recommendation is harder when it comes to the major and minor version rather than the maintenance version.
I remain attentive to your comments.
It is mandatory to upgrade the Panorama first, but don't upgrade it more than 2 major versions away from your firewalls. If you, for example, want to go to 10.1, first upgrade Panorama to the latest 9.1, then bring your 8.1 and 9.0 firewalls to 9.1, then upgrade Panorama to 10.1, and then bring all your firewalls to 10.1. Never ever upgrade a firewall to a higher release (major, minor and maintenance) than the Panorama.
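An added example, not part of any post in this thread: a pre-upgrade audit that flags firewalls running a higher release than Panorama, using the version strings mentioned above. The device names and the inventory layout are hypothetical, and hotfix suffixes are parsed but left out of the comparison because the rule in the thread names only major, minor and maintenance.

```python
import re

# PAN-OS release strings look like "9.1.13-h3": major 9, minor 1,
# maintenance 13, optional hotfix 3. Trailing text such as "-PAN-OS"
# (as written in the first post) is ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_panos(version):
    """Return (major, minor, maintenance, hotfix) as integers."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def firewalls_ahead_of_panorama(panorama, firewalls):
    """Return sorted names of firewalls on a higher release than Panorama.

    Assumption: only major, minor and maintenance are compared, so a
    firewall on 9.1.13-h3 is not flagged against a Panorama on 9.1.13.
    """
    limit = parse_panos(panorama)[:3]
    return sorted(name for name, ver in firewalls.items()
                  if parse_panos(ver)[:3] > limit)


# Constructed inventories built from the versions quoted in the thread;
# the device names are hypothetical.
SCENARIO_A = ("9.1.6", {"fw-ha": "8.1.9-PAN-OS", "fw-2": "9.1.2-PAN-OS",
                        "fw-3": "9.0.4-PAN-OS"})
SCENARIO_B = ("9.1.4", {"fw-4": "9.1.13-h3"})

if __name__ == "__main__":
    for panorama, fws in (SCENARIO_A, SCENARIO_B):
        ahead = firewalls_ahead_of_panorama(panorama, fws)
        print(f"Panorama {panorama}: firewalls ahead = {ahead or 'none'}")
    # A plain string comparison gets scenario B backwards, because the
    # character "4" sorts after the "1" that starts "13".
    print("naive string compare:", "9.1.4" > "9.1.13-h3")
```

Comparing the versions as integer tuples matters here: a string comparison would rank Panorama 9.1.4 above firewall 9.1.13-h3 and miss the mismatch.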