Thursday, November 19, 2020
By Charles Buege, Fuel User Group Member
A few weekends ago, I embarked on the adventure of upgrading my PA-220 to PAN-OS 10. With the articles I’ve written in the past and since version 10 has been out for a while now, I wanted to start getting some experience with it myself, so I figured it was time to pull the trigger and upgrade my lab.
I allocated an hour or so one evening to perform the upgrade, but as the old adage goes, “The best laid schemes of mice and men often go awry.” It’s fair to say it took a bit longer than I expected.
As a personal idiosyncrasy, I do not upgrade anything to the X.0 version — I’ve been burned way too many times. I now wait for at least one minor version release, preferably two, before upgrading to a major release, to make sure the worst of the newly introduced issues are taken care of. And as dumb luck would have it — even though I was ready to make an exception with 10.0 because I’d done my homework and had no concerns — 10.0.1 was released just a couple days before I set out on upgrading, keeping my tradition of not deploying an X.0 version of something going.
On my PA-220, I’d been working with an older version of the PAN-OS for quite some time (9.0.5), because it kept working, had all of the capabilities that I needed, and if it isn’t broke, you don’t fix it. So, after going to my firewall’s Device -> Software, I clicked on “Check Now” and waited for the page to refresh, planning to click on “Download” for 10.0.0.
I waited and …. nothing. 10.0.0 and 10.0.1 did not show up. What’s going on here? I didn’t get it.
I was SO certain that everything I’d read said the PA-220 was compatible with version 10. That’s part of the reason I’d gotten this model and not spent the additional money for the next larger model. I went ahead and checked another PA-220 that I had access to and did a “Check Now”’ on its “Software” page, too, and yep — there it is: 10.0.0 and 10.0.1 are listed plain as day.
This only added to my confusion. Did I have an older model of a PA-220? Was my device from an earlier batch that wasn’t version 10 compatible? Were there other people out there that had the same problem as me? What was I missing here? It was time to jump on the interwebs and do some research.
I found a lot of people sharing that the upgrade took upwards of an hour, people who said the new web interface was slow on their PA-220s, and others who realized that they needed to clear out old images to free up space — but no one had my problem.
What did that mean? I was the oddball here. This didn’t surprise me. If there was a way to make something happen in a weird way, I’m good at that, so I set to figure this out. I would do a side by side comparison between the two PA-220s that I have access to, to see what their differences were and why 10.0.0 and 10.0.1 shows up on one but not on the other.
I remembered that when I first activated my PA-220 that if I didn’t have my dynamic update downloaded for my “Application and Threats,” that my “Antivirus” wouldn’t download, so I checked my dynamics updates. Are all of these up to date? I look — yes, within a version or two. Nothing more than a day out of sync. It wasn’t that.
Next, I compared versions of software running on the PA-220s themselves. What are they both running?
Eureka — I was onto something here!
As I mentioned earlier, my lab PA-220 is running 9.0.5, as I’d never needed to upgrade it. Well, the other PA-220 that I had access to is running version 9.1.4. That’s right! When I put THAT PA-220 in place, I specifically wanted to work with version 9.1.X of the PAN-OS, as I’d heard it had so many new capabilities that people said it should have been named 9.5, not 9.1.
Could that be my solution? Could the fact that the PAN-OS won’t let you attempt to upgrade to 10 until you are running at least 9.1.X on it? I had to find out!
I began the download process of getting versions 9.1.0 and 9.1.4 onto the box. Version 9.1.0 is required to be downloaded onto the PA-220 if you are going to install any version higher than 9.1.X. With both versions downloaded, I kicked off the installation of 9.1.4. After the installation, reboot and waiting for the subsequent initialization to complete with version 9.1.4 installed, I logged back into the web interface. I went to Device -> Software, clicked on “Check Now” and — lo and behold — I had 10.0.0 and 10.0.1 available to me!
If you’ve made it through my saga thus far, congrats. One thing that I did learn from this process that you can take right away from this article: You cannot upgrade PAN-OS directly from 9.0.X to 10.X. You must upgrade to 9.1.X first.
Continuing on, I downloaded both images for version 10.0.0 and 10.0.1 and installed version 10.0.1. After the installation, reboot and subsequent initialization to complete, I was able to log into version 10.0.1 of the PAN-OS on my lab PA-220. Upgrade complete.
I want to address a couple of the comments that I came across in my online search as I was trying to figure out my issue earlier:
1. “It took over an hour for my PA-220 to upgrade to 10.0.0.”
I cannot speak to that. When I came across these comments, I decided to time out my process. My PA-220 upgrade from 9.1.4 to 10.0.1 took the following amount of time:
10 minutes from start of 10.0.1 install to first reboot
21 minutes from first reboot to login screen responding and web UI interacting
Total time: 31 minutes
To me, this is acceptable for a lab environment for a major version upgrade. Others may disagree, but that’s my opinion.
2. “The new web interface is a lot slower on my PA-220.”
I am seeing this comment in many places. The web pages do tend to load a little slower, yes. However, we are looking at a more powerful PAN-OS running on an albeit small box doing a lot more stuff. Sacrifices will have to be made for cost savings. Personally, I think the increase in time is very minimal and only in some areas. I’d also recommend that you let each main tab — Dashboard, ACC, Monitor, Policies, Objects, Network, Device — load fully before selecting any options. This will allow any background images to be cached to your local system and will improve subsequent browsing to go faster for you.
3. Some users realized they needed to clear out some old images to make room for version 10.0.
There’s not much I can say to that. Storage is finite and sometimes you need to clear out space. Personally, I only keep the previous version I was using on the system for a week or two after an upgrade in case I need to go back to it quickly. Otherwise, I clear it out to keep the clutter to a minimum. Others may need to keep more images for other reasons, and that is up to them to decide.
As I alluded to at the start of this journey, things almost never go as planned. What I’d planned on being an hour or so of my day ended up taking almost three hours. Here was my overall breakdown in time:
45 minutes: Trying to figure out why I couldn’t get version 10 to show up on my PA-220, trying “Check Now,” verifying DNS information/internet connectivity, performing internet research about the problem
30 minutes: Side-by-side comparison between my PA-220 and second PA-220 I had access to
5 minutes: Download of image 9.1.4
3 minutes: Failed upgrade of 9.1.4 because I forgot I needed 9.1.0 to be downloaded for upgrade to take effect
5 minutes: Download of image 9.1.0
25 minutes: Upgrade of lab PA-220 to 9.1.4
10 minutes: Download of images 10.0.0 and 10.0.1 (I remembered I needed both this time)
30 minutes: Upgrade of lab PA-220 to 10.0.1
10 minutes: Testing of PA-220 web interface, exploring, checking machines behind firewall are working as expected, can access internet, etc.
Total time (approx.): 2 hours, 43 minutes
Thank you for reading my article. I hope, if nothing else, my trials and tribulations during this exercise has brought a smile or two to your day.
Charles Buege is the senior DevOps engineer for Temeda, an Industrial IoT company out of Naperville, Illinois. He currently holds a PCNSA certification and is working towards his PCNSE. He also runs an IT-based Meetup group called “The IT Crowd”.
More to Explore
Check out these Fuel blog posts for further reading: