Alto Auto Firewall Upgrades: Understanding the Process

Upgrading your Palo Alto Networks firewall, often referred to as an Alto Auto due to its automated features, can be a complex process. This article delves into the intricacies of upgrading from PAN-OS 9.1.x to 10.0.x and from 10.0.x to 10.1.x, highlighting potential challenges and providing insights based on real-world experiences.

Upgrading from PAN-OS 9.1.x to 10.0.x

When upgrading from 9.1.x to 10.0.x, a RAID rebuild on the 2TB log disks is initiated. Palo Alto Networks attributes this to a file system change during the upgrade process. While some documentation suggests this occurs in 10.1, experience and consultations with Palo Alto Networks’ Technical Assistance Center (TAC) indicate it happens in the 10.0.x upgrade as well.

During an upgrade of a high-availability pair of PA-5250 firewalls, the auto-commit phase finished relatively quickly. However, the RAID rebuild took 12 hours to complete. It’s crucial to avoid rebooting the firewalls during this rebuild process and to proceed with the upgrade to 10.1.x only after the rebuild is fully finished. Rebooting during the process can lead to data corruption or system instability.
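
A pre-reboot gate for the rule above, as an added example that is not from the original article or from Palo Alto Networks: it parses text captured from the PAN-OS CLI command `show system raid detail` and lists every reason the log-disk RAID is not yet ready. The sample output is constructed, its field layout is an assumption that may differ by platform and release, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on `show system raid detail`; the exact field
# layout is an assumption and may differ by platform and PAN-OS release.
SAMPLE_REBUILDING = """\
Disk Pair A                           Available
   Status                       clean, degraded, recovering
   Disk id 1                           Present
       partition_1  : active sync
       partition_2  : active sync
   Disk id 2                           Present
       partition_1  : spare rebuilding
       partition_2  : spare rebuilding
"""
SAMPLE_HEALTHY = SAMPLE_REBUILDING.replace(
    "clean, degraded, recovering", "clean").replace("spare rebuilding", "active sync")

def raid_blockers(text):
    """Return the reasons the log-disk RAID is not ready for a reboot."""
    blockers, pair, disk = [], None, None
    for line in text.splitlines():
        if m := re.match(r"\s*Disk Pair (\S+)\s+(.+)", line):
            pair, disk = m.group(1), None
            if m.group(2).strip() != "Available":
                blockers.append(f"pair {pair}: {m.group(2).strip()}")
        elif m := re.match(r"\s*Status\s+(.+)", line):
            if m.group(1).strip() != "clean":
                blockers.append(f"pair {pair}: status {m.group(1).strip()}")
        elif m := re.match(r"\s*Disk id (\S+)\s+(.+)", line):
            disk = m.group(1)
            if m.group(2).strip() != "Present":
                blockers.append(f"pair {pair} disk {disk}: {m.group(2).strip()}")
        elif m := re.match(r"\s*(partition_\d+)\s*:\s*(.+)", line):
            if m.group(2).strip() != "active sync":
                blockers.append(
                    f"pair {pair} disk {disk} {m.group(1)}: {m.group(2).strip()}")
    if pair is None:
        # Empty or unparseable output must fail closed, never read as healthy.
        blockers.append("no RAID pairs found in output; do not assume healthy")
    return blockers

def safe_to_proceed(text):
    """True only when every pair, disk and partition reports a healthy state."""
    return not raid_blockers(text)

if __name__ == "__main__":
    for name, out in (("rebuilding", SAMPLE_REBUILDING), ("healthy", SAMPLE_HEALTHY)):
        print(name, "->", raid_blockers(out) or "OK to reboot / continue upgrade")
```

Run it against output captured from both members of the HA pair, and treat any non-empty result as a hold on rebooting or starting the 10.1.x upgrade.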

Another potential issue is the auto-commit error “Configured traffic quota of 0 MB is less than the minimum 32 MB” after upgrading to 10.1.4 or later versions. This error requires specific troubleshooting steps, which are outlined in the Palo Alto Networks knowledge base article linked below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkxPCAQ

Upgrading from PAN-OS 10.0.x to 10.1.x

Upgrading from 10.0.x to 10.1.x introduces an automatic File System Consistency Check (FSCK). This disk integrity check runs every eighth reboot or if the firewall hasn’t been rebooted in over 90 days. Palo Alto Networks TAC can verify the status of this check through root access.

While official documentation estimates the FSCK process to take 60-90 minutes, real-world experience suggests it can take considerably longer, sometimes exceeding 5 hours. The duration directly correlates with the volume of logs stored on the disk. The more log data accumulated, the longer the FSCK process will take. This is an important consideration for planning maintenance windows.

This process is documented in the “Upgrade/Downgrade Considerations for 10.1” for PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls. Consulting this document before initiating the upgrade is highly recommended.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgradedowngrade-considerations

Conclusion

Upgrading an Alto Auto firewall requires careful planning and understanding of the underlying processes. While the auto-commit feature automates many aspects, lengthy RAID rebuilds and FSCK checks can significantly extend the overall upgrade time. Consulting Palo Alto Networks documentation and engaging with TAC for guidance can help mitigate potential issues and ensure a smooth upgrade process. Understanding the potential time commitment for these procedures is crucial for minimizing disruption to network operations.
