Upgrade the CN-Series firewalls in your Kubernetes cluster.
The CN-MGMT pods (management plane) and the
CN-NGFW pods (data plane) must always be on the same PAN-OS version.
There are two ways to upgrade or downgrade your CN-Series firewall
deployment. For either method, you must schedule the upgrade or
downgrade during a planned maintenance window.
your existing CN-Series firewall deployment and replace the existing
deployment completely. In this workflow, you must plan for a longer
maintenance window because all the firewalls will be offline at
the same time, and all the secured application traffic will be impacted
until the firewall pods are up again.
new version to deploy a new CN-MGMT statefulset and service in the
cluster, so you have two pairs of CN-MGMT pods running simultaneously
while you perform a rolling upgrade of the CN-NGFW pods on each
node. When the CN-NGFW pod is upgraded, it registers to the new CN-MGMT
pods, and when the process completes for all secured nodes in your
cluster, you can delete the old CN-MGMT statefulset and service
in the cluster.
Both these methods create a new serial
number for the CN-MGMT pods, and you must install the dynamic content updates for
the subscriptions you have purchased. Review the Release Notes for
the PAN-OS version to verify the minimum content version that is required
and install it on the CN-MGMT pods.
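
The rolling upgrade described above ends with deleting the old CN-MGMT statefulset, which is only safe once every CN-NGFW pod runs the new version. The following check is an added example, not Palo Alto Networks code. It assumes input shaped like `kubectl get pods -o json`, a hypothetical `role` label on the pods, and an image tag that identifies the PAN-OS version; pod names, node names, the registry name and the `OLD_VERSION`/`NEW_VERSION` tags are constructed placeholders.

```python
# Added example: gate deletion of the old CN-MGMT statefulset on rollout state.
# Assumptions: pods carry a hypothetical "role" label (cn-mgmt / cn-ngfw) and
# the container image tag identifies the PAN-OS version.

def image_tag(pod):
    """Return the tag of the pod's first container image."""
    last = pod["spec"]["containers"][0]["image"].rsplit("/", 1)[-1]
    return last.partition(":")[2] or "untagged"

def upgrade_status(pod_list, target):
    """Return (nodes still pending, CN-MGMT versions seen, safe to delete old)."""
    mgmt_versions, pending = set(), []
    for pod in pod_list["items"]:
        role = pod["metadata"].get("labels", {}).get("role")
        tag = image_tag(pod)
        if role == "cn-mgmt":
            mgmt_versions.add(tag)
        elif role == "cn-ngfw":
            # A node is done only when its CN-NGFW pod runs the target version.
            if tag != target or pod["status"]["phase"] != "Running":
                pending.append(pod["spec"]["nodeName"])
    safe = not pending and target in mgmt_versions
    return sorted(pending), mgmt_versions, safe

def make_pod(name, role, tag, node, phase="Running"):
    """Build a constructed pod record shaped like `kubectl get pods -o json`."""
    return {"metadata": {"name": name, "labels": {"role": role}},
            "spec": {"nodeName": node,
                     "containers": [{"image": f"registry.example/{role}:{tag}"}]},
            "status": {"phase": phase}}

# Constructed sample: mid-rollout, node-b still runs the old CN-NGFW pod.
MID_ROLLOUT = {"items": [
    make_pod("mgmt-old-0", "cn-mgmt", "OLD_VERSION", "node-a"),
    make_pod("mgmt-new-0", "cn-mgmt", "NEW_VERSION", "node-b"),
    make_pod("ngfw-a", "cn-ngfw", "NEW_VERSION", "node-a"),
    make_pod("ngfw-b", "cn-ngfw", "OLD_VERSION", "node-b"),
]}

if __name__ == "__main__":
    pending, mgmt, safe = upgrade_status(MID_ROLLOUT, "NEW_VERSION")
    print("CN-MGMT versions present:", sorted(mgmt))
    print("nodes still to upgrade:", pending)
    print("safe to delete old CN-MGMT statefulset:", safe)
```

Two CN-MGMT versions present at once is expected during the rolling upgrade; the check blocks cleanup only while a node still has a CN-NGFW pod on the old version or not yet running.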