1. Home
    2. CN-Series
    3. CN-Series Deployment Guide
    4. Upgrade the CN-Series Firewall

    Upgrade the CN-Series Firewall

    Upgrade the CN-Series firewalls in your Kubernetes cluster.
    The CN-MGMT pods (management plane) and the CN-NGFW pods (data plane) must always be on the same PAN-OS version. There are two ways to upgrade or downgrade your CN-Series firewall deployment. For either method, you must schedule the upgrade or downgrade during a planned maintenance window.
    • —Delete your existing CN-Series firewall deployment and replace the existing deployment completely. In this workflow, you must plan for a longer maintenance window because all the firewalls will be offline at the same time, and all the secured application traffic will be impacted until the firewalls pods are up again.
    • —Use the new version to deploy a new CN-MGMT statefulset and service in the cluster, so you have two pairs of CN-MGMT pods running simultaneously while you perform a rolling upgrade of the CN-NGFW pods on each node. When the CN-NGFW pod is upgraded it registers to the new CN-MGMT pods and when the process completes for all secured nodes in your cluster, you can delete the old CN-MGMT statefulset and service in the cluster.
    Both these methods create a new serial number for the CN-MGMT pods, and you must install the dynamic content updates for the subscriptions you have purchased. Review the Release Notes for the PAN-OS version to verify the minimum content version that is required and install it on the CN-MGMT pods.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo