Upgrade the CN-Series Firewall

Upgrade the CN-Series firewalls in your Kubernetes cluster.
The CN-MGMT pods (management plane) and the CN-NGFW pods (data plane) must always be on the same PAN-OS version. There are two ways to upgrade or downgrade your CN-Series firewall deployment. For either method, you must schedule the upgrade or downgrade during a planned maintenance window.
  • Delete your existing CN-Series firewall deployment and replace the existing deployment completely. In this workflow, you must plan for a longer maintenance window because all the firewalls will be offline at the same time, and all the secured application traffic will be impacted until the firewall pods are up again.
  • Use the new version to deploy a new CN-MGMT statefulset and service in the cluster, so that two pairs of CN-MGMT pods run simultaneously while you perform a rolling upgrade of the CN-NGFW pods on each node. When a CN-NGFW pod is upgraded, it registers to the new CN-MGMT pods. When the process completes for all secured nodes in your cluster, you can delete the old CN-MGMT statefulset and service.
Both these methods create a new serial number for the CN-MGMT pods, and you must install the dynamic content updates for the subscriptions you have purchased. Review the Release Notes for the PAN-OS version to verify the minimum content version that is required and install it on the CN-MGMT pods.
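The following added example (not Palo Alto Networks code) checks rolling-upgrade progress from `kubectl get pods -o json` output: it reports nodes whose CN-NGFW pod is still on the old version, nodes whose CN-NGFW pod has no CN-MGMT pod on the same version, and whether the old CN-MGMT statefulset can be deleted. The label key `app`, the values `cn-mgmt` and `cn-ngfw`, the image names, and the `X.Y.n` version tags are assumptions; substitute the labels and tags used in your deployment.

```python
import json

def make_pod(name, role, node, tag):
    # Builds one constructed pod record; label key "app" and image name are assumptions.
    return {"metadata": {"name": name, "labels": {"app": role}},
            "spec": {"nodeName": node,
                     "containers": [{"image": f"registry.example/{role}:{tag}"}]}}

# Constructed mid-upgrade state: old and new CN-MGMT pairs coexist,
# node-a has been upgraded, node-b has not.
SAMPLE = json.dumps({"items": [
    make_pod("cn-mgmt-old-0", "cn-mgmt", "node-a", "X.Y.1"),
    make_pod("cn-mgmt-old-1", "cn-mgmt", "node-b", "X.Y.1"),
    make_pod("cn-mgmt-new-0", "cn-mgmt", "node-a", "X.Y.2"),
    make_pod("cn-mgmt-new-1", "cn-mgmt", "node-b", "X.Y.2"),
    make_pod("cn-ngfw-aaaa", "cn-ngfw", "node-a", "X.Y.2"),
    make_pod("cn-ngfw-bbbb", "cn-ngfw", "node-b", "X.Y.1"),
]})

def image_tag(pod):
    """Return the tag of the pod's first container image ('' if untagged)."""
    image = pod["spec"]["containers"][0]["image"]
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    return last.split(":", 1)[1] if ":" in last else ""

def upgrade_status(pods_json, target):
    """Summarise rolling-upgrade progress for the target version tag."""
    items = json.loads(pods_json)["items"]
    role = lambda p: p["metadata"].get("labels", {}).get("app")
    mgmt = {image_tag(p) for p in items if role(p) == "cn-mgmt"}
    pending, orphaned = [], []
    for p in items:
        if role(p) != "cn-ngfw":
            continue
        tag, node = image_tag(p), p["spec"]["nodeName"]
        if tag not in mgmt:
            orphaned.append(node)            # no CN-MGMT pod on the same version
        elif tag != target:
            pending.append(node)             # data plane still on the old version
    safe = target in mgmt and not pending and not orphaned
    return {"mgmt_versions": sorted(mgmt), "pending_nodes": sorted(pending),
            "orphaned_nodes": sorted(orphaned), "safe_to_delete_old_mgmt": safe}

if __name__ == "__main__":
    print(upgrade_status(SAMPLE, "X.Y.2"))
```

In a live cluster, pass the text of `kubectl get pods -o json` for the firewall namespace instead of `SAMPLE`.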
