1. Home
    2. CN-Series
    3. CN-Series Deployment Guide
    4. Upgrade the CN-Series Firewall
    5. Migrate the CN-Series Firewall to PAN-OS 10.1

    Migrate the CN-Series Firewall to PAN-OS 10.1

    There is no direct upgrade path for the CN-Series when going from PAN-OS 10.0. to PAN-OS 10.1. Instead, you must delete your existing CN-Series firewall deployment and then redeploy.
    Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version.
    You must ensure that you download the correct combination of files for your CN-Series firewall deployment. For more information, see CN-Series Firewall Image and File Compatibility.
    1. Delete the existing CN-MGMT and CN-NGFW pods.
      1. kubectl delete -f pan-cn-mgmt.yaml
      2. kubectl delete -f pan-cn-ngfw.yaml
    2. Verify that the pods are deleted.
      1. kubectl get pods -n kube-system -l app=pan-mgmt
      2. kubectl get pods -n kube-system -l app=pan-ngfw
    3. Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs)
      1. Use
        kubectl -n kube-system get pvc -l appname=pan-mgmt-sts
         to find all the PVCs and PVs associated with the pan-cn-mgmt.yaml.
        pan-mgmt-sts
         is the default appname selector for the CN-MGMT pods. If you modified the yaml to specify a different name, you must replace the appname to match. The following is a sample output from EKS:
        NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
        panconfig-pan-mgmt-sts-0 Bound pvc-<id> 8Gi RWO gp2 15h
        panconfig-pan-mgmt-sts-1 Bound pvc-<id> 8Gi RWO gp2 15h
        panlogs-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
        panlogs-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
        panplugincfg-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15
        panplugincfg-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15
        panplugins-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15h
        panplugins-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15h
        varcores-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
        varcores-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
        varlogpan-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
        varlogpan-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
        • For statically provisioned PVs, to delete the PVs (typically used on-premises deployments) you must explicitly delete the pan-cn-pv-local.yaml file and the directories that contain data on each node which hosts the CN-MGMT pods.
          Use the command
          rm -rf /mnt/pan-local1/*
          for deleting the PVs for pan-local 1 through 6.
        • For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms, when you delete the PVCs, the PVs are automatically deleted.
    4. Uninstall the Kubernetes Plugin on Panorama to remove your old configuration.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo