There is no direct upgrade path for the CN-Series
when going from PAN-OS 10.0. to PAN-OS 10.1. Instead, you must delete
your existing CN-Series firewall deployment and then redeploy.
Before
you begin, ensure the CN-Series YAML file version is compatible
with the PAN-OS version.
PAN-OS 10.1.2 or later requires
YAML 2.0.2
PAN-OS 10.1.0 and 10.1.1 require YAML 2.0.0 or 2.0.1
Delete the existing CN-MGMT and CN-NGFW pods.
kubectl delete -f pan-cn-mgmt.yaml
kubectl delete -f pan-cn-ngfw.yaml
Verify that the pods are deleted.
kubectl get pods -n kube-system -l app=pan-mgmt
kubectl get pods -n kube-system -l app=pan-ngfw
Delete the existing persistent volume claims (PVCs) and
persistent volumes (PVs)
Use
kubectl -n kube-system get pvc -l appname=pan-mgmt-sts
to
find all the PVCs and PVs associated with the pan-cn-mgmt.yaml.
pan-mgmt-sts
is the default appname
selector for the CN-MGMT pods. If you modified the yaml to specify
a different name, you must replace the appname to match. The following
is a sample output from EKS:
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
For statically provisioned PVs, to delete the PVs (typically
used on-premises deployments) you must explicitly delete the pan-cn-pv-local.yaml
file and the directories that contain data on each node which hosts
the CN-MGMT pods.
Use the command
rm -rf /mnt/pan-local1/*
for
deleting the PVs for pan-local 1 through 6.
For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms,
when you delete the PVCs, the PVs are automatically deleted.