Migrate the CN-Series Firewall to PAN-OS 10.1

There is no direct upgrade path for the CN-Series when going from PAN-OS 10.0 to PAN-OS 10.1. Instead, you must delete your existing CN-Series firewall deployment and then redeploy.
Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version.
  • PAN-OS 10.1.2 or later requires YAML 2.0.2
  • PAN-OS 10.1.0 and 10.1.1 require YAML 2.0.0 or 2.0.1
  1. Delete the existing CN-MGMT and CN-NGFW pods.
    1. kubectl delete -f pan-cn-mgmt.yaml
    2. kubectl delete -f pan-cn-ngfw.yaml
  2. Verify that the pods are deleted.
    1. kubectl get pods -n kube-system -l app=pan-mgmt
    2. kubectl get pods -n kube-system -l app=pan-ngfw
  3. Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs).
    1. Use the following command to find all the PVCs and PVs associated with pan-cn-mgmt.yaml:
      kubectl -n kube-system get pvc -l appname=pan-mgmt-sts
      pan-mgmt-sts is the default appname selector for the CN-MGMT pods. If you modified the YAML to specify a different name, you must replace the appname to match. The following is a sample output from EKS:
      NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
      panconfig-pan-mgmt-sts-0 Bound pvc-<id> 8Gi RWO gp2 15h
      panconfig-pan-mgmt-sts-1 Bound pvc-<id> 8Gi RWO gp2 15h
      panlogs-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      panlogs-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      panplugincfg-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15
      panplugincfg-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15
      panplugins-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15h
      panplugins-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15h
      varcores-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      varcores-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      varlogpan-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      varlogpan-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      • For statically provisioned PVs (typically used in on-premises deployments), you must explicitly delete the pan-cn-pv-local.yaml file and the directories that contain data on each node that hosts the CN-MGMT pods.
        Use the following command to delete the PVs for pan-local 1 through 6:
        rm -rf /mnt/pan-local1/*
      • For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms, when you delete the PVCs, the PVs are automatically deleted.
  4. Uninstall the Kubernetes Plugin on Panorama to remove your old configuration.
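
The following dry-run helper for steps 1 through 3 is an added example, not part of the original procedure or Palo Alto Networks tooling. It refuses to plan PVC deletion while CN-MGMT pods are still listed, and it only emits delete commands for claims whose names end in the appname and an ordinal. The function names, the sample listings, and the kubectl delete pvc commands it prints are assumptions of this example.

```shell
#!/usr/bin/env bash
# Dry-run helper for steps 1-3: prints a plan, never runs kubectl itself.
NS="kube-system"        # namespace used in the steps above
APPNAME="pan-mgmt-sts"  # default appname selector; change it if you renamed it

# Constructed sample of `kubectl -n kube-system get pvc -l appname=pan-mgmt-sts`,
# with one unrelated claim added to show the name filter.
SAMPLE_PVCS='NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
panconfig-pan-mgmt-sts-0 Bound pvc-<id> 8Gi RWO gp2 15h
panconfig-pan-mgmt-sts-1 Bound pvc-<id> 8Gi RWO gp2 15h
panlogs-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
unrelated-data-0 Bound pvc-<id> 5Gi RWO gp2 3d'

# Constructed sample of `kubectl get pods -n kube-system -l app=pan-mgmt`
# taken while a pod is still terminating.
SAMPLE_PODS_LEFT='NAME READY STATUS RESTARTS AGE
pan-mgmt-sts-0 1/1 Terminating 0 15h'

# Count pods still listed on stdin. Empty input means every pod is gone.
pods_remaining() {
  awk '$1 != "NAME" && NF > 0 { n++ } END { print n + 0 }'
}

# Print only PVC names of the form <volume>-<appname>-<ordinal>, so a listing
# taken without the label selector cannot pull in unrelated claims.
mgmt_pvcs() {
  awk -v app="$APPNAME" '$1 != "NAME" && $1 ~ ("-" app "-[0-9]+$") { print $1 }'
}

# Emit the delete plan; return 1 while CN-MGMT pods still exist.
# $1 = text of the pods listing, $2 = text of the PVC listing.
plan_pvc_delete() {
  _left=$(printf '%s\n' "$1" | pods_remaining)
  if [ "$_left" -ne 0 ]; then
    echo "refusing: $_left pod(s) still present, repeat step 2" >&2
    return 1
  fi
  printf '%s\n' "$2" | mgmt_pvcs | sed "s/^/kubectl -n $NS delete pvc /"
}

# Against a live cluster (review the printed plan before running it):
# plan_pvc_delete "$(kubectl get pods -n kube-system -l app=pan-mgmt)" \
#   "$(kubectl -n kube-system get pvc -l appname=pan-mgmt-sts)"
```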
