Migrate the CN-Series Firewall to PAN-OS 10.2
You can upgrade the CN-Series firewall from PAN-OS 10.1.x to PAN-OS 10.2.x. However, there is no direct upgrade path for the CN-Series when going from PAN-OS 10.0 to PAN-OS 10.2. Instead, you must delete your existing CN-Series firewall deployment and then redeploy.

Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version. You must ensure that you download the correct combination of files for your CN-Series firewall deployment. For more information, see CN-Series Firewall Image and File Compatibility.

- Delete the existing CN-MGMT and CN-NGFW pods.
  - kubectl delete -f pan-cn-mgmt.yaml
  - kubectl delete -f pan-cn-ngfw.yaml
- Verify that the pods are deleted.
  - kubectl get pods -n kube-system -l app=pan-mgmt
  - kubectl get pods -n kube-system -l app=pan-ngfw
- Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs).
  - Use kubectl -n kube-system get pvc -l appname=pan-mgmt-sts to find all the PVCs and PVs associated with the pan-cn-mgmt.yaml. pan-mgmt-sts is the default appname selector for the CN-MGMT pods. If you modified the YAML to specify a different name, you must replace the appname to match. The following is a sample output from EKS:

        NAME                         STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
        panconfig-pan-mgmt-sts-0     Bound    pvc-<id>   8Gi        RWO            gp2            15h
        panconfig-pan-mgmt-sts-1     Bound    pvc-<id>   8Gi        RWO            gp2            15h
        panlogs-pan-mgmt-sts-0       Bound    pvc-<id>   20Gi       RWO            gp2            15h
        panlogs-pan-mgmt-sts-1       Bound    pvc-<id>   20Gi       RWO            gp2            15h
        panplugincfg-pan-mgmt-sts-0  Bound    pvc-<id>   1Gi        RWO            gp2            15
        panplugincfg-pan-mgmt-sts-1  Bound    pvc-<id>   1Gi        RWO            gp2            15
        panplugins-pan-mgmt-sts-0    Bound    pvc-<id>   1Gi        RWO            gp2            15h
        panplugins-pan-mgmt-sts-1    Bound    pvc-<id>   1Gi        RWO            gp2            15h
        varcores-pan-mgmt-sts-0      Bound    pvc-<id>   20Gi       RWO            gp2            15h
        varcores-pan-mgmt-sts-1      Bound    pvc-<id>   20Gi       RWO            gp2            15h
        varlogpan-pan-mgmt-sts-0     Bound    pvc-<id>   20Gi       RWO            gp2            15h
        varlogpan-pan-mgmt-sts-1     Bound    pvc-<id>   20Gi       RWO            gp2            15h

  - For statically provisioned PVs (typically used in on-premises deployments), you must explicitly delete the pan-cn-pv-local.yaml file and the directories that contain data on each node that hosts the CN-MGMT pods. Use the command rm -rf /mnt/pan-local1/* for deleting the PVs for pan-local 1 through 6.
  - For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms, when you delete the PVCs, the PVs are automatically deleted.
- Uninstall the Kubernetes Plugin on Panorama to remove your old configuration.
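
To confirm that the PVs behind the CN-MGMT claims really are gone after the PVC step, record the bound volumes before deleting the claims and compare them with the `kubectl get pv` listing afterwards; a volume can outlive its claim, for example when its reclaim policy is Retain. This is an added example, not Palo Alto Networks code: the function names, the `pvs.txt` file name and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code. Sample tables are constructed.
# Live use (selector as in the steps above; the file name is arbitrary):
#   kubectl -n kube-system get pvc -l appname=pan-mgmt-sts | bound_pvs > pvs.txt
#   ...delete the PVCs...
#   kubectl get pv | leftover_pvs pvs.txt

# Read `kubectl get pvc` table output; print "<pvc> <pv>" for Bound claims.
bound_pvs() {
  awk 'NR > 1 && $2 == "Bound" { print $1, $3 }'
}

# Read `kubectl get pv` table output; print recorded PVs that still exist.
# $1 is the file written by bound_pvs.
leftover_pvs() {
  awk 'NR == FNR { want[$2] = 1; next }
       FNR > 1 && ($1 in want) { print $1 }' "$1" -
}

# Constructed PVC listing taken before deletion (one claim is not Bound).
sample_pvc() {
  cat <<'EOF'
NAME                       STATUS    VOLUME             CAPACITY   ACCESS MODES   STORAGECLASS   AGE
panconfig-pan-mgmt-sts-0   Bound     pvc-example-0001   8Gi        RWO            gp2            15h
panlogs-pan-mgmt-sts-0     Bound     pvc-example-0002   20Gi       RWO            gp2            15h
varcores-pan-mgmt-sts-0    Bound     pvc-example-0003   20Gi       RWO            gp2            15h
panlogs-pan-mgmt-sts-1     Pending                                                gp2            1m
EOF
}

# Constructed PV listing taken after the PVCs were deleted.
sample_pv_after() {
  cat <<'EOF'
NAME               CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS     CLAIM                                STORAGECLASS   AGE
pvc-example-0002   20Gi       RWO            Retain           Released   kube-system/panlogs-pan-mgmt-sts-0   gp2            15h
pvc-unrelated-01   5Gi        RWO            Delete           Bound      default/other-app-data               gp2            3d
EOF
}

demo() {
  rec=$(mktemp)
  sample_pvc | bound_pvs > "$rec"
  sample_pv_after | leftover_pvs "$rec"   # PVs that outlived their claims
  rm -f "$rec"
}
demo
```

Any name printed by `leftover_pvs` is a volume that still holds CN-MGMT data and has to be removed before you redeploy.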