Upgrade the CN-Series Firewall—Redeploy
Delete and remove your PVs before you redeploy your CN-Series
firewalls to a different version.
This option enables you to deploy the CN-Series
firewalls afresh with an updated PAN-OS version (upgrade or downgrade
to a supported PAN-OS version). This workflow is the simpler of
the two options although it requires a little more downtime.
Before you begin, ensure the
CN-Series YAML file version is compatible with the PAN-OS version.
- PAN-OS 10.1.2 or later requires YAML 2.0.2
- PAN-OS 10.1.0 and 10.1.1 require YAML 2.0.0 or 2.0.1
Delete the Existing CN-Series Firewall Deployment
- Delete the existing CN-MGMT and CN-NGFW pods.
- kubectl delete -f pan-cn-mgmt.yaml
- kubectl delete -f pan-cn-ngfw.yaml
- Verify that the pods are deleted.
- kubectl get pods -n kube-system -l app=pan-mgmt
- kubectl get pods -n kube-system -l app=pan-ngfw
- Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs)
- Use kubectl -n kube-system get pvc -l appname=pan-mgmt-sts to find all the PVCs and PVs associated with the pan-cn-mgmt.yaml. pan-mgmt-sts is the default appname selector for the CN-MGMT pods. If you modified the yaml to specify a different name, you must replace the appname to match. The following is a sample output from EKS:
    NAME                          STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    panconfig-pan-mgmt-sts-0      Bound    pvc-<id>   8Gi        RWO            gp2            15h
    panconfig-pan-mgmt-sts-1      Bound    pvc-<id>   8Gi        RWO            gp2            15h
    panlogs-pan-mgmt-sts-0        Bound    pvc-<id>   20Gi       RWO            gp2            15h
    panlogs-pan-mgmt-sts-1        Bound    pvc-<id>   20Gi       RWO            gp2            15h
    panplugincfg-pan-mgmt-sts-0   Bound    pvc-<id>   1Gi        RWO            gp2            15h
    panplugincfg-pan-mgmt-sts-1   Bound    pvc-<id>   1Gi        RWO            gp2            15h
    panplugins-pan-mgmt-sts-0     Bound    pvc-<id>   1Gi        RWO            gp2            15h
    panplugins-pan-mgmt-sts-1     Bound    pvc-<id>   1Gi        RWO            gp2            15h
    varcores-pan-mgmt-sts-0       Bound    pvc-<id>   20Gi       RWO            gp2            15h
    varcores-pan-mgmt-sts-1       Bound    pvc-<id>   20Gi       RWO            gp2            15h
    varlogpan-pan-mgmt-sts-0      Bound    pvc-<id>   20Gi       RWO            gp2            15h
    varlogpan-pan-mgmt-sts-1      Bound    pvc-<id>   20Gi       RWO            gp2            15h
- For statically provisioned PVs (typically used in on-premises deployments), you must explicitly delete the PVs defined in the pan-cn-pv-local.yaml file and the directories that contain data on each node that hosts the CN-MGMT pods. Use the command rm -rf /mnt/pan-local1/* to delete the data for pan-local1, and repeat for pan-local2 through pan-local6.
- For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms, when you delete the PVCs, the PVs are automatically deleted.
Update the CN-Series Docker Images
- Upload the new images, for the version to which you want to upgrade, to the container registry.
- Update the image and image path in the CN-MGMT and CN-NGFW yaml files.
  Image path for the CN-NGFW container image in the pan-cn-ngfw.yaml:
    containers:
      - name: pan-ngfw-container
        image: <your-private-registry-image-path>
  Image path for the CN-MGMT container image in the pan-cn-mgmt.yaml:
    containers:
      - name: pan-mgmt
        image: <your-private-registry-image-path>
- Required only if the images are updated for the PAN-OS version: update the init container and pan-cni images.
  Image path for the init container image in the pan-cn-mgmt.yaml for the CN-MGMT firewall:
    initContainers:
      - name: pan-mgmt-init
        image: <your-private-registry-image-path>
  Image path for the PAN-CNI container image in the pan-cni.yaml:
    containers:
      - name: install-pan-cni
        image: <your-private-registry-image-path>
Deploy the CN-Series Firewalls
For details on the YAML files and information
on the set up, see Editable Parameters in CN-Series Deployment YAML Files and CN-Series Prerequisites.
The pan-cn-mgmt.yaml and pan-cn-ngfw.yaml are required to redeploy the CN-Series
firewall; you need to redeploy the other yaml files only if you
have changed them. When deploying, apply the pan-cni.yaml first, then the pan-cn-mgmt.yaml,
and apply the pan-cn-ngfw.yaml last.
- Deploy the yaml files.
- Only required if you made changes to these files:
    kubectl apply -f pan-cn-mgmt-configmap.yaml
    kubectl apply -f pan-cn-mgmt-secret.yaml
    kubectl apply -f pan-cn-mgmt-slot-cr.yaml
    kubectl apply -f pan-cn-mgmt-slot-crd.yaml
    kubectl apply -f pan-cn-ngfw-configmap.yaml
    kubectl apply -f pan-cn-ngfw-svc.yaml
    kubectl apply -f pan-cn-storage-class.yaml
    kubectl apply -f pan-cni-configmap.yaml
    kubectl apply -f pan-cni-serviceaccount.yaml
    kubectl apply -f plugin-serviceaccount.yaml
    kubectl apply -f pan-mgmt-serviceaccount.yaml
- Only required if you have statically provisioned PVs:
    kubectl apply -f pan-cn-pv-local.yaml
- Only required if you modified the pan-cni.yaml:
    kubectl apply -f pan-cni.yaml
  This command triggers a rolling update, and the pan-cni daemonset is updated on one node at a time. The CNI takes 30-45 seconds to restart and become available on a node. During this restart, there is no impact to the applications and CN-NGFW pods that are already running. Traffic from any new application pods that start on a node during this period is not secured by the CN-NGFW pod.
- kubectl apply -f pan-cn-mgmt.yaml
- kubectl apply -f pan-cn-ngfw.yaml
- Get the serial number for the CN-MGMT pods.
    kubectl exec -it pan-mgmt-sts-0 -n kube-system -- su admin
    Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
    admin@pan-mgmt-sts-0>
- Install the dynamic content updates for the subscriptions you have purchased. You can either install them manually or set up a recurring schedule. Verify the serial numbers of the CN-MGMT pods when selecting them for the dynamic updates.
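Two pre-flight helpers for the redeploy workflow above, added here as example code (not Palo Alto Networks' own tooling): a check that the CN-Series YAML version matches the PAN-OS version per the rules at the top of this page, and a wait loop that refuses to continue until the old CN-MGMT PVCs are really gone, so the new StatefulSet cannot rebind stale volumes. It assumes the page's defaults (namespace kube-system, selector appname=pan-mgmt-sts) and covers only the 10.1.x releases the page lists; the PVC listing used for the demo is a constructed sample.

```shell
#!/bin/sh
# Example pre-flight helpers for the CN-Series redeploy (not vendor tooling).
# Assumes namespace kube-system and the default appname=pan-mgmt-sts selector.

# Return 0 when the CN-Series YAML version is supported for the PAN-OS version,
# per the compatibility rules on this page (only 10.1.x releases are covered;
# anything else is treated as unknown and rejected).
yaml_compatible() {
  panos="$1"; yaml="$2"
  case "$panos" in
    10.1.0|10.1.1)
      case "$yaml" in 2.0.0|2.0.1) return 0 ;; esac ;;
    10.1.*)
      [ "$yaml" = "2.0.2" ] && return 0 ;;
  esac
  return 1
}

# Count the PVCs listed in "kubectl get pvc" output read on stdin. The header
# line is skipped; an empty listing (no resources found) yields 0.
remaining_pvcs() {
  awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Poll the cluster until no CN-MGMT PVCs remain or "$1" seconds have passed.
# Applying pan-cn-mgmt.yaml while the old PVCs still exist would let the new
# StatefulSet pods rebind the stale volumes instead of starting fresh.
wait_for_pvc_cleanup() {
  limit="$1"; waited=0
  while [ "$(kubectl -n kube-system get pvc -l appname=pan-mgmt-sts 2>/dev/null | remaining_pvcs)" -gt 0 ]; do
    if [ "$waited" -ge "$limit" ]; then
      echo "CN-MGMT PVCs still present after ${limit}s; not redeploying" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
  return 0
}

# Constructed sample of a PVC listing, shaped like the EKS output above.
SAMPLE_PVC_OUTPUT='NAME                      STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
panconfig-pan-mgmt-sts-0  Bound    pvc-<id>   8Gi        RWO            gp2            15h
panlogs-pan-mgmt-sts-0    Bound    pvc-<id>   20Gi       RWO            gp2            15h'

# Stand-alone demo: check one version pair, then count PVCs in the sample.
if yaml_compatible 10.1.2 2.0.2; then echo "PAN-OS 10.1.2 with YAML 2.0.2: compatible"; fi
printf '%s\n' "$SAMPLE_PVC_OUTPUT" | remaining_pvcs   # prints 2
```

In a live run, call wait_for_pvc_cleanup 300 after the kubectl delete steps and only apply pan-cn-mgmt.yaml when it returns 0.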