Upgrade the CN-Series firewalls in your Kubernetes cluster.
Where Can I Use
What Do I Need?
CN-Series 10.1.x or above Container Images
running PAN-OS 10.1.x or above
The CN-MGMT pods (management plane) and the
CN-NGFW pods (data plane) must always be on the same PAN-OS version. There
are two ways to upgrade or downgrade your CN-Series firewall deployment.
For either method, you must schedule the upgrade or downgrade during
a planned maintenance window.
—You can upgrade the CN-Series from PAN-OS 10.1.x to 10.2.x, 11.0.x. You can
also upgrade from 10.2.x to 11.0.x. However, you cannot upgrade the CN-Series
from PAN-OS 10.0.x to PAN-OS 10.1.x or 10.2.x; instead, you must redeploy the
CN-Series. Additionally, you cannot upgrade directly from a CN-Series as a
DaemonSet deployment to a CN-Series as a Service deployment. You must redeploy
the CN-Series to move from one deployment method to another.
your existing CN-Series firewall deployment and replace the existing
deployment completely. In this workflow, you must plan for a longer
maintenance window because all the firewalls will be offline at
the same time, and all the secured application traffic will be impacted
until the firewalls pods are up again.
and Rolling update with Additional CN-MGMT StatefulSet methods create
a new serial number for the CN-MGMT pods, and you must install the
dynamic content updates for
the subscriptions you have purchased. Review the Release Notes for
the PAN-OS version to verify the minimum content version that is
required and install it on the CN-MGMT pods.