Migrate the CN-Series Firewall

Where Can I Use This?
  • CN-Series upgrade
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
You can upgrade the CN-Series firewall from PAN-OS 10.1.x to PAN-OS 10.2.x, 11.0.x, or 11.1.x. You can also upgrade the CN-Series firewall from PAN-OS 10.2.x to 11.0.x or 11.1.x. However, there is no direct upgrade path for the CN-Series when going from PAN-OS 10.0 to PAN-OS 10.2. Instead, you must delete your existing CN-Series firewall deployment and then redeploy.
Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version.
You must ensure that you download the correct combination of files for your CN-Series firewall deployment. For more information, see CN-Series Firewall Image and File Compatibility.
  1. Delete the existing CN-MGMT and CN-NGFW pods.
    1. kubectl delete -f pan-cn-mgmt.yaml
    2. kubectl delete -f pan-cn-ngfw.yaml
  2. Verify that the pods are deleted.
    1. kubectl get pods -n kube-system -l app=pan-mgmt
    2. kubectl get pods -n kube-system -l app=pan-ngfw
  3. Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs).
    1. Use kubectl -n kube-system get pvc -l appname=pan-mgmt-sts to find all the PVCs and PVs associated with the pan-cn-mgmt.yaml.
      pan-mgmt-sts is the default appname selector for the CN-MGMT pods. If you modified the YAML file to specify a different name, you must replace the appname in the command to match. The following is a sample output from EKS:
      NAME                          STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
      panconfig-pan-mgmt-sts-0      Bound    pvc-<id>   8Gi        RWO            gp2            15h
      panconfig-pan-mgmt-sts-1      Bound    pvc-<id>   8Gi        RWO            gp2            15h
      panlogs-pan-mgmt-sts-0        Bound    pvc-<id>   20Gi       RWO            gp2            15h
      panlogs-pan-mgmt-sts-1        Bound    pvc-<id>   20Gi       RWO            gp2            15h
      panplugincfg-pan-mgmt-sts-0   Bound    pvc-<id>   1Gi        RWO            gp2            15
      panplugincfg-pan-mgmt-sts-1   Bound    pvc-<id>   1Gi        RWO            gp2            15
      panplugins-pan-mgmt-sts-0     Bound    pvc-<id>   1Gi        RWO            gp2            15h
      panplugins-pan-mgmt-sts-1     Bound    pvc-<id>   1Gi        RWO            gp2            15h
      varcores-pan-mgmt-sts-0       Bound    pvc-<id>   20Gi       RWO            gp2            15h
      varcores-pan-mgmt-sts-1       Bound    pvc-<id>   20Gi       RWO            gp2            15h
      varlogpan-pan-mgmt-sts-0      Bound    pvc-<id>   20Gi       RWO            gp2            15h
      varlogpan-pan-mgmt-sts-1      Bound    pvc-<id>   20Gi       RWO            gp2            15h
      • For statically provisioned PVs (typically used in on-premises deployments), you must explicitly delete the pan-cn-pv-local.yaml file and the directories that contain data on each node that hosts the CN-MGMT pods.
        Use the command rm -rf /mnt/pan-local1/* to delete the PV data, repeating it for pan-local 1 through 6.
      • For dynamically provisioned PVs, such as on managed services or cloud platforms, the PVs are automatically deleted when you delete the PVCs.
  4. Uninstall the Kubernetes Plugin on Panorama to remove your old configuration.
  5. Upgrade Panorama.
  6. Install the Kubernetes plugin for CN-Series.
  7. Deploy the CN-Series firewall.
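
The checks in steps 1 through 3, as an added shell example that is not from Palo Alto Networks: it confirms the pods are gone, records which PV backs each PVC, and prints the delete commands for review instead of running them. The function names and the sample table are constructed for illustration; the namespace and label selectors are the ones this page uses.

```shell
#!/bin/sh
# Added example, not vendor code. NS and SELECTOR are the defaults named on this
# page; change SELECTOR if you renamed appname in pan-cn-mgmt.yaml.
NS=kube-system
SELECTOR=appname=pan-mgmt-sts

# Constructed sample of `kubectl get pvc` output (volume IDs are made up).
sample_pvc_table() {
cat <<'EOF'
NAME                       STATUS    VOLUME       CAPACITY   ACCESS MODES   STORAGECLASS   AGE
panconfig-pan-mgmt-sts-0   Bound     pvc-aaaa01   8Gi        RWO            gp2            15h
panlogs-pan-mgmt-sts-0     Bound     pvc-aaaa02   20Gi       RWO            gp2            15h
varcores-pan-mgmt-sts-0    Pending                                          gp2            15h
EOF
}

# stdin: `kubectl get pvc` table. stdout: "PVC PV" for every Bound claim.
pvc_to_pv() {
    awk 'NR > 1 && $2 == "Bound" { print $1, $3 }'
}

# stdin: `kubectl get pvc` table. stdout: delete commands, for review before running.
delete_plan() {
    awk -v ns="$NS" 'NR > 1 && NF { printf "kubectl -n %s delete pvc %s\n", ns, $1 }'
}

# $1: recorded "PVC PV" pairs. stdin: `kubectl get pv -o name` after the PVC deletion.
# stdout: recorded PVs that still exist and need the manual cleanup from step 3.
leftover_pvs() {
    remaining=$(cat)
    printf '%s\n' "$1" | while read -r _pvc pv; do
        [ -n "$pv" ] || continue
        if printf '%s\n' "$remaining" | grep -Fqx "persistentvolume/$pv"; then
            echo "$pv"
        fi
    done
}

# Live use: pass --live. Read-only: prints the mapping and the plan, deletes nothing.
if [ "${1:-}" = "--live" ]; then
    for app in pan-mgmt pan-ngfw; do
        pods=$(kubectl get pods -n "$NS" -l "app=$app" -o name)
        [ -z "$pods" ] || { echo "pods still present: $pods" >&2; exit 1; }
    done
    table=$(kubectl -n "$NS" get pvc -l "$SELECTOR")
    printf '%s\n' "$table" | pvc_to_pv
    printf '%s\n' "$table" | delete_plan
fi
```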