Delete and remove your PVs before you redeploy your CN-Series
firewalls to a different version.
Where Can I Use
What Do I Need?
CN-Series 10.1.x or above Container Images
running PAN-OS 10.1.x or above
This option enables you to deploy the CN-Series
firewalls afresh with an updated PAN-OS version (upgrade or downgrade
to a supported PAN-OS version). This workflow is the simpler of
the two options although it requires a little more downtime.
For statically provisioned PVs (typically used in on-premises deployments),
you must explicitly delete the pan-cn-pv-local.yaml
file and the directories that contain data on each node that hosts
the CN-MGMT pods.
Use the command
rm -rf /mnt/pan-local1/*
to delete the PVs for pan-local 1 through 6.
For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms,
when you delete the PVCs, the PVs are automatically deleted.
Update the CN-Series Docker Images
Upload the new images, for the version to which
you want to upgrade, to the container registry.
pan-cn-mgmt.yaml and pan-cn-ngfw.yaml are required to redeploy the CN-Series
firewall; you need to redeploy the other yaml files only if you
have changed them. When deploying, begin with pan-cni.yaml, then pan-cn-mgmt.yaml,
and deploy pan-cn-ngfw.yaml last.
Deploy the yaml files.
Only required if you made changes to these files:
kubectl apply -f pan-cn-mgmt-configmap.yaml
kubectl apply -f pan-cn-mgmt-secret.yaml
kubectl apply -f pan-cn-mgmt-slot-cr.yaml
kubectl apply -f pan-cn-mgmt-slot-crd.yaml
kubectl apply -f pan-cn-ngfw-configmap.yaml
kubectl apply -f pan-cn-ngfw-svc.yaml
kubectl apply -f pan-cn-storage-class.yaml
kubectl apply -f pan-cni-configmap.yaml
kubectl apply -f pan-cni-serviceaccount.yaml
kubectl apply -f plugin-serviceaccount.yaml
kubectl apply -f pan-mgmt-serviceaccount.yaml
Only required if you have statically provisioned PVs:
kubectl apply -f pan-cn-pv-local.yaml
Only required if you modified the pan-cni.yaml:
kubectl apply -f pan-cni.yaml
This command triggers a rolling update, and the pan-cni daemonset is
updated on one node at a time.
The CNI takes 30-45 seconds
to restart and become available on a node. During this restart,
there is no impact to the applications and CN-NGFW pods that are
running. Traffic from any new application pods that start on a node
in this period is not secured by the CN-NGFW pod.
kubectl apply -f pan-cn-mgmt.yaml
kubectl apply -f pan-cn-ngfw.yaml
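The apply order above as a shell helper. This is an added example, not Palo Alto Networks code: the manifest names come from this page, while the function names and the STATIC_PV and APPLY variables are assumptions. It lists the slot CRD before the slot CR so that the definition exists before the resource that uses it.

```shell
#!/bin/sh
# Added example, not vendor code. Manifest names come from the page; the
# function names and the STATIC_PV / APPLY variables are assumptions.

# Manifests that are re-applied only when changed. The slot CRD is placed
# before the slot CR so the definition exists before the resource.
OPTIONAL="pan-cn-mgmt-configmap.yaml pan-cn-mgmt-secret.yaml \
pan-cn-mgmt-slot-crd.yaml pan-cn-mgmt-slot-cr.yaml \
pan-cn-ngfw-configmap.yaml pan-cn-ngfw-svc.yaml pan-cn-storage-class.yaml \
pan-cni-configmap.yaml pan-cni-serviceaccount.yaml \
plugin-serviceaccount.yaml pan-mgmt-serviceaccount.yaml"

# redeploy_plan [changed-manifest ...]
# Prints one manifest per line, in apply order. An unknown name is an error,
# so a typo cannot silently drop a changed file from the rollout.
redeploy_plan() {
    for f in "$@"; do
        case " $OPTIONAL pan-cni.yaml " in
            *" $f "*) ;;
            *) echo "not an optional CN-Series manifest: $f" >&2; return 1 ;;
        esac
    done
    for m in $OPTIONAL; do
        case " $* " in *" $m "*) echo "$m" ;; esac
    done
    # Statically provisioned PVs were deleted before the redeploy: recreate.
    if [ "${STATIC_PV:-0}" = 1 ]; then echo pan-cn-pv-local.yaml; fi
    # pan-cni.yaml triggers a rolling daemonset update, so only when modified.
    case " $* " in *" pan-cni.yaml "*) echo pan-cni.yaml ;; esac
    echo pan-cn-mgmt.yaml   # always required
    echo pan-cn-ngfw.yaml   # always required, always last
}

# redeploy [changed-manifest ...]
# Dry run by default (prints the commands). APPLY=1 runs them and stops at
# the first failure, so pan-cn-ngfw.yaml is never applied after a failed step.
redeploy() {
    plan=$(redeploy_plan "$@") || return 1
    for m in $plan; do
        if [ "${APPLY:-0}" = 1 ]; then
            kubectl apply -f "$m" || return 1
        else
            echo "kubectl apply -f $m"
        fi
    done
}

# Dry run: a changed configmap plus a modified pan-cni.yaml.
APPLY=0 redeploy pan-cn-mgmt-configmap.yaml pan-cni.yaml
```

Review the dry-run output first, then rerun with APPLY=1 and, for statically provisioned PVs, STATIC_PV=1.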
Get the Serial Number for the CN-MGMT pods.
kubectl exec -it pan-mgmt-sts-0 -n kube-system -- su admin
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@pan-mgmt-sts-0>
Install the dynamic content updates for the subscriptions
you have purchased.
You can either install it manually or set up a schedule. Verify the serial
numbers of the CN-MGMT pods when selecting them for the dynamic