Upgrade the CN-Series Firewall—Redeploy
Focus
Focus
CN-Series

Upgrade the CN-Series Firewall—Redeploy

Table of Contents

Upgrade the CN-Series Firewall—Redeploy

Delete and remove your PVs before you redeploy your CN-Series firewalls to a different version.
Where Can I Use This?What Do I Need?
  • CN-Series upgrade
  • CN-Series deployment
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
This option enables you to deploy the CN-Series firewalls afresh with an updated PAN-OS version (upgrade or downgrade to a supported PAN-OS version). This workflow is the simpler of the two options although it requires a little more downtime.
  1. Delete the Existing CN-Series Firewall Deployment
  2. Update the CN-Series Docker Images
  3. Deploy the CN-Series Firewalls
Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version.
  • PAN-OS 10.1.2 or later requires YAML 2.0.2
  • PAN-OS 10.1.0 and 10.1.1 require YAML 2.0.0 or 2.0.1

Delete the Existing CN-Series Firewall Deployment

  1. Delete the existing CN-MGMT and CN-NGFW pods.
    1. kubectl delete -f pan-cn-mgmt.yaml
    2. kubectl delete -f pan-cn-ngfw.yaml
  2. Verify that the pods are deleted.
    1. kubectl get pods -n kube-system -l app=pan-mgmt
    2. kubectl get pods -n kube-system -l app=pan-ngfw
  3. Delete the existing persistent volume claims (PVCs) and persistent volumes (PVs)
    1. Use kubectl -n kube-system get pvc -l appname=pan-mgmt-sts to find all the PVCs and PVs associated with the pan-cn-mgmt.yaml.
      pan-mgmt-sts is the default appname selector for the CN-MGMT pods. If you modified the yaml to specify a different name, you must replace the appname to match. The following is a sample output from EKS:
      NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
      panconfig-pan-mgmt-sts-0 Bound pvc-<id> 8Gi RWO gp2 15h
      panconfig-pan-mgmt-sts-1 Bound pvc-<id> 8Gi RWO gp2 15h
      panlogs-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      panlogs-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      panplugincfg-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15
      panplugincfg-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15
      panplugins-pan-mgmt-sts-0 Bound pvc-<id> 1Gi RWO gp2 15h
      panplugins-pan-mgmt-sts-1 Bound pvc-<id> 1Gi RWO gp2 15h
      varcores-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      varcores-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      varlogpan-pan-mgmt-sts-0 Bound pvc-<id> 20Gi RWO gp2 15h
      varlogpan-pan-mgmt-sts-1 Bound pvc-<id> 20Gi RWO gp2 15h
      • For statically provisioned PVs, to delete the PVs (typically used on-premises deployments) you must explicitly delete the pan-cn-pv-local.yaml file and the directories that contain data on each node which hosts the CN-MGMT pods.
        Use the command rm -rf /mnt/pan-local1/* for deleting the PVs for pan-local 1 through 6.
      • For dynamically provisioned PVs, such as on the Managed Services/Cloud Platforms, when you delete the PVCs, the PVs are automatically deleted.

Update the CN-Series Docker Images

  1. Upload the new images, for the version to which you want to upgrade, to the container registry.
  2. Update the image and image path on the CN-MGMT and CN-NGFW yaml files.
    Image path for the CN-NGFW container image in the pan-cn-ngfw.yaml
    containers: - name: pan-ngfw-container image: <your-private-registry-image-path>
    Image path for the CN-MGMT container image in the pan-cn-mgmt.yaml
    Image Path for the CN-MGMT image containers: - name: pan-mgmt image: <your-private-registry-image-path>
  3. Required only if the images are updated for the PAN-OS version Update the init container and pan-cni images.
    Image path for the Init container image in the pan-cn-mgmt.yaml for the CN-MGMT firewall
    initContainers: - name: pan-mgmt-init image: <your-private-registry-image-path>
    Image path for the PAN-CNI container image in the pan-cni.yaml.
    containers: name: install-pan-cni image: <your-private-registry-image-path>

Deploy the CN-Series Firewalls

For details on the YAML files and information on the set up, see editable parameters in CN-Series deployment yaml files and CN-Series deployment prerequisites.
The pan-cn-mgmt.yaml and pan-cn-ngfw.yaml are required to redeploy the CN-Series firewall, and you need to redeploy other yaml files only if you have changes. When deploying, begin with the pan-cni.yaml, pan-cn-mgmt.yaml and the last file you deploy is the pan-cn-ngfw.yaml.
  1. Deploy the yaml files.
    1. Only required if you made changes, to these files:
      kubectl apply -f pan-cn-mgmt-configmap.yaml
      kubectl apply -f pan-cn-mgmt-secret.yaml
      kubectl apply -f pan-cn-mgmt-slot-cr.yaml
      kubectl apply -f pan-cn-mgmt-slot-crd.yaml
      kubectl apply -f pan-cn-ngfw-configmap.yaml
      kubectl apply -f pan-cn-ngfw-svc.yaml
      kubectl apply -f pan-cn-storage-class.yaml
      kubectl apply -f pan-cni-configmap.yaml
      kubectl apply -f pan-cni-serviceaccount.yaml
      kubectl apply -f plugin-serviceaccount.yaml
      kubectl apply -f pan-mgmt-serviceaccount.yaml
    2. Only required if you have statically provisioned PVs:
      kubectl apply -f pan-cn-pv-local.yaml
    3. Only required if you modified the pan-cni.yaml:
      kubectl apply -f pan-cni.yaml
      This command triggers a rolling update, and the pan-cni daemonset is updated on one node at a time.
      The cni takes 30-45 seconds to restart and become available on a node. During this restart, there is no impact to the applications and CN-NGFW pods that are running. Traffic from any new application pods that start on a node in this period are not be secured by the CN-NGFW pod.
    4. kubectl apply -f pan-cn-mgmt.yaml
    5. kubectl apply -f pan-cn-ngfw.yaml
  2. Get the Serial Number for the CN-MGMT pods.
    kubectl exec -it pan-mgmt-sts-0 -n kube-system -- su admin
    Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.admin@pan-mgmt-sts-0>
  3. Install the dynamic content updates for the subscriptions you have purchased.
    You can either install it manually or set up a schedule. Verify the serial numbers of the CN-MGMT pods when selecting them for the dynamic updates.
    or on a recurring schedule.