Strata Copilot
    PAN-OS Upgrade Guide
    : Orchestrated Upgrade
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade PAN-OS
    5. Upgrade the Firewall to PAN-OS 11.1 and Later Releases
    6. Upgrade an HA Firewall Pair
    7. Orchestrated Upgrade
    Download PDF

    PAN-OS Upgrade Guide

    Orchestrated Upgrade

    Table of Contents

    Orchestrated Upgrade

    1. (Best Practice) Save a backup of the current configuration file.
      Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.
      Perform these steps on each firewall in the pair:
      1. Select DeviceSetupOperations and click Export named configuration snapshot.
      2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
      3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
    2. (Best Practice) Select DeviceSupport and Generate Tech Support File.
      Click Yes when prompted to generate the tech support file.
    3. (Best Practice) Determine the Upgrade Path to PAN-OS 11.1 and later releases
      Review PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the Release Notes and Upgrade/Downgrade Considerations for each release through which you pass as part of your upgrade path.
    4. (Best Practices) If you are leveraging Strata Logging Service, install the device certificate on each HA peer.
      The firewall automatically switches to using the device certificate for authentication with Strata Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1 or later.
      If you do not install the device certificate prior to upgrade to PAN-OS 11.1 or later, the firewall continues to use the existing logging service certificates for authentication.
    5. Download images to firewalls.
      1. Select PanoramaSoftwareDevice DeploymentActionValidate to view the dependencies.
      2. Download the intermediate and base software images and the required dynamic content.
    6. (Best Practices) Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
      1. Select DeviceHigh Availability and edit the Election Settings.
      2. If enabled, disable (clear) the Preemptive setting and click OK.
      3. Commit the change.
    7. (PAN-OS 12.1.2 and later releases) Initiate orchestrated upgrade on an HA firewall pair running PAN-OS 10.2.x or a later release.
      Before initiating the upgrade, select HA Pair Status to filter for firewalls in a high-availability configuration. This ensures that you are targeting the correct devices for the upgrade.
      When you select HA Upgrade Orchestration, the system automatically enables Group HA Peers and Reboot device after install. This ensures both firewalls are managed as a single entity and all necessary reboots are handled automatically.
      1. Select HA Upgrade Orchestration.
      2. Select the firewall HA pairs that you want to upgrade, and click OK.
      3. A set of recommendations appear.
        Before you continue, review the provided recommendations and best practices. Additionally, you can adjust the following timers as required:
        1. Specify the maximum time within which a single firewall has to complete the software upgrade. Default is 3600 seconds.
        2. Specify the wait time after the HA switchover and before initiating the upgrade on the second firewall. Default is 300 seconds.
        3. Specify the time to wait before the system attempts to start the second firewall in the HA pair. The default is 120 seconds.
      4. Click Continue to start the orchestrated upgrade.
      5. In the Install Software dialog, click View Details to view the status of the upgrade.
    8. After the upgrade completes, re-enable preemption on the HA peer where it was disabled.
      1. Select DeviceHigh Availability and edit the Election Settings.
      2. Enable (check) the Preemptive setting and click OK.
      3. Commit the change.
    9. Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.
      On upgrade to PAN-OS 12.1.2, it is required that all certificates meet the following minimum requirements:
      • RSA 2048 bits or greater, or ECDSA 256 bits or greater
      • Digest of SHA256 or greater
      See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
    10. (Best Practices) Verify that both peers are passing traffic as expected.
      In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
      Run the following CLI commands to confirm that the upgrade succeeded:
      • (Active peers only) To verify that active peers are passing traffic, run the show session all command.
      • To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Interface counters on the CPU table are increasing as follows:
        • In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
          If you enabled HA2 keep-alive, the interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
        • In an active/active configuration, you will see packets received and packets transmitted on both peers.

    © 2025 Palo Alto Networks, Inc. All rights reserved.