Strata Copilot
    PAN-OS Upgrade Guide
    : Install a PAN-OS Software Patch
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade Panorama
    5. Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama
    6. Install a PAN-OS Software Patch
    Download PDF

    PAN-OS Upgrade Guide

    Install a PAN-OS Software Patch

    Table of Contents

    Install a PAN-OS Software Patch

    Install critical bug and Common Vulnerability and Exposure (CVE) fixes for your managed NExt-Gen firewalls and Dedicated Log Collectors from your Panorama™ management server.
    Where Can I Use This?What Do I Need?
    • Panorama-managed Next-Gen firewall
      CN-Series firewalls are not supported
    • Panorama-managed WildFire appliance
    • Device management license
    • Support license
    • PAN-OS 11.1.3 or later 11.1 release
    • Outbound internet access
    Review the PAN-OS 11.1 Release Notes and then use the following procedure to install a PAN-OS software patch to address bugs and Common Vulnerability and Exposures (CVE) in the PAN-OS release currently running on your managed devices from your Panorama™ management server. Installing a PAN-OS software patch applies fixes to bugs and CVEs without the need to schedule a prolonged maintenance and allows you to strengthen your security posture immediately without introducing any new known issues or changes to default behaviors that may come with installing a new PAN-OS release. Additionally, you can revert the currently installed software patch to uninstall the bug and CVE fixes applied when you installed the software patch.
    A system log is generated (MonitorLogsSystem) when a PAN-OS software patch is installed or reverted. An outbound internet connection is required to download the PAN-OS software patch from the Palo Alto Networks Customer Support Portal. For air-gapped managed devices, Panorama must still have internet access to download the PAN-OS software patch, but an outbound internet connection is not required to install and apply them to the managed devices.

    Install

    Install critical bug and Common Vulnerability and Exposure (CVE) fixes for your managed devices when your Panorama™ management server has outbound internet access.
    1. Log in to the Panorama web interface.
    2. Select PanoramaDevice DeploymentSoftware and Check Now to retrieve the latest PAN-OS software patches from the Palo Alto Networks Update Server.
    3. Check (enable) Include Patch to display all available PAN-OS software patches.
    4. Locate the software patch for the PAN-OS release currently installed on your managed devices.
      A software patch is denoted by a Patch label displayed alongside the Version name.
    5. View More Info to review the software patch details such as the critical bug and CVE fixes and whether your managed devices need to be restarted for the fixes to be applied.
    6. Download the software patch.
      (HA only) Check (enable) Sync to HA Peer and Continue Download to download the PAN-OS software patch.
      Click Close after the software patch successfully downloaded.
    7. Install the software patch.
      After the software patch has successfully installed, click Close.
    8. Select the managed devices on which you want to install the PAN-OS software patch and click OK.
      (HA only) If you are installing a software patch on a pair of managed devices in a high availability (HA) configuration, you must select and install the software patch on both HA peers.
    9. Apply the software patch.
      Click Apply when prompted to confirm you want to apply the installed PAN-OS software patch to your managed devices.
      A status bar is displayed showing the current progress of the PAN-OS software patch application. Click Close after the patch is successfully applied.
      At this point, the firewall automatically reboots if a reboot is required to complete applying the PAN-OS software patch to your managed devices.

    Revert

    Revert critical bug and Common Vulnerability and Exposure (CVE) fixes for your Panorama-managed devices.
    1. Log in to the Panorama web interface.
    2. Select PanoramaDevice DeploymentSoftware and Check Now to retrieve the latest PAN-OS software patches from the Palo Alto Networks Update Server.
    3. Revert the software patch.
    4. Select the managed devices for which you want to revert the PAN-OS software patch and click OK.
      Only eligible managed devices are displayed.
      (HA only) If you are installing a software patch on a pair of managed devices in a high availability (HA) configuration, you must select and install the software patch on both HA peers.
    5. Click Revert when prompted to confirm you want to revert the installed PAN-OS software patch from the selected managed devices.
      A status bar is displayed showing the current progress of the PAN-OS software patch application. Click Close after the patch is successfully applied.
      At this point, the firewall automatically reboots if a reboot is required to complete applying the PAN-OS software patch to Panorama.

    © 2025 Palo Alto Networks, Inc. All rights reserved.