: Upgrade a ZTP Firewall
Focus
Focus

Upgrade a ZTP Firewall

Table of Contents

Upgrade a ZTP Firewall

Automatically upgrade your a ZTP firewall.
After you successfully add a ZTP firewall to the Panorama™ management server, configure the target PAN-OS version of the ZTP firewall. Panorama checks whether PAN-OS version installed on the ZTP firewall is greater than or equal to the configured target PAN-OS version after it successfully connects to Panorama for the first time. If the PAN-OS version installed on the ZTP firewall is less than the target PAN-OS version, then the ZTP firewall enters an upgrade cycle until target PAN-OS version is installed.
When upgrading ZTP firewalls from PAN-OS 10.1 to PAN-OS 11.1 or later versions, do not use the To SW Version column to set a target PAN-OS version. Using the To SW Version column causes the upgrade flow to download and install an intermediary base version with an expired root certificate, causing the firewall to lose connection with Panorama.
Instead, after onboarding the ZTP firewall, manually upgrade to the target PAN-OS version that includes a valid root certificate.
  1. Select PanoramaDevice DeploymentUpdates and Check Now for the latest PAN-OS releases.
  2. Select PanoramaManaged DevicesSummary and select one or more ZTP firewalls.
  3. Reassociate the selected ZTP firewall(s).
  4. Check (enable) Auto Push on 1st Connect.
  5. In the To SW Version column, select the target PAN-OS version for the ZTP firewall.
  6. Click OK to save your configuration changes.
  7. Select Commit and Commit to Panorama.
  8. Power on the ZTP firewall.
    When the ZTP firewall connects to Panorama for the first time, it automatically upgrades to the PAN-OS version you selected. If you are upgrading to a PAN-OS maintenance release, the base PAN-OS image is installed first before the target maintenance release is installed.
    For example, you configured the target To SW Version for the managed firewall as PAN-OS 10.1.5. On first connection to Panorama, PAN-OS 10.1.0 is installed on the managed firewall first. After PAN-OS 10.1.0 successfully installs, the firewall is automatically upgraded to the target PAN-OS 10.1.5 release.
  9. Verify the ZTP firewall software upgrade.
    1. Select PanoramaManaged DevicesSummary and navigate to the ZTP firewall(s).
    2. Verify the Software Version column displays the correct target PAN-OS release.
  10. For all future PAN-OS upgrades, see Upgrade Firewalls Using Panorama.