Upgrade a Standalone Firewall
Follow these steps to upgrade a standalone firewall to PAN-OS 10.2.
Review the PAN-OS 10.2 Release Notes and then use the following procedure to upgrade a firewall that is not in an HA configuration to PAN-OS 10.2.
If your firewalls are configured to forward samples to a WildFire appliance for analysis, you must upgrade the WildFire appliance before upgrading the forwarding firewalls.
To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall is connected to a reliable power source. A loss of power during an upgrade can make the firewall unusable.
- Save a backup of the current configuration file.Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
- Selectand clickDeviceSetupOperationsExport named configuration snapshot.
- Select the XML file that contains your running configuration (for example,running-config.xml) and clickOKto export the configuration file.
- Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
- (Optional) If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
- For IP address-to-username mappings:
- show user user-id-agent state all
- show user server-monitor state all
- For group mappings:show user group-mapping statistics
- Ensure that the firewall is running the latest content release version.
- Selectand see whichDeviceDynamic UpdatesApplicationsorApplications and Threatscontent release version is Currently Installed.
- If the firewall is not running the minimum required content release version or a later version required for PAN-OS 10.2,Check Nowto retrieve a list of available updates.
- Locate andDownloadthe desired content release version.After you successfully download a content update file, the link in the Action column changes fromDownloadtoInstallfor that content release version.
- Installthe update.
- You cannot skip the installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 10.2.
- (Best Practices) If you are leveraging Cortex Data Lake (CDL), install the device certificate.The firewall automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.2.If you do not install the device certificate prior to upgrade to PAN-OS 10.2, the firewall continues to use the existing logging service certificates for authentication.
- Upgrade to PAN-OS 10.2.If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Customer Support Portal and then manuallyUploadit to your firewall.
- Selectand clickDeviceSoftwareCheck Nowto display the latest PAN-OS updates.Only the versions for the next available PAN-OS release are displayed. For example, if the PAN-OS 10.2 is installed on the firewall, then only PAN-OS 10.2 releases are displayed.
- Locate andDownloadPAN-OS 10.2.0.If you encounter a file download error, clickCheck Nowagain to refresh the list of PAN-OS images.
- After you download the image (or, for a manual upgrade, after you upload the image),Installthe image.
- After the installation completes successfully, reboot using one of the following methods:
At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings.
- If you are prompted to reboot, clickYes.
- If you are not prompted to reboot, selectand clickDeviceSetupOperationsReboot Device.
- If you have enabled User-ID, use the following CLI commands to verify that the firewall has repopulated the IP address-to-username and group mappings before allowing traffic.
- show user ip-user-mapping all
- show user group list
- Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.On upgrade to PAN-OS 10.2, it is required that all certificates meet the following minimum requirements:
See the PAN-OS Administrator's Guide for more information on regenerating or re-importing your certificates.
- RSA 2048 bits or greater, or ECDSA 256 bits or greater
- Digest of SHA256 or greater
- Verify that the firewall is passing traffic.Selectand verify that you are seeing new sessions.MonitorSession Browser
Recommended For You
Recommended videos not found.