Install a PAN-OS Software Patch
Table of Contents
PAN.OS 10.2
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Install a PAN-OS Software Patch
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 10.2
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Install a PAN-OS Software Patch
- Revert Content Updates from Panorama
-
Install a PAN-OS Software Patch
Install critical bug and Common Vulnerability and Exposure (CVE) fixes for your
managed NExt-Gen firewalls and Dedicated Log Collectors from your Panorama™ management
server.
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Review the PAN-OS 10.2 Release Notes and then use the
following procedure to install a PAN-OS software patch to address bugs and Common
Vulnerability and Exposures (CVE) in the PAN-OS release currently running on your
managed devices from your Panorama™ management server. Installing a PAN-OS software
patch applies fixes to bugs and CVEs without the need to schedule a prolonged
maintenance and allows you to strengthen your security posture immediately without
introducing any new known issues or changes to default behaviors that may come with
installing a new PAN-OS release. Additionally, you can revert the currently
installed software patch to uninstall the bug and CVE fixes applied when you
installed the software patch.
A system log is generated () when a PAN-OS software patch is installed or reverted. An outbound
internet connection is required to download the PAN-OS software patch from the Palo
Alto Networks Customer Support Portal. For air-gapped managed devices, Panorama must
still have internet access to download the PAN-OS software patch, but an outbound
internet connection is not required to install and apply them to the managed
devices.
Monitor
Logs
System
Install
Install critical bug and Common Vulnerability and Exposure (CVE) fixes for your
managed devices when your Panorama™ management server has outbound internet
access.
- SelectandPanoramaDevice DeploymentSoftwareCheck Nowto retrieve the latest PAN-OS software patches from the Palo Alto Networks Update Server.
- Check (enable)Include Patchto display all available PAN-OS software patches.
- Locate the software patch for the PAN-OS release currently installed on your managed devices.A software patch is denoted by aPatchlabel displayed alongside theVersionname.
- ViewMore Infoto review the software patch details such as the critical bug and CVE fixes and whether your managed devices need to be restarted for the fixes to be applied.
- Downloadthe software patch.(HA only) Check (enable) Sync to HA Peer andContinue Downloadto download the PAN-OS software patch.ClickCloseafter the software patch successfully downloaded.
- Installthe software patch.After the software patch has successfully installed, clickClose.
- Select the managed devices on which you want to install the PAN-OS software patch and clickOK.(HA only) If you are installing a software patch on a pair of managed devices in a high availability (HA) configuration, you must select and install the software patch on both HA peers.
- Applythe software patch.ClickApplywhen prompted to confirm you want to apply the installed PAN-OS software patch to your managed devices.A status bar is displayed showing the current progress of the PAN-OS software patch application. ClickCloseafter the patch is successfully applied.At this point, the firewall automatically reboots if a reboot is required to complete applying the PAN-OS software patch to your managed devices.
Revert
Revert critical bug and Common Vulnerability and Exposure (CVE) fixes for your
Panorama-managed devices.
- SelectandPanoramaDevice DeploymentSoftwareCheck Nowto retrieve the latest PAN-OS software patches from the Palo Alto Networks Update Server.
- Revertthe software patch.
- Select the managed devices for which you want to revert the PAN-OS software patch and clickOK.Only eligible managed devices are displayed.(HA only) If you are installing a software patch on a pair of managed devices in a high availability (HA) configuration, you must select and install the software patch on both HA peers.
- ClickRevertwhen prompted to confirm you want to revert the installed PAN-OS software patch from the selected managed devices.A status bar is displayed showing the current progress of the PAN-OS software patch application. ClickCloseafter the patch is successfully applied.At this point, the firewall automatically reboots if a reboot is required to complete applying the PAN-OS software patch to Panorama.