Upgrade the VM-Series PAN-OS Software (Standalone)
Table of Contents
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 10.2
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade the VM-Series PAN-OS Software (Standalone)
How do I upgrade a standalone VM-Series firewall?
Review
the new features, addressed issues, and known issues and then use
the following procedure to upgrade a firewall that is not in an HA
configuration.
To avoid impacting traffic,
plan to upgrade within the outage window. Ensure the firewall is
connected to a reliable power source. A loss of power during an
upgrade can make the firewall unusable.
- Verify that enough hardware resources are available to the VM-Series firewall.Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.From the web interface, navigate to DeviceLicenses and make sure you have the correct VM-Series firewall license and that the license is activated.On the VM-Series firewall standalone version, navigate to DeviceSupport and make sure that you have activated the support license.Save a backup of the current configuration file.Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
- Select DeviceSetupOperations and click Export named configuration snapshot.Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
- For IP address-to-username mappings:
- show user user-id-agent state all
- show user server-monitor state all
- For group mappings: show user group-mapping statistics
Ensure that the firewall is running the latest content release version.- Select DeviceDynamic Updates and see which Applications or Applications and Threats content release version is Currently Installed.If the firewall is not running the minimum required content release version or a later version required for PAN-OS, Check Now to retrieve a list of available updates.Locate and Download the desired content release version.After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.Install the update.Upgrade the VM-Series plugin.
- Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.Do not install an upgrade that does not apply to your environment.Log in to the VM-Series firewall and check the dashboard to view the plugin version.Select DevicePlugins to view the plugin version. Use Check Now to check for updates.Select the version of the plugin and click Install in the Action column to install the plugin.Upgrade PAN-OS.If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Customer Support Portal and then manually Upload it to your firewall.
- Select DeviceSoftware and click Check Now to display the latest PAN-OS updates.(PAN-OS 10.2.10 and later 10.2 releases) By default, the preferred releases and the corresponding base releases are displayed. To view the preferred releases only, disable (clear) the Base Releases checkbox. Similarly, to view the base releases only, disable (clear) the Preferred Releases checkbox.Locate and Download the target PAN-OS version.After you download the image (or, for a manual upgrade, after you upload the image), Install the image.After the installation completes successfully, reboot using one of the following methods:
- If you are prompted to reboot, click Yes.
- If you are not prompted to reboot, select DeviceSetupOperations and click Reboot Device.
At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings.If you have enabled User-ID, use the following CLI commands to verify that the firewall has repopulated the IP address-to-username and group mappings before allowing traffic.- show user ip-user-mapping all
- show user group list
If you are upgrading to an XFR release for the first time, repeat this step to upgrade to the corresponding XFR release.Verify that the firewall is passing traffic.Select MonitorSession Browser and verify that you are seeing new sessions.