PAN-OS Upgrade Guide
    : Upgrade the VM-Series PAN-OS Software (Standalone)
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade the VM-Series Firewall
    5. Upgrade the VM-Series PAN-OS Software (Standalone)
    Download PDF

    PAN-OS Upgrade Guide

    Upgrade the VM-Series PAN-OS Software (Standalone)

    Table of Contents

    Upgrade the VM-Series PAN-OS Software (Standalone)

    How do I upgrade a standalone VM-Series firewall?
    Review the new features, addressed issues, and known issues and then use the following procedure to upgrade a firewall that is not in an HA configuration.
    To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall is connected to a reliable power source. A loss of power during an upgrade can make the firewall unusable.
    1. Verify that enough hardware resources are available to the VM-Series firewall.
      Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.
      If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.
    2. From the web interface, navigate to DeviceLicenses and make sure you have the correct VM-Series firewall license and that the license is activated.
      On the VM-Series firewall standalone version, navigate to DeviceSupport and make sure that you have activated the support license.
    3. Save a backup of the current configuration file.
      Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
      1. Select DeviceSetupOperations and click Export named configuration snapshot.
      2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
      3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
    4. If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
      • For IP address-to-username mappings:
        • show user user-id-agent state all
        • show user server-monitor state all
      • For group mappings: show user group-mapping statistics
    5. Ensure that the firewall is running the latest content release version.
      1. Select DeviceDynamic Updates and see which Applications or Applications and Threats content release version is Currently Installed.
      2. If the firewall is not running the minimum required content release version or a later version required for PAN-OS, Check Now to retrieve a list of available updates.
      3. Locate and Download the desired content release version.
        After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
      4. Install the update.
    6. Upgrade the VM-Series plugin.
      1. Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.
        For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.
        Do not install an upgrade that does not apply to your environment.
      2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
      3. Select DevicePlugins  to view the plugin version. Use Check Now to check for updates.
      4. Select the version of the plugin and click Install in the Action column to install the plugin.
    7. Upgrade PAN-OS.
      If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Customer Support Portal and then manually Upload it to your firewall.
      1. Select DeviceSoftware and click Check Now to display the latest PAN-OS updates.
        (PAN-OS 10.2.10 and later 10.2 releases) By default, the preferred releases and the corresponding base releases are displayed. To view the preferred releases only, disable (clear) the Base Releases checkbox. Similarly, to view the base releases only, disable (clear) the Preferred Releases checkbox.
      2. Locate and Download the target PAN-OS version.
      3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
      4. After the installation completes successfully, reboot using one of the following methods:
        • If you are prompted to reboot, click Yes.
        • If you are not prompted to reboot, select DeviceSetupOperations and click Reboot Device.
        At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings.
      5. If you have enabled User-ID, use the following CLI commands to verify that the firewall has repopulated the IP address-to-username and group mappings before allowing traffic.
        • show user ip-user-mapping all
        • show user group list
      6. If you are upgrading to an XFR release for the first time, repeat this step to upgrade to the corresponding XFR release.
    8. Verify that the firewall is passing traffic.
      Select MonitorSession Browser and verify that you are seeing new sessions.

    © 2025 Palo Alto Networks, Inc. All rights reserved.