PAN-OS Upgrade Guide
    : Upgrade a ZTP Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade Panorama
    5. Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama
    6. Upgrade a ZTP Firewall
    Download PDF

    PAN-OS Upgrade Guide

    Upgrade a ZTP Firewall

    Table of Contents
    End-of-Life (EoL)

    Upgrade a ZTP Firewall

    Automatically upgrade your a ZTP firewall.
    After you successfully add a ZTP firewall to the Panorama™ management server, configure the target PAN-OS version of the ZTP firewall. Panorama checks whether PAN-OS version installed on the ZTP firewall is greater than or equal to the configured target PAN-OS version after it successfully connects to Panorama for the first time. If the PAN-OS version installed on the ZTP firewall is less than the target PAN-OS version, then the ZTP firewall enters an upgrade cycle until target PAN-OS version is installed.
    1. Log in to the Panorama Web Interface as an admin user.
    2. Add a ZTP Firewall to Panorama.
    3. Select PanoramaDevice DeploymentUpdates and Check Now for the latest PAN-OS releases.
    4. Select PanoramaManaged DevicesSummary and select one or more ZTP firewalls.
    5. Reassociate the selected ZTP firewall(s).
    6. Check (enable) Auto Push on 1st Connect.
    7. In the To SW Version column, select the target PAN-OS version for the ZTP firewall.
    8. Click OK to save your configuration changes.
    9. Select Commit and Commit to Panorama.
    10. Power on the ZTP firewall.
      When the ZTP firewall connects to Panorama for the first time, it automatically upgrades to the PAN-OS version you selected.
      • Panorama running PAN-OS 11.0.0—If you are upgrading managed firewalls across PAN-OS major or maintenance releases, the intermediary PAN-OS releases on your upgrade path are installed first before the target PAN-OS release is installed.
        For example, you configured the target To SW Version for the managed firewall as PAN-OS 11.0.0 and the firewall is running PAN-OS 10.1. On first connection to Panorama, PAN-OS 10.2.0 is installed on the managed firewall first. After PAN-OS 10.2.0 successfully installs, the firewall is automatically upgraded to the target PAN-OS 11.0.0 release.
      • Panorama running PAN-OS 11.0.1 and later releases—If you are upgrading managed firewalls across PAN-OS major or maintenance releases, the intermediary PAN-OS major releases on your upgrade path are installed and the base PAN-OS major release is downloaded before the target PAN-OS maintenance release is installed.
        For example, you configured the target To SW Version for the managed firewall as PAN-OS 11.0.1 and the firewall is running PAN-OS 10.0. On first connection to Panorama, PAN-OS 10.1.0 and PAN-OS 10.2.0 are installed on the managed firewall. After the managed firewall reboots, PAN-OS 11.0.0 is downloaded and then the firewall automatically installs to the target PAN-OS 11.0.1 release.
    11. Verify the ZTP firewall software upgrade.
      1. Log in to the Panorama Web Interface.
      2. Select PanoramaManaged DevicesSummary and navigate to the ZTP firewall(s).
      3. Verify the Software Version column displays the correct target PAN-OS release.
    12. For all future PAN-OS upgrades, see Upgrade the Firewall to PAN-OS 11.0 from Panorama.

    © 2025 Palo Alto Networks, Inc. All rights reserved.