Troubleshoot Your PAN-OS Upgrade
Table of Contents
Expand all | Collapse all
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.1
- Troubleshoot Your Panorama Upgrade
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
- PAN-OS Upgrade Checklist
- Upgrade/Downgrade Considerations
- Troubleshoot Your PAN-OS Upgrade
- Upgrade the VM-Series PAN-OS Software (Standalone)
- Upgrade the VM-Series PAN-OS Software (HA Pair)
- Upgrade the VM-Series PAN-OS Software Using Panorama
- Upgrade the VM-Series Model
- Upgrade the VM-Series Model in an HA Pair
- Downgrade a VM-Series Firewall to a Previous Release
Troubleshoot Your PAN-OS Upgrade
What troubleshooting can I do for my PAN-OS upgrade?
To troubleshoot your PAN-OS upgrade, use the following table to review possible issues and how to resolve them.
The software warranty license expired.
From the CLI, delete the expired license key:
The latest PAN-OS software versions were not available.
You can only see software versions that are one feature release ahead of the current installed version. For example, if you have an 9.1 release installed, only 10.0 releases will be available to you. To see 11.1 releases, you first have to upgrade to 10.1.
Checking for dynamic updates failed.
No valid device certificate was found.
In PAN-OS 9.1.3 and later versions, a device certificate must be installed if you are leveraging a Palo Alto Networks cloud service. To install the device certificate:
The software image file failed to load onto the software manager due to an image authentication error.
To update the software image list, click
Check Now. This establishes a new connection to the update server.
The VMware NSX plugin version was not compatible with the new software version.
The VMware NSX plugin was automatically installed upon upgrade to 8.0. If you are not using the plugin, you can uninstall it.
The reboot time after upgrading to PAN-OS 9.1 was longer than expected.
Upgrade to Applications and Threats Content Release Version 8221 or later. For more information on minimum software and content versions, see <xref to 11.1 Associated Software and Content Versions>.
The device did not have support even when licenses are active.
This updates the licensing information on the firewall by establishing a new connection to the update server.
If this does not work from the web interface, use
request system software check.
The firewall did not have a DHCP address assigned to it by the DHCP server.
Configure a security policy rule allowing the traffic from the ISP DHCP server to the internal networks.
The firewall continuously boots into maintenance mode.
In the CLI, Access the Maintenance Recovery Tool (MRT). In the MRT window, select
. Select either
Reinstall <current version>or
Revert to <previous version>. Once the revert or reinstall operation completes, select
In an HA configuration, the firewall goes into a suspended state after upgrading the peer firewall with an error that the firewall is too old.
Upgrading one firewall to a version that is more than one major release ahead will result in a network outage. You must upgrade both firewalls only one major release ahead before upgrading to the next major release.
Downgrade the peer firewall to the version that the suspended firewall stopped at.