Upgrade PAN-OS
Save a backup of the current configuration file.
Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.
|
Perform these steps on each firewall in the pair:
Select Device > Setup > Operations and Export named configuration snapshot.
Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
|
Make sure each device is running content release version 564 or later.
|
Select Device > Dynamic Updates.
Check the Applications and Threats or Applications section to determine what update is currently running.
If the firewall is not running the minimum required update, Check Now to retrieve a list of available updates.
Locate and Download the content release version you intend to install.
After the download completes, Install the update.
|
Determine the upgrade path.
You cannot skip installation of any major releases in the path to your desired PAN-OS version. Therefore, if you intend to upgrade to a version that is more than one major release away, you must download, install, and reboot the firewall for each intermediate major PAN-OS release along the upgrade path.
For example, if you want to upgrade from PAN-OS 6.0.13 to PAN-OS 7.1.1, you must:
Download and install PAN-OS 6.1.0 and reboot.
Download PAN-OS 7.0.1 (7.0.1 is the base image for the 7.0 release; not 7.0.0).
Although we recommend that you install PAN-OS 7.0.1 before you upgrade to PAN-OS 7.0.9 or a later PAN-OS 7.0 release, do not reboot the firewall after installing this image in an HA configuration.
Download and install PAN-OS 7.0.9 or a later PAN-OS 7.0 release and reboot.
Download PAN-OS 7.1.0 (you do not need to install it).
Download and install PAN-OS 7.1.1 and reboot.
|
Select Device > Software.
Check which version has a check mark in the Currently Installed column and proceed as follows:
If PAN-OS 7.0.9 or a later release is currently installed, continue to Step 4.
If a version earlier than PAN-OS 7.0.9 is currently installed, follow the upgrade path to PAN-OS 7.0.9 or a later PAN-OS 7.0 release before you upgrade to PAN-OS 7.1. Refer to the Release Notes for your currently installed PAN-OS version for upgrade instructions.
|
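The two prerequisites above (content release 564 or later, PAN-OS 7.0.9 or later) can be checked for each peer before the PAN-OS 7.1 install. This is an added example, not part of the Palo Alto Networks documentation; it assumes each peer's show system info output was saved as text and contains the sw-version and app-version fields, and the peer names and sample values are constructed.

```python
import re

MIN_CONTENT = 564        # minimum content release required by the page
MIN_SW = (7, 0, 9)       # PAN-OS 7.0.9 or later must be installed before 7.1

def parse_system_info(text):
    """Parse 'key: value' lines (as in show system info output) into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def preflight(text):
    """Return the reasons this peer is not ready for the PAN-OS 7.1 install."""
    info, blockers = parse_system_info(text), []
    content = re.match(r"(\d+)", info.get("app-version", ""))
    if not content:
        blockers.append("app-version missing or unreadable")
    elif int(content.group(1)) < MIN_CONTENT:
        blockers.append(f"content release {content.group(1)} is below {MIN_CONTENT}")
    sw = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("sw-version", ""))
    if not sw:
        blockers.append("sw-version missing or unreadable")
    elif tuple(map(int, sw.groups())) < MIN_SW:
        # Hotfix suffixes such as "-h1" are ignored for this comparison.
        blockers.append(f"PAN-OS {sw.group(0)} is earlier than 7.0.9; follow the upgrade path first")
    return blockers

def check_peers(outputs):
    """Map each peer name to its blockers; proceed only when every list is empty."""
    return {name: preflight(text) for name, text in outputs.items()}

# Constructed sample output (not captured from a real firewall).
SAMPLE = {
    "fw-a": "hostname: fw-a\nsw-version: 7.0.9\napp-version: 564-3168\n",
    "fw-b": "hostname: fw-b\nsw-version: 6.1.0\napp-version: 555-3129\n",
    "fw-c": "hostname: fw-c\nsw-version: 7.0.10-h1\n",
}

if __name__ == "__main__":
    for peer, problems in check_peers(SAMPLE).items():
        print(peer, "READY" if not problems else "; ".join(problems))
```

A missing field is reported as a blocker rather than skipped, so a truncated capture cannot pass the check by accident.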
Install PAN-OS 7.1 on the passive device (active/passive) or on the active-secondary device (active/active).
If your firewall does not have Internet access from the management port, you can download the software update from the Palo Alto Networks Support Portal. You can then manually Upload it to your firewall.
|
Check Now for the latest updates.
Locate and Download the version to which you intend to upgrade.
After the download completes, Install the update.
After the installation completes successfully, reboot using one of the following methods:
If you are prompted to reboot, click Yes.
If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device (Device Operations section). After the reboot, the device will not be functional until the active/active-primary device is suspended.
|
Suspend the active/active-primary firewall.
|
On the active (active-passive) or active-primary (active-active) peer, select Device > High Availability > Operational Commands and Suspend local device.
Select Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
Verify that the firewall that took over as active (or active-primary) is passing traffic (Monitor > Session Browser).
(Optional) If you have session synchronization enabled and you are currently running a PAN-OS version prior to 6.1.0, run the set session tcp-reject-non-syn no operational command. This will rebuild the session table so that sessions that started prior to the upgrade will continue.
|
Install PAN-OS 7.1 on the other peer in the pair.
If your firewall does not have Internet access from the management port, you can download the software update from the Palo Alto Networks Support Portal. You can then manually Upload it to your firewall.
|
Check Now for the latest updates.
Locate and Download the version to which you intend to upgrade.
After the download completes, Install the update.
After the installation completes successfully, reboot using one of the following methods:
If you are prompted to reboot, click Yes.
If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device in the Device Operations section. After the reboot, the device will not be functional until the active/active-primary device is suspended.
(Optional) If you configured the firewall to temporarily allow non-syn-tcp traffic in order to enable the firewall to rebuild the session table in Step 4, revert back by running the set session tcp-reject-non-syn yes command.
If the preemptive option is configured, the current passive peer will revert to active when state synchronization is complete.
|
Verify that the firewalls are passing traffic as expected.
In an active/passive deployment, the active peer (only) should be passing traffic while both peers should be passing traffic in an active/active deployment.
|
Run the following CLI commands to confirm that the upgrade succeeded:
(Active peer(s) only) To verify that active peers are passing traffic, run the show session all command.
To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
In an active/passive configuration, only the active peer shows packets transmitted and the passive device will only show packets received.
If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
In an active/active configuration, you will see packets received and packets transmitted on both peers.
|