Review the PAN-OS 7.1 Release Notes and then use the following procedure to upgrade firewalls that Panorama manages. This procedure applies to standalone firewalls and firewalls deployed in a high availability (HA) configuration.
When upgrading firewalls that you manage with Panorama, you must upgrade Panorama and its Log Collectors before you upgrade the firewalls.
Upgrade Firewalls Using Panorama
Step 1. Save a backup of the current configuration file on each managed firewall you plan to upgrade.
Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
  1. Log in to Panorama, select Panorama > Setup > Operations, and Export Panorama and devices config bundle to generate and export the latest configuration backup of Panorama and of each managed device.
  2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 2. Install the content updates.
Make sure the firewalls you plan to upgrade are running content release version 564 or later.
  1. Select Panorama > Device Deployment > Dynamic Updates.
  2. Check Now (located in the lower left-hand corner of the window) to check for the latest updates. If an update is available, the Action column displays a Download link.
  3. Download the desired version. After a successful download, the link in the Action column changes from Download to Install.
  4. Click Install, select the devices on which you want to install the update, and click OK.
Step 3. Determine the software upgrade path.
You cannot skip installation of any major release versions in the path to your target PAN-OS release. For example, if you intend to upgrade from PAN-OS 6.0.13 to PAN-OS 7.1.20, you must:
  - Download and install PAN-OS 6.1.0 and reboot.
  - Download and install PAN-OS 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release; not 7.0.0).
  - Download and install PAN-OS 7.0.9 or a later PAN-OS 7.0 release and reboot.
  - Download PAN-OS 7.1.0 (you do not need to install it).
  - Download and install PAN-OS 7.1.20 and reboot.
  1. To access the web interface of the firewall you intend to upgrade, use the Context drop-down in Panorama or log in to the firewall directly.
  2. Select Device > Software.
  3. Check which version has a check mark in the Currently Installed column and proceed as follows:
     - If PAN-OS 7.0.9 or later is currently installed, continue to Step 4.
     - If a version earlier than PAN-OS 7.0.9 is currently installed, follow the upgrade path to PAN-OS 7.0.9 or a later PAN-OS 7.0 release before you upgrade to PAN-OS 7.1. Refer to the Release Notes for your currently installed PAN-OS version for upgrade instructions.
Step 4. Download the software updates.
  1. On Panorama, select Panorama > Device Deployment > Software and Check Now for the latest updates. If an update is available, the Action column displays a Download link.
  2. Download the file or files that correspond to the Platform of the firewalls to which you are upgrading and the version to which you need to upgrade (including any intermediate major release versions). You must download a separate installation file for each platform you intend to upgrade. For example, to upgrade your PA-3050 firewalls and PA-5060 firewalls to 7.1.0, download the images that have filename PanOS_3000-7.1.0 and PanOS_5000-7.1.0. After a successful download, the Action column changes to Install for that image.
Step 5. Install the software updates on the firewalls.
To avoid downtime when updating the software on firewalls in an HA configuration, update one peer at a time. For firewalls in an active/active configuration, it doesn’t matter which HA peer you update first. For an active/passive configuration, you must update the passive peer first, suspend the active peer (fail over), update the active peer, and then return the active peer to a functional state (fail back).
Perform the steps that apply to your firewall deployment:
  Non-HA Firewalls
    - Click Install in the Action column for the appropriate update, select all firewalls you intend to update, Reboot device after install, and click OK.
  Active/Active HA Firewalls
    1. Click Install, clear Group HA Peers, select either of the HA peers, Reboot device after install, and click OK. Wait for the firewall to finish rebooting before you proceed.
    2. Click Install, clear Group HA Peers, select the HA peer that you didn’t update in the previous step, Reboot device after install, and click OK.
  Active/Passive HA Firewalls
  In this example, the active firewall is named fw1 and the passive firewall is named fw2:
    1. Click Install in the Action column for the appropriate update, clear Group HA Peers, select fw2, Reboot device after install, and click OK. Wait for fw2 to finish rebooting before you proceed.
    2. Access fw1, select Device > High Availability > Operational Commands, and Suspend local device.
    3. Access fw2 and, on the Dashboard High Availability widget, verify that the Local firewall state is active and the Peer firewall is suspended.
    4. Access Panorama, select Panorama > Device Deployment > Software, click Install in the Action column for the appropriate update, clear Group HA Peers, select fw1, Reboot device after install, and click OK. Wait for fw1 to finish rebooting before you proceed.
    5. Access fw1, select Device > High Availability > Operational Commands, and click Make local device functional. Wait two minutes before you proceed.
    6. On fw1, select the Dashboard tab and, in the High Availability widget, verify that the Local firewall state is active and the Peer firewall is passive.
Step 6. Verify the software and content release version running on each managed firewall.
  1. On Panorama, select Panorama > Managed Devices.
  2. Locate the firewalls and review the content and software versions in the table.
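
The upgrade-path and content-release rules from the procedure above, as a planner you can run against an inventory before scheduling the change. This is an added example, not Palo Alto Networks code: the function names and the action labels are hypothetical, the release list and base images are only those named in the page's worked example, and version strings are assumed to be plain x.y.z.

```python
# Added example: upgrade-path planner for the rules in this procedure (not vendor code).
# Release data comes only from this page's worked example; names are hypothetical.
RELEASES = ["6.0", "6.1", "7.0", "7.1"]            # feature releases, in order
BASE_IMAGE = {"6.1": "6.1.0", "7.0": "7.0.1", "7.1": "7.1.0"}
MIN_BEFORE_NEXT = {"7.0": "7.0.9"}                 # needed before moving to 7.1
MIN_CONTENT = 564                                  # content release the page requires


def parse(version):
    """'7.0.9' -> (7, 0, 9); assumes plain x.y.z strings."""
    return tuple(int(part) for part in version.split("."))


def feature(version):
    """'7.0.9' -> '7.0'"""
    return ".".join(version.split(".")[:2])


def plan(current, target, content):
    """Return ordered (action, version) steps for one firewall."""
    cur_rel, tgt_rel = feature(current), feature(target)
    if cur_rel not in RELEASES or tgt_rel not in RELEASES:
        raise ValueError("release not covered by this example")
    if parse(target) <= parse(current):
        raise ValueError("target must be newer than the installed version")
    steps = []
    if content < MIN_CONTENT:
        steps.append(("install-content", f">={MIN_CONTENT}"))
    i, j = RELEASES.index(cur_rel), RELEASES.index(tgt_rel)
    # Reach the required minimum of the installed release before leaving it.
    floor = MIN_BEFORE_NEXT.get(cur_rel)
    if i < j and floor and parse(current) < parse(floor):
        steps.append(("install+reboot", floor))
    # Every intermediate release: base image, then its minimum if higher.
    for rel in RELEASES[i + 1:j]:
        steps.append(("install+reboot", BASE_IMAGE[rel]))
        floor = MIN_BEFORE_NEXT.get(rel)
        if floor and parse(floor) > parse(BASE_IMAGE[rel]):
            steps.append(("install+reboot", floor))
    # The target release's base image is downloaded but not installed.
    if i < j and target != BASE_IMAGE[tgt_rel]:
        steps.append(("download", BASE_IMAGE[tgt_rel]))
    steps.append(("install+reboot", target))
    return steps


if __name__ == "__main__":
    # Constructed inventory: (hostname, installed PAN-OS, content release)
    for host, sw, content in [("fw1", "6.0.13", 564), ("fw2", "7.0.4", 550)]:
        print(host, plan(sw, "7.1.20", content))
```

For an HA pair, run the planner per peer and apply each install step in the peer order given in Step 5.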
