: Upgrade a Standalone Firewall to PAN-OS 9.1
Focus
Focus

Upgrade a Standalone Firewall to PAN-OS 9.1

Table of Contents

Upgrade a Standalone Firewall to PAN-OS 9.1

Follow these steps to upgrade a standalone firewall to PAN-OS 9.1.
Review the PAN-OS 9.1 Release Notes and then use the following procedure to upgrade a firewall that is not in an HA configuration to PAN-OS 9.1.
If your firewalls are configured to forward samples to a WildFire appliance for analysis, you must upgrade the WildFire appliance before upgrading the forwarding firewalls.
To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall is connected to a reliable power source. A loss of power during an upgrade can make the firewall unusable.
  1. Save a backup of the current configuration file.
    Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
    1. Select
      Device
      Setup
      Operations
      and click
      Export named configuration snapshot
      .
    2. Select the XML file that contains your running configuration (for example,
      running-config.xml
      ) and click
      OK
      to export the configuration file.
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
    • For IP address-to-username mappings:
      • show user user-id-agent state all
      • show user server-monitor state all
    • For group mappings:
      show user group-mapping statistics
  3. Ensure that the firewall is running the latest content release version.
    Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 9.1 release. Make sure to follow the Best Practices for Application and Threat Updates.
    1. Select
      Device
      Dynamic Updates
      and see which
      Applications
      or
      Applications and Threats
      content release version is Currently Installed.
    2. If the firewall is not running the minimum required content release version or a later version required for PAN-OS 9.1,
      Check Now
      to retrieve a list of available updates.
    3. Locate and
      Download
      the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from
      Download
      to
      Install
      for that content release version.
    4. Install
      the update.
  4. You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 9.1.0.
    Review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
  5. Upgrade to PAN-OS 9.1.
    If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks  Customer  Support  Portal and then manually
    Upload
    it to your firewall.
    1. Select
      Device
      Software
      and click
      Check Now
      to display the latest PAN-OS updates.
    2. Locate and
      Download
      PAN-OS 9.1.0.
    3. After you download the image (or, for a manual upgrade, after you upload the image),
      Install
      the image.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click
        Yes
        .
      • If you are not prompted to reboot, select
        Device
        Setup
        Operations
        and click
        Reboot Device
        .
      At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings.
    5. If you have enabled User-ID, use the following CLI commands to verify that the firewall has repopulated the IP address-to-username and group mappings before allowing traffic.
      • show user ip-user-mapping all
      • show user group list
  6. Verify that the firewall is passing traffic.
    Select
    Monitor
    Session Browser
    and verify that you are seeing new sessions.

Recommended For You