Upgrade a Standalone Firewall to PAN-OS 9.1
Expand all | Collapse all
Upgrade a Standalone Firewall to PAN-OS 9.1
Follow these steps to upgrade a standalone firewall to
PAN-OS 9.1.
Review the
PAN-OS 9.1 Release Notes and then
use the following procedure to upgrade a firewall that is not in
an HA configuration to PAN-OS 9.1.
If your firewalls are
configured to forward samples to a WildFire appliance for analysis,
you must
upgrade the WildFire appliance before upgrading
the forwarding firewalls.
To avoid
impacting traffic, plan to upgrade within the outage window. Ensure
the firewall is connected to a reliable power source. A loss of
power during an upgrade can make the firewall unusable.
Save a backup of the current configuration file.
Although the firewall automatically
creates a configuration backup, it is a best practice to create
and externally store a backup before you upgrade.
Select and
click
Export named configuration snapshot
.
Select the XML file that contains your running configuration (for
example,
running-config.xml
) and click
OK
to
export the configuration file.
Save the exported file to a location external to the
firewall. You can use this backup to restore the configuration if
you have problems with the upgrade.
If you have enabled User-ID, after you upgrade, the firewall clears
the current IP address-to-username and group mappings so that they
can be repopulated with the attributes from the User-ID sources.
To estimate the time required for your environment to repopulate
the mappings, run the following CLI commands on the firewall.
For IP address-to-username mappings:
show user user-id-agent state all
show user server-monitor state all
For group mappings:
show user group-mapping statistics
Ensure that the firewall is running the latest content
release version.
Select and see which
Applications
or
Applications
and Threats
content release version is Currently Installed.
If the firewall is not running the minimum required
content release version or a later version required for PAN-OS 9.1,
Check Now
to
retrieve a list of available updates.
Locate and
Download
the desired content
release version.
After you successfully download a content update file, the
link in the Action column changes from
Download
to
Install
for
that content release version.
You cannot skip installation of any feature release versions
in the path from the currently running PAN-OS version to PAN-OS
9.1.0.
Review the known issues and
changes to default behavior in the
Release Notes and upgrade/downgrade
considerations in the
New Features Guide for
each release through which you pass as part of your upgrade path.
Upgrade
to PAN-OS 9.1.
Select and
click
Check Now
to display the latest PAN-OS
updates.
Locate and
Download
PAN-OS 9.1.0.
After you download the image (or, for a manual upgrade,
after you upload the image),
Install
the
image.
After
the installation completes successfully, reboot using one of the
following methods:
If you are prompted to reboot, click
Yes
.
If you are not prompted to reboot, select and click
Reboot
Device
.
At this point, the firewall
clears the User-ID mappings, then connects to the User-ID sources
to repopulate the mappings.
If you have enabled User-ID, use the following CLI
commands to verify that the firewall has repopulated the IP address-to-username
and group mappings before allowing traffic.
show user ip-user-mapping all
Verify that the firewall is passing traffic.
Select and verify that you are seeing
new sessions.