Deploy an Update to Log Collectors when Panorama is not Internet-connected
Before you upgrade Log Collectors, ensure that you are running the appropriate Panorama software release on the Panorama management server.
Palo Alto Networks highly recommends that Panorama and Log Collectors run the same Panorama software release and that Panorama, Log Collectors, and all managed firewalls run the same content release version.
For important software and content compatibility details, see
Panorama, Log Collector, and Firewall Version Compatibility.
|
Panorama must be running the same (or later) software release as Log Collectors but must have the same or an earlier content release version:
Software release version
—If your Panorama management server is not already running the same or a later software release than the release to which you intend to update Log Collectors, then you must install the same or a later Panorama release on Panorama (see
Install Content and Software Updates for Panorama) before you update any Log Collectors.
Content release version
—For content release versions, ensure that all Log Collectors are running the latest content release version or, at minimum, are running a later version than you will install or that is running on Panorama; if not, then first
update managed firewalls (using Panorama)
and then update Log Collectors before you update the content release version on the Panorama management server (see
Install Content and Software Updates for Panorama).
To check the software and content versions:
Panorama management server
—Log in to the Panorama web interface and go to General Information settings (
Dashboard).
Log Collectors
—Log in to the CLI of each Log Collector and run the
show system info
command.
|
Determine which content updates you need to install.
You must install content updates before software updates.
Palo Alto Networks highly recommends that Panorama, Log Collectors, and all managed firewalls run the same content release version.
|
Log in to the CLI of each Log Collector and run the
show system info
command to view the current update versions.
For each content update, determine whether you need updates and take note of which content updates you need to download in
Step 4.
Ensure that Panorama is running the same but not a later content release version than is running on managed firewalls and Log Collectors.
(
As needed
) Before you update content versions on Log Collectors, first
upgrade managed firewalls to the same or later content release versions.
|
|
Determine the software upgrade path for each Log Collector that you intend to upgrade to Panorama 7.1.
You cannot skip installation of any major release versions in the path to your target Panorama release. For example, if you intend to upgrade from Panorama 6.0.12 to Panorama 7.1.3, you must:
Download and install Panorama 6.1.0 and reboot.
Download and install Panorama 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release; not 7.0.0).
Download Panorama 7.1.0.
Optionally, install this base image and reboot before you install the target maintenance release.
Download and install Panorama 7.1.3 and reboot.
|
Log in to Panorama, select
Panorama > Managed Collectors, and note the current Software Version for the Log Collectors you intend to upgrade.
We highly recommend that you review the known issues and changes to default behavior in the
Release Notes
and upgrade/downgrade considerations in the
New Features Guide
for each release through which you pass as part of your upgrade path.
|
|
Download the content and software updates to a host that can connect and upload the files to Panorama either over SCP or HTTPS.
|
Use a host with internet access to log in to the
Palo Alto Networks Customer Support website.
Download content updates:
Click
Updates > Dynamic Updates
in the Resources section.
Download
the desired content updates and save the files to the host. Perform this step for each content type you will update.
Download software updates:
Return to the main page of the Palo Alto Networks Customer Support website and click
Updates > Software Updates
in the Resources section.
Review the Download column to determine the version to install. The update package filenames for M-Series appliances begin with “Panorama_m” followed by the release number: Panorama_m-<release>.
You can quickly locate Panorama images by selecting
Panorama M Images
(for M-Series appliances) from the Filter By drop-down.
Click the appropriate filename and save the file to the host.
|
Install content updates on Log Collectors.
If you need to install content updates, you must do so before you install software updates. Additionally, install content updates on firewalls first and then on Log Collectors before you update the content release version on Panorama.
Refer to the
Release Notes
for the minimum content release version you must install for a Panorama release.
|
Install the Applications or Applications and Threats update first and then install any other updates (Antivirus, WildFire, or URL Filtering) as needed, one at a time, and in any sequence.
Regardless whether your subscription includes both Applications and Threats content, Panorama installs and needs only the Applications content. For details, see
Panorama, Log Collector, and Firewall Version Compatibility.
In Panorama, select
Panorama > Device Deployment > Dynamic Updates.
Click
Upload, select the update
Type,
Browse
to the appropriate content update file on the host, and click
OK.
Click
Install From File, select the update
Type, and select the
File Name
of the update you just uploaded.
Select the Log Collectors.
Click
OK
to start the installation.
Repeat these steps for each content update.
|
|
Install software updates.
|
In Panorama, select
Panorama > Device Deployment > Software.
Click
Upload,
Browse
to the appropriate software update file on the host, and click
OK.
Click
Install
in the Action column for the release you just uploaded.
Select the Log Collectors on which to install the update.
Select one of the following based on the update version you are installing within the upgrade path (
Step 3):
Upload only to device (do not install)
Reboot device after install
As a best practice, when upgrading to a Panorama 7.1 maintenance release (Panorama 7.1.1 or a later Panorama 7.1 release), install the Panorama 7.1.0 base image and reboot the appliance before you upload and install the maintenance release.
Click
OK
to start the installation.
|
|
Verify the software and content versions that are installed on each Log Collector.
|
Log in to the Log Collector CLI and enter the
show system info
operational command. The output will resemble the following:
sw-version: 7.1.3
app-version: 571-1738
app-release-date: 2016/01/29 15:46:03
av-version: 1168-1550
av-release-date: 2016/01/21 14:31:27
threat-version: 548-1738
threat-release-date: 2016/01/29 15:46:03
|
