A valid support subscription enables access to the Panorama software image and release notes. To take advantage of the latest fixes and security enhancements, it is a good idea to upgrade to the latest software update or to the update version that your reseller or a Palo Alto Networks Systems Engineer recommends. The procedure to install software and content updates depends on whether Panorama has a direct connection to the internet and whether it has a high availability (HA) configuration.
Panorama, Log Collector, and Firewall Version Compatibility
Palo Alto Networks highly recommends running the same Panorama release on both the Panorama management server and the Dedicated Log Collectors. Panorama can manage firewalls that are running the same or an earlier PAN-OS release with the caveat that Panorama 6.1 and later versions cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.
Additionally, you should ensure that the content release version on the Panorama management server is the same (or earlier) version than the content release version on any Dedicated Log Collectors or managed firewalls.
Palo Alto Networks recommends installing the same Applications database version on Panorama as on the Dedicated Log Collectors and firewalls.
Regardless whether your subscriptions include the Applications database or Applications and Threats database, Panorama installs only the Applications database. Panorama and Dedicated Log Collectors do not enforce policy rules so they do not require the threat signatures in the Threats database. The Applications database contains threat metadata (such as threat IDs and names) that you use on Panorama and Dedicated Log Collectors when defining policy rules to push to managed firewalls and when interpreting threat information in logs and reports. However, firewalls do require the full Applications and Threats database to match the identifiers recorded in logs with the corresponding threat, URL, or application names. Refer to the Release Notes for the minimum content release version required for a Panorama release.
Install Updates for Panorama in an HA Configuration
To ensure a seamless failover when you update the Panorama software in a high availability (HA) configuration, the active and passive Panorama peers must be running the same Panorama release with the same Applications database version. The following example describes how to upgrade an HA pair (active peer is Primary_A and passive peer is Secondary_B).
Install Updates for Panorama in an HA Configuration
Upgrade the Panorama software on the Secondary_B (passive) peer. Perform one of the following tasks on the Secondary_B peer: Install Updates for Panorama with an Internet Connection Install Updates for Panorama without an Internet Connection After the upgrade, this Panorama peer transitions to a non-functional state because the peers are no longer running the same software release.
Suspend the Primary_A peer to force a failover. On the Primary_A peer: In the Operational Commands section ( Panorama > High Availability), Suspend local Panorama. Verify that state is suspended (displayed on bottom-right corner of the web interface). The resulting failover should cause the Secondary_B peer to transition to active state.
Upgrade the Panorama software on the Primary_A (currently passive) peer. Perform one of the following tasks on the Primary_A peer: Install Updates for Panorama with an Internet Connection Install Updates for Panorama without an Internet Connection After you reboot, the Primary_A peer first transitions to the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state. If you disabled preemption, manually Restore the Primary Panorama to the Active State.
Verify that both peers are now running any newly installed content release versions and the newly installed Panorama release. On the Dashboard of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
Install Updates for Panorama with an Internet Connection
If Panorama has a direct connection to the internet, perform the following steps to install Panorama software updates. If Panorama is deployed in a high availability (HA) configuration, you must upgrade the Panorama software on each peer as described when you Install Updates for Panorama in an HA Configuration.
As a best practice, before you upgrade software on an M-Series appliance, ensure that Panorama has a local Log Collector ( Panorama > Managed Collectors) that is assigned to a Collector Group ( Panorama > Collector Groups). For details, see Configure a Managed Collector.
Install Updates for Panorama with an Internet Connection
Verify that the updates you plan to install are appropriate for your Panorama deployment. Refer to the Release Notes for the minimum content release version required for a Panorama software release. If you intend to upgrade Log Collectors and firewalls to a particular release, you must first upgrade Panorama to that (or a later) release. For a Panorama virtual appliance that runs on an ESXi server, ensure that the server meets the requirements (see Setup Prerequisites for the Panorama Virtual Appliance).
Save a backup of the current Panorama configuration file that you can use to restore the configuration if you have problems with the upgrade. Although Panorama automatically creates a backup configuration, best practice is to create and externally store a backup before you upgrade. Save named Panorama configuration snapshot ( Panorama > Setup > Operations), enter a Name for the configuration, and click OK. Export named Panorama configuration snapshot, select the Name of the configuration you just saved, click OK, and save the exported file to a location that is external to Panorama.
( As needed ) Install content updates. If Panorama is not running the minimum content versions required for the Panorama release to which you intend to upgrade, you must update content versions to the minimum (or later) versions before you install the software updates. Refer to the Release Notes for the minimum content release version you must install for a Panorama release. Palo Alto Networks highly recommends that Panorama, Log Collectors, and all managed firewalls run the same content release version. Additionally, we recommend that you schedule automatic, recurring updates so that you are always running the latest content versions ( Step 7). Check Now ( Panorama > Dynamic Updates) for the latest updates. If the value in the Action column is Download, an update is available. Ensure that Panorama is running the same but not a later content release version than is running on managed firewalls and Log Collectors. ( As needed ) Before you update the content release version on Panorama, be sure to upgrade managed firewalls and then Log Collectors (see Deploy an Update to Log Collectors when Panorama is Internet-connected) to the same (or a later) content release version. If you do not need to install content updates at this time, then skip ahead to Step 4. Install content updates in the following sequence. When an installation completes, the Currently Installed column displays a check mark. Download and Install the Applications or Applications and Threats update. Regardless of your subscription, Panorama installs and needs only the Applications content update, not the Threats content. For details, see Panorama, Log Collector, and Firewall Version Compatibility. Download and Install any other updates (Antivirus, WildFire, or URL Filtering) as needed, one at a time, and in any sequence.
Determine the software upgrade path. You cannot skip installation of any major release versions in the path to your target release. For example, if you intend to upgrade from Panorama 6.0.13 to Panorama 7.1.3, you must: Download and install Panorama 6.1.0 and reboot. Download and install Panorama 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release; not 7.0.0). Download Panorama 7.1.0. Optionally, install this base image and reboot before you install the target maintenance release. Download and install Panorama 7.1.3 and reboot. Check which version has a check mark in the Currently Installed column ( Panorama > Software) and proceed as follows: If a Panorama 7.0 release is currently installed, skip ahead to Step 6 to upgrade to a Panorama 7.1 release. If a release earlier than Panorama 7.0 is installed, proceed to Step 5 and follow the upgrade path to Panorama 7.0.1 before you upgrade to a Panorama 7.1 release. We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
Use the upgrade path identified in Step 4 to upgrade to a Panorama 7.0 release. Repeat the following procedure until the appliance is running a Panorama 7.0 release—do not skip installation of any major release version in the path to your target Panorama 7.1 release. Check Now ( Panorama > Software) for the latest updates. If an update is available, the Action column displays Download. For each release in your upgrade path, Download the model-specific file for the release version to which you are upgrading. For example, to upgrade an M-Series appliance to Panorama 7.0.1, download the Panorama_m-7.0.1 image; to upgrade a Panorama virtual appliance to Panorama 7.0.1, download the Panorama_pc-7.0.1 image. After a successful download, the Action column changes from Download to Install for the downloaded image. By default, you can download a maximum of two software or content updates of each type on a Panorama appliance and if you download a third update of the same type, Panorama will delete the update for the earliest version of that type. If you need to upload more than two software updates or content updates of a single type, use the set max-num-images count < number > CLI command to increase the maximum. Install the software update. If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username and password you specified during initial configuration. If you are not prompted to reboot, Reboot Panorama from the Device Operations section ( Panorama > Setup > Operations). Repeat these steps for each release in your upgrade path.
Install Panorama 7.1. Check Now ( Panorama > Software) for the latest updates. If an update is available, the Action column displays Download. If you are upgrading to a Panorama 7.1 maintenance release (a release other than the Panorama 7.1.0 base image), first download the Panorama 7.1.0 release. Locate and Download the model-specific file for the release version to which you are upgrading. For example, to upgrade an M-Series appliance to Panorama 7.1.0, download the Panorama_m-7.1.0 image; to upgrade a Panorama virtual appliance to Panorama 7.1.0, download Panorama_pc-7.1.0 . After a successful download, the Action column changes from Download to Install for the downloaded image. ( Required for the target release; optional for the base-image—PAN-OS 7.1.0 release—if upgrading to a maintenance release ) Install the downloaded image and then reboot. Install the image. As a best practice, when upgrading to a Panorama 7.1 maintenance release (Panorama 7.1.1 or later release), install the Panorama 7.1.0 base image and reboot the appliance before you download and install the maintenance release. After the installation completes successfully, reboot using one of the following methods: If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username and password you specified during initial configuration. If you are not prompted to reboot, Reboot Panorama from the Device Operations section ( Panorama > Setup > Operations). ( Required only if upgrading to a PAN-OS 7.1 maintenance release ) After completing the above steps for the PAN-OS 7.1.0 base image, repeat steps 1 through 3 to upgrade to the target maintenance release.
( Best Practice ) Schedule recurring, automatic content updates. Panorama does not synchronize content update schedules across HA peers. You must perform this task on both the active and passive Panorama. In the header row for each update type ( Panorama > Dynamic Updates), the Schedule is initially set to None. Perform the remaining steps for each update type. Click None and select the update frequency ( Recurrence). The frequency options depend on the update type. Select the schedule action: Download And Install ( Best Practice )—Panorama automatically installs updates after downloading them. Download Only —You must manually install updates after Panorama downloads them. Based on the best practices for the security posture of your organization, configure a delay ( Threshold) after an update becomes available before Panorama downloads the update. Click OK to save your changes. Select Commit > Commit to Panorama and Commit your changes.
( Only if upgrading from a release earlier than Panorama 5.1 to a Panorama 5.1 or later release running on an ESXi server ) Configure the Panorama virtual appliance settings on the VMware ESXi server. After Panorama reboots, complete the following tasks: Access the VMware vSphere Client and select go to the Virtual Machines tab. Right-click the Panorama virtual appliance and select Power > Power Off. Right-click the Panorama virtual appliance again and Edit Settings as follows: Select the Hardware tab and allocate Memory based on how many firewalls Panorama manages: 1–10 managed firewalls: 4GB 11–50 managed firewalls: 8GB 51–1,000 managed firewalls: 16GB Set the SCSI Controller to LSI Logic Parallel. Go to the Options tab, select General Options, set the Guest Operating System to Linux, and set the Version to Other Linux (64-bit). Click OK. Right-click the Panorama virtual appliance and select Power > Power On.
Install Updates for Panorama without an Internet Connection
If Panorama does not have a direct connection to the internet, perform the following steps to install content and software updates. If Panorama is deployed in a high availability (HA) configuration, you must upgrade each peer as described when you Install Updates for Panorama in an HA Configuration.
As a best practice, before you upgrade software on an M-Series appliance, ensure that Panorama has a local Log Collector ( Panorama > Managed Collectors) that is assigned to a Collector Group ( Panorama > Collector Groups). For details, see Configure a Managed Collector.
Install Updates for Panorama without an Internet Connection
Verify that the updates you plan to install are appropriate for your Panorama deployment. Refer to the Release Notes for the minimum content release version you must install for a Panorama software release. If you intend to upgrade Log Collectors and firewalls to a particular release, you must first upgrade Panorama to that (or a later) release. For a Panorama virtual appliance that runs on an ESXi server, ensure that the server meets the requirements (see Setup Prerequisites for the Panorama Virtual Appliance).
Save a backup of the current Panorama configuration file that you can use to restore the configuration if you have problems with the upgrade. Although Panorama automatically creates a backup of the configuration, best practice is to create and externally store a backup before you upgrade. Save named Panorama configuration snapshot ( Panorama > Setup > Operations), enter a Name for the configuration, and click OK. Export named Panorama configuration snapshot, select the Name of the configuration you just saved, click OK, and save the exported file to a location that is external to Panorama.
Determine which content updates you need to install. You must install content updates before software updates. Palo Alto Networks highly recommends that Panorama, Log Collectors, and all managed firewalls run the same content release version. For each content update, determine whether you need updates and which content updates you need to download in Step 4. Ensure that Panorama is running the same but not a later content release version than is running on managed firewalls and Log Collectors. ( As needed ) To ensure that you can update Panorama to the latest content updates, first upgrade managed firewalls to the latest updates.
( As needed ) Download content updates to a host that can connect and upload content to Panorama either over SCP or HTTPS. If you do not need to install content updates at this time, skip ahead to Step 6. Use a host that has internet access to log in to the Palo Alto Networks Customer Support website. Download content updates as needed: If Panorama is not running the minimum content versions required for the Panorama release to which you intend to upgrade, refer to the Release Notes for the minimum content release version you must install before you update the Panorama software. Palo Alto Networks highly recommends that Panorama, Log Collectors, and all managed firewalls run the same content release version. Click Updates > Dynamic Updates in the Resources section. Download the appropriate content updates and save the files to the host. Perform this step for each content type you need to update.
Install content updates as needed. You must install content updates before software updates and you must install the content updates on firewalls first and then install the content updates on Log Collectors before you install them on the Panorama management server. Install the Applications or Applications and Threats update first, and then install any other updates (Antivirus, WildFire, and URL Filtering) as needed, one at a time, and in any sequence. Regardless whether your subscription includes both Applications and Threats content, Panorama installs and needs only the Applications content. For details, see Panorama, Log Collector, and Firewall Version Compatibility. In Panorama ( Panorama > Dynamic Updates), perform the following steps for each content type: Click Upload, select content Type, Browse to the location on the host to which you downloaded the update, select the update, and click OK. Install From File, select the Package Type, and click OK.
Determine the software upgrade path. You cannot skip installation of any major release versions in the path to your target release. For example, if you intend to upgrade from Panorama 6.0.13 to Panorama 7.1.3, you must: Upload and install Panorama 6.1.0 and reboot. Upload and install Panorama 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release; not 7.0.0). Upload Panorama 7.1.0. Optionally, install this base image and reboot before you install the target maintenance release. Upload and install Panorama 7.1.3 and reboot. Check which version has a check mark in the Currently Installed column ( Panorama > Software) and make a list of all versions in your upgrade path that you need to download from the Palo Alto Networks update server so that you can upload each to the appliance as needed when you upgrade. We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
Download software updates to a host that can connect and upload content to Panorama either over SCP or HTTPS. Use a host with internet access to log in to the Palo Alto Networks Customer Support website. Download software updates: On the main page of Palo Alto Networks Customer Support website, click Updates > Software Updates (Resources section). For the first (or next) Panorama release in your upgrade path, identify the model-specific file. For example, to upgrade an M-Series appliance to Panorama 7.0.1, download the Panorama_m-7.0.1 image; to upgrade a Panorama virtual appliance to Panorama 7.0.1, download the Panorama_pc-7.0.1 image. You can quickly locate Panorama images by selecting Panorama M Images (M-Series appliances) or Panorama Updates (virtual appliances) from the Filter By drop-down. Click the filename and save the file to the host. Repeat steps b and c for any additional release versions in your upgrade path as determined in Step 6.
Install the software updates. For each release in your upgrade path (starting with the earliest), perform the following steps: Click Upload ( Panorama > Software). Browse to the location on the host to which you downloaded the update, select the update, Sync To Peer if Panorama is in an HA configuration (to push the software image to the secondary peer), and click OK. ( Required for each base image release in the upgrade path except the base-image—PAN-OS 7.1.0 release—if upgrading to a PAN-OS 7.1 maintenance release ) Install the software image and reboot. For an HA configuration, Install Updates for Panorama in an HA Configuration ; otherwise: Install the downloaded image. As a best practice, when upgrading to a Panorama 7.1 maintenance release (Panorama 7.1.1 or a later Panorama 7.1 release), install the Panorama 7.1.0 base image and reboot the appliance before you upload and install the maintenance release. After the installation completes successfully, reboot using one of the following methods: If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username and password you specified during initial configuration. If you are not prompted to reboot, Reboot Panorama from the Device Operations section ( Panorama > Setup > Operations). Repeat steps 1 through 3 for each release in your path.
( Only if upgrading from a release earlier than Panorama 5.1 to a Panorama 5.1 or later release running on an ESXi server ) Configure the Panorama virtual appliance settings on the VMware ESXi server. After Panorama reboots, complete the following tasks: Access the VMware vSphere Client and go to the Virtual Machines tab. Right-click the Panorama virtual appliance and select Power > Power Off. Right-click the Panorama virtual appliance and Edit Settings: Select the Hardware tab and allocate Memory based on how many firewalls Panorama manages: 1 to 10 managed firewalls: 4GB 11 to 50 managed firewalls: 8GB 51 to 1,000 managed firewalls: 16GB Set the SCSI Controller to LSI Logic Parallel. Go to the Options tab, select General Options, set the Guest Operating System to Linux, and set the Version to Other Linux (64-bit). Click OK. Right-click the Panorama virtual appliance and select Power > Power On.

Related Documentation