>
    Strata Copilot
    Upgrade On-Premises Controller
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Upgrade On-Premises Controller
    Download PDF
    Prisma SD-WAN

    Upgrade On-Premises Controller

    Table of Contents

    Upgrade On-Premises Controller

    Learn to upgrade the on-premises controller.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Prisma SD-WAN
    Upgrade the on-premises controller from the Operator's console dashboard. For the current supported version, refer to the Prisma SD-WAN release notes.
    For any installation or upgrade support, contact Customer Support or the Product Management team.
    Before you begin — backup required:
    1. Trigger a manual backup of the controller configuration and verify the backup file exists at /mnt_ebs/backup_config before proceeding.
    2. Confirm the backup completed successfully and the file is not empty before continuing with the upgrade.
    3. The system retains only the latest 3 qcow files. Once you have upgraded beyond 3 versions, rollback to earlier versions is not possible. Ensure you understand the rollback window before proceeding.
    If the upgrade fails, see the Rollback section at the end of this topic.
    1. Copy the required qcow file of the controller version at the location /mnt_ebs/shared/qcow and ensure the script pre_patch_controller_upgrade.py is present at the location /home/ubuntu.
    2. Export the version to be upgraded and execute the upgrade script.
      Set the UPGRADE_BUNDLE_VERSION environment variable in the same terminal session you will use to run the script, then execute the script:
      export UPGRADE_BUNDLE_VERSION=6.2.3_1.3.54
./pre_patch_controller_upgrade.py all --ng-onprem-env="True"
      The export command must be run in the same terminal session as the script call. Setting this variable in a different shell will cause the upgrade script to use a null or incorrect version. Replace 6.2.3_1.3.54 with the version string for your target release.
      The command extracts the qcow file and places the files in the right folder. The latest 3 qcow files are retained; older files are deleted automatically. During the upgrade process, the Administrator and Operator consoles are not accessible. You may get a server error if you try to access the portals during this time.
    3. On the Dashboard, click Upgrade.
      When the controller upgrade is available, the Upgrade option is clickable.
    4. The Controller Image Upgrade shows the current version and version available for upgrade. Select the required version and click Upgrade.
      After the pre-checks are done, the upgrade process begins. You can track the progress of the upgrade and the log files.
    5. After the upgrade, you get the successful notification.
    6. Click the Back to Dashboard to go back to the Operator console dashboard.

    Rollback

    If the upgrade fails or the controller is in an unusable state after the upgrade, you can revert to a previous version using one of the retained qcow files:
    1. The system automatically retains the latest 3 qcow files in /mnt_ebs/shared/qcow. You can roll back to either of the two previous versions.
    2. Copy the previous qcow file to the same location and re-run the upgrade script with the older version number set in UPGRADE_BUNDLE_VERSION.
    3. If rollback is not possible (more than 3 versions have been applied or the qcow files are missing), contact Palo Alto Networks Customer Support and provide the backup file located at /mnt_ebs/backup_config.
    Rollback is only possible within the 3-version retention window. Upgrades beyond 3 versions without external backup storage may leave no rollback path. Plan accordingly and maintain external backups for compliance-critical deployments.

    © 2026 Palo Alto Networks, Inc. All rights reserved.