End-of-Life (EoL)
A stack update allows you to modify the resources that the CFT deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters in the CFT:
PAN-OS version—Deploy new VM-Series firewalls with a different PAN-OS version. License—Switch from BYOL to PAYG and vice versa or switch from one PAYG bundle to another. Other stack resources— Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the instance type, key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.
When you deploy the CFT, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instance, and it specifies parameters such as the AMI ID, the instance type, key pair for your auto scaling group. To modify these parameters, you must update the stack and then replace the existing auto scaling group with a new auto scaling group that uses the updated stack parameters to create the launch configuration and deploy new instances with these new parameters; existing instances continue to run with the configuration that they were originally launched with. This phased rollout allows you to verify the updates in one AZ at a time and then complete the changes across the other AZs without disruption. For critical applications, perform a stack update during a maintenance window.
You can update stack directly or create change sets. The workflow in this document takes you through the manual stack update.
Stack Update with VM-Series Auto Scaling Template v1.2
In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.
Modify the resources that you want to update. PAN-OS version—To modify the PAN-OS version look up the AMI ID for the version you want to use and enter the ID. If you are upgrading to PAN-OS 8.0 make sure to select an instance type that meets the VM-Series System Requirements. License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2. If you’re switching to BYOL, make sure to include the auth code in the bootstrap package (See Step 3 and Step 5). If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall. Other stack resources— You can modify the AMI ID, the instance type, security group, key pair for the stack resources, or the API key associated with the administrative user account on the firewall. If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, in order to update that stack and deploy new firewalls with the updated API key, you must generate the API key for the administrative user account, export the configuration from the firewall, rename it to bootstrap.xml and upload it to the S3 bootstrap folder. Uploading the bootstrap file allows you to ensure that new firewall instances are configured with the updated administrative user account.
Acknowledge the notifications and review the changes and click Update to initiate the stack update.
On the EC2 dashboard > Auto Scaling Groups and pick an AZ in which to delete the ASG. Deleting an ASG allows you to replace the existing ASGs (one at a time) with a new ASG that uses the new parameters.
Delete the launch configuration.
Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG. Test the new ASG thoroughly and ensure it is properly handling traffic. As a best practice, wait one hour before continuing to the next ASG.
Repeat Step 4 through Step 6 to replace the ASGs in the remaining AZs.

Recommended For You