Upgrade the VM-Series for NSX Without Disrupting Traffic

Use the following procedure to upgrade the PAN-OS version of the VM-Series firewalls in your VMware NSX environment. This procedure allows you to perform the PAN-OS upgrade without disrupting traffic by migrating VMs to different ESXi hosts.
  1. Save a backup of the current configuration file on each managed firewall that you plan to upgrade.
    Although the firewall will automatically create a backup of the configuration, it is a best practice to create a backup prior to upgrade and store it externally.
    1. Select DeviceSetupOperations and click Export Panorama and devices config bundle. This option is used to manually generate and export the latest version of the configuration backup of Panorama and of each managed device.
    2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. Check the Release Notes to verify the Content Release version required for the PAN-OS version.
    The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
    1. Select PanoramaDevice DeploymentDynamic Updates.
    2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the Download link displays.
      content_updates.PNG
    3. Click Download to download a selected version. After successful download, the link in the Action column changes from Download to Install.
    4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.
  3. Download the PAN-OS image to all VM-Series firewalls in the cluster.
    1. Login to Panorama.
    2. Select PanoramaDevice DeploymentSoftware.
    3. Click Refresh to view the latest software release and also review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
      nsx-pan-os-image-download.png
    4. Click Download to retrieve the software then click Install.
      Do not reboot the VM-Series firewalls after installing the new software image.
    5. Select the managed devices to be upgraded.
    6. Clear the Reboot device after install check box.
      nsx-pan-os-upgrade.png
    7. Click OK.
  4. Upgrade the VM-Series firewall on the first ESXi host in the cluster.
    1. Login to vCenter.
    2. Select Hosts and Clusters.
    3. Right-click the host and select Maintenance ModeEnter Maintenance Mode.
    4. Migrate (automatically or manually) all VMs, except the VM-Series firewall, off of the host.
    5. Power off the VM-Series firewall. This should happen automatically upon entering maintenance mode on the host.
    6. (Optional) Assign additional CPUs or memory to the VM-Series firewall before continuing with the upgrade process.
      Verify that enough hardware resources are available to the VM-Series firewall. Refer to the VM-Series System Requirements to see the new resource requirements for each VM-Series model.
    7. Right-click the host and select Maintenance ModeExit Maintenance Mode. Exiting maintenance mode causes the NSX ESX Agent Manager (EAM) to power on the VM-Series firewall. The firewall reboots with the new PAN-OS version.
    8. Migrate (automatically or manually) all VMs back to the original host.
  5. Repeat this process for each VM-Series firewall on each ESXi host.
  6. Verify the software and Content Release version running on each managed device.
    1. Select PanoramaManaged Devices.
    2. Locate the device(s) and review the content and software versions on the table.

Related Documentation