Upgrade the VM-Series for NSX by Changing the OVF URL

Learn how to change the service definition OVF URL to upgrade the VM-Series NSX edition firewalls.
You can upgrade the PAN-OS version of your VM-Series firewall for NSX by changing the OVF URL in the service definition. If you do not change the OVF URL, any firewalls deployed in the future will be running the currently installed version of PAN-OS and require an additional upgrade. Changing the service definition requires you to redeploy the firewalls, which causes a disruption of service. Therefore, Palo Alto Networks recommends that you perform this upgrade during a maintenance window.
  1. Save a backup of the current configuration file of the firewalls that you plan to upgrade.
    Although the firewall will automatically create a backup of the configuration, create a backup prior to upgrade and store it externally.
    1. Select
      Device
      Setup
      Operations
      and click
      Export Panorama and devices config bundle
      . This option is used to manually generate and export the latest version of the configuration backup of Panorama and of each managed device.
    2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. Check the Release Notes to verify the Content Release version required for the new PAN-OS version.
    The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
    1. Select
      Panorama
      Device Deployment
      Dynamic Updates
      .
    2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the
      Download
      link displays.
      content_updates.PNG
    3. Click
      Download
      to download a selected version. After successful download, the link in the
      Action
      column changes from
      Download
      to
      Install
      .
    4. Click
      Install
      and select the devices on which you want to install the update. When the installation completes, a check mark displays in the
      Currently Installed
      column.
  3. Download the new PAN-OS base image file.
    1. Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site.
      Select the ovf file that matches the VM-Series model you plan to deploy. For the VM-200, use vm100.ovf. For the VM-1000-HV, use vm300.ovf.
    2. Unzip the image file to extract and save the .ovf, mf, and .vmdk files to a directory accessible to NSX Manager. Place all three files in the same directory. These files are used to deploy each instance of the firewall.
      If needed, modify the security settings on the server so that you can download the file types. For example, on the IIS server modify the Mime Types configuration; on an Apache server edit the .htaccess file.
  4. Add the new OVF URL to your service definition configuration.
    1. Select
      Panorama
      VMware NSX
      Service Definitions
      , and select the service definition you want to edit.
    2. In
      VM-Series OVF URL
      , add the location of the web server that hosts the new ovf file. Both http and https are supported protocols. For example, enter https://acme.com/software/PA-VM-NSX.9.0.0.ovf.
      You can use the same ovf version or different versions across service definitions. Using different ovf versions across service definitions allows you to vary the PAN-OS version on the VM-Series firewalls in different ESXi clusters
      .
    3. Click
      OK
      .
    4. Select
      Commit
      Commit to Panorama
      Commit
      .
      Changing the OVF URL and committing it to Panorama triggers a configuration mismatch on NSX Manager. In vCenter, you must resolve the mismatch to redeploy the firewalls tied to the service definition.
  5. Manually deactivate the VM-Series for NSX license. Complete this task through the Panorama CLI or web interface.
  6. Redeploy the firewalls. Redeploying your firewalls will interrupt any traffic moving across the firewalls.
    1. Log in to vSphere.
    2. Select
      Network & Security
      Installation
      Service Deployments
      .
    3. Click the
      Failed
      icon in the Installation Status column to display the System Alarm window.
    4. Click
      Resolve
      . Clicking Resolve redeploys the firewalls with the new ovf.
      Redeploying your firewalls will interrupt traffic that is redirected to the firewalls.
      multi-nsx-redeploy-fw-nsx.png
  7. Verify that your firewalls have redeployed successfully.
    1. Select
      Network & Security
      Installation
      Service Deployments
      .
    2. Verify that the Installation Status now displays Successful.

Recommended For You