Upgrade the VM-Series for NSX Without Disrupting Traffic

Learn how to use Panorama to upgrade your VM-Series NSX edition firewalls without disrupting traffic.
Use the following procedure to upgrade the PAN-OS version of the VM-Series firewalls in your VMware NSX environment. This procedure allows you to perform the PAN-OS upgrade without disrupting traffic by migrating VMs to different ESXi hosts.
  1. Save a backup of the current configuration file on each managed firewall that you plan to upgrade.
    Although the firewall will automatically create a backup of the configuration, it is a best practice to create a backup prior to upgrade and store it externally.
    1. Select Device > Setup > Operations and click Export Panorama and devices config bundle. This option is used to manually generate and export the latest version of the configuration backup of Panorama and of each managed device.
    2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. Check the Release Notes to verify the Content Release version required for the PAN-OS version.
    The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
    1. Select Panorama > Device Deployment > Dynamic Updates.
    2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the Download link displays.
    3. Click Download to download a selected version. After successful download, the link in the Action column changes from Download to Install.
    4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.
  3. Download the PAN-OS image to all VM-Series firewalls in the cluster.
    1. Log in to Panorama.
    2. Select Panorama > Device Deployment > Software.
    3. Click Refresh to view the latest software release and also review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
    4. Click Download to retrieve the software then click Install.
      Do not reboot the VM-Series firewalls after installing the new software image.
    5. Select the managed devices to be upgraded.
    6. Clear the Reboot device after install check box.
    7. Click OK.
  4. Upgrade the VM-Series firewall on the first ESXi host in the cluster.
    1. Log in to vCenter.
    2. Select Hosts and Clusters.
    3. Right-click the host and select Maintenance Mode > Enter Maintenance Mode.
    4. Migrate (automatically or manually) all VMs, except the VM-Series firewall, off of the host.
    5. Power off the VM-Series firewall. This should happen automatically upon entering maintenance mode on the host.
    6. (Optional) Assign additional CPUs or memory to the VM-Series firewall before continuing with the upgrade process.
      Verify that enough hardware resources are available to the VM-Series firewall. Refer to the VM-Series System Requirements to see the new resource requirements for each VM-Series model.
    7. Right-click the host and select Maintenance Mode > Exit Maintenance Mode. Exiting maintenance mode causes the NSX ESX Agent Manager (EAM) to power on the VM-Series firewall. The firewall reboots with the new PAN-OS version.
    8. Migrate (automatically or manually) all VMs back to the original host.
  5. Repeat this process for each VM-Series firewall on each ESXi host.
  6. Verify the software and Content Release version running on each managed device.
    1. Select Panorama > Managed Devices.
    2. Locate the device(s) and review the content and software versions in the table.
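
The version check in the last step can also be scripted so that a firewall left on the old release after the rolling upgrade is not missed. The following is an added example, not part of the original procedure or of Palo Alto Networks' tooling: it assumes device inventory XML shaped like the reply to Panorama's `show devices all` operational command, and the serials, hostnames and version numbers in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a Panorama "show devices all" XML reply.
# Serials, hostnames and versions are made up for illustration.
SAMPLE = """<response status="success"><result><devices>
  <entry name="007000000001"><hostname>vm-nsx-esx01</hostname><connected>yes</connected>
    <sw-version>9.1.3</sw-version><app-version>8345-6421</app-version></entry>
  <entry name="007000000002"><hostname>vm-nsx-esx02</hostname><connected>yes</connected>
    <sw-version>9.0.9</sw-version><app-version>8345-6421</app-version></entry>
  <entry name="007000000003"><hostname>vm-nsx-esx03</hostname><connected>yes</connected>
    <sw-version>9.1.3</sw-version><app-version>8290-6181</app-version></entry>
  <entry name="007000000004"><hostname>vm-nsx-esx04</hostname><connected>no</connected>
    <sw-version>9.1.3</sw-version><app-version>8345-6421</app-version></entry>
</devices></result></response>"""


def content_key(version):
    """Turn a content version such as '8345-6421' into a comparable tuple."""
    return tuple(int(part) for part in version.split("-"))


def find_stragglers(xml_text, target_sw, min_content):
    """Return {hostname: [problems]} for devices that missed the upgrade."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("Panorama reported a failed request")
    problems = {}
    for entry in root.iterfind("./result/devices/entry"):
        host = entry.findtext("hostname") or entry.get("name")
        found = []
        if entry.findtext("connected") != "yes":
            found.append("not connected; reported versions may be stale")
        sw = entry.findtext("sw-version", default="")
        if sw != target_sw:
            found.append(f"PAN-OS {sw or 'unknown'}, expected {target_sw}")
        content = entry.findtext("app-version", default="")
        try:
            if content_key(content) < content_key(min_content):
                found.append(f"content {content} older than {min_content}")
        except ValueError:
            found.append(f"unreadable content version {content!r}")
        if found:
            problems[host] = found
    return problems


if __name__ == "__main__":
    for host, found in find_stragglers(SAMPLE, "9.1.3", "8345-6421").items():
        print(host, "->", "; ".join(found))
```

An empty result means every managed device reports the target PAN-OS version and at least the required Content Release version; any listed host should be rechecked in Panorama before the upgrade is considered complete.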
