PAN-OS Software Patch Deployment
Install bug and Common Vulnerabilities and Exposures (CVE) fixes on your Palo Alto Networks
Next-Generation Firewall (NGFW), WF-500 appliance, and Panorama™ management server.
Upgrading your Palo Alto Networks Next-Generation Firewall (NGFW), WF-500 appliance, or
Panorama™ management server to a new PAN-OS release introduces new features developed to
strengthen your security posture and fix known issues. This requires you to schedule
downtime, and potentially introduces changes to default behaviors and additional issues
that your security administrator has not yet reviewed or may not want to introduce into
your production environment.
In some cases, an identified bug or Common Vulnerabilities and Exposures (CVE) issue needs
to be addressed immediately. PAN-OS software patch deployment allows you to download and
install PAN-OS software patches to apply fixes without requiring you to schedule a
prolonged maintenance window to install new PAN-OS versions. Patches are designed to
address bugs and CVEs only; no new features, functionality, or web interface changes are
introduced in a PAN-OS software patch. This allows you to strengthen your security
posture immediately without introducing any new known issues or changes to default
behaviors that may come with installing a new PAN-OS release. A PAN-OS software patch is
deployed directly from the Palo Alto Networks NGFW or Panorama web interface. For
Panorama managed firewalls and WF-500 appliances, you can install a PAN-OS software
patch on your managed devices from the Panorama web interface.
PAN-OS software patches are cumulative. This means that a more recent version of a
software patch for any given PAN-OS version includes all the fixes included in the
previous software patches. For example, Palo Alto Networks released the following
software patches for PAN-OS 10.2.8: 10.2.8-p1.sb1, 10.2.8-p1.sb2, and 10.2.8-p1.sb3.
In this case, 10.2.8-p1.sb3 includes every bug and CVE fix introduced in
10.2.8-p1.sb1 and 10.2.8-p1.sb2.
PAN-OS software patch deployment is supported on Palo Alto Networks NGFW, WF-500
appliances, and Panorama running PAN-OS 10.2.8 or a later 10.2 release. PAN-OS
software patches require an outbound internet connection to download from the Palo Alto
Networks Update Server. For air-gapped managed devices, Panorama must still have an
outbound internet connection to download PAN-OS software patches, but an outbound
internet connection isn't required to install and apply them to your managed
devices.
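The cumulative rule and the supported-release rule above can be turned into a fleet audit; the following Python is an added example, not Palo Alto Networks code, run over a constructed inventory with hypothetical device names. It assumes patch names follow the `<release>-pN.sbM` shape of the three names on this page, compares only patches with the same release and `-pN`, and assumes a patch applies only to its own PAN-OS release.

```python
import re

# Assumption: patch names follow the shape of the three on the page,
# <PAN-OS release>-p<N>.sb<M>, for example 10.2.8-p1.sb3.
PATCH_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-p(\d+)\.sb(\d+)$")
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_patch(name):
    """Return ((major, minor, maint, p), sb) for a patch name."""
    m = PATCH_RE.match(name)
    if not m:
        raise ValueError(f"unrecognized patch name: {name!r}")
    *line, sb = map(int, m.groups())
    return tuple(line), sb

def release_tuple(release):
    m = RELEASE_RE.match(release)
    return tuple(map(int, m.groups())) if m else None

def supports_patching(release):
    """PAN-OS 10.2.8 or a later 10.2 release, as the page states."""
    r = release_tuple(release)
    return r is not None and r[:2] == (10, 2) and r[2] >= 8

def covers(installed, required):
    """Cumulative rule: a later .sb of the same patch line includes earlier ones."""
    if installed is None:
        return False
    (line_i, sb_i), (line_r, sb_r) = parse_patch(installed), parse_patch(required)
    return line_i == line_r and sb_i >= sb_r

def audit(inventory, required):
    """Map each device to ok / needs-patch / other-release / unsupported-release."""
    req_release = parse_patch(required)[0][:3]
    report = {}
    for device, release, patch in inventory:
        if not supports_patching(release):
            report[device] = "unsupported-release"
        elif release_tuple(release) != req_release:
            report[device] = "other-release"  # assumption: patches are per release
        else:
            report[device] = "ok" if covers(patch, required) else "needs-patch"
    return report

# Constructed inventory: (device, running PAN-OS release, installed patch or None)
INVENTORY = [
    ("fw-edge-01", "10.2.8", "10.2.8-p1.sb3"),
    ("fw-edge-02", "10.2.8", "10.2.8-p1.sb1"),
    ("fw-dc-01", "10.2.8", None),
    ("fw-lab-01", "10.2.7", None),
    ("panorama-01", "10.2.9", None),
]
```

Calling `audit(INVENTORY, "10.2.8-p1.sb2")` reports which devices already carry the fixes in that patch and which cannot take it at all.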