Upgrade a Cluster Centrally on Panorama with an Internet
WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama. If Panorama has a direct connection to the Internet, you can check and download new releases directly from Panorama.
Panorama can only manage WildFire appliances and appliance clusters operating the same software version or a later software version.
- Upgrade Panorama to an equal or later release than the target software release you want to install on the WildFire cluster.
- Temporarily suspend sample analysis.
- Stop firewalls from forwarding any new samples to the WildFire appliance.
- Log in to the firewall web interface.
- SelectDevice > Setup > WildFireand editGeneral Settings.
- Clear theWildFire Private Cloudfield.
- Confirm that analysis for samples the firewalls already submitted to the appliance is complete:
If you do not want to wait for the WildFire appliance to finish analyzing recently-submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.
- Log in to the Panorama web interface.
- SelectPanorama > Managed WildFire ClustersandViewthe cluster analysis environmentUtilization.
- Verify that theVirtual Machine Usagedoes not show any sample analysis in progress.
- Install the latest WildFire appliance content update.These updates equip the appliance with the latest threat information to accurately detect malware.
- Download the WildFire content update:
- SelectPanorama > Device Deployment > Dynamic Updates.
- Select a WildFire content update release package and clickDownload.
- Select the WildFire cluster(s) or individual appliances that you want to upgrade.
- ClickOKto start the installation.
- Download the PAN-OS software version to the WildFire appliance.You cannot skip any major release version when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.
- Download the WildFire software upgrade:
- SelectPanorama > Device Deployment > Software.
- ClickCheck Nowto retrieve an updated list of releases.
- Select the WildFire release that you wish to install and clickDownload.
- ClickCloseto exit theDownload Softwarewindow
- Select the WildFire cluster(s) that you want to upgrade.
- Select an install mode:
- (8.0.2 and later)Select Reboot device after install.
- (8.0.1 and later) SelectUpload only.
- ClickOKto start the installation.
- (Optional) Monitor installation progress on Panorama.
- (8.0.1 only) After the upgrade package finishes uploading, install the upgrade on each node:
- admin@WF-500 (passive-controller)>request system software install version 8.0.2
- Confirm that the upgrade is complete. Run the following command and look for the job typeInstalland statusFIN:admin@WF-500(passive-controller)>show jobs allEnqueued Dequeued ID Type Status Result Completed ---------------------------------------------------- 14:53:15 14:53:15 5 Install FIN OK 14:53:19
- Gracefully restart the appliance:admin@WF-500(passive-controller)>request cluster reboot-local-nodeThe upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.
- Repeat for each WildFire worker node in the cluster.
- (Optional) View the status of the reboot tasks on the WildFire controller node.On the WildFire cluster controller, run the following command and look for the job typeInstalland StatusFIN:admin@WF-500(active-controller)>show cluster task pending
- Check that the WildFire appliance is ready to resume sample analysis.
- Verify that the sw-version field shows 8.0.1:admin@WF-500(passive-controller)>show system info | match sw-version
- Confirm that all processes are running:admin@WF-500(passive-controller)>show system software status
- Confirm that the auto-commit (AutoCom) job is complete:admin@WF-500(passive-controller)>show jobs all