Upgrade a Cluster Locally without an Internet Connection
To upgrade a cluster locally, you must individually upgrade each WildFire appliance enrolled in a cluster. When an appliance finishes upgrading, it automatically re-enrolls into the cluster that it was originally assigned to.
- Temporarily suspend sample analysis.
- Stop firewalls from forwarding any new samples to the WildFire appliance.
- Log in to the firewall web interface.
- SelectDevice > Setup > WildFireand editGeneral Settings.
- Clear theWildFire Private Cloudfield.
- Confirm that analysis for samples the firewalls already submitted to the appliance is complete:admin@WF-500(passive-controller)>show wildfire latest samplesIf you do not want to wait for the WildFire appliance to finish analyzing recently-submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.
- Retrieve the content update file from the update server.
- Log in to the Palo Alto Networks Support Portal and clickDynamic Updates.
- In the WildFire Appliance section, locate the latest WildFire appliance content update and download it.
- Copy the content update file to an SCP-enabled server and note the file name and directory path.
- Install the content update on the WildFire appliance.
- Log in to the WildFire appliance and download the content update file from the SCP server:admin@WF-500>scp import wf-content from username@host:pathFor example:admin@WF-500>scp import wf-content from firstname.lastname@example.org:c:/updates/panup-all-wfmeta-2-253.tgzIf your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in thescp importcommand.
- Install the update:admin@WF-500>request wf-content upgrade install file panup-all-wfmeta-2-253.tgz
- View the status of the installation:admin@WF-500>show jobs all
- Verify the content update.Verify the content version:admin@WF-500>show system info | match wf-content-versionThe following output now shows version 2-253:wf-content-version: 2-253
- Verify that the WildFire appliance software version you want to install is available.admin@WF-500(passive-controller)>request system software check
- Download the PAN-OS 9.0 software version to the WildFire appliance.You cannot skip any major release version when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.Download the 9.0.0 software version:
- Navigate to the PaloAlto Networks Support site and in the Tools section, click onSoftware Updates.
- Download the WildFire appliance software image file to be installed to a computer running SCP server software.
- Import the software image from the SCP server:admin@WF-500>scp import software from <username@ip_address>/<folder_name>/<imagefile_name>For example:admin@WF-500>scp import software from email@example.com:/tmp/WildFire_m-9.0.0
- To check the status of the download, use the following command:admin@WF-500>show jobs all
- Confirm that all services are running.admin@WF-500(passive-controller)>show system software status
- Install the 9.0 software version.admin@WF-500(passive-controller)>request system software install version 9.0.0
- Complete the software upgrade.
- Confirm that the upgrade is complete. Run the following command and look for the job typeInstalland statusFIN:admin@WF-500(passive-controller)>show jobs allEnqueued Dequeued ID Type Status Result Completed ---------------------------------------------------- 14:53:15 14:53:15 5 Install FIN OK 14:53:19
- Gracefully restart the appliance:admin@WF-500(passive-controller)>request cluster reboot-local-nodeThe upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.
- Repeat steps 1-9 for each WildFire worker node in the cluster.
- (Optional) View the status of the reboot tasks on the WildFire controller node.On the WildFire cluster controller, run the following command and look for the job typeInstalland StatusFIN:admin@WF-500(active-controller)>show cluster task pending
- Check that the WildFire appliance is ready to resume sample analysis.
- Verify that the sw-version field shows 9.0:admin@WF-500(passive-controller)>show system info | match sw-version
- Confirm that all processes are running:admin@WF-500(passive-controller)>show system software status
- Confirm that the auto-commit (AutoCom) job is complete:admin@WF-500(passive-controller)>show jobs all
- Confirm that data migration has successfully completed. Runshow cluster data-migration-statusto view the progress of the database merge. After the data merge is complete, the completion timestamp displays:100% completed on Mon Sep 9 21:44:48 PDT 2019The duration of a data merge depends on the amount of data stored on the WildFire appliance. Be sure to allot at least several hours for recovery as the data merge can be a lengthy process.
Recommended For You
Recommended videos not found.