How to Upgrade a PA-7050 to PAN-OS 7.0.1 when only Option 1 (QSFP/SFP+) NPCs are Available

How to Upgrade a PA-7050 to PAN-OS 7.0.1 when only Option 1 (QSFP/SFP+) NPCs are Available

15447
Created On 09/25/18 17:42 PM - Last Modified 08/05/19 20:11 PM


Resolution


Overview

When deploying a new PA-7050 and only "Option 1" Network Processor Cards (NPCs) are used, the system cannot be directly upgraded to the required PAN-OS 7.0 software.

 

This document describes the one-time process (per PA-7050) needed so that the system can load into PAN-OS 7.0.1, or higher, as required by the Option 1 card. Once the system has been upgraded to 7.0.1 or higher, the Option 1 NPCs can be inserted and the system can be fully configured.

This procedure will also be needed if an RMA is needed on the Switch Management Card (SMC).

Note: If an Option 2 NPC is present, this procedure is not needed and the upgrade can proceed by using only the Option 2 NPC.

 

For reference:

NPC option 1: 2x40 Gig QSFP, 12x10 Gig SFP+ (part: PAN-PA-7000-20GQ-NPC)

NPC option 2: 12x10/100/1000, 8x1 Gig SFP, 4x10 Gig SFP+ (part: PAN-PA-7000-20G-NPC)

 

Steps

Assumptions:

  • Either an SSH or serial connection is available to the PA-7000 series firewall
  • The management IP is 172.16.5.10
  • The management netmask is 255.255.255.0 (/24)
  • The management default gateway is 172.16.5.1
  • The DNS server is 8.8.8.8

 

1. In CLI, enter the following commands:

> debug management-server client disable device

> debug management-server client disable useridd

> configure

# set deviceconfig system ip-address 172.16.5.10 netmask 255.255.255.0 default-gateway 172.16.5.1

# set deviceconfig system dns-setting servers primary 8.8.8.8

# commit force

 

2. Once the system has rebooted, GUI access is available, and the following items must be done:

Device > Licenses > "Retrieve license keys from license server"

Device > Dynamic Updates > "Check Now" at the bottom. Then download the latest "Applications" or "Applications and Threats", depending on your license. Either will work for this procedure.

Device > Software > "Check Now" at the bottom. Download, then install PAN-OS 6.1.0. When prompted, reboot the system.

Note: It may be necessary to re-run the following commands after the initial reboot to 6.1.0:

> debug management-server client disable device

> debug management-server client disable useridd

> configure

# commit force

 

3. Once the system has rebooted to 6.1.0, log back into the GUI:

Device > Software > "Check Now" at the bottom. Download, then install PAN-OS 7.0.1. When prompted, reboot the system.

 

Once rebooted to 7.0.1, all components can be configured and deployed.

 

Below are the previously available steps to do the same operation. These are not required if the above process is done instead, but are kept here for archive purposes.

 

Assumptions:
 • PAN-OS 6.1.0 image is called "panos6.1.0"
 • PAN-OS 7.0.1 image is called "panos7.0.1"
 • Content file is called "content_curr"
 • The user configured on the SCP server is "username"
 • The computer used for this process is Windows 7, 8, or 10

Steps to upgrade a PA-7050 from 6.0.6 to 7.0.1 when only the newer "Que" NPC is available. This procedure is not needed if even one standard NPC is available.

 1. Download the following files:
   a. PAN-OS 6.1.0
   b. PAN-OS 7.0.1
   c. Threat license key
   d. Current content version
 2. Download and install SCP server software
   a. One example is SolarWinds free SCP server: http://www.solarwinds.com/products/freetools/free_tftp_server.aspx
 3. Configure a computer to IP address as follows:
   a. IP: 192.168.1.2
   b. Netmask: 255.255.255.0
   c. Default GW: Not needed (can be 192.168.1.3 if desired)
   d. DNS: Not needed (can use any, such as 8.8.8.8 if desired)
 4. Ensure there is SSH software, such as PuTTY, installed
 5. Connect your Ethernet cable to the management port on the PA-7050
 6. SSH to the management IP, 192.168.1.1. The default credentials are:
   a. Username: admin
   b. Password: admin
 7. Open the threat license key file in a plain text editor (notepad, textpad, notepad++, editpad, etc.)
 8. Enter the following:
   a. request license install
   b. Paste the key into the console window (PuTTY's default paste key is right-click)
   c. Hit <enter> two times
 9. Enter the following:
   a. scp import content from username@192.168.1.2:/content_curr
   b. Enter the password (if configured) for your SCP server
 10. Enter the following:
   a. scp import software from username@192.168.1.2:/panos6.1.0
   b. Enter the password (if configured) for your SCP server
 11. Enter the following:
   a. request content upgrade install file content_curr
 12. Enter the following:
   a. request system software install file panos6.1.0
 13. Reboot the system, wait until it finishes booting to 6.1.0
 14. SSH back into the firewall
 15. Enter the following:
   a. scp import software from username@192.168.1.2:/panos7.0.1
   b. Enter the password (if configured) for your SCP server
 16. Enter the following:
   a. request system software install file panos7.0.1
 17. Reboot the system

At this point, the system will be booted to PAN-OS 7.0.1, the NPC(s) will be able to boot and run, and any additional configuration changes can be done.
 

owner: gwesson
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClITCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language