How to Manually Import and Install PAN-OS from the CLI

Printer Friendly Page


This document describes the steps to manually import and install PAN-OS on a Palo Alto Networks device from the CLI.



  1. Download the PAN-OS image from the Palo Alto Networks support portal (
  2. View the checksum by clicking on the Show MD5 link:
  3. The checksum can be verified once downloaded using utilities, such as, md5sum (Linux) or WinMD5Free (Windows):
    • Example of md5 checking on linux:
      # md5sum PanOS_200-5.0.5
      d52609c93335e5321b3069a757e28620  PanOS_200-5.0.5

    • Example of md5 checking on Windows using WinMD5Free:
  4. Once software is staged on the appropriate server for import, run the following command via CLI:
    > scp import software from
      <value>  Source (username@host:path)

    Following example shows a sample path assuming hosted on a Windows SCP Server:
    > scp import software from user@
    user@'s password: ****

    PanOS_200-5.0.5                       99%  180MB   2.7MB/s   00:00 ETA
    PanOS_200-5.0.5                      100%  181MB   2.4MB/s   01:15
    PanOS_200-5.0.5 saved

  5. Once uploaded, you can then initiate an install.
    Note: Software that is retrieved/downloaded directly from the update server (for example, imports with SCP/TFTP) will NOT populate the list of available/downloadable images.



> request system software install file <value>
  PanOS_200-5.0.5      2013/05/30 18:27:51   185051.1K

  <value>              Upgrade to a software package by filename



Go to Device > Software and click Install From File. Then, manually scroll for the imported image in the drop-down menu.


Note: The step to import the PAN-OS image (Step 4 above) can also be performed with TFTP using the following command:

> tftp import software from <tftp host> file <Source path>


The following lines show a complete example:

> tftp import software from file PanOS_200-5.0.5

mode set to octet

Connected to (, port 69

getting from to /tmp/cli.tmp.MX0Ilu [octet]

Received 189492288 bytes in 269.5 seconds [5624095 bit/s]


Step 5 for the PAN-OS install procedure still applies regardless of import method.


Note:  Download the base image. Do not install at this time. Next download and install the minor release. Reboot device.


owner: bryan


Bryan,  the documentation is a bit cryptic regarding whether the "install from file" (item 5 above) will add the software image to the list of available software versions or if it will install the software as the running image, thereby causing a reboot.  Can you help clarify?


Hi Wes,

If the software is not retrieved directly via the WebUI "Check Now" function, it will not be displayed as an available/downloaded option via the WebUI. Software bypassing this feature (imported via SCP or TFTP), will only be visible when selecting the "Install from file" option & scrolling through the drop-down menu for the CLI imported image.



Did as posted, worked just fine for me. My PA-200 went crazy, only accessible from CLI and I managed to upgrade this way.

WES's question is still unanswered - does the "request system software install version <blah>" (where <blah> = 8.0.2 in my case) install the software as available, mark it as preferred on next boot, actuall reboot into the new version or some combination of these?

Well, curiosity got the better of me:


"request system software install version 8.0.2" gets the software installed and flagged as active for next boot

"request  restart system" rebootes the firewall and you get the new version when it completes


your mileage may vary of course ;) 

Hi @MatthewSabin

thanks for figuring this out yourself :D


the install option will physically install the operating system on the inactive root partition (we have 1 active and 1 inactive, to accomodate in-line upgrades without a terrible amount of downtime)


these are the options available:

admin@myNGFW> request system software 
> check      Get information from PaloAlto Networks server
> download   Download software packages
> info       Show information about available software packages
> install    Install a downloaded software package

'check' will simply request the latest list of available software from the update server

'download' will go and fetch the installer package and place it in the repository

'info' will show you which packages are available, when they were released and which have been downloaded

'install' will go and install the package to harddisk

For some reason I could not download 7.1.16 directly from the GUI, it kept getting an error.  The manual download from the Palo Alto support page and upload process via the web GUI worked fine.  When I uploaded it via the web GUI, it showed up at the bottom of the list rather than the top, that had me confused for a little bit.  Once I realized it was at the bottom I hit install and that worked.  Upgrade was from 7.1.14 to 7.1.16. 

hi @j.bronson

Usually when downloading from the GUI doesn't work, you either need to run 'check now', or ensure your dns and outgoing update connections are being alowed out (policy, routing, service route,..)


If an image shows up at the bottom you may have column sorting set (you can click a column header to sort the table)