How to Upgrade PAN-OS on a Palo Alto Networks Device


This article is outdated; please refer to Best Practices for PAN-OS Upgrade.

 

Overview

This document shows how to upgrade to the latest version on a Palo Alto Networks device.

 

Steps

  1. In the WebGUI, go to Device > Software (on Panorama, go to Panorama > Software) in the left pane to open the software page.

  2. In the lower left corner, click "Check Now" to update the list of latest software releases available from Palo Alto Networks.

  3. Download and install the new release. Refer to the Base Version Note below about base versions.

To install a new release from the download site:

    1. Click Download next to the release to be installed. When the download is complete, a check mark is displayed in the Downloaded column.
    2. Click Install next to the release to initiate the installation. During installation, an option is available to have the device automatically reboot when installation is complete.
    3. When the installation is complete, a prompt displays to restart the device.

 

To manually download the software and install onto the device:

    1. Navigate to the Palo Alto Networks Support Portal on a web browser.
    2. Go to the Software Updates page and download the appropriate PAN-OS release for your device.
    3. On the WebUI of the device, navigate to Device > Software and click "Upload." Browse to locate the downloaded software package, then click OK to upload the file to the device.
    4. Click "Install from File" and select the uploaded file.
    5. Click OK to initiate the upgrade.

 Requirements:

  • Ensure the device or Panorama is connected to a reliable power source as a loss of power during the upgrade could make the device unusable.
  • Save a backup of the current configuration file by clicking Save named config snapshot on the Device tab of the GUI under Setup, or on the Panorama tab under Setup.
  • Read the Upgrade/Downgrade Procedures in the Release Notes to determine if there is a minimum Content version required in order to perform the upgrade.
  • If upgrading devices from Panorama, perform the upgrade to Panorama first by following the steps under Panorama Upgrade.
  • Following the PAN-OS upgrade, you may need to upgrade associated software. See the Associated Software Versions chart in the Release Notes to make a determination.

Base Version Note: The base version of the release being upgraded to (the first release of a major version, such as 5.0.0, 6.0.0, 6.1.0, 7.0.0 or 7.1.0) must be downloaded onto the device first. Once the base version is downloaded and the 'ACTION' appears as 'Install', the latest release on the same branch can be downloaded and installed.

 

For Example

If upgrading a Palo Alto Networks device from PAN-OS 6.0.6 to 7.0.5:

Note: Direct upgrade from 6.0.x to 7.0.x is not possible. It has to be a stepped upgrade from 6.0.x to 6.1.x and then to 7.0.x.

  1. First download and install only the 6.1.0 base version. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect. Please do that now.
  2. After the reboot, download only the 7.0.0 base version. The action for PAN-OS 7.0.0 changes from "download" to "install." Do not install it now.
  3. Download and install 7.0.5. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect.
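
The stepped-upgrade rule from the Base Version Note and the 6.0.6 to 7.0.5 example can be expressed as a small planner. This is an added Python example, not Palo Alto Networks code; it generalizes the article's single case to any pair of versions, and `FEATURE_TRAINS`, `parse_version` and `plan_upgrade` are hypothetical names, with the train list assumed from the base versions named above.

```python
# Added example: plans a stepped PAN-OS upgrade from the rules in this article.
# FEATURE_TRAINS is an assumption taken from the base versions the article
# lists; extend it from the Release Notes for newer trains.
import re

FEATURE_TRAINS = [(5, 0), (6, 0), (6, 1), (7, 0), (7, 1)]


def parse_version(text):
    """Split '7.0.5' or '7.1.4-h2' into (major, minor, maintenance, hotfix)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def plan_upgrade(current, target):
    """Return ordered (action, version) steps to get from current to target."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError("target must be newer than the running version")
    for v in (cur, tgt):
        if v[:2] not in FEATURE_TRAINS:
            raise ValueError(f"unknown feature release {v[0]}.{v[1]}")
    start = FEATURE_TRAINS.index(cur[:2])
    end = FEATURE_TRAINS.index(tgt[:2])
    steps = []
    # Intermediate feature releases cannot be skipped: install each base
    # version in turn and reboot so the new OS takes effect.
    for major, minor in FEATURE_TRAINS[start + 1:end]:
        base = f"{major}.{minor}.0"
        steps += [("download", base), ("install", base), ("reboot", base)]
    base = f"{tgt[0]}.{tgt[1]}.0"
    if tgt[2:] != (0, 0):
        # A maintenance release needs its base version downloaded, not installed.
        steps.append(("download", base))
    steps += [("download", target), ("install", target), ("reboot", target)]
    return steps


if __name__ == "__main__":
    for action, version in plan_upgrade("6.0.6", "7.0.5"):
        print(f"{action:8} {version}")
```

If the base version is already present on the device, the corresponding download step can be skipped.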

 

Release Notes: To view a description of the changes in each release, including known issues, version features, and resolved issues, click "Release Notes" next to the release.

 

Deleting old versions

Older versions of the PAN-OS software can be deleted as long as you are no longer running that version and have no plans to revert to it. If running 6.1.6, then it is OK to delete all 6.0.x and older software versions, even the base versions.

To delete a version, click the icon to the right-hand side of each downloaded version.

 

Panorama

If upgrading Panorama itself, then the instructions will be the same as above.

If using Panorama to deploy new software to a Palo Alto Networks Device, reference the following documents for more information:

- How to Install Software Image that was Pushed from Panorama

- PAN-OS Software Does Not Appear on Device GUI when Pushed from Panorama

- How to use Deployment in Panorama

 

owner: ukhapre

Comments

What is the benefit of downloading/keeping the base version saved on the device if you're not going to install it (or after you've upgraded to a newer version)? I've never heard that recommendation until now.

The base version has to be there... the latest PANOS version is basically a "diff" against the base version as I understand it.

So you have to have 5.0.0 present (but you don't need it installed) before you install 5.0.8 for example.

You cannot skip a feature release and must have a base image downloaded before upgrading from one feature release to a maintenance release in a higher feature release.

This is due to the fact that the maintenance release does not contain the full software build, only changes made since the base image release, so the base image is needed for the upgrade.

I'm upgrading from 5.0.8 to 5.0.13. We use Panorama and I was wondering if Panorama needs to be done first? Also, I've read upgrading notes and such but don't see anything related to risk. I'm assuming a reboot is necessary.

Thank you

Treese,

From your comment I understand that you are trying to use deployment option available on panorama to push software image to a managed device. If that is the case you don't have to upgrade the panorama. Reboot is necessary after every upgrade.

Please refer to:

How to use Deployment in Panorama

PAN-OS Software Does Not Appear on Device GUI when Pushed from Panorama

How to Install Software Image that was Pushed from Panorama

Treese,

The Panorama upgrade is recommended but not required for your case. The Panorama upgrade is required when moving from a major version like from 4 to 5 or from 5 to 6. The upgrade is recommended to track with the minor releases. As the minor releases come out, the Panorama is also updated so that version-specific features are available in the Panorama interface. But within a major release these are generally few in number.

Reboots are always required to activate new version installs.

Thank you for your help, this explains it.

Thank you too.

Which is the latest recommended version?

Are there any links to base images for each version? I only see Software Updates in Tools, which contains Latest Release only!

My bad! Just had to sort PAN-OS by Version in Software Updates.

Can anyone suggest a stable version for a PA 2020 HA pair and a PA 3020 HA pair? Both devices are in active-passive mode.

Current version - 7.1.8

 

hi @Deepak_Khirit

at this time 7.1.14 and 7.1.15 are recommended releases in the 7.1 code train

 

if you consider upgrading, 8.0.6-h3, 8.0.7 and 8.0.8 are recommended releases in the 8.0 code train (i'd suggest 8.0.8)