Is it possible to upgrade PAN-OS without a license?


Yes, PAN-OS versions can be upgraded without a support license if it's done manually.

 

In order to download PAN-OS software images directly from the update server, the Palo Alto Networks firewall needs to have a support license activated on the support portal (it is not required to have the license installed on the firewall for PAN-OS image installs) and have internet access to download the software packages. 

 

However, in certain environments customers' devices will not have access to the internet but will still need software upgrades.

In such cases, PAN-OS updates can be downloaded from the support portal and brought into the out-of-band network to be installed manually.

 

It is recommended to first manually upload and install the latest content version (App) and then manually upload and install the desired PAN-OS version.

 

 

Note: PAN-OS software must be downloaded from the Palo Alto Networks Support Portal (Software Updates) and then manually uploaded and installed on the firewall.

 

Caveat: VM-Series firewalls cannot be upgraded in this way, as they need to be activated before use and activation requires a support license.

 

Other helpful articles:

How to Upgrade PAN-OS on a Palo Alto Networks Device

How to Manually Install Antivirus, Content, and WildFire Updates on the Firewall

Comments
Operation: Software Install
Status: Completed
Result: Failed
Details: Base license is not valid. Please renew license and try again

Hi @prospectfr

 

Could you elaborate on what you are doing exactly? (Is this a VM, a firewall, a Panorama? What version is installed, what version are you installing, ...)

 

 

thanks!

Hi reaper, it's a freshly downloaded VM, not licensed ("Failed to install licenses. Model incompatible: feature model is VM100 while the device model is AMI-VM300") :)

Trying to go from 7.1.0 to 7.1.6.

Ah: the VM requires you to activate it so the 'capacity' (vm100/200/300) can be set. This capacity is needed to determine which update file to fetch etc 

activation can only be achieved through a support license, so this is a bit of an exception

Shouldn't I be able to fetch an eval license ? What's the deal with AMI-VM300 vs VM100 ?  Thanks for your help.

you'll need to discuss eval licences with your sales contact. The ami-vm300 and vm100 are the unactivated base system and the default update file not matching each other

Let's say TP, Support, and URL-filtering licenses expired on a Firewall and the Firewall does not have the internet connection at all, how do we fix support license and remain supported in this case? Given we are buying all of the licenses after the fact.

@rk20ta when you mention 'expired' this will mean the VM will already have been activated in the past. once your VM was activated you'll be able to upgrade the device regardless of the state of your support license as described in the article above (the only exception is when the VM has not been activated yet)

 

afterward the support license does not need to be on the device for it to allow upgrading its PAN-OS.

 

 

TP and URL are outside of the scope of this KB article, so please post followup questions in the discussion forum. These licences follow a different methodology than the support license

In a similar situation, I attempted to do a manual upgrade myself.  From 6.1.4 to 7.0, however, when looking for the file to download under "Software Updates" in the Support portal, no files were listed at all.  

 

How does one proceed from there?


@bwallisch you need to have a valid support license registered on the support portal to be eligible to download software and content updates

This license does not need to be on the firewall for the software to install properly but one is required to download packages

Hi,

 

I downloaded content(app) from software portal and installed it on device. Now it shows content is installed.

I tried to upload OS file, however it does not list in software lists.

 

Any suggestions.

 

Regards,

Raghav

Hi @RbadigerCY

 

Did the upload job complete successfully? You may need to click 'check now' before the image appears as downloaded

Yes upload completed, I did 'Check Now' also. 

 

Here is what may be wrong:

 

Device's threat license is expired, when I do check now, it gives me error that "Device not Supported".

 

Can we upgrade in this case also?

 

Regards,

Raghav

A threat license is not required to upgrade the PAN-OS

Did the upload complete without an error message? please check if there may be too little disk space available, and delete some old PAN-OS to make room, then upload and 'check now' again

Did the upload complete without an error message?  - yes, no error faced.

 

please check if there may be too little disk space available, and delete some old PAN-OS to make room, then upload and 'check now' again

 

I do not see any OS when I do check now on the device.

On CLI - Where do I find the OS packages to delete?

Any other way to upgrade the OS?

 

Regards,

Raghav

in the GUI, look for 'downloaded', there will be a little x to the right that allows you to delete

 

In the CLI you can do 'delete software version' and then hit <tab> to see what's available: don't delete the base image x.x.0 unless you're currently running on a different major OS (eg running 8.0 is ok to delete 7.1.0, running 7.1.x, not ok to delete 7.1.0)

 

reaper@myNGFW> delete software version 
  8.0.0       8.0.0
  8.0.4       8.0.4
  8.0.8       8.0.8
  8.1.0       8.1.0
  <value>     Version

other way to upgrade OS is connect mgmt interface to the internet (securely through security policy) and download/install from web
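The deletion rule from the reply above, as an added example that is not part of the original thread or any Palo Alto Networks tooling: it parses the tab-completion listing quoted there and sorts the on-disk images into those that are safe to delete and those to keep. The function names are hypothetical, the hotfix suffix pattern (such as -h2) is an assumption, and keeping the currently running image is an assumption added on top of the x.x.0 rule.

```python
import re

# PAN-OS versions look like 8.0.4; an optional suffix such as -h2 is assumed for hotfixes.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[a-z]+\d+)?$")

# Constructed sample: the 'delete software version <tab>' listing quoted above.
SAMPLE_LISTING = """\
reaper@myNGFW> delete software version
  8.0.0       8.0.0
  8.0.4       8.0.4
  8.0.8       8.0.8
  8.1.0       8.1.0
  <value>     Version
"""

def parse_listing(text):
    """Return the version strings offered by tab completion, in order."""
    versions = []
    for line in text.splitlines():
        fields = line.split()
        # Image rows repeat the version in both columns; the prompt and <value> rows do not.
        if len(fields) == 2 and fields[0] == fields[1] and VERSION_RE.match(fields[0]):
            versions.append(fields[0])
    return versions

def feature_release(version):
    """Return (major, minor), e.g. (7, 1) for 7.1.6."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a PAN-OS version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def is_base_image(version):
    """True for the x.y.0 base image of a feature release (no hotfix suffix)."""
    m = VERSION_RE.match(version)
    return bool(m) and m.group(3) == "0" and m.group(4) is None

def deletable(running, on_disk):
    """Split on-disk images into (safe_to_delete, keep) for the running version."""
    running_release = feature_release(running)
    safe, keep = [], []
    for v in on_disk:
        same_release = feature_release(v) == running_release
        # Keep the running image (assumption) and the base image of its release (rule above).
        if v == running or (same_release and is_base_image(v)):
            keep.append(v)
        else:
            safe.append(v)
    return safe, keep
```
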

In GUI, I do not find any OS listed in the Software tab.

 

On CLI, when I run 'delete software version' and hit <tab> I do not see any version listed.

 

How do I know which file to delete?

@reaper,

 

If we transfer licenses from an existing PA, will it stop getting updates?

hi @Farzana

 

Typically a license is only transferred in case of an RMA, the defective device will lose its licenses and they'll get transferred over to the replacement device

The defective device will, however, get a temporary license to allow for a smooth transfer for as far as this is possible (in case it is still somewhat functional) so it will still get updates during this 'grace period'

 

After that it will no longer receive updates because it no longer has a license

 

tl;dr yes