Upgrading PAN-OS Versions

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Last Reviewed: 05-30-2023 01:21 AM
Audited By: kiwi
Community Team Member
No ratings

This article is based on a discussion which was picked up again recently, Upgrading PAN-OS 8.1.x to 9.1.10, by @FMA-Admin and answered by @Adrian_Jensen and @reaper. Read on to see the discussion and solution!



Our 4 sites have PA-220 devices on Software Version 8.1.9. Reading over everything including the Palo Alto Networks upgrade information, here are my questions:


1. With all 4 locations in separate areas of town, I assume I complete onsite upgrade at a time, correct?

2. With the firewalls at 8.1.9, if I understand the process correctly I can go straight to 8.1.24?

3. From the upgrade information:

        * Step 3 is listed Download PAN-OS 9.0.0 to firewall, but it does not say install it.

        * At step 4 you have Download PAN-OS 9.0.13, install it and reboot firewall.  

       * My question here is, you download the 9.0.0 but do not need to install it, you automatically download the next highest 9.0.x and install that one? 

        * I see now that 9.0.16-h3 is the highest in the 9.0.x versions. I take it that's what I would install, correct?

4. Reading over your steps above after that I would then go to 9.1.0, then 9.1.15 and so on, correct?


The steps above appear that you only download the next new version 9.0.x, 9.1.x, 10.0.x, etc but you do not install those, you only install when you hit the highest version in those ranges. 


One last question. I would assume that I do want to go into each firewall and go into Devices > Setup > Operations and I want to do the following: Save named configuration snapshot & Export named configuration snapshot ?


Thanks in advance!



1. Depends on how comfortable you are with upgrading each PA. Technically, there is nothing that is required to be onsite for, so you could do all the upgrades remotely... though there is always the unknown/unseen problem that can pop up.


2. Yes, you can proceed from 8.1.x directly to 8.1.24.


3. The x.x.0 package contains the entire PAN-OS install needed for the major version. The .1, .2, etc. packages contain just the updates from the .0 base package.  You can go from 9.0.0 to 9.0.16-h3 (minor revisions are updates/features, -h revisions are hot patches to address major security issues).


4. Yes, if you want to upgrade to 9.1.x chain then you will need to download 9.1.0 and then install 9.1.15.


And yes, you will want to save a named config and then export that named config before upgrading, in case something goes wrong and you need to roll back to a previous version. Generally the PA should handle config format changes between revisions, but if all goes wrong  you can default the config, roll back, and apply the previous saved configuration.


The reason that older platforms may need the base version actually installed is that by default the system unpacks the base, and then also unpacks the maintenance version to install both in one go. Older systems don't have enough disk space to support this "double unpack".  For this case, it would be good to first install (not even reboot) the base and then move forward with the upgrade.


Contemporary chassis/VMs fully support going from one major to the next major+maintenance in one swift install.


Also... a potential gotcha that may or may not affect you: PAN-OS 8.x uses the PAN-DB format database for URL filtering (if you have the URL Filtering and Threat Prevention licensing). This is for classifying websites based on content and allowing/restricting certain categories. PAN-OS 9.x moved to the URL-Cloud format database (different provider, slightly different update model, same categories). When you upgrade to 9.x it deletes the current database and initializes the new database. There are 2 URL categories to pay special attention to: "not-resolved" and "unknown". The default PA site access for these categories is "allow". However, if you are using a custom URL Filter and changed these categories to "block", then the new database can't download the initial values as everything is currently "unknown". So if your filters block those by default you need to "allow" temporarily to populate the initial database (once populated the PA update servers are known in the Computer&InternetInfo category).

Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎11-10-2022 09:07 AM
Updated by: