01-14-2026 02:44 PM
Hello,
I have 1 Panorama VM on 10.2.12.-h2
2 FW on 10.2.11-h2
Needing to update PANOS to 11.2.3-h3 due to support for some azure Firewalls net new. They are much higher version software than I have on prem so need to update PANOS so I can manage them.
How or what are steps to update to PANOS 11.2.3-h3?
Looking for where in Panorma to get updates and how to do this. Also nervous about Panorama not working after the update so anything I should do before hand incase I have to roll back?
How would I roll back if I am not able to manage firewalls afterwards?
We also push configs to Prisma from Panorama so worried something will not work for that once I update. Is there anything I can check to make sure that part will still work? I'm thinking of any Gotchas here.
Thank you for any help!
01-14-2026 07:17 PM
Hi @JasonFerris ,
Before you upgrade any device, please review the release notes for any known issues, changes in default behavior, and specific considerations for your environment. Here are the 11.2 release notes.
**Always remember that Panorama is running the same or a later PAN-OS version than the managed firewalls you intend to upgrade.** You are good to go here since you have 2 FWs on 10.2.11-h2 and the VM-series you are planning to add are 11.2.3-h3.
Verify that your Panorama virtual appliance meets the minimum hardware resource requirements (CPU, memory) for PAN-OS 11.2. If running in Panorama mode, it's recommended to increase memory to 64GB after upgrading to PAN-OS 11.1 or 11.0 to avoid performance issues. Also confirm that your hypervisor is compatible with your target version.
Once you've verified all that information, create a backup config. From the Panorama web interface, navigate to Panorama -> Setup -> Operations and click Export Panorama and devices config bundle.
Next, download the versions of all currently installed plugins that are compatible with PAN-OS 11.2. The Panorama upgrade can be blocked if supported plugin versions are not downloaded. You can take a look at the Compatibility Matrix here.
Now, youre at a good point to upgrade. To go from 10.2.x to 11.2.x, you can perform a direct upgrade that leverages the "skip software version upgrade" feature. This allows you to bypass intermediate feature releases like 11.0 and 11.1. This means that you will download 11.2.0 base image. Once that is complete, you can download and install (this requires a reboot once install is completed) 11.2.3-h3. **If you have HA w/ Panorama, complete these steps on the passive device first. After the passive peer is upgraded and reboots, it will be in a non-functional state until the active peer is also upgraded.
If you're wondering where on Panorama to accomplish this download, navigate to Panorama -> Device Deployment -> Software. Click Check Now for the latest release versions. You'll see a list of images there.
After the upgrade is complete, you can proceed to add your VM-series FWs to Panorama and test pushing config to your on-prem FWs, VM-Series, and remote locations/remote users. If you run into behavior that necessitates rolling back, you can revert the config to the backup you exported.
Hope this helps! and please schedule a proper maintenance period for this. The more time the better.
01-15-2026 08:22 AM
@JayGolf Thank you for the detailed response. I have a few more questions here if you don't mind. For downloading software I thought it was just Panorama->Software vs Panorma->Device Deployment->Software? I only plan on updating Panorama OS at this point as I will probably gradually update the on prem FW's from 10.2.11-h2. What is the difference on both of those "Software" locations for downloading?
Currently my Panorama VM has 32GB memory assigned. Can I simply power down the Panorama VM and add more mem and power up or is there some other process I have to do to add memory within Panorama? We are using VMware 8 at the moment and it appears this is supported for our Panorama current and future versions.
For this, Next, download the versions of all currently installed plugins that are compatible with PAN-OS 11.2. The Panorama upgrade can be blocked if supported plugin versions are not downloaded. You can take a look at the Compatibility Matrix here.
I am unsure of the plugins that are in use. Is there an easy way to see what is installed and being used? If I look in Panorama tab and click on "Plugins" on the left side. I can see plugins on the right but the only plugin I show we have downloaded along with the installed one is the Cloud_Services plugin. We are using 5.1.0-h47 currently. Does this mean this is the only plugin we have? Is this current cloud_services plugin compatible with 11.2 PANOS? Searching around but getting confused on what i'm finding. Since we have 5.1.0-h47 it seems its compatible with 11.2 so maybe don't need to do anything here?
We also only have 1 panorama and not running and HA pair for this.
What would rollback entail for process? to get me back to before the Upgrade to 11.1 and 11.2? I would run the backup procedures after each respective update so I would have a backup for reverting back to 10.2 from 11.1 and also back to 10.2 from 11.2 as well. Or 11.1 if that was working ok.
I would probably power down the Panorama and do a vm snapshot as well. Could I revert to the VM snapshot if the upgrade didn't go as planned as well? Instead of restoring configuration? Or I guess what is preferred revert process?
NOTE: I am planning on going to Panorama 11.1 first and then going to 11.2.
Thank you for feedback!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
