How to upgrade software in firewalls when firewalls are managed by panorama


L1 Bithead


1. If firewalls are managed by Panorama, do we need to upgrade only from Panorama, or can we also upgrade from the firewall?

2. If firewalls are managed by Panorama, how do we back up the config for a specific firewall?

Do we need to take the config backup only from Panorama, or can we also take the backup from the firewall?

3. If firewalls are managed by Panorama, do we need to push software and content updates only from Panorama, or can we also download them directly from the firewall?

4. If firewalls are managed by Panorama, how do we roll back a software or content upgrade on the firewalls in case of any issues after the upgrade?

5. If firewalls are managed by Panorama, how do we perform staging (having the software version and latest content version ready) before we upgrade a firewall?

6. Before we do a software upgrade on a firewall, is a content update alone enough, or do we also need to do the antivirus and WildFire updates?

 

 

Accepted Solutions

L4 Transporter

Thank you for posting the question, @perumalj

1. Both options are possible. If the Firewall is managed by Panorama, it is not a must to upgrade the Firewall from Panorama; you can upgrade it locally as well.

2. Once the Firewall is registered in Panorama, the configuration is backed up automatically after each commit. You can check it from: Panorama > Managed Devices > Summary > Backups > Manage > Committed Configurations. However, I recommend taking a configuration backup manually from the Firewall by going to: Device > Setup > Operations > Export named configuration snapshot > running-config.xml

3. Both options are possible. If the Firewall is managed by Panorama, it is not a must to push content updates from Panorama. You can let each of the Firewalls download them directly from Palo Alto. However, if there is a use case where the Firewall does not have access to the Internet to download the content update, pushing it from Panorama would be the way around it.

4. You can roll back both locally from the Firewall. In the case of emergency, here is the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcYCAS

5. Technically, the only hard requirement is to have Panorama running the same or higher PAN-OS version than the managed Firewall. Regarding staging, I personally upgrade Panorama first, then I choose one of the Firewalls that is not critical, upgrade it to the same version and observe it for a few days, then follow up with the upgrade for the other Firewalls.

6. To my knowledge, Applications and Threat is enough. Some of the PAN-OS versions have a hard requirement to have a certain version installed; otherwise, it is not possible to proceed with the PAN-OS upgrade. Here is the KB reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluOCAS From my point of view, there is no reason not to update Antivirus content as well.

 

Kind Regards

Pavel

Pavel Kucera
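
A pre-upgrade check for the version rule and rollout order described in point 5 of the answer above, as an added example that is not part of the original thread or any Palo Alto tooling. The inventory, the field names (`name`, `version`, `critical`) and the choice to compare the full version including the hotfix number are assumptions made for illustration.

```python
import re

# PAN-OS release strings look like "10.2.4" or "10.2.4-h2" (hotfix build).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix) so tuples compare correctly."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def plan_upgrade(panorama_version, target_version, firewalls):
    """Check the Panorama >= firewall rule and order firewalls for a staged rollout.

    firewalls: list of dicts with hypothetical keys name, version, critical.
    Returns (blockers, ordered_names); ordered_names is empty if blocked.
    """
    target = parse_panos_version(target_version)
    panorama = parse_panos_version(panorama_version)
    blockers = []
    if panorama < target:
        blockers.append(
            f"Panorama {panorama_version} is older than target {target_version}; "
            "upgrade Panorama first"
        )
    pending = [fw for fw in firewalls if parse_panos_version(fw["version"]) < target]
    if blockers:
        return blockers, []
    # Non-critical firewalls go first so one can serve as the observed pilot.
    pending.sort(key=lambda fw: (fw["critical"], fw["name"]))
    return blockers, [fw["name"] for fw in pending]


# Constructed sample inventory (not from the original thread).
SAMPLE_FIREWALLS = [
    {"name": "fw-dc-core", "version": "10.1.9-h1", "critical": True},
    {"name": "fw-lab", "version": "10.1.9", "critical": False},
    {"name": "fw-branch", "version": "10.2.4-h2", "critical": False},
]

if __name__ == "__main__":
    print(plan_upgrade("10.1.9", "10.2.4", SAMPLE_FIREWALLS))
    print(plan_upgrade("10.2.4-h2", "10.2.4", SAMPLE_FIREWALLS))
```

Parsing into integer tuples matters because a plain string comparison would rank "9.1.16" above "10.0.0".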
