Update software for a new Palo Alto 5260 FW through Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Update software for a new Palo Alto 5260 FW through Panorama

L2 Linker

Hi,
I am fairly new to the game, and in need of some help. 
I have gotten a brand new PA-5260 fw. The plan for this is to have it in backup in case anything would happen to one of the others fw.
My task is to only update the software on the new PA-5260 from 9.1.4 > 10.1.6-h6, which is the version the other fw are running on now. 

On the new PA-5260 fw I have:
- set the MGT IP, MGT subnetmask and MGT Gateway 

- added the license key.

On the Panorama, I have:
added the PA-5260 as a device so I can see it under Managed Device > Summary and it has also been added to the Panorama > Templates 

When I try to install a higher software version from Panorama to the new PA-5260, I get this message: 
<Failed to upload image.Device msg:`Failed to download PanOS_5200-9.1.15-h1. Download error: Problem with the local SSL Certificate.` >

I have tried to install different versions but the same message appears, except from the version number.

I have tried to create a certificate on the new PA-5260 but was not able to save it for some reason. Not sure if that is the reason why it fails? 
Is there anyone who knows what I have forgotten/not done to be able to update to a newer software version or have some links they can share?  

//Richard M
1 accepted solution

Accepted Solutions

Hi @PavelK 
Thank you for your time and answers. It was much appreciated.
 
I read something about the version 9.1.4. In this version there was a bug, that had some kind ssl impact when trying to push a higher software version from Panorama to the local firewall. 
Since software version 9.1.4 already was installed on the local firewall, the solution was to reinstall that version. After this was done, I was able to update the software version.

//Richard 

//Richard M

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello @Richard_M

 

thanks for the post!

 

For the sake of problem elimination, could you confirm below points?

- Does your PA-5260 have in Panorama under Device State the status as "connected"?

- What is you Panorama version?

- Are you able to download the PAN-OS image locally directly from PA-5260?

 

Just in case here is a Link with instructions how to upgrade a Firewall from Panorama.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK 

- Yes, in Panorama under Managed Device > Summary,  the Device State = Connected
- Panorama is running on software version 10.1.6-h6
- No, I am not able to download the software locally on the PA-5260. 

Everything's work fine up until step 9.5. For me step 9.6 is not successfully. That's when I get the message for the failed reason when trying to update the software version. 

The Panorama running is a model m-500 and the local fw is a model PA-5260. Do they work together?  

//Richard M

Cyber Elite
Cyber Elite

Hello @Richard_M

 

thank you for reply.

 

There is no compatibility issue between M-500 and PA-5260. The only requirement is Panorama has to run the same PAN-OS version or higher than managed Firewall. Only caution, M-500 had already End of Life announcement 28th February 2025 and 10.1 is highest version you can run.

 

Coming back to your issue. Since you are not able to perform PAN-OS upgrade even locally, I would advice to go through this KB for further troubleshooting. Also, from PAN-OS 9.1.3 and higher a device certificate is required to communicate with Palo Alto cloud services. Could you please refer to these Doc.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK 
I looked at the links you attached. The closest symptom I found related to my issues is the "No valid device certification was found" from the KB link

The customer I work for/with don`t have an Customer Support Portal. Don't believe they ever had one because of some restriction(?)

I tried to generate a certificate but doesn't seem to help.  I followed the steps in the other links to install a certificate, but as mentioned above it stops when it comes to generate the One Time Password (OTP) for managed firewalls through Customer Support Portal. 

Is it possible to download the different software versions in another way? 

//Richard M

Cyber Elite
Cyber Elite

Hello @Richard_M

 

thank you for reply.

 

Unfortunately, not having the access to Customer Support Portal will significantly limit you what you can do with Palo Alto products. Here is the manual how to create an account KB.

 

Regarding your question, it is possible to download PAN-OS image from Customer Support Portal, upload it to Firewall and install it. This however requires to have access to Customer Support Portal and Firewall should be covered by support license. Here is the KB on how to do it from CLI. You can do the same from GUI by going to: Device > Software > Upload to upload PAN-OS image, then you can click on install. Here is the upgrade path Doc.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK 
Thank you for your time and answers. It was much appreciated.
 
I read something about the version 9.1.4. In this version there was a bug, that had some kind ssl impact when trying to push a higher software version from Panorama to the local firewall. 
Since software version 9.1.4 already was installed on the local firewall, the solution was to reinstall that version. After this was done, I was able to update the software version.

//Richard 

//Richard M
  • 1 accepted solution
  • 1713 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!