10-19-2021 06:37 PM
Thank you for posting the question, @perumalj.
1. Both options are possible. If the Firewall is managed by Panorama, it is not a must to upgrade the Firewall through Panorama; you can upgrade it locally as well.
2. Once the Firewall is registered in Panorama, the configuration is backed up automatically after each commit. You can check it from: Panorama > Managed Devices > Summary > Backups > Manage > Committed Configurations. However, I recommend taking a configuration backup manually from the Firewall by going to: Device > Setup > Operations > Export named configuration snapshot > running-config.xml
3. Both options are possible. If the Firewall is managed by Panorama, it is not a must to push the content update through Panorama. You can let each of the Firewalls download it directly from Palo Alto. However, if there is a use case where the Firewall does not have access to the Internet to download the content update, pushing it from Panorama would be the way around it.
4. You can roll both locally from the Firewall. In case of emergency, here is the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcYCAS
5. Technically, the only hard requirement is to have Panorama running the same or a higher PAN-OS version than the managed Firewall. Regarding staging, I personally upgrade Panorama first, then I choose one of the Firewalls that is not critical, upgrade it to the same version and observe it for a few days, then follow up with the upgrade of the other Firewalls.
6. To my knowledge, Applications and Threat is enough. Some of the PAN-OS versions have a hard requirement to have a certain version installed; otherwise, it is not possible to proceed with the PAN-OS upgrade. Here is the KB reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluOCAS From my point of view, there is no reason not to update Antivirus content as well.
Kind Regards
Pavel