Support FAQ: Upgrading PAN-OS and Upgrade Paths

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
100% helpful (1/1)

Let’s discuss upgrading your PAN-OS. It might sound routine, but without proper planning, it can turn into a real nightmare.

 

Consider this: Do you actually need to upgrade?

 

On many occasions, I talked with customers that were upgrading just for the sake of upgrading. Think about these first: Do you absolutely need the new features from the latest release, or are the current ones meeting your needs just fine? Are you happy with how stable your current version is running? Are you actually vulnerable to the vulnerability that was addressed in the newer version? Installing the latest releases can come with risks. 

 

Knowing why you're upgrading and understanding the potential impacts is crucial. Maybe you’re ironing out bugs with a maintenance release or unlocking new features with a major update. Either way, your first stop should be the release notes—they’re your goldmine for all the updates and fixes.

 

 

Utilizing Feature Guides and Security Advisories

Leverage the available resources such as the Feature Guide and Security Advisories. These tools offer detailed insights into new features, bug fixes, and security patches for each release.

TechDocs: Release Notes

TechDocs: PAN-OS New Features Guide

LIVEcommunity: PAN-OS Software Release Guidance

 

 

Navigate Release Notes for Critical Updates 

 

Skimming through the release notes can save you from unpleasant surprises. Changes in default behavior and new features could mean significant shifts in how things work. A feature that behaved one way in version A might behave differently in version B.

 

TechDocs: Changes to Default Behavior in PAN-OS 11.2

 

 

Upgrade Considerations and Compatibility Checks

 

Additionally you’ll need to look into the upgrade/downgrade considerations. These will help you prepare for any unexpected twists and ensure you’re ready for anything. It’s also essential to check the support matrix to confirm that all integrated products—like GlobalProtect clients and various plugins—are compatible with your new version.

 

TechDocs: Upgrade/Downgrade Considerations

TechDocs: Palo Alto Networks Compatibility Matrix

 

 

Preparation Strategies for Firewall Upgrades

 

Preparation is the name of the game. Think of it like getting ready for a big match. You wouldn't jump in without warming up, right? The same goes for your firewall upgrade. Back up your configurations, capture tech support files before and after the upgrade, and take detailed snapshots like routing tables and interface statuses. This ensures you can revert to a previous state if something goes wrong. Schedule time for application testing and have a rollback plan in place, just in case.


If possible, test the upgrade in a lab environment to catch any potential issues before they affect your production systems.


Plan to perform the upgrades during off-peak hours to minimize the impact on your users.

 

TechDocs: Manage Configuration Backups

KB: How to Generate a Tech Support File via CLI

TechDocs: Downgrade PAN-OS

 

 

Executing Firewall Upgrades

 

When it’s time to execute the upgrade, stick to your plan. Avoid shortcuts and keep in mind that network changes are expected. This is especially true in high availability setups. Pre-upgrade state information can be a lifesaver if you need to troubleshoot later. If you have a high availability environment, test failover before diving into the upgrade to ensure everything’s working as it should. Start with one firewall to validate that everything's functioning properly before committing fully.

 

TechDocs: Verify Failover

 

 

Critical Considerations in Choosing Your Upgrade Path

 

When it comes to actually upgrading your PAN-OS, choosing the right upgrade path is absolutely critical. 

 

How to Select the Right Upgrade Path:

 

  1. Identify Your Current Version

    Start by pinpointing your current PAN-OS version. You can find this information in the General Information section of your dashboard. Knowing your starting point is crucial for planning the upgrade journey.

  2. Understand the Release Sequence

    PAN-OS versions are structured in a sequence denoted as X.Y.Z (for example, 10.0.5):

    X is the major software release number.
    Y is the feature version release.
    Z is the maintenance release number.

    Each major version begins with a base image (x.x.0), which contains the core functionalities. Subsequent maintenance releases (x.x.1, x.x.2, etc.) focus on bug fixes and incremental improvements.

  3. Plan the Upgrade Steps

    You can find detailed steps of the preferred upgrade paths here:

    1. Determine the Upgrade Path to PAN-OS 10.1
    2. Determine the Upgrade Path to PAN-OS 10.2
    3. Determine the Upgrade Path to PAN-OS 11.0
    4. Determine the Upgrade Path to PAN-OS 11.1

NOTE: You can now use the Skip Software Version Upgrade feature to skip software versions when upgrading your device from PAN-OS 10.1 or later releases.

LIVE: Upgrade PAN OS from 10.1 to 11.1
LIVE: Panorama from 10.2.8 to 11.1.x

 


Post-Upgrade Validation for Firewall Stability

 

Once the upgrade is complete, don’t forget to validate that everything is working correctly. This part varies greatly on your setup. Data centers might need extensive application testing, while smaller setups could get by with basic checks. Start with the dashboard to assess the overall health of the firewall. Check system logs for any irregularities and review session and traffic logs to ensure normal operation. For critical environments, comparing pre- and post-upgrade data helps maintain consistency and prevents any surprises down the road.



Additional Resource Links:

 

Forum: Best Practices for PAN-OS Upgrade Without Downtime

Article: Upgrading PAN-OS Versions

Blog: Best Practices for Palo Alto Networks Devices

Blog: Determining Which Code is Right for You

PodCast: PANCast Episode 1 - Four Things You Must Do When Upgrading Your Firewall

 

 

Rate this article:
(2)
Comments
L2 Linker

Hi all,

 

we are currently on 10.2.8-h3 and want goto 11.1.2-h3.

 

what is the best way to upgrade ?  searching through the forum and seem to have different approach.

 

download 11.0.0

download 11.0.4.-h2 (Prefered version)/install/reboot

download 11.1.0

download 11.1.2-h3/install/reboot

 

(some suggest download 10.2.9-h1/install/reboot?)

Any advise much appreciated.

QL

 

Community Team Member

Hi @Qui ,

 

If you are already running a PAN-OS 10.2 release, you can upgrade directly to PAN-OS 11.1

 

Just ensure that the firewall is running the latest content release version.

Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 11.1 release.

 

Source: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

From Panorama: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

 

 

L2 Linker

Hi Kiwi,

We did a long way via 10.2.9-h1 as suggested by a another member and it worked nicely for us.

A bit worry of this direct approach.

Thank you .

L1 Bithead

Hello,
Currently we are on 110.4.h2,
I need path upgrade to 11.1.2 or later versions.
NOTE: Running HA

I appreciate your help..

Community Team Member

Hi @Kardokh ,

 

Since you're already running PAN-OS 11.0, you can upgrade directly to PAN-OS 11.1

 

You can follow the set of instructions for Upgrade an HA Firewall Pair

 

Cheers,

-Kim.

 

  • 7950 Views
  • 5 comments
  • 4 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎06-27-2024 03:33 AM
Updated by: