Upgrade Palo Alto Firewalls with Panorama (Internet-connected)

The process to upgrade firewalls when Panorama is Internet-connected involves several steps:

 

  1. Review the PAN-OS 10.2 Release Notes: Understand the updates and changes in the new release.

  2. Upgrade Preparations: Make sure Panorama is running the same PAN-OS version as, or a later version than, the one you are upgrading to. Upgrade Panorama and its Log Collectors to 10.2 before upgrading the managed firewalls to this version. When upgrading Log Collectors to 10.2, you must upgrade all Log Collectors at the same time due to changes in the logging infrastructure. Ensure that firewalls are connected to a reliable power source. If the Panorama virtual appliance is in Legacy mode, decide whether to stay in Legacy mode on upgrade to PAN-OS 10.2.

  3. Log in to the Panorama web interface: The first step to begin the upgrade process.

  4. Save a backup of the current configuration file: This is done on each managed firewall you plan to upgrade. It’s a best practice to create and externally store a backup before you upgrade.

  5. Update the content release version on the firewalls you plan to upgrade: Refer to the Release Notes for the minimum content release version required for PAN-OS 10.2. Make sure to follow the Best Practices for Applications and Threats Content Updates when deploying content updates to Panorama and managed firewalls.

  6. Determine the Upgrade Path to PAN-OS 10.2: You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 10.2.0.

  7. Install the device certificate if you are leveraging Cortex Data Lake (CDL): The firewall automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.2. If you do not install the device certificate prior to upgrade to PAN-OS 10.2, the firewall continues to use the existing logging service certificates for authentication.

  8. Disable preemption (HA firewall upgrades only): If you will be upgrading firewalls that are part of an HA pair, disable preemption. You need only disable this setting on one firewall in each HA pair.

    1. Log in to the firewall web interface of one of the firewall HA peers.
    2. Select Device > High Availability and edit the Election Settings.
    3. If enabled, disable (clear) the Preemptive setting and click OK.
    4. Commit your change. Make sure the commit is successful before you proceed with the upgrade.

  9. Suspend the primary HA peer to force a failover (HA firewall upgrades only): For firewalls in an active/passive HA configuration, suspend and upgrade.

  10. Download the target PAN-OS 10.2.0 release image: You must download a separate installation file for each firewall model (or firewall series) that you intend to upgrade.

  11. Install the PAN-OS 10.2 software update on the firewalls: To preserve an accurate status for your SD-WAN links, you must upgrade your hub firewalls to PAN-OS 10.2 before you upgrade your branch firewalls. Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data (Panorama SD-WAN Monitoring) and may cause SD-WAN links to erroneously display as down.

    1. Click Install in the Action column that corresponds to the firewall models you want to upgrade. For example, if you want to upgrade your PA-220 firewalls, click Install in the row that corresponds to PanOS_220-10.2.0.
    2. In the Deploy Software file dialog, select all firewalls that you want to upgrade. (HA firewall upgrades only) To reduce downtime, select only one peer in each HA pair. For active/passive pairs, select the passive peer; for active/active pairs, select the active-secondary peer.
    3. (HA firewall upgrades only) Make sure Group HA Peers is not selected.

 

 

It’s important to note that when upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each HA peer to the same feature PAN-OS release on your upgrade path before continuing. For example, if you’re upgrading HA peers from PAN-OS 10.0 to PAN-OS 10.2, you must upgrade both HA peers to PAN-OS 10.1 before you can continue upgrading to the target PAN-OS 10.2 release.
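
The ordering rules in this procedure (no skipped feature releases, every HA peer on the same feature release before moving on, passive or active-secondary peer first, SD-WAN hubs before branches) can be checked against an inventory before a change window. The following is an added example, not Palo Alto Networks code; the feature-release list, the inventory field names and the firewall names are assumptions, and the inventory is constructed.

```python
# Added example, not Palo Alto Networks code. The feature-release order is an
# assumption: confirm it against the release notes before relying on it.
FEATURE_RELEASES = ["9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]
ROLE_ORDER = {"hub": 0, "branch": 1, None: 2}            # SD-WAN hubs first
PEER_ORDER = {"passive": 0, "active-secondary": 0, None: 0,
              "active": 1, "active-primary": 1}          # standby peer first


def rank(version):
    """Position of a full version such as '10.1.6-h3' in the feature sequence."""
    return FEATURE_RELEASES.index(".".join(version.split(".")[:2]))


def upgrade_path(current, target="10.2"):
    """Feature releases to install, in order, with none skipped."""
    if rank(current) > rank(target):
        raise ValueError(f"{current} is already newer than {target}")
    return FEATURE_RELEASES[rank(current) + 1:rank(target) + 1]


def plan(panorama_version, firewalls, target="10.2"):
    """Return ordered (feature_release, firewall_name) install steps."""
    if rank(panorama_version) < rank(target):
        raise ValueError("upgrade Panorama and its Log Collectors first")
    steps = []
    for hop in FEATURE_RELEASES:       # every device finishes a hop before the next
        due = [fw for fw in firewalls if hop in upgrade_path(fw["version"], target)]
        due.sort(key=lambda fw: (ROLE_ORDER[fw.get("role")],
                                 fw.get("ha_pair") or fw["name"],
                                 PEER_ORDER[fw.get("ha_state")]))
        steps += [(hop, fw["name"]) for fw in due]
    return steps


# Constructed inventory; names, roles and versions are illustrative only.
SAMPLE = [
    {"name": "branch-fw1", "version": "10.1.9", "role": "branch"},
    {"name": "hub-fw-a", "version": "10.0.11", "role": "hub",
     "ha_pair": "hub-pair", "ha_state": "active"},
    {"name": "hub-fw-b", "version": "10.0.11", "role": "hub",
     "ha_pair": "hub-pair", "ha_state": "passive"},
]

if __name__ == "__main__":
    for hop, name in plan("10.2.4", SAMPLE):
        print(f"install {hop} on {name}")
```

The plan only fixes the order of installs; the failover between HA peers and the commit checks described in the steps above still happen between entries.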