PAN-OS Upgrade Checklist
Table of Contents
11.0
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.0
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
PAN-OS Upgrade Checklist
What do I need to plan my PAN-OS upgrade?
Planning your PAN-OS upgrade can help
ensure a smoother transition to a newer version of PAN-OS for your
Panorama or firewalls.
- Make sure the device is registered and licensed.
- Verify the available disk space.The disk space required varies based on the PAN-OS release. Select DeviceSoftware and review the target PAN-OS release Size to determine the required disk space.
- Run show system disk-space
- Verify the minimum content release version.
- Identify the preferred release.
- (PAN-OS 11.0.5 and later 11.0 releases)Select DeviceSoftware. By default, the Release Type column displays the preferred and base releases. To view the preferred releases only, disable (clear) the Base Releases checkbox.
- (PAN-OS 11.0.5 and later 11.0 releases)Run request system software info preferred
See the Palo Alto Networks Support Software Release Guidance and End-of-Life Summary for more information. Additionally, review the known and addressed issues, upgrade and downgrade considerations, and limitations for your target PAN-OS release to understand how a PAN-OS upgrade may impact you. - (PAN-OS 11.0.5 and later 11.0 releases)
- Determine the upgrade path.When you upgrade from one PAN-OS feature release version to a later feature release, you cannot skip the installation of any feature release versions in the path to your target release.
- Review the upgrade/downgrade considerations for all releases in your upgrade path.
- (Required for GlobalProtect) Verify the minimum GlobalProtect™ agent version to prevent GlobalProtect users from losing VPN connectivity. GlobalProtect can be upgraded directly to the latest version.
- Verify the minimum plugin release versions on the target release version for any plugins you have installed.
- Verify connectivity from the management interface to the update server.
- Select DeviceTroubleshooting and test the Update Server Connectivity to check that the DNS can resolve the address.If it doesn’t resolve, change the DNS to 8.8.8.8 (you need to use a public DNS server rather than your own DNS server) and ping again.If this doesn’t resolve, change the update server to staticupdates.paloaltonetworks.com and Commit.
- (SD-WAN only) Identify the hub and branch firewalls you intend to upgrade to PAN-OS 10.2.To preserve an accurate status for your SD-WAN links, you must upgrade your hub firewalls to PAN-OS 11.0 before you upgrade your branch firewalls. Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data (PanoramaSD-WANMonitoring) and for SD-WAN links to erroneously display as down.
- If there are any plugins currently installed, download the plugin version supported on PAN-OS 11.0 for all plugins currently installed on Panorama (PanoramaPlugins) or your firewall (DevicePlugins) before upgrade.See the Panorama Plugins Compatibility Matrix for the Panorama plugin version supported on PAN-OS 10.2.This is required to successfully upgrade Panorama and firewall from PAN-OS 11.0 to PAN-OS 10.2. The downloaded plugin version is automatically installed during upgrade to PAN-OS 10.2. Upgrade to PAN-OS 11.0 is blocked if the supported plugin version is not downloaded.