: Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release
Focus
Focus

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Table of Contents

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Before upgrading the SD-WAN plugin, you need to take the backup of the configuration file, generate a technical support file, and install a compatible content release version.
Where Can I Use This?What Do I Need?
  • PAN-OS
  • SD-WAN
  • SD-WAN plugin license
It’s imperative to ensure that an existing network infrastructure remains up to date and is capable of upgrading its features to unlock new functionalities. The SD-WAN upgrade guide helps the network administrators to upgrade the Panorama management server and Palo Alto Networks firewalls that are compatible with the SD-WAN plugin release.
It is important that you have a proper upgrade or downgrade plan before starting actual upgrade or downgrade procedure. Refer the valid upgrade and downgrade paths for your currently installed SD-WAN plugin version.
Before proceeding with the upgrade process, ensure the following:
  • Take a backup of all the configurations on each device.
  • Refer Panorama Plugin Compatibility Matrix to review the features introduced in each version of the Panorama plugin for SD-WAN.
  • You have administrator access to the Palo Alto Networks devices.

Prerequisites

Before you upgrade the Panorama HA pair, it's important to save the configuration files, create a technical support file, and check for the compatible content release version for your device.

Back up Your Configuration File

Make a backup of the current configuration file. It's recommended to make a backup of your current Panorama and firewall configurations:
If you have problems with the upgrade, you can use these backups to restore the configuration by loading the configuration backup on the firewall managed by the Panorama management server.

Generate a Technical Support File

It's important to generate the technical support file for debugging purposes.
  1. Select DeviceSupport and Generate Tech Support File.
    The technical support file must be generated on both the HA pair for debugging purposes.
    It may take a few minutes to generate a technical support file and the time taken to generate would vary.
  2. Click Yes when prompted to generate the tech support file.
  3. Click Download Tech Support File to save it in the firewall or Panorama.

Install Compatible Content Release Version

Ensure that each firewall and Panorama HA pair is running the latest content release (Applications and Threats) version.
All the firewalls and the Panorama must have the same version of Applications and Threats downloaded and installed for the upgrade to be successful.
Refer to the corresponding Release Notes for the minimum content release (such as, Applications and Threats) version you must install for a corresponding PAN-OS release. Make sure to follow the best practices for applications and threat content updates.
Your firewall and the Panorama running a specific PAN-OS version must contain the minimum content release (Applications and Threats) version that’s compatible with the PAN-OS version.
Use the following workflow to download and install the content release version that’s compatible with the PAN-OS version:
  1. For the firewall, select DeviceDynamic Updates and for Panorama select PanoramaDynamic Updates to check the version information of the Applications and Threats.
  2. Check Now to retrieve a list of available updates.
  3. Locate and Download the appropriate content release version. After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
  4. Install the update on the Palo Alto Networks devices.

Important Considerations for Upgrading Panorama

The following are the important considerations for upgrading the SD-WAN plugin version on your Panorama management server:
  • (HA Deployments only) Both the active and passive Panorama must have the same Panorama software and SD-WAN plugin versions.
  • (HA Deployments only) Maintain the same HA states for both Panorama and Palo Alto Networks Next-Generation Firewalls after upgrade and before commit or commit all, so that the configuration changes are minimal.
  • Always ensure that the Panorama software version is higher than the PAN-OS version.
  • For MongoDB synchronization status for an SD-WAN plugin version, refer to MongoDB Synchronization Status with SD-WAN Database Collections.
  • (HA Deployments only) You must upgrade both active and passive Panorama HA pairs simultaneously.
  • After completing the SD-WAN plugin upgrade, you must perform a commit force through the CLI command (in configuration mode) on the Palo Alto Networks device. If you perform commit all instead of commit force, then you will lose all the SD-WAN configurations on that device.
After the upgrade is complete, note the changes after the upgrade.