Upgrade a Standalone Firewall
Table of Contents
10.1
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Downgrade from Panorama 10.1
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade a Standalone Firewall
Follow these steps to upgrade a standalone firewall to
PAN-OS 10.1.
Review the PAN-OS 10.1 Release Notes and
then use the following procedure to upgrade a firewall that is not
in an HA configuration to PAN-OS 10.1.
If your firewalls
are configured to forward samples to a WildFire appliance for analysis,
you must upgrade the WildFire appliance before
upgrading the forwarding firewalls.
To
avoid impacting traffic, plan to upgrade within the outage window. Ensure
the firewall is connected to a reliable power source. A loss of
power during an upgrade can make the firewall unusable.
- Save a backup of the current configuration file.Although the firewall automatically creates a configuration backup, it is a best practice to create and externally store a backup before you upgrade.
- Select DeviceSetupOperations and click Export named configuration snapshot.
- Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
- Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
- (Optional) If you have enabled User-ID, after
you upgrade, the firewall clears the current IP address-to-username
and group mappings so that they can be repopulated with the attributes
from the User-ID sources. To estimate the time required for your
environment to repopulate the mappings, run the following CLI commands
on the firewall.
- For IP address-to-username mappings:
- show user user-id-agent state all
- show user server-monitor state all
- For group mappings: show user group-mapping statistics
- Ensure that the firewall is running the latest content
release version.Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 10.1 release. Make sure to follow the Best Practices for Applications and Threats Content Updates.
- Select DeviceDynamic Updates and see which Applications or Applications
and Threats content release version is Currently Installed.
- If the firewall is not running the minimum required content release version or a later version required for PAN-OS 10.1, Check Now to retrieve a list of available updates.
- Locate and Download the desired
content release version. After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
- Install the update.
- Select DeviceDynamic Updates and see which Applications or Applications
and Threats content release version is Currently Installed.
- Determine the Upgrade Path to PAN-OS 10.1 You cannot skip the installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 10.1Review PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the Release Notes and Upgrade/Downgrade Considerations for each release through which you pass as part of your upgrade path.
- (Best Practices) If you are leveraging Cortex
Data Lake (CDL), install the device certificate. The firewall automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.1.If you do not install the device certificate prior to upgrade to PAN-OS 10.1, the firewall continues to use the existing logging service certificates for authentication.
- Upgrade
to PAN-OS 10.1.If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Customer Support Portal and then manually Upload it to your firewall.
- Select DeviceSoftware and
click Check Now to display the latest PAN-OS updates. Only the versions for the next available PAN-OS release are displayed. For example, if the PAN-OS 10.0 is installed on the firewall, then only PAN-OS 10.1 releases are displayed.
- Locate and Download PAN-OS
10.1.0. If you encounter a file download error, click Check Now again to refresh the list of PAN-OS images.
- After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
- After
the installation completes successfully, reboot using one of the
following methods:
- If you are prompted to reboot, click Yes.
- If you are not prompted to reboot, select DeviceSetupOperations and click Reboot Device.
At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings. - If you have enabled User-ID, use the following CLI
commands to verify that the firewall has repopulated the IP address-to-username
and group mappings before allowing traffic.
- show user ip-user-mapping all
- show user group list
- Select DeviceSoftware and
click Check Now to display the latest PAN-OS updates.
- Verify that the firewall is passing traffic.Select MonitorSession Browser and verify that you are seeing new sessions.