Upgrade PAN-OS

Follow these steps to upgrade a VM-Series firewall.
Where Can I Use This?
  • VM-Series firewall deployment
What Do I Need?
  • VM-Series 10.2.x or above
  • Panorama running PAN-OS 10.2.x or above

Upgrade the PAN-OS Software Version (Standalone Version)

Review the new features, addressed issues, and known issues and then use the following procedure to upgrade a firewall that isn't in an HA configuration.
To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall is connected to a reliable power source. A loss of power during an upgrade can make the firewall unusable.
  1. Verify that enough hardware resources are available to the VM-Series firewall.
    Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.
    If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.
  2. From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall license and that the license is activated.
    On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.
  3. Save a backup of the current configuration file.
    Although the firewall automatically creates a configuration backup, it's a best practice to create and externally store a backup before you upgrade.
    1. Select Device > Setup > Operations and click Export named configuration snapshot.
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  4. If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
    • For IP address-to-username mappings:
      • show user user-id-agent state all
      • show user server-monitor state all
    • For group mappings: show user group-mapping statistics
  5. Ensure that the firewall is running the latest content release version.
    1. Select Device > Dynamic Updates and see which Applications or Applications and Threats content release version is Currently Installed.
    2. If the firewall isn't running the minimum required content release version or a later version required for PAN-OS, click Check Now to retrieve a list of available updates.
    3. Locate and Download the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
    4. Install the update.
  6. Upgrade the VM-Series plugin.
    1. Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.
      For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.
      Don't install an upgrade that does not apply to your environment.
    2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
    3. Select Device > Plugins to view the plugin version. Use Check Now to check for updates.
    4. Select the version of the plugin and click Install in the Action column to install the plugin.
  7. Upgrade PAN-OS.
    If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Customer Support Portal and then manually Upload it to your firewall.
    1. Select Device > Software and click Check Now to display the latest PAN-OS updates.
    2. Locate and Download the target PAN-OS version.
    3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, select Device > Setup > Operations and click Reboot Device.
      At this point, the firewall clears the User-ID mappings, then connects to the User-ID sources to repopulate the mappings.
    5. If you have enabled User-ID, use the following CLI commands to verify that the firewall has repopulated the IP address-to-username and group mappings before allowing traffic.
      • show user ip-user-mapping all
      • show user group list
    6. If you're upgrading to an XFR release for the first time, repeat this step to upgrade to the corresponding XFR release.
  8. Verify that the firewall is passing traffic.
    Select Monitor > Session Browser and verify that you're seeing new sessions.
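
The User-ID check in step 4 and in the post-reboot sub-step of step 7, as an added example that is not part of the original procedure: a Python script that compares a saved capture of show user ip-user-mapping all taken before the upgrade with one taken after the reboot and reports which mappings have not come back. The column layout, the sample captures (constructed) and the 0.9 threshold are assumptions.

```python
"""Compare `show user ip-user-mapping all` captures from before and after an upgrade."""
import ipaddress
from collections import Counter

# Constructed sample captures (not real output); assumed columns:
# IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s).
SAMPLE_BEFORE = r"""
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.1.1.10       vsys1  UIA     example\alice        2400           2400
10.1.1.11       vsys1  UIA     example\bob          2310           2310
10.1.1.12       vsys1  AD      example\carol        1800           1800
10.1.1.13       vsys1  GP      example\dave         Never          Never
Total: 4 users
"""
SAMPLE_AFTER = r"""
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.1.1.10       vsys1  UIA     example\alice        2700           2700
10.1.1.12       vsys1  AD      example\erin         2700           2700
10.1.1.13       vsys1  GP      example\dave         Never          Never
Total: 3 users
"""


def parse_mappings(cli_text):
    """Return {ip: (user, source)}; lines whose first token is not an IP are skipped."""
    mappings = {}
    for line in cli_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6:
            continue
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue  # header, separator or "Total:" line
        # The user name may contain spaces; the last two tokens are the timeouts.
        mappings[ip] = (" ".join(tokens[3:-2]).lower(), tokens[2])
    return mappings


def repopulation_report(before, after, min_ratio=0.9):
    """Summarise how much of the pre-upgrade mapping table has been restored."""
    restored = [ip for ip, (user, _) in before.items()
                if ip in after and after[ip][0] == user]
    missing = sorted(set(before) - set(after))
    # Same IP, different user: policy now matches another identity, so review it.
    changed = sorted(ip for ip in before
                     if ip in after and after[ip][0] != before[ip][0])
    ratio = len(restored) / len(before) if before else 1.0
    return {
        "ratio": ratio,
        "missing": missing,
        "changed": changed,
        # Points at the User-ID source that has not reconnected yet.
        "missing_by_source": dict(Counter(before[ip][1] for ip in missing)),
        "ready": ratio >= min_ratio and not changed,
    }


if __name__ == "__main__":
    report = repopulation_report(parse_mappings(SAMPLE_BEFORE),
                                 parse_mappings(SAMPLE_AFTER))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Missing or changed entries can also be ordinary churn (logoffs, DHCP reassignment), so use the result to decide which User-ID source to inspect rather than as a hard gate.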

Upgrade the PAN-OS Software Version (HA Pair)

Use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time. For active/active firewalls, it does not matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-secondary peer first). For active/passive firewalls, you must upgrade the passive peer first, suspend the active peer (fail over), update the active peer, and then return that peer to a functional state (fail back). To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewalls are connected to a reliable power source. A loss of power during an upgrade can make firewalls unusable.
  1. Verify that enough hardware resources are available to the VM-Series firewall.
    Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.
    If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.
  2. From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall license and that the license is activated.
    On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.
  3. Save a backup of the current configuration file.
    Although the firewall automatically creates a backup of the configuration, it's a best practice to create and externally store a backup before you upgrade.
    Perform these steps on each firewall in the pair:
    1. Select Device > Setup > Operations and click Export named configuration snapshot.
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  4. If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
    • For IP address-to-username mappings:
      • show user user-id-agent state all
      • show user server-monitor state all
    • For group mappings: show user group-mapping statistics
  5. Ensure that each firewall in the HA pair is running the latest content release version.
    Refer to the release notes for the minimum content release version you must install for a PAN-OS 11.0 release. Make sure to follow the Best Practices for Application and Threat Updates.
    1. Select Device > Dynamic Updates and check which Applications or Applications and Threats content release version is Currently Installed.
    2. If the firewalls are not running the minimum required content release version or a later version required for the software version you're installing, click Check Now to retrieve a list of available updates.
    3. Locate and Download the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
    4. Install the update. You must install the update on both peers.
  6. Upgrade the VM-Series plugin.
    1. Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.
      For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.
      Don't install an upgrade that does not apply to your environment.
    2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
    3. Select Device > Plugins to view the plugin version. Use Check Now to check for updates.
    4. Select the version of the plugin and click Install in the Action column to install the plugin.
      When installing the plugin on VM-Series firewalls in an HA pair, install the plugin on the passive peer before the active peer. After you install the plugin on the passive peer, that peer transitions to a nonfunctional state. Installing the plugin on the active peer returns the passive peer to a functional state.
  7. Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
    1. Select Device > High Availability and edit the Election Settings.
    2. If enabled, disable (clear) the Preemptive setting and click OK.
    3. Commit the change.
  8. Install the PAN-OS release on the first peer.
    To minimize downtime in an active/passive configuration, upgrade the passive peer first. For an active/active configuration, upgrade the secondary peer first. As a best practice, if you're using an active/active configuration, we recommend upgrading both peers during the same maintenance window.
    If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
    1. On the first peer, select Device > Software and click Check Now for the latest updates.
    2. Locate and Download the target PAN-OS version.
      If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.
    3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, select Device > Setup > Operations and Reboot Device.
    5. After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.
  9. Install the PAN-OS release on the second peer.
    1. (Active/passive configurations only) Suspend the active peer so that HA fails over to the peer you upgraded.
      1. On the active peer, select Device > High Availability > Operational Commands and click Suspend local device.
      2. View the High Availability widget on the Dashboard and verify that the state changes to Passive.
      3. On the other peer, verify that it's active and is passing traffic (Monitor > Session Browser).
    2. On the second peer, select Device > Software and click Check Now for the latest updates.
    3. Locate and Download the target PAN-OS version.
    4. After you download the image, Install it.
    5. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, select Device > Setup > Operations and Reboot Device.
    6. (Active/passive configurations only) From the CLI of the peer you upgraded, run the following command to make the firewall functional again:
      request high-availability state functional
  10. Verify that both peers are passing traffic as expected.
    In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
    Run the following CLI commands to confirm that the upgrade succeeded:
    • (Active peers only) To verify that active peers are passing traffic, run the show session all command.
    • To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
      • In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
        If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
      • In an active/active configuration, you will see packets received and packets transmitted on both peers.
  11. If you disabled preemption prior to the upgrade, reenable it now.
    1. Select Device > High Availability and edit the Election Settings.
    2. Select Preemptive and click OK.
    3. Commit the change.

Upgrade the PAN-OS Software Version Using Panorama

Use the following procedure to upgrade the firewalls that you manage with Panorama. This procedure applies to standalone firewalls and firewalls deployed in a high availability (HA) configuration.
If Panorama is unable to connect directly to the update server, follow the procedure for deploying updates to firewalls when Panorama is not internet-connected so that you can manually download images to Panorama and then distribute the images to firewalls.
Before you can upgrade firewalls from Panorama, you must:
  • Make sure Panorama is running the same or a later PAN-OS version than you're upgrading to. You must upgrade Panorama and its Log Collectors to 9.1 before upgrading the managed firewalls to this version. In addition, when upgrading log collectors to 9.1, you must upgrade all log collectors at the same time due to changes in the logging infrastructure.
  • Plan for an extended maintenance window of up to six hours when upgrading Panorama to 9.1. This release includes significant infrastructure changes, which means that the Panorama upgrade will take longer than in previous releases.
  • Ensure that firewalls are connected to a reliable power source. A loss of power during an upgrade can make a firewall unusable.
  1. After upgrading Panorama, commit and push the configuration to the firewalls you're planning to upgrade.
  2. Verify that enough hardware resources are available to the VM-Series firewall.
    Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.
    If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.
  3. From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall license and that the license is activated.
    On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.
  4. Save a backup of the current configuration file on each managed firewall you plan to upgrade.
    Although the firewall automatically creates a configuration backup, it's a best practice to create and externally store a backup before you upgrade.
    1. From the Panorama web interface, select Panorama > Setup > Operations and click Export Panorama and devices config bundle to generate and export the latest configuration backup of Panorama and of each managed appliance.
    2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  5. Update the content release version on the firewalls you plan to upgrade.
    Refer to the Release Notes for the minimum content release version required for PAN-OS 11.0. Make sure to follow the Best Practices for Application and Threat Updates when deploying content updates to Panorama and managed firewalls.
    1. Select Panorama > Device Deployment > Dynamic Updates and Check Now for the latest updates. If an update is available, the Action column displays a Download link.
    2. If not already installed, Download the latest content release version.
    3. Click Install, select the firewalls on which you want to install the update, and click OK. If you're upgrading HA firewalls, you must update content on both peers.
  6. (HA firewall upgrades only) If you will be upgrading firewalls that are part of an HA pair, disable preemption. You need only disable this setting on one firewall in each HA pair.
    1. Select Device > High Availability and edit the Election Settings.
    2. If enabled, disable (clear) the Preemptive setting and click OK.
    3. Commit your change. Make sure the commit is successful before you proceed with the upgrade.
  7. Download the target PAN-OS release image.
    1. Select Panorama > Device Deployment > Software and Check Now for the latest release versions.
    2. Download the firewall-specific file (or files) for the release version to which you're upgrading. You must download a separate installation file for each firewall model (or firewall series) that you intend to upgrade.
  8. Install the PAN-OS software update on the firewalls.
    1. Click Install in the Action column that corresponds to the firewall models you want to upgrade.
    2. In the Deploy Software file dialog, select all firewalls that you want to upgrade. To reduce downtime, select only one peer in each HA pair. For active/passive pairs, select the passive peer; for active/active pairs, select the active-secondary peer.
    3. (HA firewall upgrades only) Make sure Group HA Peers isn't selected.
    4. Select Reboot device after install.
    5. To begin the upgrade, click OK.
    6. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, select Device > Setup > Operations and Reboot Device.
    7. After the firewalls finish rebooting, select Panorama > Managed Devices and verify the Software Version is 9.1.0 for the firewalls you upgraded. Also verify that the HA status of any passive firewalls you upgraded is still passive.
  9. (HA firewall upgrades only) Upgrade the second HA peer in each HA pair.
    1. (Active/passive upgrades only) Suspend the active device in each active/passive pair you're upgrading.
      1. Switch context to the active firewall.
      2. In the High Availability widget on the Dashboard, verify that the Local firewall state is Active and the Peer is Passive.
      3. Select Device > High Availability > Operational Commands > Suspend local device.
      4. Go back to the High Availability widget on the Dashboard and verify that Local changed to Passive and Peer changed to Active.
    2. Go back to the Panorama context and select Panorama > Device Deployment > Software.
    3. Click Install in the Action column that corresponds to the firewall models of the HA pairs you're upgrading.
    4. In the Deploy Software file dialog, select all firewalls that you want to upgrade. This time select only the peers of the HA firewalls you just upgraded.
    5. Make sure Group HA Peers isn't selected.
    6. Select Reboot device after install.
    7. To begin the upgrade, click OK.
    8. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, select Device > Setup > Operations and Reboot Device.
    9. (Active/passive upgrades only) From the CLI of the peer you upgraded, run the following command to make the firewall functional again:
      request high-availability state functional
  10. (PAN-OS XFR upgrade only) Upgrade the first peer and second peer to PAN-OS XFR by repeating Step 8 and Step 9.
  11. Verify the software and content release version running on each managed firewall.
    1. On Panorama, select Panorama > Managed Devices.
    2. Locate the firewalls and review the content and software versions in the table.
      For HA firewalls, you can also verify that the HA Status of each peer is as expected.
  12. (HA firewall upgrades only) If you disabled preemption on one of your HA firewalls before you upgraded, then edit the Election Settings (Device > High Availability) and reenable the Preemptive setting for that firewall and then Commit the change.