Upgrade the VM-Series Firewall

Upgrade the VM-Series firewall.
Where Can I Use This?
  • VM-Series firewall deployment
What Do I Need?
  • VM-Series 10.2.x or above
  • Panorama running PAN-OS 10.2.x or above
The licensing process for the VM-Series firewall uses the UUID and the CPU ID to generate a unique serial number for each VM-Series firewall. Hence, when you generate a license, the license is mapped to a specific instance of the VM-Series firewall and can't be modified.
Use the instructions in this section if you're:
  • Migrating from an evaluation license to a production license.
  • Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-100 to the VM-300 model.
  • Upgrading capacity, which restarts some critical processes on the firewall. An HA configuration is recommended to minimize service disruption; to upgrade the capacity on an HA pair, see Upgrade the VM-Series Model in an HA Pair.
  • In a private or public cloud deployment, if your firewall is licensed with the BYOL option, you must deactivate your VM before you change the instance type or VM type. Upgrading the model or instance changes the UUID and CPU ID, so you must apply for the license.
  1. Allocate additional hardware resources to your VM-Series firewall.
    Before initiating the capacity upgrade, you must verify that enough hardware resources are available to the VM-Series firewall to support the new capacity. The process for assigning additional hardware resources differs on each hypervisor.
    To check the hardware requirements for your new VM-Series model, see VM-Series Models.
    Although the capacity upgrade does not require a reboot of the VM-Series firewall, you need to power down the virtual machine to change the hardware allocation.
  2. Retrieve the license API key from the Customer Support portal.
    1. Log in to the Customer Support Portal.
      Make sure that you're using the same account that you used to register the initial license.
      You must have superuser privileges to retrieve the license API key.
    2. Select Products > API Key Management.
    3. Copy the API key.
  3. On the firewall, use the CLI to install the API key copied in the previous step.
    request license api-key set key <key>
    The VM will reboot after you set the API key inside a VM.
  4. (If you have internet access) Enable the firewall to Verify Update Server identity on Device > Setup > Service.
  5. Commit your changes. Ensure that you have a locally configured user on the firewall. Panorama pushed users might not be available after the deactivation if the configuration exceeds the nonlicensed PA-VM objects limit.
  6. Upgrade the capacity.
    Select Device > Licenses > Upgrade VM Capacity and then activate your licenses and subscriptions in one of the following ways:
    • (Internet) Retrieve license keys from license server—Use this option if you activated your license on the Customer Support portal.
    • (Internet) Use an auth code—Use this option to upgrade the VM-Series capacity using an auth code for licenses that have not been previously activated on the Customer Support Portal. When prompted, enter the Authorization Code and then click OK.
    • (No internet) Manually upload license key—Use this option if your firewall does not have internet connectivity to the Customer Support portal. From a computer with access to the internet, log in to the CSP, download a license key file, transfer it to a computer in the same network as the firewall, and upload it to the firewall.
  7. Verify that your firewall is licensed successfully.
    On the Products > Devices page, verify that the license was successfully activated.

Upgrade the VM-Series Model in an HA Pair

Upgrading the VM-Series firewall allows you to increase the capacity on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. When you apply a new capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall.
Verify the VM-Series System Requirements for your firewall model before you upgrade. If your firewall has less than 5.5 GB memory, the capacity (number of sessions, rules, security zones, address objects, etc.) on the firewall will be limited to that of the VM-50 Lite.
This process is similar to that of upgrading a pair of hardware-based firewalls that are in an HA configuration. During the capacity upgrade process, session synchronization continues, if you have it enabled. To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time.
Don't make configuration changes to the firewalls during the upgrade process. During the upgrade process, configuration sync is automatically disabled when a capacity mismatch is detected and is then reenabled when both HA peers have matching capacity licenses.
If the firewalls in the HA pair have different major software versions (such as 9.1 and 9.0) and different capacities, both devices will enter the Suspended HA state. Therefore, it's recommended that you make sure both firewalls are running the same version of PAN-OS before upgrading capacity.
  1. Upgrade the capacity license on the passive firewall.
    Follow the procedure to Upgrade the VM-Series Model.
    The new VM-Series model displays on the dashboard after some processes restart on this passive peer. This upgraded peer is now in a non-functional state because of the capacity mismatch with its active peer.
    If you have enabled session synchronization, verify that sessions are synchronized across HA peers before you continue to the next step. To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
    • In an active/passive configuration, only the active peer shows packets transmitted, and the passive peer shows only packets received.
      If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
    • In an active/active configuration, you will see packets received and packets transmitted on both peers.
  2. Upgrade the capacity license on the active firewall.
    Follow the procedure to Upgrade the VM-Series Model.
    The new VM-Series model displays on the dashboard after the critical processes restart. The passive firewall becomes active, and this peer (previously active firewall) moves from the initial state to become the passive peer in the HA pair.
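
The session synchronization check in step 1, written out as an added example (not Palo Alto Networks code). It assumes you read the HA2 hardware interface packet counters off each peer twice, some seconds apart, and enter them by hand; the Ha2Counters structure, the function names and the sample values are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ha2Counters:
    """Packet counters read off one peer (hypothetical structure, not a PAN-OS format)."""
    tx: int
    rx: int


def check_peer(mode, role, before, after, ha2_keepalive=False):
    """Compare two readings taken some seconds apart on one peer.

    Returns a list of problems; an empty list means the counters behave as
    described for that HA mode and role.
    """
    if after.tx < before.tx or after.rx < before.rx:
        return ["counters went backwards (reset or restart); take two new readings"]
    tx_up, rx_up = after.tx > before.tx, after.rx > before.rx

    if mode == "active/active":
        want_tx, want_rx = True, True
    elif mode == "active/passive" and role == "active":
        # Assumption: with bidirectional keep-alive the active peer also receives.
        want_tx, want_rx = True, ha2_keepalive
    elif mode == "active/passive" and role == "passive":
        want_tx, want_rx = ha2_keepalive, True
    else:
        raise ValueError(f"unknown mode/role: {mode!r}/{role!r}")

    problems = []
    for name, seen, wanted in (("transmitted", tx_up, want_tx), ("received", rx_up, want_rx)):
        if wanted and not seen:
            problems.append(f"{role}: packets {name} not increasing")
        elif seen and not wanted:
            problems.append(f"{role}: unexpected packets {name}; is HA2 keep-alive enabled?")
    return problems


def safe_to_upgrade_active(mode, readings, ha2_keepalive=False):
    """readings maps role -> (before, after). True only if every peer is clean."""
    return all(not check_peer(mode, role, b, a, ha2_keepalive)
               for role, (b, a) in readings.items())


# Constructed sample readings, for illustration only.
SAMPLE = {
    "active": (Ha2Counters(tx=1000, rx=0), Ha2Counters(tx=1450, rx=0)),
    "passive": (Ha2Counters(tx=0, rx=990), Ha2Counters(tx=0, rx=1440)),
}
```

A stalled counter on either peer makes safe_to_upgrade_active return False, which is the signal to hold off on step 2 until synchronization is confirmed.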

Downgrade a VM-Series Firewall to a Previous Release

Use the following workflow to restore the configuration that was running before you upgraded to a different feature release. Any changes made since the upgrade are lost. Therefore, it's important to back up your current configuration so you can restore those changes when you return to the newer release.
Use the following procedure to downgrade to a previous release.
  1. Save a backup of the current configuration file.
    Although the firewall automatically creates a backup of the configuration, it's a best practice to create a backup before you upgrade and store it externally.
    1. Export named configuration snapshot (Device > Setup > Operations).
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the downgrade.
  2. Install the previous feature release image.
    Autosave versions are created when you upgrade to a new release.
    1. Check Now (Device > Software) for available images.
    2. Locate the image to which you want to downgrade. If the image isn't already downloaded, then Download it.
    3. After the download completes, Install the image.
    4. Select a Config File for Downgrading, which the firewall will load after you reboot the device. In most cases, you should select the configuration that was saved automatically when you upgraded from the release to which you're now downgrading. For example, if you're running PAN-OS 9.1 and are downgrading to PAN-OS 9.0.3, select autosave-9.0.3.
    5. After the installation completes successfully, reboot using one of the following methods:
      • If you're prompted to reboot, click Yes.
      • If you're not prompted to reboot, go to Device Operations (Device > Setup > Operations) and Reboot Device.