How to Upgrade PAN-OS and Panorama
This article is outdated. Please refer to Best Practices for PAN-OS Upgrade.
This document shows how to upgrade PAN-OS and Panorama. Major and minor releases introduce new features and fix issues from earlier releases. A maintenance release fixes issues. A major release is indicated by the first digit of the release (for example, 6.0.0), a minor release by the first and second digits (6.1.0) and a maintenance release is indicated by the third digit (6.1.1).
| Release type | What it offers | How to identify |
|---|---|---|
| Major | Features & fixes | 6.0.0 |
| Minor | Features & fixes | 6.1.0 |
Note: Always read the release notes before performing an upgrade.
The following procedures are discussed:
The Palo Alto Networks firewall or Panorama must be registered with a current support subscription to access the latest PAN-OS software. To register a device and activate subscriptions, go to the Customer Support Portal.
- To upgrade to a new PAN-OS major release, the firewall or Panorama must be running PAN-OS in a feature release immediately preceding it, such as 6.0.x -> 6.1.x. Generally, any version in the earlier release set can be upgraded to the new feature release. As an example, PAN-OS 6.0.5 can be upgraded to PAN-OS 6.1 without downloading later PAN-OS 6.0.x versions. Attempts to upgrade to PAN-OS 6.1 from a PAN-OS 5.0.x version will be blocked. As long as the hardware has support and a working connection to the Internet, the currently supported versions will be listed when the 'Check Now' option is selected in the lower left of the Device > Software page.
- Ensure the device or Panorama is connected to a reliable power source, as a loss of power during the upgrade could make the device unusable.
- Save a backup of the current configuration file by clicking Save named config on the Device tab of the GUI under Setup or the Panorama tab under Setup.
- Read the Upgrade/Downgrade Procedures in the release notes to determine if there is a minimum content version required in order to perform the upgrade.
- The PAN-OS base image for the feature release must be downloaded to the device or Panorama before downloading and installing a later version in that release. The base image is the earliest version available and is generally the x.x.0 version. It does not need to be installed on the device, just downloaded before downloading and installing the current PAN-OS version. For example, if upgrading a Palo Alto Networks device from PAN-OS 5.0.8 to 6.1.3:
  - Download but do not install the 6.0.0 base release.
  - Download and install the latest 6.0.x maintenance release, for example 6.0.13, then reboot.
  - Download but do not install the 6.1.0 base release.
  - Download and install the latest 6.1.x maintenance release, for example 6.1.3, then reboot.
Note: After the installation, the Palo Alto Networks device requires a reboot for any new OS to take effect.
- If upgrading devices from Panorama, perform the upgrade to Panorama first by following the steps under Panorama Upgrade.
- Following the PAN-OS upgrade, you may need to upgrade associated software. See the Associated Software Versions chart in the release notes to make a determination.
- Go to Device > Software.
- Click 'Check Now' (lower left) to view the latest software releases available from Palo Alto Networks. Click 'Release Notes' to view a description of the changes in that release.
- Download and install PAN-OS.
  - Directly from the Web UI:
    - Click Download next to the release to be installed. When the download is complete, a check mark displays in the Downloaded column.
    - Click Install next to the release to initiate the installation. During installation, an option is available to have the device automatically reboot when installation is complete. If the option is enabled, the firewall restarts when the installation is complete.
    - Note: A reboot is not required at this time. However, the new software upgrade will not take effect until the reboot is performed.
  - Manually download the software and install:
    - Navigate to the Palo Alto Networks Support Portal on a web browser.
    - Go to the Software Updates page and download the appropriate PAN-OS release for the designated device.
    - On the Web UI of the device, navigate to Device > Software and click Upload. Browse to locate the downloaded software package, then click OK to upload the file to the device.
    - Click 'Install from File' and select the uploaded file.
    - Click OK to initiate the upgrade.
Note: To delete an outdated release, go to Device > Software and click 'X' next to the release. Do not delete the base PAN-OS releases.
In the event the device needs to be downgraded, please refer to the following document: How to Downgrade PAN-OS
- Inside the Panorama GUI, click the Panorama tab, then the Software tab. Note: Make sure you are not on Panorama > Device Deployment > Software.
- Click Check Now to retrieve the currently available releases that can be installed.
- Locate the latest release and download it to Panorama by clicking the Download link in the row corresponding to that release. (If using VMware ESX, choose that image.)
- After downloading, click the 'Install' link to perform the upgrade and reboot when prompted.
- Browse to the Panorama tab, click Device Deployment > Software and click 'Check Now' for the latest PAN-OS versions available. Click Download to download the appropriate software for the device type to be upgraded. The Platforms list displays. The same rules for the software versions apply, as stated above.
- After the correct image is downloaded, click Install, then select the device where you want to install the software. Notice the options at the bottom to 'Upload only to device (do not install)' and 'Reboot device after install.'
- Another way to install the software on a managed device is to go to Panorama > Managed Devices and select the 'Install' option at the bottom. Clicking 'Install' opens the same install page as in the previous step.
For information on upgrading an HA pair of firewalls, refer to the following document:
To fall back before upgrading the second device:
- Suspend the upgraded device. The passive device then becomes active and the suspended unit can be downgraded. Follow the procedures here: How to Downgrade PAN-OS
- After the downgrade completes, make sure the unit is active in the GUI to enable the admin to load up a shared configuration.
Sometimes an upgrade path requires installing an intermediate operating system to reach the final intended operating system, for example, to upgrade from 6.0 to 7.0, first install 6.1.
We recommend installing the latest maintenance release version available in the intermediate release to prevent issues during the upgrade process, for example, 6.0.5 to 6.1.13 to 7.0.6.
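The base-image rule and the intermediate-release rule described above can be combined into one step planner. This is an added example, not Palo Alto Networks tooling; the `FEATURE_ORDER` list and the `latest_maintenance` map are assumptions built from the version numbers this article mentions.

```python
# Feature-release order, taken from the versions this article mentions.
# Assumption: extend the list for releases the article does not cover.
FEATURE_ORDER = ["5.0", "6.0", "6.1", "7.0"]


def split_version(version):
    """Split 'X.Y.Z' into the feature release 'X.Y' and maintenance number Z."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected X.Y.Z, got {version!r}")
    return f"{parts[0]}.{parts[1]}", int(parts[2])


def plan_upgrade(current, target, latest_maintenance):
    """Return ordered (action, version) steps from current to target.

    latest_maintenance maps a feature release to the newest maintenance
    version available for it; it is consulted for intermediate hops only.
    """
    cur_feat, cur_maint = split_version(current)
    tgt_feat, tgt_maint = split_version(target)
    for feat in (cur_feat, tgt_feat):
        if feat not in FEATURE_ORDER:
            raise ValueError(f"unknown feature release {feat}")
    ci, ti = FEATURE_ORDER.index(cur_feat), FEATURE_ORDER.index(tgt_feat)
    if (ti, tgt_maint) <= (ci, cur_maint):
        raise ValueError("target is not newer; use the downgrade procedure")

    # Same feature release: one hop. Otherwise visit every release in between.
    hops = [tgt_feat] if ci == ti else FEATURE_ORDER[ci + 1:ti + 1]
    steps = []
    for feat in hops:
        base = f"{feat}.0"
        install = target if feat == tgt_feat else latest_maintenance[feat]
        # The base image must be on the device before a later version in
        # the same release is downloaded; it is not installed itself.
        steps.append(("download", base))
        if install != base:
            steps.append(("download", install))
        steps.append(("install", install))
        steps.append(("reboot", install))
    return steps


if __name__ == "__main__":
    # Constructed input matching the article's 5.0.8 -> 6.1.3 example.
    for action, version in plan_upgrade("5.0.8", "6.1.3", {"6.0": "6.0.13"}):
        print(f"{action:8s} {version}")
```
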