How to Revert PAN-OS to the last installed software using CLI.

Created On 12/10/19 05:06 AM - Last Modified 10/24/23 09:16 AM


Objective


To revert to the last successfully installed software when the upgraded software is not working as expected.

Environment


  • Any Palo Alto Firewall.
  • Any Panorama
  • PAN-OS 8.0, 9.0 and 10.0
Note: For 10.1, 10.2 and higher, read the note in the "Additional Information" section.
 


Procedure


  1. Use debug swm status to display the new and old PAN-OS versions. In the example below, 9.0.2 is the newly loaded PAN-OS and 8.1.0 is the previous successful working PAN-OS.
admin@Lab-PA-VM(active)> debug swm status
Partition         State             Version
--------------------------------------------------------------------------------
sysroot0          RUNNING-ACTIVE    9.0.2
sysroot1          REVERTABLE        8.1.0
maint             READY             9.0.2
  2. Use the command debug swm revert to revert to the older code version.
IMPORTANT: This is not a recommended procedure for downgrading between major versions, as there is no migration of logs or configuration, but it can be a good way to recover extremely quickly from a failed upgrade or downgrade.
admin@Lab-PA-VM(active)> debug swm revert
Reverting from 9.0.2 (sysroot0) to 8.1.0 (sysroot1)
  3. Recheck using the debug swm status command. The state of the older partition will show as PENDING-REVERT.
admin@Lab-PA-VM(active)> debug swm status

Partition         State             Version
--------------------------------------------------------------------------------
sysroot0          RUNNING-ACTIVE    9.0.2
sysroot1          PENDING-REVERT    8.1.0
maint             READY             9.0.2

  4. Reboot the firewall using request restart system.
admin@Lab-PA-VM(active)> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)
  5. Once rebooted, the device comes up running the last successful code, which is version 8.1.0 in the example above. This can be verified using debug swm status and show system info.
admin@Lab-PA-VM> debug swm status

Partition         State             Version
--------------------------------------------------------------------------------
sysroot0          REVERTABLE        9.0.2
sysroot1          RUNNING-ACTIVE    8.1.0
maint             READY             9.0.2

admin@Lab-PA-VM> show system info

hostname: Lab-PA-VM
ip-address: x.x.x.96
public-ip-address: unknown
netmask: 255.255.255.192
default-gateway: x.x.x.65
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::250:56ff:fe81:124f/64
ipv6-default-gateway:
mac-address: 00:50:56:81:12:4f
time: Mon Dec  9 20:56:41 2019
uptime: 0 days, 0:08:28
family: vm
model: PA-VM
serial: 007000000021360
vm-mac-base: E4:A7:49:0A:4D:00
vm-mac-count: 256
vm-uuid: 42010F61-7F07-4ED2-7FC4-DA442FEC698D
vm-cpuid: ESX:D2060200FFFBAB1F
vm-license: VM-100
vm-mode: VMWare ESXi
cloud-mode: non-cloud
sw-version: 8.1.0
...
<Output Omitted>
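
A pre-check that can be run over captured debug swm status output before issuing debug swm revert, written as an added example (not Palo Alto Networks code). It parses the partition table in the layout shown above, reports the running and target versions, and raises the two warnings this article gives. The function names, the is_panorama flag, and treating the first two version components as the major release are assumptions.

```python
import re

# Constructed sample: `debug swm status` output in the layout shown on this page.
SAMPLE = """\
Partition         State             Version
--------------------------------------------------------------------------------
sysroot0          RUNNING-ACTIVE    9.0.2
sysroot1          REVERTABLE        8.1.0
maint             READY             9.0.2
"""

ROW = re.compile(r"^(sysroot\d+|maint)\s+([A-Z-]+)\s+(\d+\.\d+\.\d+\S*)$")

def parse_swm_status(text):
    """Return {partition: (state, version)} from captured CLI output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(2), m.group(3))
    return table

def feature_release(version):
    """'9.0.2' -> (9, 0). Assumption: first two components identify the major release."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def revert_plan(text, is_panorama=False):
    """Summarise what `debug swm revert` would do, with the article's warnings."""
    table = parse_swm_status(text)
    running = [v for s, v in table.values() if s == "RUNNING-ACTIVE"]
    targets = [(s, v) for p, (s, v) in table.items()
               if p.startswith("sysroot") and s in ("REVERTABLE", "PENDING-REVERT")]
    if len(running) != 1 or len(targets) != 1:
        return {"ok": False, "reason": "no single running/revertable sysroot pair"}
    cur, (state, tgt) = running[0], targets[0]
    warnings = []
    if feature_release(cur) != feature_release(tgt):
        warnings.append("major version changes: logs and configuration are not migrated")
    if is_panorama and feature_release(cur) >= (10, 2) > feature_release(tgt):
        warnings.append("download plugin versions compatible with the target release first")
    return {"ok": True, "from": cur, "to": tgt,
            "reboot_pending": state == "PENDING-REVERT", "warnings": warnings}

if __name__ == "__main__":
    print(revert_plan(SAMPLE))
```
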

 


Additional Information


PAN-OS 10.2 introduced a new plugin architecture that is not supported on 10.1 or earlier releases. When you downgrade Panorama from the web UI, the downgrade is blocked if the 10.1-compatible plugin versions are not downloaded prior to the downgrade.

This check does not happen when using the debug swm revert command from the CLI: the PAN-OS downgrade is not blocked if the 10.1-compatible plugin versions are not downloaded prior to the downgrade. This will leave Panorama in a bad system state that requires the user to uninstall the plugins currently running a 10.2-compatible plugin version after the downgrade to 10.1.

Download the 10.1-compatible plugin versions for all plugins currently installed on Panorama prior to downgrading to 10.1.

Refer


