How to Revert PAN-OS to the last installed software using CLI.
Created On 12/10/19 05:06 AM - Last Modified 10/24/23 09:16 AM
Objective
To revert to the last successfully installed software when the upgraded software is not working as expected.
Environment
- Any Palo Alto Firewall.
- Any Panorama
- PAN-OS 8.0, 9.0 and 10.0
Procedure
- Use debug swm status to display the new and old PAN-OS versions. In the example below, 9.0.2 is the newly loaded PAN-OS and 8.1.0 is the previous successfully working PAN-OS.
admin@Lab-PA-VM(active)> debug swm status
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 9.0.2
sysroot1 REVERTABLE 8.1.0
maint READY 9.0.2
- Use the command debug swm revert to revert back to the older code version.
IMPORTANT: This is not a recommended procedure for downgrading between major versions, as there is no migration of logs or configuration, but it can be a good way to recover extremely quickly from a failed upgrade or downgrade.
admin@Lab-PA-VM(active)> debug swm revert
Reverting from 9.0.2 (sysroot0) to 8.1.0 (sysroot1)
- Recheck using the debug swm status command. The previous version's partition will now show the state PENDING-REVERT.
admin@Lab-PA-VM(active)> debug swm status
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 9.0.2
sysroot1 PENDING-REVERT 8.1.0
maint READY 9.0.2
- Reboot the Firewall using request restart system.
admin@Lab-PA-VM(active)> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)
- Once rebooted, the device will come up running the last successful code, which is version 8.1.0 in the above example. This can be verified using debug swm status and show system info.
admin@Lab-PA-VM> debug swm status
Partition State Version
--------------------------------------------------------------------------------
sysroot0 REVERTABLE 9.0.2
sysroot1 RUNNING-ACTIVE 8.1.0
maint READY 9.0.2
admin@Lab-PA-VM> show system info
hostname: Lab-PA-VM
ip-address: x.x.x.96
public-ip-address: unknown
netmask: 255.255.255.192
default-gateway: x.x.x.65
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::250:56ff:fe81:124f/64
ipv6-default-gateway:
mac-address: 00:50:56:81:12:4f
time: Mon Dec 9 20:56:41 2019
uptime: 0 days, 0:08:28
family: vm
model: PA-VM
serial: 007000000021360
vm-mac-base: E4:A7:49:0A:4D:00
vm-mac-count: 256
vm-uuid: 42010F61-7F07-4ED2-7FC4-DA442FEC698D
vm-cpuid: ESX:D2060200FFFBAB1F
vm-license: VM-100
vm-mode: VMWare ESXi
cloud-mode: non-cloud
sw-version: 8.1.0
... <Output Omitted>
Additional Information
PAN-OS 10.2 introduced a new plugin architecture that is not supported on 10.1 or earlier releases. When you downgrade Panorama from the web UI, the downgrade is blocked if the 10.1-compatible plugin versions are not downloaded prior to the downgrade.
This does not happen when using the debug swm revert command from the CLI: the PAN-OS downgrade is not blocked if the 10.1-compatible plugin versions are not downloaded prior to the downgrade. This leaves Panorama in a bad system state that requires the user to uninstall the plugins currently running a 10.2-compatible plugin version after the downgrade to 10.1.
Download the 10.1-compatible plugin versions for all plugins currently installed on Panorama prior to downgrading to 10.1.
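A pre-flight check for the procedure and caveats above, as an added example (not Palo Alto Networks code): it parses saved debug swm status output and returns the warnings that apply before debug swm revert is run. The function names, the is_panorama flag and the rule that any change in the X.Y part of the version counts as crossing major versions are assumptions of this example.

```python
import re

# Constructed sample: `debug swm status` output in the layout shown on this page.
SAMPLE = """\
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 9.0.2
sysroot1 REVERTABLE 8.1.0
maint READY 9.0.2
"""
# partition name, upper-case state, dotted version (optional suffix such as -h1)
ROW = re.compile(r"^(\S+)\s+([A-Z][A-Z-]+)\s+(\d+\.\d+\.\d+\S*)$")

def parse_swm_status(text):
    """Return {partition: (state, version)}; header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows

def release(version):
    """First two version components as integers, e.g. '9.0.2' -> (9, 0)."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def revert_preflight(text, is_panorama=False):
    """Return (running, target, warnings) for a planned `debug swm revert`."""
    states = list(parse_swm_status(text).values())
    running = next((v for s, v in states if s == "RUNNING-ACTIVE"), None)
    target = next((v for s, v in states if s in ("REVERTABLE", "PENDING-REVERT")), None)
    if running is None or target is None:
        return running, target, ["no RUNNING-ACTIVE/REVERTABLE pair: nothing to revert to"]
    warnings = []
    # Assumption: a change in the X.Y part counts as crossing major versions.
    if release(running) != release(target):
        warnings.append("crosses versions: logs and configuration are not migrated")
    # Page caveat: the CLI revert does not block the Panorama 10.2 plugin mismatch.
    if is_panorama and release(running) >= (10, 2) > release(target):
        warnings.append(f"download plugin versions compatible with {target} first")
    return running, target, warnings

if __name__ == "__main__":
    print(revert_preflight(SAMPLE))
```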
Refer