Panorama automatically upgrades the firewall

Panorama automatically upgrades the firewall

3946
Created On 11/07/22 06:35 AM - Last Modified 12/07/24 02:08 AM


Symptom


  • Firewall managed by Panorama
  • The firewall was downgraded to a specific version by the admin user, system logs show the new version, and the system restart requested by an 'admin user'

GUI: Monitor > Logs > System

18:59:52 high     general        general 0  System restart requested by admin
18:59:21 info     general        general 0  Installed panos software version 10.1.6-h3
  • When the firewall connected back to Panorama, the firewall was upgraded to another PAN-OS version. System logs indicate the new PAN-OS version was installed and a system restart was requested by 'panorama'

GUI: Monitor > Logs > System

19:20:33 high     general        general 0  System restart requested by panorama
19:20:24 info     general        general 0  Installed panos software version 10.2.0
19:12:23 info     general        general 0  Connected to Panorama Server.
19:12:23 high     general        system- 1  The system is starting up.
  • Panorama configuration shows 'to-sw-version' field was selected for the specific firewall when it was added to Panorama
SSH to Panorama
panorama>set cli config-output-format set
panorama>configure
panorama#show | match to-sw-version
<mgt-config><devices><entry name="fw-serial-numver"><to-sw-version>: 10.2.0 

Environment


  • Panorama managed Firewalls
  • PAN-OS 10.0 and above.
  • Upgrade/Downgrade

Cause


  • Starting from PAN-OS 10.0.x onwards, when a firewall is added to Panorama as a managed device, there is an option to select a PAN-OS version in the 'To SW Version' column. Refer to Step 5 of Add Firewall as managed Device.
  • If this field is selected then every time when the firewall connects to Panorama with a PAN-OS version lower than the one mentioned in the 'To SW Version' field, then the firewall will be automatically upgraded to this specific version by Panorama.

Resolution


This is working as expected. In case the firewall needs to be downgraded to a version lower than what is defined in Panorama, then the 'To SW Version' field needs to be cleared from Panorama. There are 2 ways to do it:
  1.  From the Panorama GUI
    • Login to Panorama GUI
    • Go to Panorama ==> Managed Devices ==> Summary
    • Select the firewall that needs to be downgraded
    • Click on 'reassociate', this will take you to the 'device association' configuration
    • Clear the 'To SW Version' field and click OK
    • Click on 'commit' to commit the changes on Panorama
  2. From the Panorama CLI
    • Login to Panorama CLI
panorama>configure
panorama#delete mgt-config devices 'firewall serial number' to-sw-version
panorama#commit

Note : replace firewall serial number - to the actual serial number of the firewall which you want to downgrade

 

Additional Information



 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF5TCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language