How to perform PANOS upgrade from CLI?

How to perform PANOS upgrade from CLI?

90755
Created On 12/11/19 03:20 AM - Last Modified 07/21/20 00:21 AM


Objective


Upgrade PAN-OS using CLI commands.

Environment


  • Palo Alto Firewall.
  • Any PAN-OS.

Procedure


  1. Use show system info to check the current version. The example below is 9.0.3 version. 
admin@Lab-5250> show system info

hostname: Lab-5250
ip-address: x.x.x.x
public-ip-address: unknown
netmask: 255.255.254.0
default-gateway: x.x.x.1
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::a66:1fff:fe01:17b7/64
ipv6-default-gateway:
mac-address: 08:66:1f:01:17:b7
time: Tue Dec 10 16:41:04 2019
uptime: 0 days, 0:53:14
family: 5200
model: PA-5250
serial: 013101004385
cloud-mode: non-cloud
sw-version: 9.0.3
  1. Use request system software check to check which PAN-OS are downloaded on the firewall.
admin@Lab-5250> request system software check

Version               Size          Released on Downloaded
-------------------------------------------------------------------------
9.0.5                871MB 2019/11/14  00:55:23         no
9.0.4                821MB 2019/09/26  11:28:03         no
9.0.3                816MB 2019/07/12  10:34:48        yes
9.0.3-h3             816MB 2019/08/20  21:09:09        yes
9.0.3-h2             816MB 2019/08/08  13:14:10         no
9.0.2                812MB 2019/05/09  07:55:14         no
9.0.2-h4             816MB 2019/06/27  11:47:18        yes
9.0.1                796MB 2019/03/28  08:40:39        yes
9.0.0               1375MB 2019/02/06  00:37:57        yes
8.1.11               926MB 2019/10/16  08:36:54        yes
8.1.10               926MB 2019/08/29  00:31:57        yes
8.1.9                925MB 2019/07/05  19:02:42         no
.....
<Output Omitted>
  1. Use request system software download command to download the required PAN-OS version. In this example version 9.0.4 is being downloaded.
admin@Lab-5250> request system software download version 9.0.4
Download job enqueued with jobid 33590
  1. Check the status of the download using the job number displayed in the above step. Once the software is downloaded Successfully loaded message is seen.
admin@Lab-5250> show jobs id 33590

Enqueued              Dequeued           ID                              Type                         Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2019/12/10 14:50:00   14:50:00        33590                            Downld                            FIN     OK 14:50:10
Warnings:
Details:Successfully downloaded
Preloading into software manager
Successfully loaded into software manager
  1. Using request system software info again displays the new version being downloaded as yes. In this case 9.0.4 version is downloaded.
admin@Lab-5250> request system software info

Version               Size          Released on Downloaded
-------------------------------------------------------------------------
9.0.5                871MB 2019/11/14  00:55:23         no
9.0.4                821MB 2019/09/26  11:28:03        yes
9.0.3                816MB 2019/07/12  10:34:48        yes
9.0.3-h3             816MB 2019/08/20  21:09:09        yes
9.0.3-h2             816MB 2019/08/08  13:14:10         no
9.0.2                812MB 2019/05/09  07:55:14         no
.....
<Output Omittted>
  1. The downloaded software can be now be installed using request system software install command. In this example 9.0.4 version is being installed.
admin@Lab-5250> request system software install version 9.0.4
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 33591. Run 'show jobs id 33591' to monitor its status. Please reboot the device after the ins
tallation is done.
 
  1. Verify the installation is completed using show jobs id command. The job number is seen in the output of previous command. The installation may take few minutes to be completed.
admin@Lab-5250> show jobs id 33591

Enqueued              Dequeued           ID                              Type                         Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2019/12/10 14:53:05   14:53:05        33591                         SWInstall                            FIN     OK 14:54:20
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
 
  1. Use request restart system to reboot so that the new version takes into effect.
admin@Lab-5250> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Tue Dec 10 19:02:22 2019):
The system is going down for reboot NOW!
  1. The firewall now boots with the new version of software.
admin@Lab-5250> show system info

hostname: Lab-5250
ip-address: 10.46.34.144
public-ip-address: unknown
netmask: 255.255.254.0
default-gateway: 10.46.34.1
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::a66:1fff:fe01:17b7/64
ipv6-default-gateway:
mac-address: 08:66:1f:01:17:b7
time: Tue Dec 10 16:41:04 2019
uptime: 0 days, 0:53:14
family: 5200
model: PA-5250
serial: 013101004385
cloud-mode: non-cloud
sw-version: 9.0.4
......
<Output Omitted>




 

Additional Information


PAN-OS upgrade is normally done using GUI. The procedure documented above using CLI is used when GUI upgrade is not possible. Best Practice for PAN-OS upgrade has detailed information on the upgrade checklist, dependencies and the procedure both on Panorama and Firewalls.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNns&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail

Choose Language