PaloAlto releases software updates on an ongoing basis. It’s essential that you stay current with the latest stable release of the firewall software.
At a high level, the following are 5 easy steps to upgrade a PaloAlto firewall:
- Pre-install: Verify current software version
- Check Available Software Versions
- Download Latest Version of PaloAlto
- Install the Latest version of Firewall Software
- Post-install: Reboot and verify new software version
Apart from upgrading from CLI, this tutorial also explains how to upgrade PAN-OS from PaloAlto console.
1. Pre-install: Verify current software version – from CLI
First, login to the PaloAlto firewall from CLI using ssh as shown below.
$ ssh -i thegeekstuff.pem admin@192.168.101.111
Next, execute the following show system info command to get the current version of your software.
admin@PA-VM> show system info | match sw-version
sw-version: 9.0.0
In the above example, the current version is 9.0.0. Let us upgrade this to the latest 9.0.x version.
2. Check Available Software Versions – from CLI
Execute the following request system software check command, which lists all the software versions available for your device.
admin@PA-VM> request system software check
Version    Size     Released on            Downloaded
-------------------------------------------------------------------------
9.0.2      354MB    2019/05/09 07:57:11    no
9.0.1      345MB    2019/03/28 08:43:16    no
9.0.0      759MB    2019/02/06 08:54:03    yes
8.1.8      465MB    2019/05/08 12:18:31    no
8.1.7      464MB    2019/03/18 22:01:25    no
..
..
In the above output:
- Version column – This shows all available software versions. The latest version will be at the top. The current latest version in this example is 9.0.2
- Downloaded column – The “yes” in this column indicates that this particular version of the software is downloaded. Currently it says “yes” only to 9.0.0.
3. Download Latest Version of PaloAlto – from CLI
Next, execute the request system software download command, which will download the given version.
In the following example, this command will schedule a background job to download the 9.0.2 version of the software.
admin@PA-VM> request system software download version 9.0.2
Download job enqueued with jobid 10
10
The output of the previous download command will give you a job id. In the previous step, our job id is 10.
View the status of this particular job as shown below.
admin@PA-VM> show jobs id 10
Enqueued              Dequeued    ID  Type    Status  Result  Completed
---------------------------------------------------------------------------
2019/05/22 23:57:18   23:57:18    10  Downld  ACT     PEND    21%
Warnings:
Details:
Note: Once the output of the above command shows 100% completed, move on to the next step.
Please note that upgrading the PANOS will not modify/remove any of your existing configurations including security and NAT policies.
On a related note, to master the PaloAlto CLI, refer to: 15 PaloAlto CLI Examples to Manage Security and NAT Policies
4. Install the Latest version of Firewall Software – from CLI
Finally, execute the following request system software install command as shown below to install the latest version of the software.
admin@PA-VM> request system software install version 9.0.2
The above command will give this info message. Say “y” to the following prompt.
Executing this command will install a new version of software. It will not take effect until system is restarted.
Downgrading from PAN-OS 9.0 to an earlier release requires downgrading the logging infrastructure. After downgrade, you must migrate your log data to the previous format. For more information, please refer to Downgrade from Panorama 9.0 in https://docs.paloaltonetworks.com/downgrade-panorama.
Do you want to continue? (y or n) y
Software install job enqueued with jobid 12. Run ‘show jobs id 12’ to monitor its status. Please reboot the device after the installation is done.
12
View the status of the installation using the job id from the above output.
admin@PA-VM> show jobs id 12
Enqueued              Dequeued    ID  Type       Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------
2019/05/22 23:00:49   23:00:49    12  SWInstall  ACT     PEND    71%
Warnings:
Details:

admin@PA-VM> show jobs id 12
Enqueued              Dequeued    ID  Type       Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------
2019/05/22 23:00:49   23:00:49    12  SWInstall  FIN     OK      23:04:24
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
Note: I’ve noticed a strange behavior in the download completed percentage. When it reached 71%, it started going down to 66%, and then started going up again.
5. Post-install: Reboot and verify new software version – from CLI
Now, reboot the firewall using the request restart system command as shown below to start the new version.
admin@PA-VM> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)
Note: The above will disconnect the SSH CLI session that you have open to the PaloAlto firewall.
Broadcast message from root (pts/1) (Wed May 22 23:05:30 2019):
The system is going down for reboot NOW!
Connection to 192.168.101.111 closed.
bash-3.2$
Finally, after the reboot, execute the show system info command to make sure the firewall software is upgraded to the latest version.
admin@PA-VM> show system info | match sw-version
sw-version: 9.0.2
admin@PA-VM>
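Added example (not part of the original tutorial and not Palo Alto's own code): the two decisions made in the CLI steps above, choosing the newest release in the current 9.0.x train and confirming the install job has finished before rebooting, written as parsers over the command output. The sample strings are constructed from this page's listings, and the function names are hypothetical.

```python
import re

# Constructed samples in the output format shown in steps 2 and 4 above.
CHECK_OUTPUT = """\
Version Size Released on Downloaded
9.0.2 354MB 2019/05/09 07:57:11 no
9.0.1 345MB 2019/03/28 08:43:16 no
9.0.0 759MB 2019/02/06 08:54:03 yes
8.1.8 465MB 2019/05/08 12:18:31 no
"""
JOB_PENDING = "2019/05/22 23:00:49 23:00:49 12 SWInstall ACT PEND 71%\nWarnings:\nDetails:\n"
JOB_DONE = ("2019/05/22 23:00:49 23:00:49 12 SWInstall FIN OK 23:04:24\n"
            "Warnings:\nDetails:Software installation successfully completed.\n")

# Only the x.y.z form shown on this page is parsed; other rows are skipped.
ROW = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s+\S+\s+\S+\s+\S+\s+(yes|no)$")


def parse_versions(text):
    """Return [((major, minor, patch), downloaded), ...] from the check table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((tuple(int(n) for n in m.group(1, 2, 3)), m.group(4) == "yes"))
    return rows


def pick_target(current, text):
    """Newest release in the same major.minor train as `current`, else None."""
    cur = tuple(int(n) for n in current.split("."))
    # Tuples compare numerically, so 9.0.10 sorts above 9.0.2.
    newer = [v for v, _ in parse_versions(text) if v[:2] == cur[:2] and v > cur]
    return ".".join(str(n) for n in max(newer)) if newer else None


def job_state(text, job_id):
    """Return (status, result) for job_id from `show jobs id N` output."""
    for line in text.splitlines():
        f = line.split()
        # Fields: date, enqueue time, dequeue time, ID, Type, Status, Result, ...
        if len(f) >= 7 and f[3] == str(job_id):
            return f[5], f[6]
    raise ValueError(f"job {job_id} not found in output")


def ready_to_reboot(text, job_id):
    """True only when the job row reads FIN / OK; the percentage is ignored."""
    return job_state(text, job_id) == ("FIN", "OK")


if __name__ == "__main__":
    print(pick_target("9.0.0", CHECK_OUTPUT))
    print(ready_to_reboot(JOB_PENDING, 12), ready_to_reboot(JOB_DONE, 12))
```

The reboot gate reads the Status and Result columns rather than the completion percentage, since the percentage was seen to move backwards during the install in step 4.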
Console – Verify Current version
Log in to the PaloAlto console from a browser. On the Dashboard, under the General Information section, you can see the current version of your PANOS as shown in the example below. In this example, the current version is 9.0.0.
Console – Install the Latest version of PANOS
From the PaloAlto console, click on the “Device” tab, then click on Software in the left side menu as shown below. The first time, you might not see the list of available software versions. You may have to click on the “Check Now” button that is located at the bottom of this screen as shown below.
This will display all PAN-OS software versions available. In this example, since our current version is 9.0.0, it says “Downloaded” right next to it. The “Installed” column will have a check-mark next to the version that is currently installed.
The latest available version will be displayed at the top of the list. In this example, the latest version is 9.0.2. In your case, you might see something newer than this. Click on “Download” under “Action” column for the latest version, which will start the download.
Once the software is downloaded, the available column will show “Downloaded”, and the action column will show “Install” as shown below. Click on Install, which will start installing the latest version. Installing the latest version will cause a small downtime, as the device will reboot after installing. Perform the upgrade only during a scheduled maintenance window.
Console – Verify New Version of PANOS
After the reboot, log in to the PaloAlto console, and on the Dashboard, in the General Information section, you’ll now see the current version of the PANOS as shown below.