Palo Alto Upgrade

Support PAN-OS Software Release Guidance 

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304

Standalone Firewall Upgrade from 9.1 to 10.2.5

0.install latest content release.

1. patch 9.1 to 9.1.16

2. download 10.0 NO install

3. download 10.0.11-h1 and install

4. download 10.1 NO install

5. download 10.1.10-h2 and install

6. download 10.2.0

7. download 10.2.5 failed, 10.2 image disappeared. tried multiple times, same result, even with other 10.2.x images

7a. downlead 10.2.0 and install

8. downlead 10.2.5 and install

HA Firewall Upgrade from 9.1 to 10.2.x

HA Firewall Upgrade from 9.1.0 to 10.2.x

FW-A has priority 50, preemptive is Enabled, status is Active; FW-B has priority 100, preemptive is Enabled, status is Passive.

• Backup configuration.
• Install latest content release on both units. Verify HA status and configuration is in sync.
• ======Patch to 9.1.x=========
• FW-A, disable preemptive, submit the change.
• FW-A, download 9.1.x (synch to peer)
• Suspect FW-A, check HA status: FW-A is Suspended / FW-B is Active
• FW-A install 9.1.x then reboot.
• When FW-A is back up, verify version is 9.1.x, HA status: FW-A is Passive/ FW-B is Active.
• Suspend FW-B, check HA status: FW-A is Active  / FW-B is Suspended.
• FW-B install 9.1.x then reboot.
• When FW-B is back up, verify version is 9.1.x, HA status: FW-A is Active / FW-B is Passive.
• ======Upgrade to 10.0.x=========
• FW-A, download 10.0 (synch to peer), No install, download 10.0.x  (synch to peer)
• Suspend FW-A, check HA status: FW-A is Suspended / FW-B is Active
• FW-A install 10.0.x then reboot.
• When FW-A is back up, verify version is 10.0.x, HA status: FW-A is Passive / FW-B is Active.
• Suspend FW-B, check HA status: FW-A is Active/ FW-B is Suspended.
• FW-B install 10.0.x then reboot
• When FW-B is back up, verify version is 10.0.x, HA status: FW-A is Active / FW-B is Passive.
• ======Upgrade to 10.1.x=========
• FW-A, download 10.1 (synch to peer), No install, download 10.1.x  (synch to peer).
• Suspect FW-A,  check HA status: FW-A is Suspended / FW-B is Active.
• FW-A install 10.1.x then reboot.
• When FW-A is back up, verify version is 10.1.x, HA status: FW-A is Active/ FW-B is Non-functional (version mismatch).
• FW-B install 10.1.x then reboot
• When FW-B is back up, verify version is 10.1.x, HA status: FW-A is Active / FW-B is Passive.
• ======Upgrade to 10.2.0===============
  for some reason, download 10.2.0 then download 10.2.x cause both downloaded images disappear.
• FW-A download 10.2.0  (synch to peer)
• Suspect FW-A,  check HA status: FW-A is Suspended / FW-B is Active.
• FW-A install 10.2.0 then reboot.
• When FW-A is back up, verify version is 10.2.0, HA status: FW-A is Passive / FW-B is Active.
• Suspend FW-B,  check HA status: FW-A is Active/ FW-B is Suspended.
• FW-B, install 10.2.0 then reboot.
• When FW-B is back up, verify version is 10.2.0, HA status: FW-A is Active / FW-B is Passive
• ======Upgrade to 10.2.x===============
• FW-A download 10.2.x  (synch to peer)
• Suspect FW-A,  check HA status: FW-A is Suspended / FW-B is Active.
• FW-A install 10.2.x then reboot.
• When FW-A is back up, verify version is 10.2.x, HA status: FW-A is Passive / FW-B is Active.
• Suspend FW-B,  check HA status: FW-A is Active/ FW-B is Suspended.
• FW-B, install 10.2.x then reboot.
• When FW-B is back up, verify version is 10.2.x, HA status: FW-A is Active / FW-B is Passive
• FW-A, enable preemptive, submit the change.

Upgrade from CLI

it is recommended to bring your current Feature release to the latest recommended maintenance release before proceeding next Feature release.

1. Current is 9.1.6, download 9.1.11 image:

2. Put the image on SCP or TFTP server which can be accessed from PA MGMT.

3. If use SCP:

admin@PA-VM> scp import software from admin@172.16.1.10:/PanOS_vm-9.1.11

The authenticity of host '172.16.1.10 (172.16.1.10)' can't be established.

RSA key fingerprint is 80:b7:bb:06:c6:b9:ed:20:a4:7b:d0:49:b1:e9:15:35.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.10' (RSA) to the list of known hosts.

admin@172.16.1.10's password:

PanOS_vm-9.1.11                                                              88%  353MB  20.9MB/s   00:02 ETA

PanOS_vm-9.1.11 saved

admin@PA-VM>

4. Install the new image

admin@PA-VM> request system software install version

  9.1.11   9.1.11

  <value>  Upgrade to a software package by version

admin@PA-VM> request system software install version 9.1.11

Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 3. Run 'show jobs id 3' to monitor its status. Please reboot the device after the installation is done.

3

admin@PA-VM> 

admin@PA-VM> show jobs id 3

Enqueued              Dequeued           ID                              Type                         Status Result Completed

------------------------------------------------------------------------------------------------------------------------------

2021/09/22 09:40:35   09:40:35            3                         SWInstall                            ACT   PEND        0%

Warnings:

Details:Loading into software manager

admin@PA-VM> show jobs id 3

Enqueued              Dequeued           ID                              Type                         Status Result Completed

------------------------------------------------------------------------------------------------------------------------------

2021/09/22 09:40:35   09:40:35            3                         SWInstall                            ACT   PEND        54%

Warnings:

Details:Loading into software manager

Successfully loaded image into software manager

admin@PA-VM> show jobs id 3

Enqueued              Dequeued           ID                              Type                         Status Result Completed

------------------------------------------------------------------------------------------------------------------------------

2021/09/22 09:40:35   09:40:35            3                         SWInstall                            FIN     OK 09:50:50

Warnings:

Details:Loading into software manager

Successfully loaded image into software manager

Software installation successfully completed. Please reboot to switch to the new version.

==============HA Upgrade=============

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair

IMPORTANT NOTE:
When upgrading a HA Active/Passive firewall pair across multiple feature releases, for example from 9.0.14 to 10.0.7, it has to be made sure that both Firewalls in HA are upgraded to the same Feature release every time before moving on the next feature release. 
If Firewall-A has been upgrade to 9.1.x as the intermediate step, then Firewall-B also has to be upgraded to 9.1.x before Firewall-A can be upgraded to 10.0.7 
If there is more than 1 version of difference between the HA pairs,  "Peer version too old" issue will happen.

1. Disable Preempt

Lower Preempt number has higher priority

Traffic failover test must have been conducted before the start of upgrade process to make sure both Firewalls are capable of passing traffic without issues. Disable Preemption if enabled.

• Disable Preemption on High Availability settings to avoid unexpected failover.
• Disabling preempt configuration change must be committed on both peers.
• Once upgrade is completed, re-enabling must be committed on both peers.

2. Auto download or Upload image to both FWs

    Device > Software

=========

https://indepthtechnology.org/2020/07/05/palo-alto-panorama-and-firewall-upgrade-procedure/