Partition
admin@PA-111> show system disk-space
Filesystem Size Used Avail Use% Mounted on
/dev/root 12G 4.5G 6.8G 40% / > root, where OS is installed
none 2.7G 88K 2.7G 1% /dev
/dev/sda5 16G 4.0G 12G 27% /opt/pancfg > where dynamic update file are kept
/dev/sda6 7.9G 2.1G 5.4G 28% /opt/panrepo > downloaded PAN-OS image
tmpfs 2.5G 2.3G 286M 89% /dev/shm
cgroup_root 2.7G 0 2.7G 0% /cgroup
/dev/sda8 11G 111M 11G 2% /opt/panlogs > where log database is stored
tmpfs 12M 0 12M 0% /opt/pancfg/mgmt/lcaas/ssl/private
admin@PA-111>
Filesystem Size Used Avail Use% Mounted on
/dev/root 12G 4.5G 6.8G 40% / > root, where OS is installed
none 2.7G 88K 2.7G 1% /dev
/dev/sda5 16G 4.0G 12G 27% /opt/pancfg > where dynamic update file are kept
/dev/sda6 7.9G 2.1G 5.4G 28% /opt/panrepo > downloaded PAN-OS image
tmpfs 2.5G 2.3G 286M 89% /dev/shm
cgroup_root 2.7G 0 2.7G 0% /cgroup
/dev/sda8 11G 111M 11G 2% /opt/panlogs > where log database is stored
tmpfs 12M 0 12M 0% /opt/pancfg/mgmt/lcaas/ssl/private
admin@PA-111>
/ root partition is actually one of two sysroot partitions. One is mounted at a time, upgrade actually installs new PAN-OS onto the inactive partition.
What Happens During an Upgrade
1. The new PAN‑OS image is installed into the inactive partition
For example:
- If you are currently booted from sysroot1,
→ the upgrade installs PAN‑OS into sysroot2.
This ensures:
- Safe rollback
- No overwrite of the running OS
2. Your running configuration is copied into the new partition
During upgrade, the firewall:
- Copies running config (not startup config)
- Applies schema migration for the new PAN‑OS version
- Stores the migrated version in the new sysroot before reboot
So yes — your config is copied over and upgraded.
3. After reboot, the firewall boots from the new partition
Example:
- Old OS + original config = sysroot1
- New OS + migrated config = sysroot2 (now becomes active)
✔️ Is the original configuration still in the first partition?
Yes.
The original sysroot (the one you were running before upgrade):
- Still contains the old PAN‑OS version
- Still contains the original, pre‑migration configuration
- Is left untouched for rollback
Rollback behavior
If you fail back (using debug swm revert or from the boot menu):
- The firewall boots from the old partition
- With the original PAN‑OS
- And the original configuration (exactly as it was before upgrade)
This is why Palo Alto upgrades are considered non-destructive.
admin@PA-111> debug swm status > software manager
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 11.1.4
sysroot1 EMPTY None
maint READY 11.1.4
Once new OS has been installed, the GRUB bootloader is configured to load the other sysroot partition at the next boot.
Smooth rollback
1. > debug swm revert
2. > request restart system
Show configuration
in configuration mode
change display format:
set cli config-output-format set
set cli config-output-format xml
Delete old software
delete software version
Show Power Supply
show system environment
show system state | match power-supply
Comments
Post a Comment