≡ Menu

5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console

PaloAlto releases software updates on an on-going basis. It’s essential that you stay current with the latest stable release of firewall.

On a high-level the following are 5 easy steps to upgrade PaloAlto firewall:

  1. Pre-install: Verify current software version
  2. Check Available Software Versions
  3. Download Latest Version of PaloAlto
  4. Install the Latest version of Firewall Software
  5. Post-install: Reboot and verify new software version

Apart from upgrading from CLI, this tutorial also explains how to upgrade PAN-OS from PaloAlto console.

1. Pre-install: Verify current software version- from CLI

First, login to the PaloAlto firewall from CLI using ssh as shown below.

$ ssh -i thegeekstuff.pem admin@192.168.101.111

Next, execute the following show system info command to get the current version of your software.

admin@PA-VM> show system info | match sw-version
sw-version: 9.0.0

In the above example, the current version is 9.0.0. Let us upgrade this to the latest version of 9.0.x

2. Check Available Software Versions – from CLI

Execute the following request system software check command, which will get all the available version of PaloAlto software for your device.

admin@PA-VM> request system software check

Version               Size          Released on Downloaded
-------------------------------------------------------------------------
9.0.2                354MB 2019/05/09  07:57:11         no
9.0.1                345MB 2019/03/28  08:43:16         no
9.0.0                759MB 2019/02/06  08:54:03        yes
8.1.8                465MB 2019/05/08  12:18:31         no
8.1.7                464MB 2019/03/18  22:01:25         no
..
..

In the above output:

  • Version column – This shows all available software version. The latest version will be on the top. The current latest version in this example is 9.0.2
  • Downloaded column – The “yes” in this column indicates that this particular version of the software is downloaded. Currently it says “yes” only to 9.0.0.

3. Download Latest Version of PaloAlto – from CLI

Next, execute the request system software download command, which will download the given version.

In the following example, this command will schedule a background job to download the 9.0.2 version of the software.

admin@PA-VM> request system software download version 9.0.2

Download job enqueued with jobid 10
10

The output of the previous download command will give you a job id. In the previous step, our job id is 10.

View the status of this particular job as shown below.

admin@PA-VM> show jobs id 10

Enqueued              Dequeued           ID  Type  Status Result Completed
---------------------------------------------------------------------------
2019/05/22 23:57:18   23:57:18   10  Downld   ACT   PEND        21%
Warnings:
Details:

Note: Once the output of the above command shows 100% completed, move on to the next step.

Please note that upgrading the PANOS will not modify/remove any of your existing configurations including security and NAT policies.

On a related note, to master paloalto CLI, refer to: 15 PaloAlto CLI Examples to Manage Security and NAT Policies

4. Install the Latest version of Firewall Software – from CLI

Finally, execute the following request system software install command as show below to install the latest version of the software.

admin@PA-VM> request system software install version 9.0.2

The above command will give this info message. Say “y” to the following prompt.

Executing this command will install a new version of software. It will not take effect until system is restarted. Downgrading from PAN-OS 9.0 to an earlier release requires downgrading the logging infrastructure. After downgrade, you must migrate your log data to the previous format. For more information, please refer to Downgrade from Panorama 9.0 in https://docs.paloaltonetworks.com/downgrade-panorama. Do you want to continue? (y or n) y

Software install job enqueued with jobid 12. Run ‘show jobs id 12’ to monitor its status. Please reboot the device after the installation is done.
12

View the status of the installation using the job id from the above output.

admin@PA-VM> show jobs id 12

Enqueued              Dequeued           ID    Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2019/05/22 23:00:49   23:00:49           12    SWInstall    ACT   PEND        71%
Warnings:
Details:
admin@PA-VM> show jobs id 12

Enqueued              Dequeued           ID    Type  Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2019/05/22 23:00:49   23:00:49           12   SWInstall  FIN     OK 23:04:24
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.

Note: I’ve noticed a strange behavior in the download completed percentage. When it reaches, 71% it started going down to 66%, and then started going up again.

5. Post-install: Reboot and verify new software version – from CLI

Now, reboot the firewall using restart system command as shown below to start the new version.

admin@PA-VM> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Note: The above will disconnect you from the SSH CLI session that you are connected to the PaloAlto firewall.

Broadcast message from root (pts/1) (Wed May 22 23:05:30 2019):

The system is going down for reboot NOW!
Connection to 192.168.101.111 closed.
bash-3.2$

Finally, after the reboot, execute the show system info command to make sure the firewall software is upgraded to the latest version.

admin@PA-VM> show system info | match sw-version
sw-version: 9.0.2
admin@PA-VM>

Console – Verify Current version

Login to PaloAlto console from a browser. From Dashboard, Under General Information section, you can see the current version of your PANOS as shown in the example below. In this example, the current version is 9.0.0

[PaloAlto PanOS Before Upgrade Current Version]

Console – Install the Latest version of PANOS

From the PaloAlto console, click on “Device” tab, from the left side menu, click on Software as shown below. First time, you might not see list of available softwares. You may have to click on “Check Now” button that is located at the bottom of this screen as shown below.

[PaloAlto PanOS Device Software Check Now]

This will display all PAN-OS software versions available. In this example, since our current version is 9.0.0, it says “Downloaded” right next to it. The “Installed” column will have a check-mark next to the version that is currently installed.

The latest available version will be displayed at the top of the list. In this example, the latest version is 9.0.2. In your case, you might see something newer than this. Click on “Download” under “Action” column for the latest version, which will start the download.

[PaloAlto PanOS Device Download Software]

Once the software is downloaded, the available column will show “Downloaded”, and the action column will show “Install” as show below. Click on install, which will start installing the latest version. Installing the latest version will have a small downtime, as the device will reboot after installing. Perform the upgrade only during a scheduled maintenance window.

[PaloAlto PanOS Device Install Software]

Console – Verify New Version of PANOS

After the reboot, login to the PaloAlto console, and under Dashboard, in the General Information section, you’ll now see the current version of the PANOS as shown below.

[PaloAlto PanOS After Upgrade New Version]

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 0 comments… add one }

Leave a Comment