Upgrading Palo Alto Firewalls via Panorama

Overview

Upgrading Palo Alto Networks firewalls through Panorama centralizes and streamlines the process, which is especially useful when managing multiple devices. This guide provides a step-by-step approach to upgrading both standalone firewalls and HA pairs using Panorama.

Prerequisites

Upgrade Steps

  1. Check for Updates:
    • Navigate to Panorama > Device Deployment > Software.
    • Click Check Now to retrieve the latest software versions.
  2. Download Base Image:
    • Download the base image (e.g., 10.2.0) required for the target maintenance release.
    • In Panorama versions 10.2 and below, use the "Upload Only" option to download without installing.
    • In Panorama 11.0 and above, use the "Validate" option to upload the base image without installing.
  3. Download Target Maintenance Release:
    • After the base image is available, download the desired maintenance release (e.g., 10.2.11).
  4. Install Software:
    • Click Install next to the target version.
    • Select the firewalls to upgrade. For HA pairs, upgrade one peer at a time, starting with the passive or secondary device.
    • Ensure "Group HA Peers" is unchecked to prevent simultaneous upgrades of both peers.
    • Select "Reboot device after install" to automate the reboot process post-installation.
    • Click OK to initiate the upgrade.
  5. Verify Upgrade:
    • After the firewall reboots, navigate to Panorama > Managed Devices to confirm the new software version.
    • For HA pairs, ensure the upgraded device is in the expected HA state (e.g., passive).
  6. Repeat for HA Peer:
    • Once the first HA peer is successfully upgraded and stable, repeat the installation steps for the second peer.
  7. Re-enable Preemption:
    • After both HA peers are upgraded, re-enable preemption if it was previously disabled.
    • Navigate to Device > High Availability > Election Settings on the primary firewall and enable the "Preemptive" option.
    • Commit the changes.
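
The ordering rules in the steps above (base image before the maintenance release, one HA peer per install batch with the passive peer first, and a version and HA-state check before the second peer) can be expressed as a small planning script. This is an added example, not part of the original guide or of any Palo Alto Networks tooling; the Firewall record, the function names and the sample inventory are hypothetical, and the script only plans the order without contacting Panorama.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Firewall:
    serial: str          # constructed sample serials, not real devices
    version: str         # PAN-OS version the device currently runs
    ha_state: str = ""   # "active" / "passive"; empty for standalone
    ha_peer: str = ""    # serial of the HA peer; empty for standalone

def images_to_download(target):
    """Base image first, then the maintenance release (10.2.0, 10.2.11)."""
    major, minor = target.split(".")[:2]
    base = f"{major}.{minor}.0"
    return [base] if base == target else [base, target]

def plan_batches(inventory, target):
    """Return two install batches; HA peers never land in the same one."""
    by_serial = {fw.serial: fw for fw in inventory}
    first, second = [], []
    for fw in inventory:
        if fw.version == target:
            continue                       # already on the target release
        peer = by_serial.get(fw.ha_peer)
        if not fw.ha_peer or fw.ha_state == "passive":
            first.append(fw.serial)        # standalone, or the passive peer
        elif peer is not None and peer.ha_state == "passive":
            second.append(fw.serial)       # active peer waits for its partner
        else:
            # Peer missing from inventory or neither peer passive: stop here.
            raise ValueError(f"{fw.serial}: no passive peer, choose order manually")
    return first, second

def peer_may_proceed(upgraded, target, expected_state="passive"):
    """Step 5 gate: version and HA state must both match before peer two."""
    return upgraded.version == target and upgraded.ha_state == expected_state

# Constructed inventory: one HA pair and one standalone firewall.
INVENTORY = [
    Firewall("FW-A", "10.1.9", "active", "FW-B"),
    Firewall("FW-B", "10.1.9", "passive", "FW-A"),
    Firewall("FW-C", "10.1.9"),
]

if __name__ == "__main__":
    print(images_to_download("10.2.11"))
    print(plan_batches(INVENTORY, "10.2.11"))
```

The first batch corresponds to the first install run with "Group HA Peers" unchecked; the second batch is installed only after peer_may_proceed returns True for each upgraded peer.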

Mermaid Sequence Diagram

sequenceDiagram
    participant Admin
    participant Panorama
    participant FW1 as Firewall 1
    participant FW2 as Firewall 2
    Admin->>Panorama: Check for Updates
    Admin->>Panorama: Download Base Image
    Admin->>Panorama: Download Target Maintenance Release
    Admin->>Panorama: Install Software on FW1
    Panorama->>FW1: Push Upgrade
    FW1->>FW1: Reboot
    Admin->>Panorama: Verify FW1 Upgrade
    Admin->>Panorama: Install Software on FW2
    Panorama->>FW2: Push Upgrade
    FW2->>FW2: Reboot
    Admin->>Panorama: Verify FW2 Upgrade
    Admin->>FW1: Re-enable Preemption

Sample PCNSE Exam Questions

Question: You have upgraded Panorama to PAN-OS 10.2 and need to upgrade six Log Collectors. What must you do?

Correct Answer: C

Explanation: When upgrading Log Collectors to PAN-OS 10.2, all Log Collectors in a collector group must be upgraded simultaneously to avoid log data loss.

Question: An engineer is planning to upgrade the company's Palo Alto Networks firewalls to the latest PAN-OS version. The company uses Panorama, Dedicated Log Collectors, and WildFire appliances. What must the engineer consider when planning the deployment?

Correct Answer: B

Explanation: Before upgrading the firewalls, it's essential to upgrade Panorama, Dedicated Log Collectors, and WildFire appliances to the target PAN-OS version to ensure compatibility and proper functionality.

Question: An administrator plans to upgrade a High Availability (HA) pair of Palo Alto Networks firewalls. What is the recommended procedure to minimize disruption during the upgrade?

Correct Answer: B

Explanation: To minimize disruption during an HA pair upgrade, it's recommended to upgrade the passive firewall first. After confirming its stability, fail over to the upgraded firewall and then proceed to upgrade the remaining firewall. This approach ensures continuous availability and service continuity.

References