Upgrading Panorama PAN-OS Software

Time to upgrade Panorama to a newer PAN-OS version!

My EVE-NG lab Panorama has an internet connection that allows me to download software and content updates. And since I'm running in Panorama mode with an integrated log collector, I don't need to upgrade the log collector separately. Palo Alto Networks highly recommends that Panorama, log collectors, and all managed firewalls run the same content release version.

It's good practice to back up the Panorama configuration before the upgrade:

  • Log in to the Panorama WebUI
  • Save a named Panorama Configuration snapshot (Panorama tab -> Setup -> Operations): enter the name for the config and click OK
  • Export the Panorama Configuration snapshot (save on your device just in case)

A quick check to make sure I'm running the minimum content versions for the Panorama release I'm going to upgrade to. I haven't got round to scheduling automatic, recurring updates yet; this would ensure I'm always running the latest content versions, and I probably could have skipped this step.

  • Select Panorama -> Dynamic Updates and Check Now for the latest updates. If an update is available, the Action column displays a Download link.

Now I can download and install each of the content updates that I require in no particular order.

  • Applications or Applications and Threats update
  • Antivirus
  • WildFire

Now for the main event! Upgrading Panorama. In my lab, I have two Panoramas running in Active/Passive High-Availability mode, so I'm going to do the following steps on the passive (secondary) Panorama first (this is best practice for a production environment).

  • Check Now (Panorama -> Software) for the latest releases.
  • Search for the Panorama software Image I'm after.
  • Install the image

If prompted to reboot, hit Yes; if not, go to Panorama -> Setup -> Operations -> Reboot Panorama.

Once the Secondary Panorama has rebooted and is accessible via the WebUI, it's time to repeat the download/install process on the Primary Panorama. But hold on, we need to suspend the Primary Panorama to force a failover so that the Secondary peer becomes the active device.

  • On the Primary Panorama in the Operational -> Commands section (Panorama -> High Availability), Suspend local Panorama.
  • Check to see if the HA state is suspended (displayed on the bottom-right corner of the web interface).
  • Also, verify in Dashboard Widget that the Secondary Panorama is the Active Peer (Local)

Now we can proceed:

  • Check Now (Panorama -> Software) for the latest releases.
  • Search for the Panorama software Image I'm after.
  • Install the image

If prompted to reboot, hit Yes; if not, go to Panorama -> Setup -> Operations -> Reboot Panorama.

When the Primary Panorama reboots, due to preemption being enabled by default, the Primary Panorama should transition to the active state.

Now it's time to verify that both HA peers are running the new Panorama release. On the Dashboard of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronised. The synchronisation state can also be verified in the HA widget on the dashboard.
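The same version comparison can be scripted instead of read off two dashboards. The following is an added example, not part of the original post: it assumes the `show system info` output of each peer has already been fetched through the PAN-OS XML API and saved as text, and the sample responses, hostnames and version strings in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Elements of the "show system info" reply that should match on both HA peers.
FIELDS = ("sw-version", "app-version", "av-version", "wildfire-version")

def parse_system_info(xml_text):
    """Return {field: value} from an XML API 'show system info' response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    system = root.find("./result/system")
    if system is None:
        raise ValueError("response has no <result><system> element")
    info = {"hostname": system.findtext("hostname", default="unknown")}
    for field in FIELDS:
        # A missing element is stored as None so it is reported as a mismatch.
        info[field] = system.findtext(field)
    return info

def compare_peers(primary_xml, secondary_xml):
    """Return a list of (field, primary_value, secondary_value) mismatches."""
    a, b = parse_system_info(primary_xml), parse_system_info(secondary_xml)
    return [(f, a[f], b[f]) for f in FIELDS if a[f] is None or a[f] != b[f]]

def sample(hostname, sw, app):
    """Build a constructed response; all values here are placeholders."""
    return ("<response status='success'><result><system>"
            f"<hostname>{hostname}</hostname><sw-version>{sw}</sw-version>"
            f"<app-version>{app}</app-version>"
            "<av-version>0000-0001</av-version>"
            "<wildfire-version>000000-000001</wildfire-version>"
            "</system></result></response>")

# Constructed inputs: one pair in step, one where the secondary was not upgraded.
PRIMARY = sample("pano-primary", "X.Y.2", "0000-0002")
SECONDARY_OK = sample("pano-secondary", "X.Y.2", "0000-0002")
SECONDARY_STALE = sample("pano-secondary", "X.Y.1", "0000-0002")

if __name__ == "__main__":
    for name, peer in (("in step", SECONDARY_OK), ("stale", SECONDARY_STALE)):
        diffs = compare_peers(PRIMARY, peer)
        print(name, "->", "OK" if not diffs else diffs)
```

An empty list means the software and content versions match; it says nothing about whether the running configuration is synchronised, which still needs the HA widget check.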