
Pan Os Upgrade

The PAN-OS Upgrade Guide provides comprehensive instructions for upgrading PAN-OS software and content updates for Palo Alto Networks firewalls, including best practices and troubleshooting tips. It details the upgrade process for both standalone and Panorama-managed devices, as well as considerations for high availability configurations. The guide also covers dynamic content updates, ensuring firewalls remain equipped with the latest security features and threat intelligence without requiring configuration changes.

Uploaded by

zm1990s

PAN-OS Upgrade Guide

Version 11.1 & later

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2023-2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
October 8, 2024

PAN-OS Upgrade Guide Version 11.1 & later 2 ©2024 Palo Alto Networks, Inc.
Table of Contents

Software and Content Updates
  PAN-OS Software Updates
  Dynamic Content Updates
  Install Content Updates
  Applications and Threats Content Updates
    Deploy Applications and Threats Content Updates
    Tips for Content Updates
  Best Practices for Applications and Threats Content Updates
    Best Practices for Content Updates—Mission-Critical
    Best Practices for Content Updates—Security-First
  Content Delivery Network Infrastructure

Upgrade Panorama
  Install Content Updates and Software Upgrades for Panorama
    Upgrade Panorama with an Internet Connection
    Upgrade Panorama Without an Internet Connection
    Install Content Updates Automatically for Panorama without an Internet Connection
    Upgrade Panorama in an HA Configuration
    Install a PAN-OS Software Patch
    Migrate Panorama Logs to the New Log Format
    Upgrade Panorama for Increased Device Management Capacity
    Upgrade Panorama and Managed Devices in FIPS-CC Mode
    Downgrade from Panorama 11.1
  Troubleshoot Your Panorama Upgrade
  Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama
    What Updates Can Panorama Push to Other Devices?
    Schedule a Content Update Using Panorama
    Panorama, Log Collector, Firewall, and WildFire Version Compatibility
    Upgrade Log Collectors When Panorama Is Internet-Connected
    Upgrade Log Collectors When Panorama Is Not Internet-Connected
    Upgrade a WildFire Cluster from Panorama with an Internet Connection
    Upgrade a WildFire Cluster from Panorama without an Internet Connection
    Upgrade Firewalls When Panorama Is Internet-Connected
    Upgrade Firewalls When Panorama Is Not Internet-Connected
    Upgrade a ZTP Firewall
    Install a PAN-OS Software Patch
    Revert Content Updates from Panorama

Upgrade PAN-OS
  PAN-OS Upgrade Checklist
  Upgrade/Downgrade Considerations
  Upgrade the Firewall to PAN-OS 11.1
    Determine the Upgrade Path to PAN-OS 11.1
    Upgrade a Standalone Firewall
    Upgrade an HA Firewall Pair
  Upgrade the Firewall to PAN-OS 11.1 from Panorama
    Upgrade Firewalls When Panorama Is Internet-Connected
    Upgrade Firewalls When Panorama Is Not Internet-Connected
    Upgrade a ZTP Firewall
  Install a PAN-OS Software Patch
  Downgrade PAN-OS
    Downgrade a Firewall to a Previous Maintenance Release
    Downgrade a Firewall to a Previous Feature Release
    Downgrade a Windows Agent
  Troubleshoot Your PAN-OS Upgrade

Upgrade the VM-Series Firewall
  Upgrade the VM-Series PAN-OS Software (Standalone)
  Upgrade the VM-Series PAN-OS Software (HA Pair)
  Upgrade the VM-Series PAN-OS Software Using Panorama
  Upgrade the PAN-OS Software Version (VM-Series for NSX)
    Upgrade the VM-Series for NSX During a Maintenance Window
    Upgrade the VM-Series for NSX Without Disrupting Traffic
  Upgrade the VM-Series Model
  Upgrade the VM-Series Model in an HA Pair
  Downgrade a VM-Series Firewall to a Previous Release

Upgrade Panorama Plugins
  Panorama Plugins Upgrade/Downgrade Considerations
  Upgrade a Panorama Plugin
  Upgrade the Enterprise DLP Plugin
  Upgrade the Panorama Interconnect Plugin
  Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release
    Prerequisites
    Upgrade and Downgrade Paths for SD-WAN Plugin
    Install the SD-WAN Plugin
    Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin
    Upgrade Standalone Panorama Leveraging SD-WAN Plugin
    Changes to Note After Upgrade

CLI Commands for Upgrade
  Use CLI Commands for Upgrade Tasks

APIs for Upgrade
  Use the API for Upgrade Tasks

Software and Content Updates
PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls. Palo Alto
Networks also frequently publishes updates to equip the firewall with the latest security features.
The firewall can enforce policy based on the applications and threat signatures (and more) that
content updates provide, without requiring you to update the firewall configuration.
After you successfully download and install a PAN-OS software update on your physical firewall,
the software update is validated after the physical firewall reboots as part of the software
installation process to ensure the PAN-OS software integrity. This ensures that the new running
software update is known good and that the firewall is not compromised due to remote or
physical exploitation.
• PAN-OS Software Updates
• Dynamic Content Updates
• Install Content Updates
• Applications and Threats Content Updates
• Best Practices for Applications and Threats Content Updates
• Content Delivery Network Infrastructure


PAN-OS Software Updates


PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls. The PAN-OS
software version that a firewall is running is displayed on the firewall Dashboard.
You can check for new PAN-OS releases directly in the firewall, or on the Palo Alto Networks
support portal. To upgrade the firewall to the latest version of PAN-OS:
STEP 1 | Review the latest PAN-OS Release Notes to see what’s new. Also take a look at
Upgrade/Downgrade Considerations to make sure you understand all potential changes the
PAN-OS release might introduce.

STEP 2 | Check for new PAN-OS releases:


• On the support portal—Go to support.paloaltonetworks.com and, on the left menu bar,
select Updates > Software Updates. Download and save the release you want to use to
upgrade the firewall.
• On the firewall—Select Device > Software and Check Now for the firewall to check with
the Palo Alto Networks Update Server for new PAN-OS release versions.

Having difficulty checking for software updates? Refer to this article for solutions to
some of the common connectivity issues.

STEP 3 | After you’ve decided the release version you want, follow the complete workflow to
Upgrade the Firewall to PAN-OS 11.1. The steps you’ll take might depend on the release
version you’re currently running, if you’re using HA, and whether or not you’re using
Panorama to manage firewalls.


Dynamic Content Updates


Palo Alto Networks frequently publishes updates that the firewall can use to enforce security
policy, without requiring you to upgrade PAN-OS software or change the firewall configuration.
These updates equip the firewall with the very latest security features and threat intelligence.
Except for application updates and some antivirus updates—which any firewall can receive—
dynamic content updates available to you might depend on your subscriptions. You can set a
schedule for each dynamic content update to define the frequency at which the firewall checks
for and downloads or installs new updates (Device > Dynamic Updates).

Dynamic Content Update: What’s in this package?

Antivirus
Antivirus updates are released every 24 hours and include:
• WildFire signatures for newly-discovered malware. To get these updates every five
minutes instead of once daily, you’ll need a WildFire subscription.
• (Requires Threat Prevention) Automatically-generated command-and-control (C2)
signatures that detect certain patterns in C2 traffic. These signatures enable the
firewall to detect C2 activity even when the C2 host is unknown or changes rapidly.
• (Requires Threat Prevention) New and updated list entries for built-in external dynamic
lists. These lists include malicious, high-risk, and bulletproof host-provided IP
addresses, and can help to protect you against malicious hosts.
• (Requires Threat Prevention) Updates to the local set of DNS signatures that the
firewall uses to identify known malicious domains. If you’ve set up DNS sinkholing, the
firewall can identify hosts on your network that try to connect to these domains. To
allow the firewall to check domains against the complete database of DNS signatures, set
up DNS Security.

Applications
Application updates provide new and modified application signatures, or App-IDs. This
update does not require any additional subscriptions, but it does require a valid
maintenance/support contract. New application updates are published only on the third
Tuesday of every month, to give you time to prepare any necessary policy updates in
advance.

In rare cases, publication of the update that contains new App-IDs may be delayed one or
two days.

Modifications to App-IDs are released more frequently. While new and modified App-IDs
enable the firewall to enforce your security policy with ever-increasing precision, the
resulting changes in security policy enforcement can impact application availability. To
get the most out of application updates, follow our tips to Manage New and Modified
App-IDs.

Applications and Threats
Includes new and updated application and threat signatures. This update is available if
you have a Threat Prevention subscription (in this case, you will get this update instead
of the Applications update). New threat updates are published frequently, sometimes
several times a week, along with updated App-IDs. New App-IDs are published only on the
third Tuesday of every month.

In rare cases, publication of the update that contains new App-IDs may be delayed one or
two days.

The firewall can retrieve the latest threat and application updates within as little as
30 minutes of availability.
For guidance on how to best enable application and threat updates to ensure both
application availability and protection against the latest threats, review the Best
Practices for Applications and Threats Content Updates.

Device Dictionary
The device dictionary is an XML file for firewalls to use in Security policy rules based
on Device-ID. It contains entries for various device attributes and is completely
refreshed on a regular basis and posted as a new file on the update server. If there are
any changes to a dictionary entry, a revised file will be posted on the update server so
that Panorama and firewalls will automatically download and install it the next time they
check the update server, which they do automatically every two hours.

GlobalProtect Data File
Contains the vendor-specific information for defining and evaluating host information
profile (HIP) data returned by GlobalProtect apps. You must have a GlobalProtect gateway
subscription in order to receive these updates. In addition, you must create a schedule
for these updates before GlobalProtect will function.

GlobalProtect Clientless VPN
Contains new and updated application signatures to enable Clientless VPN access to common
web applications from the GlobalProtect portal. You must have a GlobalProtect
subscription to receive these updates. In addition, you must create a schedule for these
updates before GlobalProtect Clientless VPN will function. As a best practice, it is
recommended to always install the latest content updates for GlobalProtect Clientless VPN.

WildFire
Provides access to malware and antivirus signatures generated by the WildFire public
cloud in real-time. Optionally, you can configure PAN-OS to retrieve WildFire signature
update packages instead. You can set the firewall to check for new updates as frequently
as every minute to ensure that the firewall retrieves the latest WildFire signatures
within a minute of availability. Without the WildFire subscription, you must wait at
least 24 hours for the signatures to be provided in the Antivirus update.

WF-Private
Provides near real-time malware and antivirus signatures created as a result of the
analysis done by a WildFire appliance. To receive content updates from a WildFire
appliance, the firewall and appliance must both be running PAN-OS 6.1 or a later release
and the firewall must be configured to forward files and email links to the WildFire
Private Cloud.


Install Content Updates


To ensure that you are always protected from the latest threats (including those that have not yet
been discovered), you must ensure that you keep your firewalls up-to-date with the latest content
and software updates published by Palo Alto Networks. The Dynamic Content Updates available
to you depend on which subscriptions you have.
Follow these steps to install content updates. You can also set a schedule for content updates, to
define the frequency at which the firewall retrieves and installs updates.
Applications and Threats content updates work a little differently than other update types—to get
the most out of the latest application knowledge and threat prevention, follow the guidelines to
Deploy Applications and Threats Content Updates instead of the steps here.
STEP 1 | Ensure that the firewall has access to the update server.
1. By default, the firewall accesses the Update Server at
updates.paloaltonetworks.com so that the firewall receives content updates
from the server to which it is closest. If your firewall has limited access to the Internet,
it might be necessary to configure your allow list to enable access to servers involved
in update downloads. For more information about content update servers, refer to
Content Delivery Network Infrastructure for Dynamic Updates. If you want additional
reference information or are experiencing connectivity and update download issues,
please refer to
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU.

If your device is located in mainland China, Palo Alto Networks recommends
using the updates.paloaltonetworks.cn server for update downloads.
2. (Optional) Click Verify Update Server Identity for an extra level of validation to enable
the firewall to check that the server’s SSL certificate is signed by a trusted authority. This
is enabled by default.
3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update
services, in the Proxy Server window, enter:
• Server—IP address or host name of the proxy server.
• Port—Port for the proxy server. Range: 1-65535.
• User—Username to access the server.
• Password—Password for the user to access the proxy server. Re-enter the password
at Confirm Password.
4. (Optional) Configure up to three reconnection attempts if a connection failure occurs.
Use debug set-content-download-retry attempts to set the number of
connection attempts. The default is 0.


STEP 2 | Check for the latest content updates.


Select Device > Dynamic Updates and click Check Now (located in the lower left-hand
corner of the window) to check for the latest updates. The link in the Action column indicates
whether an update is available:
• Download—Indicates that a new update file is available. Click the link to begin downloading
the file directly to the firewall. After successful download, the link in the Action column
changes from Download to Install.

You cannot download the antivirus update until you have installed the Application and
Threats update.

• Revert—Indicates that a previously installed version of the content or software version is
available. You can choose to revert to the previously installed version.

STEP 3 | Install the content updates.

Installation can take up to 10 minutes on a PA-220 firewall and up to two minutes on
a PA-5200 Series, PA-7000 Series, or VM-Series firewall.

Click the Install link in the Action column. When the installation completes, a check mark
displays in the Currently Installed column.

STEP 4 | Schedule each content update.


Repeat this step for each update you want to schedule.

Stagger the update schedules because the firewall can only download one update at a
time. If you schedule the updates to download during the same time interval, only the
first download will succeed.

1. Set the schedule of each update type by clicking the None link.

2. Specify how often you want the updates to occur by selecting a value from the
Recurrence drop-down. The available values vary by content type (WildFire updates
are available in Real-time, Every Minute, Every 15 Minutes, Every 30 minutes, or Every
Hour whereas Applications and Threats updates can be scheduled for Weekly, Daily,
Hourly, or Every 30 Minutes and Antivirus updates can be scheduled for Hourly, Daily,
or Weekly).
You can also select None (Manual) for Applications and Threats or for Antivirus updates.
This means there is no recurring schedule for this item and you must manually install
updates. To fully remove the schedule node, select Delete Schedule.
3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if
applicable depending on the Recurrence value you selected, the Day of the week on which
you want the updates to occur.
4. Specify whether you want the system to Download Only or, as a best practice,
Download And Install the update.
5. Enter how long after a release to wait before performing a content update in the
Threshold (Hours) field. In rare instances, errors in content updates may be found. For
this reason, you may want to delay installing new updates until they have been released
for a certain number of hours.

If you have mission-critical applications that must be 100% available, set the
threshold for Applications or Applications and Threats updates to a minimum of
24 hours and follow the Best Practices for Applications and Threats
Content Updates. Additionally, while scheduling content updates is a one-
time or infrequent task, after you’ve set the schedule, you’ll need to continue to
Manage New and Modified App-IDs that are included in content releases, as
these App-IDs can change how security policy is enforced.
6. (Optional) Enter the New App-ID Thresholds in hours to set the amount of time the
firewall waits before installing content updates that contain new App-IDs.

7. Click OK to save the schedule settings.


8. Click Commit to save the settings to the running configuration.

STEP 5 | Update PAN-OS.

Always update content before updating PAN-OS. Every PAN-OS version has a
minimum supported content release version.

1. Review the Release Notes.


2. Update the PAN-OS software.
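
The scheduling guidance in STEP 4 (stagger the schedules, prefer Download And Install, hold Applications and Threats updates for at least 24 hours when applications are mission-critical) can be checked mechanically. The following Python is an added example, not Palo Alto Networks code and not part of the original guide; the Schedule record, its field names, the finding codes and the 15-minute collision window are assumptions, not PAN-OS configuration syntax.

```python
"""Audit content-update schedules against the scheduling guidance above.

Constructed example: the Schedule record and its field names are assumptions
made for illustration, not PAN-OS configuration syntax.
"""
from dataclasses import dataclass
from itertools import combinations

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
WEEK_MIN = 7 * 24 * 60
# Assumption: downloads that start within this many minutes of each other are
# treated as falling in the same interval. The guide gives no figure.
COLLISION_WINDOW_MIN = 15
# Content types the 24-hour mission-critical threshold advice applies to.
APP_CONTENT = {"applications", "applications-and-threats"}


@dataclass
class Schedule:
    content: str                 # label for the update type
    recurrence: str              # "hourly", "daily", "weekly" or "none"
    at: str = "00:00"            # HH:MM; only MM is used for "hourly"
    day: str = "mon"             # used for "weekly" only
    action: str = "download-and-install"   # or "download-only"
    threshold_hours: int = 0


def start_minutes(s):
    """Minute-of-week offsets at which this schedule starts a download."""
    hh, mm = (int(p) for p in s.at.split(":"))
    if s.recurrence == "hourly":
        return [h * 60 + mm for h in range(7 * 24)]
    if s.recurrence == "daily":
        return [d * 1440 + hh * 60 + mm for d in range(7)]
    if s.recurrence == "weekly":
        return [DAYS.index(s.day) * 1440 + hh * 60 + mm]
    if s.recurrence == "none":
        return []                # manual: never starts on its own
    # Sub-hour recurrences (for example the WildFire ones) are not modelled.
    raise ValueError(f"unsupported recurrence: {s.recurrence}")


def min_gap(a, b):
    """Smallest distance in minutes between any two start times.

    The week is treated as circular so Sunday 23:55 and Monday 00:05
    are 10 minutes apart. Returns None if either schedule is manual.
    """
    gaps = [min(abs(x - y), WEEK_MIN - abs(x - y))
            for x in start_minutes(a) for y in start_minutes(b)]
    return min(gaps) if gaps else None


def audit(schedules, mission_critical=False):
    """Return a list of (finding_code, subject) tuples."""
    findings = []
    # The firewall downloads one update at a time, so schedules must not overlap.
    for a, b in combinations(schedules, 2):
        gap = min_gap(a, b)
        if gap is not None and gap < COLLISION_WINDOW_MIN:
            findings.append(("not-staggered", f"{a.content}+{b.content}"))
    for s in schedules:
        if s.recurrence == "none":
            findings.append(("manual-only", s.content))
            continue
        if s.action == "download-only":
            findings.append(("download-only", s.content))
        if (mission_critical and s.content in APP_CONTENT
                and s.threshold_hours < 24):
            findings.append(("threshold-below-24h", s.content))
    return findings


# Constructed sample: two daily downloads five minutes apart, a short
# threshold on Applications and Threats, and one download-only schedule.
SAMPLE = [
    Schedule("applications-and-threats", "daily", at="02:00", threshold_hours=6),
    Schedule("antivirus", "daily", at="02:05"),
    Schedule("globalprotect-data-file", "weekly", at="03:30", day="sun",
             action="download-only"),
]

if __name__ == "__main__":
    for code, subject in audit(SAMPLE, mission_critical=True):
        print(f"{code}: {subject}")
```
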


Applications and Threats Content Updates


Applications and Threats content updates deliver the very latest application and threat signatures
to the firewall. The applications portion of the package includes new and modified App-IDs
and does not require a license. The full Applications and Threats content package, which also
includes new and modified threat signatures, requires a Threat Prevention license. As the firewall
automatically retrieves and installs the latest application and threat signatures (based on your
custom settings), it starts enforcing security policy based on the latest App-IDs and threat
protection without any additional configuration.
New and modified threat signatures and modified App-IDs are released at least weekly and, often,
more frequently. New App-IDs are released on the third Tuesday of every month.

In rare cases, publication of the update that contains new App-IDs may be delayed one or
two days.

Because new App-IDs can change how the security policy enforces traffic, this more limited
release of new App-IDs is intended to provide you with a predictable window in which you can
prepare and update your security policy. Additionally, content updates are cumulative; this means
that the latest content update always includes the application and threat signatures released in
previous versions.
Because application and threat signatures are delivered in a single package—the same decoders
that enable application signatures to identify applications also enable threat signatures to inspect
traffic—you need to consider whether you want to deploy the signatures together or separately.
How you choose to deploy content updates depends on your organization’s network security and
application availability requirements. As a starting point, identify your organization as having one
of the following postures (or perhaps both, depending on firewall location):
• An organization with a security-first posture prioritizes protection using the latest threat
signatures over application availability. You’re primarily using the firewall for its threat
prevention capabilities. Any changes to App-ID that impact how security policy enforces
application traffic are secondary.
• A mission-critical network prioritizes application availability over protection using the latest
threat signatures. Your network has zero tolerance for downtime. The firewall is deployed
inline to enforce security policy and if you’re using App-ID in security policy, any change a
content release introduces that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you
can apply a mix of both approaches to meet the needs of the business. Review and consider Best
Practices for Applications and Threats Content Updates to decide how you want to implement
application and threat updates. Then:
Deploy Applications and Threats Content Updates.
Follow our Tips for Content Updates.

While scheduling content updates is a one-time or infrequent task, after you’ve set the
schedule, you’ll need to continue to Manage New and Modified App-IDs that are
included in content releases, as these App-IDs can change how security policy is enforced.


Deploy Applications and Threats Content Updates


Before you take the steps to configure application and threat content updates, learn about how
Applications and Threats Content Updates work and decide how you want to implement Best
Practices for Applications and Threats Content Updates.
Additionally, Panorama enables you to deploy content updates to firewalls easily and rapidly. If
you’re using Panorama to manage firewalls, follow these steps to deploy content updates instead
of the ones below.
STEP 1 | To unlock the full Applications and Threats content package, get a Threat Prevention license
and activate the license on the firewall.
1. Select Device > Licenses.
2. Manually upload the license key or retrieve it from the Palo Alto Networks license
server.
3. Verify that the Threat Prevention license is active.

STEP 2 | Set the schedule for the firewall to retrieve and install content updates.
As you complete the following steps, it’s particularly important that you consider whether your
organization is mission-critical or security-first (or a mix of both), and that you have reviewed
the Best Practices for Applications and Threats Content Updates.
1. Select Device > Dynamic Updates.
2. Select the Schedule for Applications and Threat content updates.
3. Set how frequently (the Recurrence) the firewall checks with the Palo Alto Networks
update server for new Applications and Threat content releases, and on what Day and
Time.
4. Set the Action for the firewall to take when it finds and retrieves a new content release.
5. Set an installation Threshold for content releases. Content releases must be available on
the Palo Alto Networks update server at least this amount of time before the firewall can
retrieve the release and perform the Action you configured in the last step.
6. If yours is a mission-critical network, where you have zero tolerance for application
downtime (application availability is tantamount even to the latest threat prevention),
you can set a New App-ID Threshold. The firewall only retrieves content updates that
contain new App-IDs after they have been available for this amount of time.
7. Click OK to save the Applications and Threats content update schedule, and Commit.

STEP 3 | Set up log forwarding to send Palo Alto Networks critical content alerts to external services
that you use for monitoring network and firewall activity. This allows you to ensure that the
appropriate personnel are notified about critical content issues, so that they can take action as
needed. Critical content alerts are logged as system log entries with the following Type and
Event: (subtype eq content) and (eventid eq palo-alto-networks-message).

STEP 4 | While scheduling content updates is a one-time or infrequent task, after you’ve set the
schedule, you’ll need to continue to Manage New and Modified App-IDs that are included in
content releases, as these App-IDs can change how security policy is enforced.


Tips for Content Updates


Palo Alto Networks application and threat content releases undergo rigorous performance
and quality assurance. However, because there are so many possible variables in a customer
environment, there are rare occasions where a content release might impact a network in an
unexpected way. Follow these tips to mitigate or troubleshoot an issue with a content release, so
that there is as little impact to your network as possible.
• Follow the best practices for Application and Threat Content Updates.
Review and implement the Best Practices for Applications and Threats Content Updates. How
you choose to deploy content updates might depend on your network security and application
availability requirements.

• Ensure that you’re running the latest content.
Get the latest content update, if you haven’t configured the firewall to download and install it
automatically.
The firewall validates that downloaded content updates are still Palo Alto Networks-recommended
at the time of installation. This check, which the firewall performs by default, is
helpful in cases where content updates are downloaded from the Palo Alto Networks update
server (either manually or on a schedule) ahead of installation. Because there are rare instances
where Palo Alto Networks removes a content update from availability, this option prevents
the firewall from installing a content update that Palo Alto Networks has removed, even if the
firewall has already downloaded it. If you see an error message that the content update you’re
attempting to install is no longer valid, Check Now to get the most recent content update and
install that version instead (Device > Dynamic Updates).

• Turn on threat intelligence telemetry.
Turn on the threat intelligence telemetry that the firewall sends to Palo Alto Networks. We use
telemetry data to identify and troubleshoot issues with content updates.
Telemetry data helps us to quickly recognize a content update that is impacting firewall
performance or security policy enforcement in unexpected ways, across the Palo Alto
Networks customer base. The more quickly we can identify an issue, the more quickly we can
help you to avoid the issue altogether or mitigate impact to your network.
To enable the firewall to collect and share telemetry data with Palo Alto Networks:
1. Select Device > Setup > Telemetry.
2. Edit the Telemetry settings and Select All.
3. Click OK and Commit to save your changes.

• Forward Palo Alto Networks content update alerts to the right people.
Enable log forwarding for Palo Alto Networks critical content alerts, so that important
messages about content release issues go directly to the appropriate personnel.
Palo Alto Networks can now issue alerts about content update issues directly to the firewall
web interface or—if you have log forwarding enabled—to the external service you use for
monitoring. Critical content alerts describe the issue so that you can understand how it affects
you, and include steps to take action if needed.
In the firewall web interface, critical alerts about content issues are displayed similarly to the
Message of the Day. When Palo Alto Networks issues a critical alert about a content update,
the alert is displayed by default when you log into the firewall web interface. If you’re already
logged into the firewall web interface, you will notice an exclamation appear over the message
icon on the menu bar located at the bottom of the web interface—click on the message icon to
view the alert.
Critical content update alerts are also logged as system log entries with the Type
dynamic-updates and the Event palo-alto-networks-message. Use the following filter to view these log
entries: (subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message).

• If needed, use Panorama to roll back to an earlier content release.
After being notified about an issue with a content update, you can use Panorama to quickly
revert managed firewalls to the last content update version, instead of manually reverting the
content version for individual firewalls: Revert Content Updates from Panorama.


Best Practices for Applications and Threats Content Updates


The best practices to deploy content updates help to ensure seamless policy enforcement as
the firewall is continually equipped with new and modified application and threat signatures.
Even though application and threat signatures are delivered together in a single content update
package (read more about Applications and Threats Content Updates), you have the flexibility to
deploy them differently based on your network security and availability requirements:
• An organization with a security-first posture prioritizes protection using the latest threat
signatures over application availability. You’re primarily using the firewall for its threat
prevention capabilities.
• A mission-critical network prioritizes application availability over protection using the latest
threat signatures. Your network has zero tolerance for downtime. The firewall is deployed
inline to enforce security policy and if you’re using App-ID in security policy, any change to
content that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you
can apply a mix of both approaches to meet the needs of the business. Consider your approach as
you apply the following best practices to most effectively leverage new and modified threat and
application signatures:
• Best Practices for Content Updates—Mission-Critical
• Best Practices for Content Updates—Security-First

Best Practices for Content Updates—Mission-Critical


The Best Practices for Applications and Threats Content Updates help to ensure seamless policy
enforcement as new application and threat signatures are released. Follow these best practices to
deploy content updates in a mission-critical network, where you have zero tolerance for application
downtime.
Always review Content Release Notes for the list of newly-identified and modified application
and threat signatures that the content release introduces. Content Release Notes also
describe how the update might impact existing security policy enforcement and provide
recommendations on how you can modify your security policy to best leverage what’s new.
To subscribe to get notifications for new content updates, visit the Customer Support Portal,
edit your Preferences, and select Subscribe to Content Update Emails.

You can also review Content Release Notes for apps and threats on the Palo Alto Networks
Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and
open the Release Note for a specific content release version.

The Notes section of Content Release Notes highlights future updates that Palo Alto
Networks has identified as possibly significantly impacting coverage: for example, new
App-IDs or decoders. Check for these future updates, so that you can account for any
policy impact in advance of the release.

Create a security policy rule to always allow certain categories of new App-IDs, like
authentication or software development applications on which critical business functions rely.
This means that when a content release introduces or changes coverage for an important
business application, the firewall continues to seamlessly allow the application without
requiring you to update your security policy. This eliminates any potential availability impact
for App-IDs in critical categories, and gives you thirty days (new App-IDs are released on a
monthly basis) to adjust your security policy to allow the mission-critical App-ID(s).
To do this, create an application filter for new App-IDs in critical categories (Objects >
Application Filters), and add the application filter to a security policy rule.

To mitigate any impact to security policy enforcement that is associated with enabling new
application and threat signatures, stagger the roll-out of new content. Provide new content
to locations with less business risk (fewer users in satellite offices) before deploying them to
locations with more business risk (such as locations with critical applications). Confining the
latest content updates to certain firewalls before deploying them across your network also
makes it easier to troubleshoot any issues that arise. You can use Panorama to push staggered
schedules and installation thresholds to firewalls and device groups based on organization or
location (Use Panorama to Deploy Updates to Firewalls).

Schedule content updates so that they download-and-install automatically. Then, set a
Threshold that determines the amount of time the firewall waits before installing the latest
content. In a mission-critical network, schedule up to a 48-hour threshold.

The installation delay ensures that the firewall only installs content that has been available and
functioning in customer environments for the specified amount of time. To schedule content
updates, select Device > Dynamic Updates > Schedule.

Give yourself additional time to adjust your security policy based on new App-IDs before you
install them. To do this, set an installation threshold that applies only to content updates that
contain new App-IDs. Content updates with new App-IDs are released only once a month, and
the installation threshold triggers only at that time. Schedule content updates to configure a New
App-ID Threshold (Device > Dynamic Updates > Schedule).

Always review the new and modified App-IDs that a content release introduces, in order to
assess how the changes might impact your security policy. The following topic describes the
options you can use to update your security policy both before and after installing new
App-IDs: Manage New and Modified App-IDs.

Set up log forwarding to send Palo Alto Networks critical content alerts to external services
that you use for monitoring network and firewall activity. This allows you to ensure that the
appropriate personnel are notified about critical content issues, so that they can take action as
needed. Critical content alerts are logged as system log entries with the following Type and
Event: (subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message).

PAN-OS 8.1.2 changed the log type for critical content alerts from general to
dynamic-updates. If you’re using PAN-OS 8.1.0 or PAN-OS 8.1.1, critical content
alerts are logged as system log entries with the following Type and Event, and you should set
up forwarding for these alerts using the following filter: (subtype eq general)
and (eventid eq palo-alto-networks-message).

Test new Applications and Threats content updates in a dedicated staging environment before
enabling them in your production environment. The easiest way to test new applications and
threats is to use a test firewall to tap into production traffic. Install the latest content on the
test firewall and monitor the firewall as it processes the traffic copied from your production
environment. You can also use test clients and a test firewall or packet captures (PCAPs) to
simulate production traffic. Using PCAPs works well to simulate traffic for diverse deployments
where firewall security policy varies depending on location.

Best Practices for Content Updates—Security-First


The Best Practices for Applications and Threats Content Updates help to ensure seamless policy
enforcement as new application and threat signatures are released. Follow these best practices to
deploy content updates in a security-first network, where you’re primarily using the firewall for its
threat prevention capabilities and your first priority is attack defense.
Always review Content Release Notes for the list of newly-identified and modified application
and threat signatures that the content release introduces. Content Release Notes also
describe how the update might impact existing security policy enforcement and provide
recommendations on how you can modify your security policy to best leverage what’s new.
To subscribe to get notifications for new content updates, visit the Customer Support Portal,
edit your Preferences, and select Subscribe to Content Update Emails.

You can also review Content Release Notes for apps and threats on the Palo Alto Networks
Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and
open the Release Note for a specific content release version.

The Notes section of Content Release Notes highlights future updates that Palo Alto
Networks has identified as possibly significantly impacting coverage: for example, new
App-IDs or decoders. Check for these future updates, so that you can account for any
policy impact in advance of the release.
To mitigate any impact to security policy enforcement that is associated with enabling new
application and threat signatures, stagger the roll-out of new content. Provide new content
to locations with less business risk (fewer users in satellite offices) before deploying them to
locations with more business risk (such as locations with critical applications). Confining the
latest content updates to certain firewalls before deploying them across your network also
makes it easier to troubleshoot any issues that arise. You can use Panorama to push staggered
schedules and installation thresholds to firewalls and device groups based on organization or
location (Use Panorama to Deploy Updates to Firewalls).


Schedule content updates so that they download-and-install automatically. Then, set a
Threshold that determines the amount of time the firewall waits before installing the latest
content. In a security-first network, schedule a six to twelve hour threshold.

The installation delay ensures that the firewall only installs content that has been available and
functioning in customer environments for the specified amount of time. To schedule content
updates, select Device > Dynamic Updates > Schedule.

Do not schedule a New App-ID Threshold. This threshold allows mission-critical
organizations extra time to adjust security policy enforcement based on new App-IDs.
However, because this threshold also delays delivery of the latest threat prevention
updates, it is not recommended for organizations with a security-first posture.

Review the new and modified App-IDs that a content release introduces, in order to assess
how the changes might impact your security policy. The following topic describes the options
you can use to update your security policy both before and after installing new App-IDs:
Manage New and Modified App-IDs.

Set up log forwarding to send Palo Alto Networks critical content alerts to external services
that you use for monitoring network and firewall activity. This allows you to ensure that the
appropriate personnel are notified about critical content issues, so that they can take action as
needed. Critical content alerts are logged as system log entries with the following Type and
Event: (subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message).

PAN-OS 8.1.2 changed the log type for critical content alerts from general to
dynamic-updates. If you’re using PAN-OS 8.1.0 or PAN-OS 8.1.1, critical content
alerts are logged as system log entries with the following Type and Event, and you should set
up forwarding for these alerts using the following filter: (subtype eq general)
and (eventid eq palo-alto-networks-message).
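
The critical content alert filters quoted in this section and in Tips for Content Updates, applied on the receiving side of log forwarding. This is an added example, not Palo Alto Networks code: it parses the filter strings from this guide and runs them over constructed system log lines. The field positions are an assumption (default comma-separated syslog layout for system logs); confirm them against the syslog field descriptions for your release or your custom log format.

```python
import csv
import re

# Filter strings as they appear in this guide.
FILTER_CURRENT = "(subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)"
# PAN-OS 8.1.0 and 8.1.1 log the same alerts under the general type.
FILTER_PANOS_810_811 = "(subtype eq general) and (eventid eq palo-alto-networks-message)"

# Assumption: default syslog layout for system logs. Field 0 is unused, so a
# syslog header in front of the first comma does not disturb the indexes.
FIELD_INDEX = {"type": 3, "subtype": 4, "eventid": 8, "severity": 13, "description": 14}

CLAUSE = re.compile(r"\(\s*([a-z_]+)\s+eq\s+([\w.\-]+)\s*\)")


def parse_filter(text):
    """Parse '(field eq value) and (field eq value)' into [(field, value), ...].

    Only 'eq' clauses joined by 'and' are handled, which is the form every
    filter in this guide takes. Anything else raises ValueError.
    """
    clauses = []
    for part in re.split(r"\s+and\s+", text.strip()):
        match = CLAUSE.fullmatch(part.strip())
        if not match:
            raise ValueError(f"unsupported filter clause: {part!r}")
        field, value = match.groups()
        if field not in FIELD_INDEX:
            raise ValueError(f"unknown field: {field!r}")
        clauses.append((field, value))
    return clauses


def parse_system_log(line):
    """Return the named fields of one forwarded line, or None when the line
    is truncated, malformed, or not a system log."""
    try:
        row = next(csv.reader([line]))
    except (csv.Error, StopIteration):
        return None
    if len(row) <= max(FIELD_INDEX.values()):
        return None
    record = {name: row[index].strip() for name, index in FIELD_INDEX.items()}
    return record if record["type"] == "SYSTEM" else None


def critical_content_alerts(lines, filters=(FILTER_CURRENT,)):
    """Return the records that satisfy every clause of at least one filter."""
    compiled = [parse_filter(text) for text in filters]
    hits = []
    for line in lines:
        record = parse_system_log(line)
        if record is None:
            continue
        if any(all(record[f] == v for f, v in clauses) for clauses in compiled):
            hits.append(record)
    return hits


# Constructed sample lines (not captured from a real firewall).
SAMPLE_LINES = [
    # Critical content alert as logged by PAN-OS 8.1.2 and later.
    ('<14>Jan 10 09:00:01 fw-edge-01 1,2024/01/10 09:00:01,000000000001,SYSTEM,'
     'dynamic-updates,0,2024/01/10 09:00:01,,palo-alto-networks-message,,0,0,general,'
     'critical,"Constructed alert text: issue with a content release, see advisory",1001,0x0'),
    # Routine system log entry that must not match.
    ('<14>Jan 10 09:01:12 fw-edge-01 1,2024/01/10 09:01:12,000000000001,SYSTEM,'
     'general,0,2024/01/10 09:01:12,,general,,0,0,general,informational,'
     '"Constructed text: administrator logged in",1002,0x0'),
    # Same alert as a PAN-OS 8.1.0 or 8.1.1 firewall would log it.
    ('<14>Jan 10 09:02:30 fw-lab-02 1,2024/01/10 09:02:30,000000000002,SYSTEM,'
     'general,0,2024/01/10 09:02:30,,palo-alto-networks-message,,0,0,general,'
     'critical,"Constructed alert text from an older release",1003,0x0'),
    # Non-system log on the same feed.
    ('<14>Jan 10 09:03:00 fw-edge-01 1,2024/01/10 09:03:00,000000000001,TRAFFIC,'
     'end,0,2024/01/10 09:03:00,192.0.2.10,198.51.100.7,,,allow-web,,,web-browsing,vsys1,trust'),
    # Truncated line.
    '<14>Jan 10 09:05:00 fw-edge-01 1,2024/01/10 09:05:00,000000000001,SYSTEM,dynamic-updates',
]

if __name__ == "__main__":
    for alert in critical_content_alerts(SAMPLE_LINES, (FILTER_CURRENT, FILTER_PANOS_810_811)):
        print(alert["severity"], alert["subtype"], alert["description"])
```

Pass both filters only while PAN-OS 8.1.0 or 8.1.1 firewalls still forward to the same collector; otherwise the default filter is enough.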


Content Delivery Network Infrastructure


Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering
content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the
CDN to perform various content and application identification functions.
The following table lists the web resources that the firewall accesses for a feature or application:

Resource: Application Database, Threat/Antivirus Database
URL:
• updates.paloaltonetworks.com (Global, excluding mainland China)
• updates.paloaltonetworks.cn (Mainland China only)
Add the following URLs to your firewall allow list if your firewall has limited access to the
Internet:
• downloads.paloaltonetworks.com:443
• proditpdownloads.paloaltonetworks.com:443
As a best practice, set the update server to updates.paloaltonetworks.com. This allows the
Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN
infrastructure.
If you want additional reference information or are experiencing connectivity and update
download issues, please refer to:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU
The Palo Alto Networks ThreatVault database includes information about vulnerabilities,
exploits, viruses, and spyware threats. Firewall features, including DNS security and the
Antivirus profile, use the following resource to retrieve threat ID information to create
exceptions:
• data.threatvault.paloaltonetworks.com
Static Addresses (If a static server is required):
us-static.updates.paloaltonetworks.com
Add the following IPv4 or IPv6 static server address sets to your firewall allow list:
• IPv4—35.186.202.45:443 and 34.120.74.244:443
• IPv6—[2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
Both IP addresses provided for a given protocol type must be added to the allow list for
proper functionality.

Resource: PAN-DB URL Filtering | Advanced URL Filtering
URL:
*.urlcloud.paloaltonetworks.com
Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the
regional server that is closest:
• s0100.urlcloud.paloaltonetworks.com
• s0200.urlcloud.paloaltonetworks.com
• s0300.urlcloud.paloaltonetworks.com
• s0500.urlcloud.paloaltonetworks.com
Static Addresses (If a static server is required):
Static IP addresses are not available. However, you can manually resolve a URL to an IP address
and allow access to the regional server IP address.

Resource: Cloud Services
URL:
Resolves to hawkeye.services-edge.paloaltonetworks.com and is then redirected to the regional
server that is closest:
• US—us.hawkeye.services-edge.paloaltonetworks.com
• EU—eu.hawkeye.services-edge.paloaltonetworks.com
• UK—uk.hawkeye.services-edge.paloaltonetworks.com
• APAC—apac.hawkeye.services-edge.paloaltonetworks.com
Static Addresses (If a static server is required):
Static IP addresses are not available.

Resource: DNS Security
URL:
• Cloud—dns.service.paloaltonetworks.com:443
• Telemetry—io.dns.service.paloaltonetworks.com:443
When downloading an allow list, dns.service.paloaltonetworks.com resolves to the following
server:
• static.dns.service.paloaltonetworks.com:443
• data.threatvault.paloaltonetworks.com (used to create DNS exceptions)
Static Addresses (If a static server is required):
Static IP addresses are not available.

Resource: Firewall-based inline ML:
• URL Filtering Inline ML
• WildFire Inline ML
URL:
• ml.service.paloaltonetworks.com:443
Static Addresses (If a static server is required):
Static IP addresses are not available.

Resource: WildFire
URL:
• Cloud (report retrieval)—wildfire.paloaltonetworks.com:443
WildFire cloud regions:
• Global—wildfire.paloaltonetworks.com
• European Union—eu.wildfire.paloaltonetworks.com
• Japan—jp.wildfire.paloaltonetworks.com
• Singapore—sg.wildfire.paloaltonetworks.com
• United Kingdom—uk.wildfire.paloaltonetworks.com
• Canada—ca.wildfire.paloaltonetworks.com
• Australia—au.wildfire.paloaltonetworks.com
• Germany—de.wildfire.paloaltonetworks.com
• India—in.wildfire.paloaltonetworks.com
• Switzerland—ch.wildfire.paloaltonetworks.com
• Poland—pl.wildfire.paloaltonetworks.com
• Indonesia—id.wildfire.paloaltonetworks.com
• Taiwan—tw.wildfire.paloaltonetworks.com
• France—fr.wildfire.paloaltonetworks.com
• Qatar—qatar.wildfire.paloaltonetworks.com
• South Korea—krv.wildfire.paloaltonetworks.com
• Israel—il.wildfire.paloaltonetworks.com
• Saudi Arabia—sa.wildfire.paloaltonetworks.com
• Spain—es.wildfire.paloaltonetworks.com
Static Addresses (If a static server is required):
Static IP addresses are not available.
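
An audit of an egress allow list against the Application and Threat/Antivirus Database entries above, including the requirement that both static addresses of a protocol are present. This is an added example, not Palo Alto Networks code; the allow-list format (one host, host:port, or [IPv6]:port string per entry, with optional * wildcards) and the sample list are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Values transcribed from the Application / Threat/Antivirus Database entry above.
LIMITED_ACCESS_HOSTS = ["downloads.paloaltonetworks.com",
                        "proditpdownloads.paloaltonetworks.com"]
STATIC_SETS = {
    "IPv4": ["35.186.202.45", "34.120.74.244"],
    "IPv6": ["2600:1901:0:669::", "2600:1901:0:5162::"],
}


def split_entry(entry):
    """Split 'host:443', '192.0.2.1:443' or '[2001:db8::1]:443' into
    (host, port). Port is None when the entry does not carry one."""
    entry = entry.strip().lower()
    if entry.startswith("["):                  # bracketed IPv6, optional port
        host, _, rest = entry[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif entry.count(":") == 1:                # hostname or IPv4 with a port
        host, port = entry.split(":")
    else:                                      # bare hostname, IPv4 or IPv6
        host, port = entry, ""
    return host, (int(port) if port else None)


def canonical(host):
    """Compressed form for IP literals, so that differently written IPv6
    addresses compare equal; hostnames are returned unchanged."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def is_allowed(host, port, entries):
    """True if an entry covers host:port. Entries without a port cover every
    port; hostname entries may contain '*' wildcards."""
    target = canonical(host)
    for entry in entries:
        entry_host, entry_port = split_entry(entry)
        if entry_port not in (None, port):
            continue
        entry_host = canonical(entry_host)
        if entry_host == target or ("*" in entry_host and fnmatchcase(target, entry_host)):
            return True
    return False


def audit_update_access(entries, update_server="updates.paloaltonetworks.com", port=443):
    """Report update hosts that are not covered and the state of each static set.

    Use update_server="updates.paloaltonetworks.cn" for mainland China.
    A static set is 'complete', 'partial' or 'absent'; 'partial' means only
    one of the two addresses for that protocol is allowed, which the table
    says is not sufficient.
    """
    required = [update_server] + LIMITED_ACCESS_HOSTS
    missing = [host for host in required if not is_allowed(host, port, entries)]
    static = {}
    for protocol, addresses in STATIC_SETS.items():
        present = sum(is_allowed(address, port, entries) for address in addresses)
        static[protocol] = ("complete" if present == len(addresses)
                            else "partial" if present else "absent")
    return {"missing_hosts": missing, "static_sets": static}


# Constructed allow list with two deliberate gaps.
SAMPLE_ALLOW_LIST = [
    "updates.paloaltonetworks.com:443",
    "downloads.paloaltonetworks.com:443",
    # proditpdownloads.paloaltonetworks.com is missing
    "35.186.202.45:443",                       # second IPv4 address is missing
    "[2600:1901:0000:0669:0000:0000:0000:0000]:443",
    "[2600:1901:0:5162::]:443",
    "*.urlcloud.paloaltonetworks.com",
]

if __name__ == "__main__":
    print(audit_update_access(SAMPLE_ALLOW_LIST))
```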

Upgrade Panorama
• Install Content Updates and Software Upgrades for Panorama
• Troubleshoot Your Panorama Upgrade
• Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama


Install Content Updates and Software Upgrades for Panorama


A valid support subscription enables access to the Panorama software image and release notes.
To take advantage of the latest fixes and security enhancements, upgrade to the latest software
and content updates that your reseller or a Palo Alto Networks Systems Engineer recommends
for your deployment. The procedure to install software and content updates depends on whether
Panorama has a direct connection to the internet and whether it has a high availability (HA)
configuration.
• Upgrade Panorama with an Internet Connection
• Upgrade Panorama Without an Internet Connection
• Install Content Updates Automatically for Panorama without an Internet Connection
• Upgrade Panorama in an HA Configuration
• Install a PAN-OS Software Patch
• Migrate Panorama Logs to the New Log Format
• Upgrade Panorama for Increased Device Management Capacity
• Upgrade Panorama and Managed Devices in FIPS-CC Mode
• Downgrade from Panorama 11.1

Upgrade Panorama with an Internet Connection


If Panorama™ has a direct connection to the internet, perform the following steps to install
Panorama software and content updates as needed. If Panorama is running in a high availability
(HA) configuration, upgrade the Panorama software on each peer (see Upgrade Panorama in
an HA Configuration). If you are upgrading Panorama and managed devices in FIPS-CC mode
to PAN-OS® 11.1 from PAN-OS 10.2 or an earlier release, you must take the additional steps of
resetting the secure connection status of the devices in FIPS-CC mode if they were added to
Panorama management while running a PAN-OS 10.2 release. See Upgrade Panorama and Managed Devices
in FIPS-CC Mode for more details on upgrading Panorama and FIPS-CC devices in FIPS-CC mode.
Upgrading the software on the Panorama virtual appliance does not change the system mode;
switching to Panorama mode or Management Only mode is a manual task that requires additional
settings as described when you Set Up the Panorama Virtual Appliance with a Local Log Collector.


Palo Alto Networks introduced new log data formats at different points in your upgrade
path depending on the PAN-OS version you are upgrading from.
• Upgrade from PAN-OS 8.1 to PAN-OS 9.0—PAN-OS 9.0 introduced a new log data
format for local and Dedicated Log Collectors. On your upgrade path to PAN-OS 11.1,
existing log data is automatically migrated to the new format when you upgrade from
PAN-OS 8.1 to PAN-OS 9.0.
• Upgrade from PAN-OS 10.0 to PAN-OS 10.1—PAN-OS 10.1 introduced a new log
format for local and Dedicated Log Collectors. On your upgrade path to PAN-OS 11.1,
logs generated in PAN-OS 8.1 or earlier are no longer available. This includes logs
migrated as part of the upgrade to PAN-OS 9.0. After upgrade to PAN-OS 10.1, you
have the option to recover and migrate these logs to the PAN-OS 10.1 log format.

You must upgrade all Log Collectors in a collector group at the same time to avoid losing log
data. No log forwarding or log collection occurs if the Log Collectors in a collector group are
not all running the same PAN-OS version. Additionally, the log data for the Log Collectors in the
collector group is not visible in the ACC or Monitor tabs until all Log Collectors are running the
same PAN-OS version. For example, if you have three Log Collectors in a collector group and
you upgrade two of the Log Collectors, then no logs are forwarded to any Log Collectors in the
collector group.
Before upgrading Panorama, refer to the Release Notes for the minimum content release version
required for PAN-OS® 11.1.
STEP 1 | Determine the Upgrade Path to PAN-OS 11.1.

STEP 2 | (Panorama Interconnect plugin only) Synchronize the Panorama Node with the Panorama
Controller.
Before you begin upgrading a Panorama Node, you must synchronize the Panorama Controller
and Panorama Node configuration. This is required to successfully push the common
Panorama Controller configuration to your Panorama Node after successful upgrade.

STEP 3 | Save a backup of the current Panorama configuration file that you can use to restore the
configuration if you have problems with the upgrade.

Although Panorama automatically creates a backup of the configuration, best practice
is to create and externally store a backup before you upgrade.

1. Log in to the Panorama web interface.
2. Save named Panorama configuration snapshot (Panorama > Setup > Operations), enter
a Name for the configuration, and click OK.
3. Export named Panorama configuration snapshot, select the Name of the configuration
you just saved, click OK, and save the exported file to a location that is external to
Panorama.


STEP 4 | (Best Practices) If you are leveraging Strata Logging Service, install the Panorama device
certificate.
Panorama automatically switches to using the device certificate for authentication with Strata
Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1.

If you do not install the device certificate prior to upgrade to PAN-OS 11.1, Panorama
continues to use the existing logging service certificate for authentication.

STEP 5 | Enable the following TCP ports on your network.


These TCP ports must be enabled on your network to allow inter-Log Collector
communication.
• TCP/9300
• TCP/9301
• TCP/9302

STEP 6 | Install the latest content updates.

If Panorama is not running the minimum content versions required for the Panorama
release to which you intend to upgrade, you must update content versions to the
minimum (or later) versions before you install the software updates. Refer to Release
Notes for minimum content release version for a Panorama release.
If you intend to upgrade Log Collectors and firewalls to a particular release, you
must first upgrade Panorama to that (or a later) release.
For a Panorama virtual appliance that runs on a hypervisor, ensure that the instance
meets the Setup Prerequisites for the Panorama Virtual Appliance.

Palo Alto Networks® highly recommends that Panorama, Log Collectors, and all
managed firewalls run the same content release version. Additionally, we recommend
that you schedule automatic, recurring updates so that you are always running the
latest content versions (refer to 16).

1. Select Panorama > Dynamic Updates and Check Now for the latest updates. If the value
in the Action column is Download, an update is available.

Ensure that Panorama is running the same but not a later content release
version than is running on managed firewalls and Log Collectors.
2. Before you update the content release version on Panorama, be sure to Upgrade the
Firewall to PAN-OS 11.1 from Panorama and then Log Collectors (see Upgrade Log
Collectors When Panorama Is Internet-Connected) to the same (or a later) content
release version.
If you do not need to install content updates at this time, then skip ahead to the next
step.
3. Install remaining content updates, as needed. When installed, the Currently Installed
column displays a check mark.
1. Download and Install the Applications or Applications and Threats update. Regardless
of your subscription, Panorama installs and needs only the Applications content
update, not the Threats content. For details, see Panorama, Log Collector, Firewall,
and WildFire Version Compatibility.
2. Download and Install other updates (Antivirus, WildFire®, or URL Filtering) as
needed, one at a time, and in any sequence.

STEP 7 | Select Panorama > Plugins and Download the plugin version supported on PAN-OS 11.1 for
all plugins currently installed on Panorama.
See the Compatibility Matrix for the Panorama plugin version supported for your target PAN-
OS 11.1 release.
This is required to successfully upgrade Panorama from PAN-OS 11.0 to PAN-OS 11.1.
Upgrade to PAN-OS 11.1 is blocked if the supported plugin version is not downloaded.

The downloaded plugins required to upgrade to PAN-OS 11.1 automatically install
after Panorama successfully upgrades to PAN-OS 11.1. If a downloaded plugin does
not automatically install, you must manually install the impacted plugin after upgrade
to PAN-OS 11.1.

STEP 8 | Upgrade Panorama to PAN-OS 11.1.


1. Check Now (Panorama > Software) for the latest releases.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Locate and validate the PAN-OS 11.1.0 image.
1. Click Panorama > Software > Action > Validate.
2. Select the required dependencies, and click Download.
3. (Panorama mode only) A notification is displayed if you have local Log Collector that
contains logs generated in PAN-OS 10.0 or earlier releases.
This notification is displayed the first time you attempt to Install PAN-OS 11.1.2 or
later 11.1 release and is not displayed a second time after the notification is closed. It
warns you that logs generated by Panorama or managed devices when running PAN-OS
10.0 or earlier release are detected and will be deleted on upgrade. This means that the
impacted logs are not viewable or searchable after successful upgrade.
However, you can recover these impacted logs after upgrade. The notification also
provides you with the following information:
• Impacted log types.
• Impacted time frames for each log type.
• Each debug logdb migrate-lc command required to recover the impacted logs
for each log type.
Copy the listed debug logdb migrate-lc commands before you Close the notification.
Close the notification.
4. Install the downloaded image and then reboot.
1. Install the image.
2. After the installation completes successfully, reboot using one of the following
methods:
• If prompted to reboot, click Yes. If you see a CMS Login prompt, press
Enter without typing a username or password. When the Panorama login
prompt appears, enter the username and password you specified during initial
configuration.
• If you are not prompted to reboot, Reboot Panorama from the Device Operations
section (Panorama > Setup > Operations).
Continue to the next step after Panorama successfully reboots.

STEP 9 | (PAN-OS 11.1.2 and later releases; Panorama mode only) Log in to the Panorama CLI and
recover the impacted logs using the debug logdb migrate-lc commands listed in the
previous step.
These commands must be run sequentially and cannot be run simultaneously. If you didn't
copy the debug logdb migrate-lc commands from the notification window, click Tasks
and view the failed Install job details.

STEP 10 | Verify that your Panorama plugin versions are supported on PAN-OS 11.1.
You must verify and install the Panorama plugin version supported on PAN-OS 11.1 after you
successfully upgrade Panorama. See the Compatibility Matrix for more information about
Panorama plugins supported on PAN-OS 11.1.
1. Log in to the Panorama web interface and review the General Information widget in the
Dashboard to verify the PAN-OS 11.1 compatible plugin versions successfully installed.
You can also log in to the Panorama CLI and enter the command show plugins
installed to view the list of currently installed plugins.
2. Select Panorama > Plugins and search for the plugin that did not install.
3. Install the plugin version supported on PAN-OS 11.1.
4. Repeat the steps above until all plugins installed on Panorama are running the version
supported on PAN-OS 11.1.

STEP 11 | (If local Log Collector is in a Collector Group) Upgrade the remaining Log Collectors in the
Collector Group.
• Upgrade Log Collectors When Panorama Is Internet-Connected
• Upgrade Log Collectors When Panorama Is Not Internet-Connected

STEP 12 | (Panorama and managed devices in FIPS-CC mode) Upgrade Panorama and Managed
Devices in FIPS-CC Mode.
Upgrading Panorama and managed devices in FIPS-CC mode requires you to reset the secure
connection status of the devices in FIPS-CC mode if added to Panorama management while
running a PAN-OS 11.1 release. You need to re-onboard the following managed devices to
Panorama management:
• Managed devices in FIPS-CC mode added to Panorama using the device registration
authentication key.
• Managed devices in the normal operational mode added to Panorama using the device
registration authentication key.
You do not need to re-onboard managed devices added to Panorama management while the
managed device was running a PAN-OS 10.0 or earlier release.

STEP 13 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.1. Skip
this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your
certificates.
It is required that all certificates meet the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.

STEP 14 | (Recommended for Panorama mode) Increase the memory of the Panorama virtual appliance
to 64GB.
After you successfully upgrade the Panorama virtual appliance in Panorama mode to
PAN-OS 11.1, Palo Alto Networks recommends increasing the memory of the Panorama
virtual appliance to 64GB to meet the increased system requirements to avoid any logging,
management, and operational performance issues related to an under-provisioned Panorama
virtual appliance.

STEP 15 | Select Commit > Commit and Push and Commit and Push the Panorama managed
configuration to all managed devices.
After you successfully upgrade Panorama and managed devices to PAN-OS 11.1, a full commit
and push of the Panorama managed configuration is required before you can push selective
configuration to your managed devices and leverage the improved shared configuration object
management for multi-vsys firewalls managed by Panorama.

STEP 16 | (Best Practice) Schedule recurring, automatic content updates.

Panorama does not synchronize content update schedules across HA peers. You must
perform this task on both the active and passive Panorama.

In the header row for each update type (Panorama > Dynamic Updates), the Schedule is
initially set to None. Perform the following steps for each update type.
1. Click None and select the update frequency (Recurrence). The frequency options
depend on the update type.
2. Select the schedule action:
• Download And Install (Best Practice)—Panorama automatically installs updates after
downloading them.
• Download Only—You must manually install updates after Panorama downloads them.
3. Based on the best practices for the security posture of your organization, configure a
delay (Threshold) after an update becomes available before Panorama downloads the
update.
4. Click OK to save your changes.
5. Select Commit > Commit to Panorama and Commit your changes.

Upgrade Panorama Without an Internet Connection


If Panorama™ does not have a direct connection to the internet, perform the following steps
to install Panorama software and content updates as needed. If Panorama is deployed in a high
availability (HA) configuration, you must upgrade each peer (see Upgrade Panorama in an HA
Configuration). If you are upgrading Panorama and managed devices in FIPS-CC mode to PAN-
OS 11.1 from PAN-OS 10.2 or earlier release, you must take the additional steps of resetting the
secure connection status of the devices in FIPS-CC mode if added to Panorama management
while running a PAN-OS 10.2 release. See Upgrade Panorama and Managed Devices in FIPS-CC
Mode for more details on upgrading Panorama and FIPS-CC devices in FIPS-CC mode.
Upgrading the software on the Panorama virtual appliance does not change the system mode;
switching to Panorama mode or Management Only mode is a manual task that requires additional
settings as described when you Set Up the Panorama Virtual Appliance with a Local Log Collector.

Palo Alto Networks introduced new log data formats at different points in your upgrade
path depending on the PAN-OS version you are upgrading from.
• Upgrade from PAN-OS 8.1 to PAN-OS 9.0—PAN-OS 9.0 introduced a new log data
format for local and Dedicated Log Collectors. On your upgrade path to PAN-OS 11.1,
existing log data is automatically migrated to the new format when you upgrade from
PAN-OS 8.1 to PAN-OS 9.0.
• Upgrade from PAN-OS 10.0 to PAN-OS 10.1—PAN-OS 10.1 introduced a new log
format for local and Dedicated Log Collectors. On your upgrade path to PAN-OS 11.1,
logs generated in PAN-OS 8.1 or earlier are no longer available. This includes logs
migrated as part of the upgrade to PAN-OS 9.0. After upgrade to PAN-OS 10.1, you
have the option to recover and migrate these logs to the PAN-OS 10.1 log format.

You must upgrade all Log Collectors in a collector group at the same time to avoid
log data loss. No log forwarding or log collection occurs if the Log Collectors in a collector group are
not all running the same PAN-OS version. Additionally, the log data for the Log Collectors in the
collector group is not visible in the ACC or Monitor tabs until all Log Collectors are running the
same PAN-OS version. For example, if you have three Log Collectors in a collector group and
you upgrade two of the Log Collectors, then no logs are forwarded to any Log Collectors in the
collector group.
Before you upgrade Panorama, refer to the Release Notes for the minimum content release
version required for PAN-OS® 11.1.
STEP 1 | Determine the Upgrade Path to PAN-OS 11.1.

STEP 2 | (Panorama Interconnect plugin only) Synchronize the Panorama Node with the Panorama
Controller.
Before you begin upgrading a Panorama Node, you must synchronize the Panorama Controller
and Panorama Node configuration. This is required to successfully push the common
Panorama Controller configuration to your Panorama Node after successful upgrade.

STEP 3 | Save a backup of the current Panorama configuration file that you can use to restore the
configuration if you have problems with the upgrade.

Although Panorama automatically creates a backup of the configuration, best practice
is to create and externally store a backup before you upgrade.

1. Log in to the Panorama web interface.


2. Save named Panorama configuration snapshot (Panorama > Setup > Operations), enter
a Name for the configuration, and click OK.
3. Export named Panorama configuration snapshot, select the Name of the configuration
you just saved, click OK, and save the exported file to a location that is external to
Panorama.

STEP 4 | Download the latest content updates to a host that can connect and upload content to
Panorama either over SCP or HTTPS.

Palo Alto Networks highly recommends that Panorama, Log Collectors, and all
managed firewalls run the same content release version.

Refer to the Release Notes for the minimum content release version you must install for
a Panorama software release. If you intend to upgrade Log Collectors and firewalls to a
particular release, you must first upgrade Panorama to that (or a later) release.
For a Panorama virtual appliance, ensure that the instance meets the Setup Prerequisites
for the Panorama Virtual Appliance.
If you do not need to install content updates at this time, then skip ahead to 6.
1. Use a host that has internet access to log in to the Palo Alto Networks Customer
Support website.
2. Download content updates as needed:
1. Click Updates > Dynamic Updates in the Resources section.
2. Download the appropriate content updates and save the files to the host. Perform
this step for each content type you need to update.

STEP 5 | Enable the following TCP ports on your network.


These TCP ports must be enabled on your network to allow inter-Log Collector
communication.
• TCP/9300
• TCP/9301
• TCP/9302

STEP 6 | Install the latest content updates.

You must install content updates before software updates and you must Upgrade the
Firewall to PAN-OS 11.1 from Panorama first and then upgrade Log Collectors
before you install them on the Panorama management server.

Install the Applications or Applications and Threats update first, and then install any other
updates (Antivirus, WildFire®, and URL Filtering), one at a time, and in any sequence.

Regardless of whether your subscription includes both Applications and Threats content,
Panorama installs and needs only the Applications content. For details, see Panorama,
Log Collector, Firewall, and WildFire Version Compatibility.

Log in to the Panorama web interface and perform the following steps for each content type:
1. Select Panorama > Dynamic Updates.
2. Click Upload, select the content Type, Browse to the location on the host to which you
downloaded the update, select the update, and click OK.
3. Install From File, select the Package Type, and click OK.

STEP 7 | Upload the plugin version supported on PAN-OS 11.1 for all plugins currently installed on
Panorama.
See the Compatibility Matrix for the Panorama plugin version supported for your target PAN-
OS 11.1 release.
This is required to successfully upgrade Panorama from PAN-OS 11.0 to PAN-OS 11.1.
Upgrade to PAN-OS 11.1 is blocked if the supported plugin version is not downloaded.

The downloaded plugins required to upgrade to PAN-OS 11.1 automatically install
after Panorama successfully upgrades to PAN-OS 11.1. If a downloaded plugin does
not automatically install, you must manually install the impacted plugin after upgrade
to PAN-OS 11.1.

1. Download the plugin version supported on PAN-OS 11.1.


1. Log in to the Palo Alto Networks Support Portal.
2. Select Updates > Software Updates and select the plugin from the drop-down menu.
3. Download the plugin version supported on PAN-OS 10.2.
4. Repeat this step for all plugins currently installed on Panorama.
2. Log in to the Panorama web interface.
3. Select Panorama > Plugins and Upload the plugin version you downloaded in the
previous step.
Repeat this step for all plugins currently installed on Panorama.

STEP 8 | Download the latest PAN-OS 11.1 release image to a host that can connect and upload
content to Panorama either over SCP or HTTPS.
1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
website.
2. Download software updates:
1. On the main page of the Palo Alto Networks Customer Support website, click Updates >
Software Updates.
2. Locate the model-specific image for the latest PAN-OS 11.1 release. For
example, to upgrade an M-Series appliance to Panorama 11.1.0, download the
Panorama_m-11.1.0 image; to upgrade a Panorama virtual appliance to Panorama
11.1.0, download the Panorama_pc-11.1.0 image.

You can quickly locate Panorama images by selecting Panorama M Images
(M-Series appliances) or Panorama Updates (virtual appliances) from the
Content By drop-down.
(PAN-OS 11.1.3 and later releases) By default, the results display the
preferred releases. In the Release type field, click Other to view the other
available releases.
3. Click the filename and save the file to the host.

STEP 9 | Upgrade Panorama to PAN-OS 11.1.


1. Log in to the Panorama web interface.
2. Select Panorama > Software and Upload the PAN-OS 11.1 image you downloaded in
the previous step.
3. Browse to the location on the host to which you downloaded the update, select the
update, Sync To Peer if Panorama is in an HA configuration (to push the software image
to the secondary peer), and click OK.
4. (Panorama mode only) A notification is displayed if you have a local Log Collector that
contains logs generated in PAN-OS 10.0 or earlier releases.
This notification is displayed the first time you attempt to Install PAN-OS 11.1.2 or
later 11.1 release and is not displayed a second time after the notification is closed. It
warns you that logs generated by Panorama or managed devices when running PAN-OS
10.0 or earlier release are detected and will be deleted on upgrade. This means that the
impacted logs are not viewable or searchable after successful upgrade.
However, you can recover these impacted logs after upgrade. The notification also
provides you with the following information:
• Impacted log types.
• Impacted time frames for each log type.
• Each debug logdb migrate-lc command required to recover the impacted logs
for each log type.
Copy the listed debug logdb migrate-lc commands before you Close the notification.
Close the notification.
5. Install the software image and reboot.
For an HA configuration, Upgrade Panorama in an HA Configuration; otherwise:
1. Install the uploaded image.
2. After you successfully complete the installation, reboot using one of the following
methods:
• If prompted to reboot, click Yes. If you see a CMS Login prompt, press
Enter without typing a username or password. When the Panorama login
prompt appears, enter the username and password you specified during initial
configuration.
• If you are not prompted to reboot, Reboot Panorama from the Device Operations
section (Panorama > Setup > Operations).
Continue to the next step after Panorama successfully reboots.

STEP 10 | (PAN-OS 11.1.2 and later releases; Panorama mode only) Log in to the Panorama CLI and
recover the impacted logs using the debug logdb migrate-lc commands listed in the
previous step.
These commands must be run sequentially and cannot be run simultaneously. If you didn't
copy the debug logdb migrate-lc commands from the notification window, click Tasks
and view the failed Install job details.

STEP 11 | Verify that your Panorama plugin versions are supported on PAN-OS 11.1.
You must verify and install the Panorama plugin version supported on PAN-OS 11.1 after you
successfully upgrade Panorama. See the Compatibility Matrix for more information about
Panorama plugins supported on PAN-OS 11.1.
1. Log in to the Panorama web interface and review the General Information widget in the
Dashboard to verify the PAN-OS 11.1 compatible plugin versions successfully installed.
You can also log in to the Panorama CLI and enter the command show plugins
installed to view the list of currently installed plugins.
2. Select Panorama > Plugins and search for the plugin that did not install.
3. Install the plugin version supported on PAN-OS 11.1.
4. Repeat the steps above until all plugins installed on Panorama are running the version
supported on PAN-OS 11.1.

STEP 12 | (If local Log Collector is in a Collector Group) Upgrade the remaining Log Collectors in the
Collector Group.

STEP 13 | (Recommended for Panorama mode) Increase the memory of the Panorama virtual appliance
to 64GB.
After you successfully upgrade the Panorama virtual appliance in Panorama mode to
PAN-OS 11.1, Palo Alto Networks recommends increasing the memory of the Panorama
virtual appliance to 64GB to meet the increased system requirements to avoid any logging,
management, and operational performance issues related to an under-provisioned Panorama
virtual appliance.

STEP 14 | (Panorama and managed devices in FIPS-CC mode) Upgrade Panorama and Managed
Devices in FIPS-CC Mode.
Upgrading Panorama and managed devices in FIPS-CC mode requires you to reset the secure
connection status of the devices in FIPS-CC mode if added to Panorama management while
running a PAN-OS 11.1 release. You need to re-onboard the following managed devices to
Panorama management:
• Managed devices in FIPS-CC mode added to Panorama using the device registration
authentication key.
• Managed devices in the normal operational mode added to Panorama using the device
registration authentication key.
You do not need to re-onboard managed devices added to Panorama management while the
managed device was running a PAN-OS 10.0 or earlier release.

STEP 15 | (PAN-OS 10.2 and later releases) Regenerate or re-import all certificates to adhere to
OpenSSL Security Level 2.
This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.1. Skip
this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your
certificates.
It is required that all certificates meet the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.
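
One way to check exported certificates against the minimums listed in this step (the same list appears in the internet-connected procedure) before you upgrade. This is an added example, not part of the Palo Alto Networks guide; it parses the text that `openssl x509 -noout -text` prints, and the function names and sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit certificates against the minimums listed in this step:
#   RSA >= 2048 bits or ECDSA >= 256 bits, and a digest of SHA256 or greater.
# Input is the text printed by `openssl x509 -noout -text`.

# field NAME: print the value of the first "NAME: value" line read on stdin.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# audit_cert_text: read the openssl text on stdin, print one verdict line,
# return 0 when the certificate meets the minimums and 1 otherwise.
audit_cert_text() {
    text=$(cat)
    sig=$(printf '%s\n' "$text" | field 'Signature Algorithm')
    alg=$(printf '%s\n' "$text" | field 'Public Key Algorithm')
    # Matches "Public-Key: (2048 bit)" and the older "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    reasons=""

    # Digest check. Anything not recognized is flagged for manual review
    # rather than silently accepted (for example RSASSA-PSS or SHA-3 names).
    sig_lc=$(printf '%s' "$sig" | tr 'A-Z' 'a-z')
    case "$sig_lc" in
        *sha512-224*)               reasons="$reasons digest-below-sha256($sig);" ;;
        *sha256*|*sha384*|*sha512*) ;;
        *md5*|*sha1*|*sha224*)      reasons="$reasons digest-below-sha256($sig);" ;;
        *)                          reasons="$reasons digest-not-recognized(${sig:-none});" ;;
    esac

    # Key check: the minimum size depends on the key type.
    case "$alg" in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *)              min="" ;;
    esac
    if [ -z "$min" ]; then
        reasons="$reasons key-type-not-rsa-or-ecdsa(${alg:-none});"
    elif [ -z "$bits" ]; then
        reasons="$reasons key-size-not-found;"
    elif [ "$bits" -lt "$min" ]; then
        reasons="$reasons key-too-small($bits<$min);"
    fi

    if [ -z "$reasons" ]; then
        echo "PASS $alg $bits bit, $sig"
        return 0
    fi
    echo "FAIL$reasons"
    return 1
}

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
sample_rsa_ok() { cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = panorama.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
EOF
}
sample_rsa_weak() { cat <<'EOF'
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = old-fw.example.test
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
EOF
}
sample_ec_ok() { cat <<'EOF'
        Signature Algorithm: ecdsa-with-SHA256
        Subject: CN = collector.example.test
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
EOF
}

# With PEM files as arguments, audit each one; with none, run the samples.
if [ "$#" -eq 0 ]; then
    for s in sample_rsa_ok sample_rsa_weak sample_ec_ok; do
        printf '%s: ' "$s"
        "$s" | audit_cert_text || true
    done
else
    for pem in "$@"; do
        printf '%s: ' "$pem"
        openssl x509 -in "$pem" -noout -text | audit_cert_text || true
    done
fi
```

Every certificate in a chain has to meet the minimums, so run the check on intermediate and root CA certificates as well as the leaf.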

STEP 16 | Select Commit > Commit and Push and Commit and Push the Panorama managed
configuration to all managed devices.
After you successfully upgrade Panorama and managed devices to PAN-OS 11.1, a full commit
and push of the Panorama managed configuration is required before you can push selective
configuration to your managed devices and leverage the improved shared configuration object
management for multi-vsys firewalls managed by Panorama.

Install Content Updates Automatically for Panorama without an Internet Connection

Automatically download content updates to firewalls, Log Collectors, and WildFire® appliances
in air-gapped networks where the Panorama™ management server, managed firewalls, Log
Collectors, and WildFire appliances are not connected to the internet. To accomplish this, you
must deploy an additional Panorama with internet access and an SCP server. After you deploy the
Panorama with internet access, you configure the internet-connected Panorama to automatically
download content updates to the SCP server. From the SCP server, the air-gapped Panorama is
configured to automatically download and install content updates as per your content updates
schedule. Panorama generates a system log when the Panorama with internet access downloads
content updates to the SCP server or when the air-gapped Panorama downloads and installs
content updates from the SCP server.
Only the following content update schedules from an internet-connected Panorama to a
Panorama without an internet connection are supported:

Do not manipulate or change the content update file name after you successfully
download it to the SCP server. Panorama cannot download and install content updates
with altered file names. Additionally, for the automatic content update to be successful,
you must ensure that there is enough disk space on the SCP server, that the SCP server is
running when a download is about to start, and that both Panoramas are powered on and
not in the middle of a reboot.

This example shows how to configure automatic content updates for Applications and
Threats content updates.

STEP 1 | Deploy an SCP server.


Content updates for managed firewalls, Log Collectors, and WildFire appliances are downloaded
from the internet-connected Panorama. The air-gapped Panorama downloads the content
updates from the SCP server and then installs the updates on managed firewalls, WildFire
appliances, and Log Collectors.

When you create the folder directory for content updates, it is a best practice to create
a folder for each type of content update. This reduces the burden of managing a large
volume of content updates and reduces the possibility of deleting content updates that
should not be deleted from the SCP server.

STEP 2 | Deploy the internet-connected Panorama.


This Panorama communicates with the Palo Alto Networks update server and downloads the
content updates to the SCP server.
1. Set up the Panorama management server.
• Set Up the M-Series Appliance
• Set Up the Panorama Virtual Appliance
2. Perform the initial Panorama configuration.
• Perform Initial Configuration of the M-Series Appliance
• Perform Initial Configuration of the Panorama Virtual Appliance

STEP 3 | Deploy the Panorama without an internet connection.


This Panorama communicates with the SCP server to download and install content updates on
managed firewalls, Log Collectors, and WildFire appliances.
1. Set up the Panorama management server.
• Set Up the M-Series Appliance
• Set Up the Panorama Virtual Appliance
2. Perform the initial Panorama configuration.
• Perform Initial Configuration of the M-Series Appliance
• Perform Initial Configuration of the Panorama Virtual Appliance
3. Add your managed firewalls, Log Collectors, and WildFire appliances.
• Add a Firewall as a Managed Device
• Configure a Managed Collector
• Add a Standalone Wildfire Appliance to Manage with Panorama

STEP 4 | Configure the internet-connected Panorama to download content updates to your SCP
server.
1. Log in to the Panorama Web Interface.
2. Create an SCP server profile.
1. Select Panorama > Server Profiles > SCP and Add a new SCP server profile.
2. Enter a descriptive Name for the SCP server profile.
3. Enter the SCP Server IP address.
4. Enter the Port.
5. Enter the SCP server User Name.
6. Enter the SCP server Password and Confirm Password.
7. Click OK to save your changes.

3. Create a content updates schedule to regularly download content updates to the SCP
server.
You must create a schedule for each type of content update you intend to automatically
download and install on managed firewalls, Log Collectors, and WildFire appliances.
1. Select Panorama > Device Deployment > Dynamic Updates, select Schedules, and
Add a content updates schedule.
2. Enter a descriptive Name for the content updates schedule.
3. For the Download Source, select Update Server.
4. Select the content update Type.
5. Select the Recurrence to set the interval at which Panorama checks the Palo Alto
Networks update server for new content updates.

To configure a more precise recurrence schedule, enter the number of
minutes past the selected recurrence interval. If you have multiple content
updates scheduled to download using the same recurrence interval, stagger
them to avoid overloading the Panorama and SCP server.
6. For the Action, select Download And SCP.
7. Select the SCP Profile you configured in the previous step.
8. Enter the SCP Path for the content updates type.
9. (Optional) Enter the Threshold, in hours, for the content updates. Panorama
downloads only content updates that are this number of hours old (or older).
10. Click OK to save your changes.

4. Commit your changes.

STEP 5 | Configure the air-gapped Panorama to download content updates from the SCP server and
then install the updates on your managed firewalls, Log Collectors, and WildFire appliances.
1. Log in to the Panorama Web Interface.
2. Create an SCP server profile.
1. Select Panorama > Server Profiles > SCP and Add a new SCP server profile.
2. Enter a descriptive Name for the SCP server profile.
3. Enter the SCP Server IP address.
4. Enter the Port.
5. Enter the SCP server User Name.
6. Enter the SCP server Password and Confirm Password.
7. Click OK to save your changes.

3. Create a content updates schedule to regularly download and install content updates
from the SCP server.
You must create a schedule for each type of content update you intend to automatically
download and install on managed firewalls, Log Collectors, and WildFire appliances.
1. Select Panorama > Device Deployment > Dynamic Updates, select Schedules, and
Add a content updates schedule.
2. Enter a descriptive Name for the content updates schedule.
3. For the Download Source, select SCP.
4. Select the SCP Profile you configured in the previous step.
5. Enter the SCP Path for the content updates type.
6. Select the content update Type.
7. Select the Recurrence to set the interval at which Panorama checks the Palo Alto
Networks update server for new content updates.

To configure a more precise recurrence schedule, enter the number of
minutes past the selected recurrence interval. If you have multiple content
updates scheduled to download using the same recurrence interval, stagger
them to avoid overloading the Panorama and SCP server.
8. For the Action, select Download or Download And Install.

Only Download and Download and Install are supported when the
Download Source is SCP.
If you select Download, you must manually start the content update install
on your managed firewalls.
9. Select the Devices on which to install the content updates.
10. (Optional) Enter the Threshold, in hours, for the content updates. Panorama
downloads only content updates that are this number of hours old (or older).
11. Click OK to save your changes.

4. Commit your changes.

Upgrade Panorama in an HA Configuration


To ensure a seamless failover when you update the Panorama software in a high availability (HA)
configuration, the active and passive Panorama peers must be running the same Panorama release
with the same Applications database version. The following example describes how to upgrade an
HA pair (active peer is Primary_A and passive peer is Secondary_B).
If you are upgrading Panorama and managed devices in FIPS-CC mode to PAN-OS 11.1 from
PAN-OS 10.2 or earlier release, you must take the additional steps of resetting the secure
connection status of the devices in FIPS-CC mode if added to Panorama management while
running a PAN-OS 10.2 release. See Upgrade Panorama and Managed Devices in FIPS-CC Mode
for more details on upgrading Panorama and FIPS-CC devices in FIPS-CC mode.

Before updating Panorama, refer to the Release Notes for the minimum content release version
required for PAN-OS 11.0.
STEP 1 | Upgrade the Panorama software on the Secondary_B (passive) peer.
Perform one of the following tasks on the Secondary_B peer:
• Upgrade Panorama with an Internet Connection
• Upgrade Panorama Without an Internet Connection
After the upgrade, this Panorama transitions to a non-functional state because the peers are
no longer running the same software release.

STEP 2 | (Panorama Interconnect plugin only) Synchronize the Panorama Node with the Panorama
Controller.
Before you begin upgrading a Panorama Node, you must synchronize the Panorama Controller
and Panorama Node configuration. This is required to successfully push the common
Panorama Controller configuration to your Panorama Node after successful upgrade.

STEP 3 | (Best Practices) If you are leveraging Strata Logging Service, install the Panorama device
certificate on each Panorama HA peer.
Panorama automatically switches to using the device certificate for authentication with Strata
Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.0.

If you do not install the device certificate prior to upgrade to PAN-OS 11.0, Panorama
continues to use the existing logging service certificates for authentication.

STEP 4 | Suspend the Primary_A peer to force a failover.


On the Primary_A peer:
1. In the Operational Commands section (Panorama > High Availability), Suspend local
Panorama.
2. Verify that the state is suspended (displayed in the bottom-right corner of the web interface).
The resulting failover should cause the Secondary_B peer to transition to active state.

STEP 5 | Upgrade the Panorama software on the Primary_A (currently passive) peer.
Perform one of the following tasks on the Primary_A peer:
• Upgrade Panorama with an Internet Connection
• Upgrade Panorama Without an Internet Connection
After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption
is enabled (default), the Primary_A peer automatically transitions to the active state and the
Secondary_B peer reverts to the passive state.
If you disabled preemption, manually Restore the Primary Panorama to the Active State.

STEP 6 | Verify that both peers are now running any newly installed content release versions and the
newly installed Panorama release.
On the Dashboard of each Panorama peer, check the Panorama Software Version and
Application Version and confirm that they are the same on both peers and that the running
configuration is synchronized.

STEP 7 | (Local Log Collectors in a Collector Group only) Upgrade the remaining Log Collectors in the
Collector Group.
• Upgrade Log Collectors When Panorama Is Internet-Connected
• Upgrade Log Collectors When Panorama Is Not Internet-Connected

STEP 8 | (Recommended for Panorama mode) Increase the memory of the Panorama virtual appliance
to 64GB.
After you successfully upgrade the Panorama virtual appliance in Panorama mode to
PAN-OS 11.1, Palo Alto Networks recommends increasing the memory of the Panorama
virtual appliance to 64GB to meet the increased system requirements to avoid any logging,
management, and operational performance issues related to an under-provisioned Panorama
virtual appliance.

STEP 9 | Select Commit > Commit and Push and Commit and Push the Panorama managed
configuration to all managed devices.
After you successfully upgrade Panorama and managed devices to PAN-OS 11.1, a full commit
and push of the Panorama managed configuration is required before you can push selective
configuration to your managed devices and leverage the improved shared configuration object
management for multi-vsys firewalls managed by Panorama.

STEP 10 | (Panorama and managed devices in FIPS-CC mode) Upgrade Panorama and Managed
Devices in FIPS-CC Mode.
Upgrading Panorama and managed devices in FIPS-CC mode requires you to reset the secure
connection status of the devices in FIPS-CC mode if added to Panorama management while
running a PAN-OS 11.1 release. You need to re-onboard the following managed devices to
Panorama management:
• Managed devices in FIPS-CC mode added to Panorama using the device registration
authentication key.
• Managed devices in the normal operational mode added to Panorama using the device
registration authentication key
You do not need to re-onboard managed devices added to Panorama management while the
managed device was running a PAN-OS 10.0 or earlier release.

STEP 11 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.1. Skip
this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your
certificates.
It is required that all certificates meet the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.

Install a PAN-OS Software Patch


Where Can I Use This?
• Panorama running PAN-OS 11.1.3 or later releases

What Do I Need?
• Device management license
• Support license
• PAN-OS 11.1.3 or later 11.1 release
• Outbound internet access

Review the PAN-OS 11.1 Release Notes and then use the following procedure to install a PAN-OS
software patch to address bugs and Common Vulnerabilities and Exposures (CVEs) in the
PAN-OS release currently running on your Panorama™ management server. Installing a PAN-OS
software patch applies fixes to bugs and CVEs without the need to schedule a prolonged
maintenance window and allows you to strengthen your security posture immediately without
introducing any new known issues or changes to default behaviors that may come with installing
a new PAN-OS release. Additionally, you can revert the currently installed software patch to
uninstall the bug and CVE fixes applied when you installed the software patch.
A system log is generated (Monitor > Logs > System) when a PAN-OS software patch is installed
or reverted. An outbound internet connection is required to download the PAN-OS software
patch from the Palo Alto Networks Customer Support Portal.
• Install
• Revert

Install

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Software and Check Now to retrieve the latest PAN-OS software
patches from the Palo Alto Networks Update Server.

STEP 3 | Check (enable) Include Patch to display all available PAN-OS software patches.

STEP 4 | Locate the software patch for the PAN-OS release currently installed on Panorama.
A software patch is denoted by a Patch label displayed alongside the Version name.

STEP 5 | View More Info to review the software patch details such as the critical bug and CVE fixes
and whether the Next-Gen firewall needs to be restarted for the fixes to be applied.

STEP 6 | Download the software patch.


(HA only) Check (enable) Sync to HA Peer and Continue Download to download the PAN-OS
software patch.
Click Close after the software patch has successfully downloaded.

STEP 7 | Install the software patch.


After the software patch has successfully installed, click Close.

STEP 8 | Apply the software patch.


Click Apply when prompted to confirm you want to apply the installed PAN-OS software
patch to Panorama.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, Panorama automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to Panorama.

STEP 9 | (HA only) Install the PAN-OS software patch on the Panorama HA peer.
1. Log in to the Panorama web interface of the HA peer.
2. Select Panorama > Software and Check Now.
3. Install the software patch.
4. Reboot Panorama if required.

Revert
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Software and locate the PAN-OS software patch you want to revert.

STEP 3 | Revert the software patch.


Click Revert when prompted to confirm you want to revert the installed PAN-OS software
patch on Panorama.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, the firewall automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to Panorama.

Migrate Panorama Logs to the New Log Format


After you upgrade to a Panorama 8.0 or later release, Panorama Log Collectors use a new log
storage format. Because Panorama cannot generate reports or ACC data from logs in the
pre-8.0-release log format after you upgrade, you must migrate the existing logs as soon as you upgrade
Panorama and its Log Collectors from a PAN-OS® 7.1 or earlier release to a PAN-OS 8.0 or later
release and you must do this before you upgrade your managed firewalls. Panorama will continue
to collect logs from managed devices during the log migration but will store the incoming logs
in the new log format after you upgrade to a PAN-OS 8.0 or later release. For this reason, you
will see only partial data in the ACC and in Reports until Panorama completes the log migration
process.

Log migration to the new format is a one-time task that you must perform when you
upgrade to a PAN-OS 8.0 or later release (or when you upgrade to PAN-OS 8.0 as part of
your upgrade path); you do not need to perform this migration again when you upgrade to
a later PAN-OS release.

The amount of time Panorama takes to complete the log migration process depends on the
volume of new logs being written to Panorama and the size of the log database you are migrating.
Because log migration is a CPU-intensive process, begin the migration during a time when the
logging rate is lower. You can always stop migration during peak times if you notice that CPU
utilization rates are high and resume the migration when the incoming log rate is lower.
After you Install Content and Software Updates for Panorama and upgrade the Log Collectors,
migrate the logs as follows:

View the incoming logging rate.


For best results, start log migration when the incoming log rate is low. To check the rate, run
the following command from the Log Collector CLI:

admin@FC-M500-1> debug log-collector log-collection-stats show incoming-logs

High CPU utilization (close to 100%) during log migration is expected and operations
will continue to function normally. Log migration is throttled in favor of incoming logs
and other processes in the event of resource contention.

Start migrating the logs on each Log Collector to the new format.
To begin the migration, enter the following command from the CLI of each Log Collector:

admin@FC-M500-1> request logdb migrate lc serial-number <ser_num> start

View the log migration status to estimate the amount of time it will take to finish migrating all
existing logs to the new format.

admin@FC-M500-1> request logdb migrate lc serial-number <ser_num> status
Slot: all
Migration State: In Progress
Percent Complete: 0.04
Estimated Time Remaining: 451 hour(s) 47 min(s)

Stop the log migration process.


To temporarily stop the log migration process, enter the following command from the Log
Collector CLI:

admin@FC-M500-1> request logdb migrate lc serial-number <ser_num> stop

Upgrade Panorama for Increased Device Management Capacity


Upgrade to PAN-OS 9.1 or later releases to use your existing device management license on your
M-600 appliance to manage up to 5,000 firewalls or Panorama™ virtual appliance to manage up
to 2,500 firewalls.
STEP 1 | Increase CPUs and Memory for the Panorama Virtual Appliance if the Panorama virtual
appliance does not already meet the minimum resource requirements for increased device
management.
Review the Increased Device Management Capacity Requirements to verify whether your
existing Panorama virtual appliance meets the minimum requirements before upgrading.

STEP 2 | Log in to the Panorama CLI.

STEP 3 | Change the Panorama management server to Management Only if Panorama is not already
in this mode.
• (M-600 appliances only) Begin at Step 5 to Set Up an M-Series Appliance in Management
Only Mode.
or
• Set Up a Panorama Virtual Appliance in Management Only Mode.

STEP 4 | Log in to the Panorama web interface.

STEP 5 | Upgrade the Panorama management server.


• Upgrade Panorama with an Internet Connection.
• Upgrade Panorama Without an Internet Connection.
• Upgrade Panorama in an HA Configuration.

STEP 6 | Select Panorama > Licenses and verify that the device management license is successfully
activated.

If you activated your device management license and then upgraded to PAN-OS 9.1
or later release, you can manage up to 5,000 firewalls with an M-600 appliance, or up
to 2,500 firewalls with a Panorama virtual appliance, but the Description still displays
Device management license to manage up to 1000 devices.

Upgrade Panorama and Managed Devices in FIPS-CC Mode


On successful upgrade to PAN-OS 11.1, all managed devices in FIPS-CC mode and any managed
device added to Panorama when the device was running a PAN-OS 10.0 or earlier release must be
re-onboarded to Panorama management. This requires you to reset the secure connection status
for Panorama in FIPS-CC mode and for any managed devices in FIPS-CC mode. After resetting the
secure connection status, you must add the firewall, Log Collector, and WildFire appliance added
to Panorama using the device registration authentication key back to Panorama management. This
procedure is not required for and does not impact managed devices added to Panorama while
running PAN-OS 10.0 or earlier release. This is required for all supported Panorama models and
Next-Generation firewall hardware and VM-Series models in FIPS-CC mode.
STEP 1 | Create a list of your managed devices in FIPS-CC mode and any managed device added to
Panorama using the device registration authentication key. This will help you later on to
focus your efforts when you re-onboard your managed devices to Panorama management.

STEP 2 | Upgrade Panorama and managed devices to PAN-OS 11.1.


• Upgrade Panorama with an Internet Connection
• Upgrade Panorama Without an Internet Connection
• Upgrade Panorama in an HA Configuration

STEP 3 | After successful upgrade to PAN-OS 11.1, review the system logs on Panorama to identify
which managed devices in FIPS-CC mode are unable to connect to Panorama.

STEP 4 | Reset the secure connection state on Panorama.


This step resets connectivity for any managed device added to Panorama management while
running a PAN-OS 11.1 release and is irreversible. This step has no impact on the connectivity
status of firewalls added when running PAN-OS 10.0 or earlier release that are upgraded to
PAN-OS 11.1.
1. Log in to the Panorama CLI.
2. Reset the secure connection status.

admin> request sc3 reset

3. Restart the management server on Panorama.

admin> debug software restart process management-server

4. (HA only) Repeat this step for each peer in the high availability (HA) configuration.

STEP 5 | Reset the secure connection state on the managed device in FIPS-CC mode.
This step resets the managed device connection and is irreversible.
1. Log in to the managed device CLI.
• Log in to the firewall CLI
• Log in to the Log Collector CLI
• Log in to the WildFire Appliance CLI
2. Reset the secure connection state.

admin> request sc3 reset

3. Restart the management server on the managed device.

admin> debug software restart process management-server

STEP 6 | Add the impacted managed devices back to Panorama.


• Add a Firewall as a Managed Device
• Configure a Managed Collector
• Add Standalone WildFire Appliances to Manage with Panorama

STEP 7 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1, it is required that all certificates meet the following minimum
requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.
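
The certificate minimums listed in this step, and in STEP 11 of the HA upgrade procedure earlier, can be checked against exported certificates before you upgrade. The following Python script is an added example, not part of the Palo Alto Networks guide: it parses the text printed by openssl x509 -noout -text and reports certificates that miss either of the two listed minimums (it checks nothing else). The certificate names, the abbreviated dumps, and the function names are constructed for this example.

```python
import re

# Minimums the guide lists for PAN-OS 11.1 (OpenSSL Security Level 2).
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}
MIN_DIGEST_BITS = 256
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}
# Key-algorithm names as printed by `openssl x509 -in cert.pem -noout -text`.
KEY_FAMILY = {"rsaencryption": "RSA", "rsassapss": "RSA", "id-ecpublickey": "ECDSA"}
DIGEST_RE = re.compile(r"(md5|sha(?:1|224|256|384|512))(?!\d)", re.IGNORECASE)


def digest_of(text, sig_alg):
    """Return the digest name used by the signature, or None if unrecognised."""
    if sig_alg.lower() == "rsassapss":
        # RSA-PSS prints its digest on a separate "Hash Algorithm:" line.
        m = re.search(r"Hash Algorithm:\s*(\S+)", text)
        sig_alg = m.group(1) if m else ""
    m = DIGEST_RE.search(sig_alg)
    return m.group(1).lower() if m else None


def check_cert_text(text):
    """Return findings for one certificate dump; an empty list means both minimums are met."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    # Matches both "Public-Key: (2048 bit)" and the older "RSA Public-Key: (1024 bit)".
    key_bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)

    digest = digest_of(text, sig.group(1)) if sig else None
    if digest is None:
        findings.append("digest not recognised; review manually")
    elif DIGEST_BITS[digest] < MIN_DIGEST_BITS:
        findings.append(f"digest {digest} is below SHA256")

    family = KEY_FAMILY.get(key_alg.group(1).lower()) if key_alg else None
    if family is None or key_bits is None:
        findings.append("key type or size not recognised; review manually")
    elif int(key_bits.group(1)) < MIN_KEY_BITS[family]:
        findings.append(
            f"{family} key of {key_bits.group(1)} bits is below {MIN_KEY_BITS[family]}")
    return findings


def audit(dumps):
    """Map certificate name -> findings, listing only certificates that need attention."""
    report = {}
    for name, text in dumps.items():
        findings = check_cert_text(text)
        if findings:
            report[name] = findings
    return report


# Constructed, abbreviated dumps in the layout `openssl x509 -noout -text` prints.
SAMPLE_DUMPS = {
    "panorama-mgmt": """
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = panorama-mgmt.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    """,
    "legacy-syslog": """
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = syslog.example.test
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
    """,
    "collector-ec": """
        Signature Algorithm: ecdsa-with-SHA256
        Subject: CN = collector.example.test
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    """,
    "lab-ed25519": """
        Signature Algorithm: ED25519
        Subject: CN = lab.example.test
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
    """,
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DUMPS).items():
        print(f"{name}: " + "; ".join(findings))
```

Key types the guide does not list (the Ed25519 sample here) are reported for manual review rather than passed or failed.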

Downgrade from Panorama 11.1


PAN-OS® 11.1 introduces advanced threat prevention support for Zero-day exploit prevention
that leverages inline deep learning, simplified software upgrade and downgrade for Panorama and
managed devices to reduce the operational burden of upgrading managed devices across multiple
PAN-OS releases, proactive Best Practice Assessment (BPA) using AIOps to further eliminate
exposure from a compromised security posture, on-premises Web Proxy to help transition to the
cloud without sacrificing security or efficiency, firewall support for a stateful DHCPv6 Client to
obtain IPv6 addresses, enhanced visibility for user context for the Cloud Identity Engine (CIE),
TLSv1.3 support for management access, and enhanced IoT security policy rule recommendations
to make it easier to scale and manage policy rule recommendations. Use the following workflow
to downgrade firewalls before you downgrade Log Collectors and Panorama running a Panorama
11.1 release to an earlier feature release. This procedure works both for Panorama when
managing a local Log Collector and for Panorama when managing one or more Dedicated Log
Collectors.

To downgrade from PAN-OS 11.1 to an earlier PAN-OS release, you must download and
install the preferred PAN-OS 11.0 or later PAN-OS 11.0 release before you can continue
on your downgrade path to your target PAN-OS release. Downgrade from PAN-OS 11.0
fails if you attempt to downgrade to PAN-OS 10.2 or earlier PAN-OS release.

Review the Palo Alto Networks Compatibility Matrix to confirm that the firewalls and
appliances you intend to downgrade are compatible with the PAN-OS release to which
you intend to downgrade. For the firewalls and appliances that you can downgrade, you
should also review the Upgrade/Downgrade Considerations to ensure that you account
for all features and configuration settings that will be different or unavailable after you
downgrade.

Logs generated when running PAN-OS 11.1 are not compatible with PAN-OS 11.0 and
earlier releases and are deleted on downgrade. To preserve logs generated when running
PAN-OS 11.1.1 or PAN-OS 11.1.0, you must first upgrade to PAN-OS 11.1.2 before you
begin downgrading to your target PAN-OS release. This is required to successfully recover
logs generated in PAN-OS 11.1 after downgrade.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Save a backup of the configuration files for Panorama and managed devices.
1. Export Panorama and device configuration snapshot (Panorama > Setup > Operations).
2. Save the exported .tgz file to a location external to Panorama, Log Collectors, and
firewalls. You can use this backup to restore the configuration if you experience
problems that cause you to start over.

STEP 3 | If you have configured authentication for a Dedicated Log Collector and removed the admin
administrator, configure and push a new admin user to your Dedicated Log Collectors.
Dedicated Log Collectors must have the admin user configured in order to downgrade to
PAN-OS 9.1 and earlier releases.

STEP 4 | Select Panorama > Plugins and Download the plugin version supported on PAN-OS 11.0 for
all plugins currently installed on Panorama.
See the Panorama Plugins Compatibility Matrix for the Panorama plugin version supported on
PAN-OS 11.0 and earlier releases.
This is required to successfully downgrade Panorama from PAN-OS 11.1 to PAN-OS 11.0 and
earlier releases. The downloaded plugin version is automatically installed during downgrade to
PAN-OS 11.0. Downgrade to PAN-OS 11.0 is blocked if the supported plugin version is not
downloaded.

(ZTP plugin only) To successfully downgrade Panorama to PAN-OS 11.0, you must
uninstall the ZTP plugin before you begin the downgrade process. After successful
downgrade to PAN-OS 11.0, you must reinstall the ZTP plugin on Panorama.

STEP 5 | Downgrade each firewall running a PAN-OS 11.1 release.

Downgrading from PAN-OS 11.1 to a previous feature release requires that you first
downgrade to the preferred PAN-OS 11.0 release or later PAN-OS 11.0 release. After
successfully downgrading to the preferred PAN-OS 11.0 or later PAN-OS 11.0 release,
you can continue downgrading to your target PAN-OS version.
If downgrading more than one firewall, streamline the process by having each
firewall-specific PAN-OS 11.0 image downloaded to Panorama before you start downgrading.
For example, to downgrade your PA-220 firewall to PAN-OS 11.0, download the
PanOS_220-11.0.0 or PanOS_3000-11.0.0 images.

Panorama requires that all firewalls are running the same or an earlier PAN-OS release. So
before you downgrade Panorama, use and repeat the appropriate tasks below according to
your environment to downgrade all managed firewalls as needed:
1. Check Now for available images (Panorama > Device Deployment > Software).
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Locate the PAN-OS 11.0 image for each model or series of firewalls you intend to
downgrade. If the image is not already downloaded, then Download it.
Non-HA Firewall
Install (Action column) the appropriate PAN-OS 11.0 version, select all the firewalls you intend
to downgrade, select Reboot device after install, and click OK.
Active/Active HA Firewalls
1. Click Install, disable (clear) Group HA Peers, select either of the HA peers, select Reboot
device after install, and click OK. Wait for the firewall to finish rebooting before you
proceed.
2. Click Install, disable (clear) Group HA Peers, select the HA peer that you didn’t update in
the previous step, select Reboot device after install, and click OK.
Active/Passive HA Firewalls
In this example, the active firewall is named fw1 and the passive firewall is named fw2:
1. Install (Action column) the appropriate update, disable (clear) Group HA Peers, select
fw2, select Reboot device after install, and click OK.
2. After fw2 finishes rebooting, verify fw1 (Dashboard > High Availability widget) is still
the active peer and that fw2 is still the passive peer (the Local firewall state is active
and the Peer—fw2—is passive).
3. Access fw1 and Suspend local device (Device > High Availability > Operational
Commands).
4. Access fw2 (Dashboard > High Availability) and verify that the Local firewall state is
active and the Peer firewall—fw1—is suspended.
5. Access Panorama, select Panorama > Device Deployment > Software, Install (Action
column) the appropriate update, disable (clear) Group HA Peers, select fw1, select
Reboot device after install, and click OK. Wait for fw1 to finish rebooting before you
proceed.
6. Access fw1 (Dashboard > High Availability widget) and verify that the Local firewall
state is passive and the Peer—fw2—is active.

If you enabled preemption in the Election settings (Device > High Availability >
General), then fw1 will be reinstated as the active peer after reboot.

STEP 6 | Downgrade each Log Collector running Panorama 11.0.

Downgrading from PAN-OS 11.1 to a previous feature release requires that you
first downgrade to the preferred PAN-OS 11.0 or later PAN-OS 11.0 release. After
successfully downgrading to the preferred PAN-OS 11.0 or later PAN-OS 11.0 release,
you can continue downgrading to your target PAN-OS version.

1. Log in to the Log Collector CLI and delete all esdata directories.
admin> debug elasticsearch erase data
Repeat this step for all Log Collectors in the Collector Group that you are downgrading.
2. Check Now for available images (Panorama > Device Deployment > Software).
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
3. Locate the PAN-OS 11.0 image. If the image is not already downloaded, then Download
it (Action column).
4. After the download is complete, Install the image on each Log Collector running 11.1.
Select Reboot device after install to automatically reboot the device when the upgrade
is complete.

STEP 7 | Downgrade Panorama.

Downgrading from PAN-OS 11.1 to a previous feature release requires that you
first downgrade to the preferred PAN-OS 11.0 or later PAN-OS 11.0 release. After
successfully downgrading to the preferred PAN-OS 11.0 or later PAN-OS 11.0 release,
you can continue downgrading to your target PAN-OS version.

1. (Panorama mode only) Log in to the Panorama CLI and delete all esdata directories.
admin> debug elasticsearch erase data
2. Log in to the Panorama web interface and select Panorama > Software and Check Now
for available images.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
3. Locate the target PAN-OS image. If the image is not already downloaded, then
Download it.
4. After the download is complete, Install the image on Panorama.
5. Reboot Panorama as follows:
• If you are prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter
without typing the username or password. When the Panorama login prompt appears,
enter the username and password you set during initial configuration.
• If you are not prompted to reboot, select Panorama > Setup > Operations and click
Reboot Panorama (Device Operations).

STEP 8 | (ZTP plugin only) Re-install the ZTP plugin.


1. Log in to the Panorama web interface.
2. Install the ZTP plugin.
3. Select Panorama > Zero Touch Provisioning and check (enable) ZTP.

STEP 9 | (Enterprise DLP only) Edit the Enterprise DLP data filtering settings to reduce the Max File
Size to 20MB or less.
This is required when downgrading from Panorama plugin for Enterprise DLP 4.0.1 or later
release. Large file size inspection is supported on Enterprise DLP 4.0.1 and later releases.

STEP 10 | (Enterprise DLP only) Synchronize the Enterprise DLP data filtering profiles on Panorama
with the DLP cloud service.
This is required when downgrading Panorama from PAN-OS 11.0.2 and Enterprise DLP plugin
4.0.1 to PAN-OS 11.0.1 or earlier 11.1 release and Enterprise DLP plugin 4.0.0.
1. Log in to the Panorama CLI.
2. Push the Enterprise DLP configuration from Panorama to the DLP cloud service.

admin> request plugins dlp push-dlp-config

3. Reset the Enterprise DLP plugin.

admin> request plugins dlp reset

4. Commit on Panorama and push to managed firewalls using Enterprise DLP.


1. Log in to the Panorama web interface.
2. Select Commit > Commit to Panorama and Commit.
3. Select Commit > Push to Devices and Edit Selections.
4. Select Device Groups and Include Device and Network Templates.
5. Click OK.
6. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 11 | Log in to the Panorama CLI and recover the logs generated in PAN-OS 11.1.
admin> debug logdb migrate-lc start log-type all
To view the log migration status:
admin> debug logdb migrate-lc status

Troubleshoot Your Panorama Upgrade


To troubleshoot your Panorama upgrade, use the following table to review possible issues and
how to resolve them.

Symptom: The software warranty license expired.
Resolution: From the CLI, delete the expired license key:
1. Enter delete license key <software license key>.
2. Enter delete license key Software_Warranty<expiredate>.key.

Symptom: The latest PAN-OS software versions were not available.
Resolution: You can only see software versions that are one feature release ahead of the
current installed version. For example, if you have an 8.1 release installed, only 9.0 releases
will be available to you. To see 9.1 releases, you first have to upgrade to 9.0.

Symptom: (Panorama Virtual Appliance in Legacy Mode only) The upgrade version failed to
preload into the software manager.
Resolution: This issue occurs when there are not enough resources available. You can either
increase the virtual machine capacity or migrate from Legacy mode to Panorama mode.

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

You can use Panorama™ to qualify software and content updates by deploying them to a
subset of firewalls, Dedicated Log Collectors, or WildFire® appliances and appliance clusters
before installing the updates on the rest of your managed appliances. If you want to schedule
periodic content updates, Panorama requires a direct internet connection. To deploy software or
content updates on demand (unscheduled), the procedure differs based on whether Panorama is
connected to the internet. Panorama displays a warning if you manually deploy a content update
when a scheduled update process has started or will start within five minutes.
When deploying updates, Panorama notifies the managed appliances (firewalls, Log Collectors,
and WildFire appliances) that updates are available and the appliances then retrieve the update
packages from Panorama. By default, managed appliances retrieve updates over the management
(MGT) interface on Panorama. However, if you want to reduce the traffic load on the MGT
interface by using another interface for appliances to retrieve updates, you can Configure
Panorama to Use Multiple Interfaces.
You can quickly revert a content version for one or more firewalls to the previously installed
content version using Panorama. After a new content version is installed on the firewall, you can
revert back to the previously installed version if the newly installed content version destabilizes or
otherwise disrupts your network operations.

By default, you can download up to two software or content updates of each type to
Panorama. When you start any download beyond that maximum, Panorama deletes the
oldest update of the selected type. To change the maximum, see Manage Panorama
Storage for Software and Content Updates.

• What Updates Can Panorama Push to Other Devices?
• Panorama, Log Collector, Firewall, and WildFire Version Compatibility
• Schedule a Content Update Using Panorama
• Upgrade Firewalls When Panorama Is Internet-Connected
• Upgrade Firewalls When Panorama Is Not Internet-Connected
• Upgrade Log Collectors When Panorama Is Internet-Connected
• Upgrade Log Collectors When Panorama Is Not Internet-Connected
• Upgrade a WildFire Cluster from Panorama with an Internet Connection
• Upgrade a WildFire Cluster from Panorama without an Internet Connection
• Upgrade a ZTP Firewall
• Install a PAN-OS Software Patch
• Revert Content Updates from Panorama

What Updates Can Panorama Push to Other Devices?


The software and content updates you can install vary based on which subscriptions are active on
each firewall, Log Collector, and WildFire® appliance and appliance cluster:

Appliance Type: Log Collector
Software Updates: Panorama™
Content Updates: Applications (Log Collectors don’t need Threats signatures), Antivirus, WildFire®

Appliance Type: Firewall
Software Updates: PAN-OS®, GlobalProtect™ agent/app
Content Updates: Applications, Applications and Threats, Antivirus, WildFire

Appliance Type: WildFire
Software Updates: PAN-OS, VM images
Content Updates: WildFire

Schedule a Content Update Using Panorama


Panorama™ requires a direct internet connection for scheduling Supported Updates on firewalls,
Log Collectors, and WildFire® appliances and appliance clusters. Otherwise, you can perform
only on-demand updates. (To schedule Antivirus, WildFire, or BrightCloud URL updates for Log
Collectors, the Log Collectors must be running Panorama 7.0.3 or a later release.) Each firewall,
Log Collector, or WildFire appliance or appliance cluster receiving an update generates a log
to indicate that the installation succeeded (a Config log) or failed (a System log). To schedule
updates on the Panorama management server, see Install Updates for Panorama with an Internet
Connection.

Before deploying updates, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility for important details about content release version compatibility. Refer
to the Release Notes for the minimum content release version you must install for a
Panorama release.

Panorama can download only one update at a time for updates of the same type. If
you schedule multiple updates of the same type to download during the same time
Recurrence, only the first download succeeds.

If your firewalls connect directly to the Palo Alto Networks® Update Server, you can also
use Panorama templates (Device > Dynamic Updates) to push content update schedules
to the firewalls. If you want to delay the installation of updates for a period after they are
released, you must deploy schedules using templates. In rare instances, a content update
includes errors; specifying a delay increases the likelihood that Palo Alto Networks will
identify and remove such an update from the Update Server before your firewalls install it.

Perform the following steps for each update type you want to schedule.
STEP 1 | Select Panorama > Device Deployment > Dynamic Updates, click Schedules, and Add a
schedule.


STEP 2 | Specify a Name (to identify the schedule), the update Type, and the update frequency
(Recurrence). The frequency options depend on the update Type.

PAN-OS® uses the Panorama timezone for update scheduling.

If you set the Type to App and Threat, Log Collectors install and need only the Applications
content, not the Threats content. Firewalls use both Applications and Threats content. For
details, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.

STEP 3 | Select one of the following schedule actions and then select the firewalls or Log Collectors:
• Download And Install (Best Practice)—Select Devices (firewalls), Log Collectors, or WildFire
Appliances and Clusters.
• Download Only—Panorama downloads the update but does not install it.

STEP 4 | Click OK.

STEP 5 | Select Commit > Commit to Panorama and then Commit your changes.

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

For best results, adhere to the following Panorama™ compatibility guidelines:
• Install the same Panorama release on both the Panorama management server and the
Dedicated Log Collectors.
• Panorama must be running the same or a later PAN-OS version than the firewall it manages.
See Panorama Management Compatibility for more information.
Before upgrading firewalls to PAN-OS 11.0, you must first upgrade Panorama to 11.0.
• Dedicated Log Collectors must be running the same or later PAN-OS version than the managed
firewalls forwarding logs.
• Panorama running PAN-OS 11.1 can manage WildFire® appliances and WildFire appliance
clusters that are running the same or an earlier PAN-OS release. See Panorama Management
Compatibility for more information.
It is recommended that the Panorama management server, WildFire appliances, and WildFire
appliance clusters run the same PAN-OS release.
• The content release version on the Panorama management server must be the same (or earlier)
version as the content release version on any Dedicated Log Collectors or managed firewalls.
See Panorama Management Compatibility for more information.

Palo Alto Networks® recommends installing the same Applications database version on
Panorama as on the Dedicated Log Collectors and firewalls.

Regardless of whether your subscriptions include the Applications database or Applications and
Threats database, Panorama installs only the Applications database. Panorama and Dedicated
Log Collectors do not enforce policy rules so they do not need the threat signatures from the
Threats database. The Applications database contains threat metadata (such as threat IDs and
names) that you use on Panorama and Dedicated Log Collectors when defining policy rules
to push to managed firewalls and when interpreting threat information in logs and reports.
However, firewalls require the full Applications and Threats database to match the identifiers
recorded in logs with the corresponding threat, URL, or application names. Refer to the Release
Notes for the minimum content release version required for a Panorama release.

Upgrade Log Collectors When Panorama Is Internet-Connected


For a list of software or content updates you can install on Log Collectors, see Supported
Updates.

If you are upgrading from PAN-OS 8.1, PAN-OS 9.0 introduced a new log data format for
local and Dedicated Log Collectors. On your upgrade path to PAN-OS 10.1, existing log
data is automatically migrated to the new log data format when you upgrade from PAN-
OS 8.1 to PAN-OS 9.0.

You must upgrade all Log Collectors in a collector group at the same time to avoid losing log
data. No log forwarding or log collection occurs if the Log Collectors in a collector group are not
all running the same PAN-OS version. Additionally, the log data for the Log Collectors in the
collector group is not visible in the ACC or Monitor tabs until all Log Collectors are running the
same PAN-OS version. For example, if you have three Log Collectors in a collector group and
you upgrade two of the Log Collectors, then no logs are forwarded to any Log Collectors in the
collector group.
Palo Alto Networks recommends that you upgrade Log Collectors during a maintenance window.
Due to log format migration, the entire upgrade procedure takes an additional number of hours
depending on the amount of log data on the local and Dedicated Log Collectors.
STEP 1 | Before you upgrade Log Collectors, ensure that you are running the appropriate Panorama™
software release on the Panorama management server.

Palo Alto Networks® highly recommends that Panorama and Log Collectors run the
same software release version and that Panorama, Log Collectors, and all managed
firewalls run the same content release version. For important software and content
compatibility details, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.

Panorama must be running the same (or later) software release as Log Collectors but must
have the same or later content release version:
• Software release version—If your Panorama management server is not already running
the same or a later software release than the release to which you intend to update Log
Collectors, then you must install the same or a later Panorama release on Panorama (see
Install Content Updates and Software Upgrades for Panorama) before you update any Log
Collectors.
• Content release version—For content release versions, you should ensure that all Log
Collectors are running the latest content release version or, at minimum, running a later
version than is running on Panorama; if not, then first Upgrade the Firewall to PAN-OS
11.1 from Panorama and then update Log Collectors before you update the content release
version on the Panorama management server.
To check software and content versions:
• Panorama management server—To determine which software and content versions are
running on the Panorama management server, log in to the Panorama web interface and go
to General Information settings (Dashboard).
• Log Collectors—To determine which software and content versions are running on Log
Collectors, log in to the CLI of each Log Collector and run the show system info
command.

STEP 2 | Enable the following TCP ports on your network.


These TCP ports must be enabled on your network to allow inter-Log Collector
communication.
• TCP/9300
• TCP/9301
• TCP/9302

STEP 3 | Determine the Upgrade Path to PAN-OS 11.1.


You cannot skip installation of any feature release versions in the path from the currently
running PAN-OS version to PAN-OS 11.1.0.

Review PAN-OS Upgrade Checklist, the known issues and changes to default
behavior in the Release Notes and Upgrade/Downgrade Considerations for each
release through which you pass as part of your upgrade path.

STEP 4 | Install the latest content updates.

Refer to the Release Notes for the minimum content release versions required for a
Panorama software release.

1. Log in to the Panorama web interface.


2. Select Panorama > Device Deployment > Dynamic Updates and Check Now for the
latest updates. If an update is available, the Action column displays a Download link.
3. If not already installed, Download the appropriate content updates. After a successful
download, the link in the Action column changes from Download to Install.
4. Install the content update (Applications and Threats update) before any others.
If your subscription includes both Applications and Threats content, install the Apps
content first. This automatically installs both Application and Threats content.

Regardless of whether your subscription includes both Applications and Threats
content, Panorama installs and needs only the Applications content. For details,
see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
5. Repeat the substeps above for any other updates (Antivirus, WildFire, or URL Filtering)
as needed, one at a time, and in any sequence.


STEP 5 | Upgrade the Log Collector to the PAN-OS releases along your upgrade path to PAN-OS
11.1.

If upgrading more than one Log Collector, streamline the process by determining
the upgrade paths for all Log Collectors you intend to upgrade before you start
downloading images.

1. Upgrade Log Collectors When Panorama is Internet-Connected to PAN-OS 9.1.


2. Upgrade Log Collectors When Panorama is Internet-Connected to PAN-OS 10.0.
3. Upgrade Log Collectors When Panorama is Internet-Connected to PAN-OS 10.1.
PAN-OS 11.1 introduces a new log format. On upgrade from PAN-OS 11.1 to PAN-
OS 10.1, you can choose to migrate logs generated in PAN-OS 8.1 or earlier release.
Otherwise, these logs are automatically deleted on successful upgrade to PAN-OS 10.1.
During migration, log data is not visible in the ACC or Monitor tabs. While the migration
takes place, log data continues forwarding to the appropriate Log Collector but you may
experience some impact to performance.
4. Upgrade Log Collectors When Panorama is Internet-Connected to PAN-OS 10.2.
5. Upgrade Log Collectors When Panorama is Internet-Connected to PAN-OS 11.0.

STEP 6 | Upgrade the Log Collector to PAN-OS 11.1.


1. On Panorama, Check Now (Panorama > Device Deployment > Software) for the latest
updates. If an update is available, the Action column displays a Download link.
2. Download the model-specific file for the release version of the PAN-OS 11.1 release.
For example, to upgrade an M-Series appliance to Panorama 11.1.0, download the
Panorama_m-11.1.0 image.
After a successful download, the Action column changes from Download to Install for
that image.
3. Install PAN-OS 11.1 and select the appropriate Log Collectors.
4. A notification is displayed if one or more selected Log Collectors contain logs generated
in PAN-OS 10.0 or earlier releases.
This notification is displayed the first time you attempt to Install PAN-OS 11.1.2 or
later 11.1 release and is not displayed a second time after the notification is closed. It
warns you that logs generated by Panorama or managed devices when running PAN-OS
10.0 or earlier release are detected and will be deleted on upgrade. This means that the
impacted logs are not viewable or searchable after successful upgrade.
However, you can recover these impacted logs after upgrade. The notification also
provides you with the following information. If multiple Log Collectors are selected, click
Tasks and view the failed Install job details for each Log Collector to view and copy
the required migration commands.
• Impacted log types.
• Impacted time frames for each log type.
• Each debug logdb migrate-lc command required to recover the impacted logs
for each log type.
Copy the listed debug logdb migrate-lc commands before you Close the notification.
Close the notification.
5. Select one of the following depending on your needs:
• Upload only to device (do not install).
• Reboot device after install.
6. Click OK to start the upload or installation.
Continue to the next step after the selected Log Collectors successfully reboot.

STEP 7 | Verify the software and content update versions that are installed on the Log Collector.
Enter the show system info operational command. The output will resemble the following:

sw-version: 11.1.0
app-version: 8750-8261
app-release-date: 2023/08/31 03:57:2

STEP 8 | (PAN-OS 11.1.2 and later releases; Panorama mode only) Log in to the Log Collector CLI
of each impacted Log Collector and recover the impacted logs using the debug logdb
migrate-lc commands listed in the previous step.
These commands must be run sequentially and cannot be run simultaneously. If you didn't
copy the debug logdb migrate-lc commands from the notification window, click Tasks
and view the failed Install job details for the particular Log Collector.

STEP 9 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a Dedicated Log Collector in FIPS-CC mode requires you to reset the secure
connection status if you added the Dedicated Log Collector to Panorama management while
the Dedicated Log Collector was running a PAN-OS 11.1 release.
You do not need to re-onboard the Dedicated Log Collector added to Panorama management
while the Dedicated Log Collector was running a PAN-OS 10.0 or earlier release.


STEP 10 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.0. Skip
this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your
certificates.
It is required that all certificates meet the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.

STEP 11 | (Recommended for Panorama virtual appliance) Increase the memory of the Panorama virtual
appliance to 64GB.
After you successfully upgrade the Panorama virtual appliance in Log Collector mode to
PAN-OS 11.1, Palo Alto Networks recommends increasing the memory of the Panorama
virtual appliance to 64GB to meet the increased system requirements to avoid any logging,
management, and operational performance issues related to an under-provisioned Panorama
virtual appliance.
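
The version rules stated above (Panorama at or above the target release, every Log Collector in a collector group on the same PAN-OS version, Panorama content version not later than the collectors', and no skipped feature releases) can be checked before the maintenance window. The following is an added example, not Palo Alto Networks code: it parses the sw-version and app-version fields of show system info output, and the host names and sample outputs in it are constructed.

```python
import re

# Feature releases in upgrade order, limited to those named on this page.
FEATURE_RELEASES = ["8.1", "9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]


def parse_system_info(text):
    """Pull sw-version and app-version out of `show system info` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("sw-version", "app-version"):
            fields[key.strip()] = value.strip()
    missing = {"sw-version", "app-version"} - set(fields)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields


def sw_key(version):
    """'10.1.6-h3' -> (10, 1, 6, 3), so releases compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sw-version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def content_key(app_version):
    """'8750-8261' -> (8750, 8261)."""
    return tuple(int(part) for part in app_version.split("-"))


def upgrade_hops(current, target):
    """Feature releases to install, in order; none may be skipped."""
    def feature(version):
        return "{}.{}".format(*sw_key(version)[:2])
    start = FEATURE_RELEASES.index(feature(current))
    end = FEATURE_RELEASES.index(feature(target))
    if end < start:
        raise ValueError("target is older than the running release")
    return FEATURE_RELEASES[start + 1:end + 1]


def preflight(panorama_info, collector_infos, target):
    """Return (findings, hops_by_collector) for one collector group."""
    pano = parse_system_info(panorama_info)
    group = {name: parse_system_info(t) for name, t in collector_infos.items()}
    findings = []

    # Panorama must run the same or a later release than the collectors will.
    if sw_key(pano["sw-version"]) < sw_key(target):
        findings.append(f"Panorama runs {pano['sw-version']}, older than "
                        f"target {target}: upgrade Panorama first")

    # A collector group on mixed PAN-OS versions stops forwarding logs.
    versions = sorted({c["sw-version"] for c in group.values()})
    if len(versions) > 1:
        findings.append(f"collector group runs mixed versions {versions}: "
                        "upgrade all members in the same window")

    # Panorama content must be the same as or earlier than each collector's.
    for name, info in sorted(group.items()):
        if content_key(pano["app-version"]) > content_key(info["app-version"]):
            findings.append(f"{name} content {info['app-version']} is older "
                            f"than Panorama content {pano['app-version']}")

    hops = {n: upgrade_hops(c["sw-version"], target) for n, c in group.items()}
    return findings, hops


# Constructed sample outputs (not captured from real appliances).
SAMPLE_PANORAMA = """hostname: pano-1
sw-version: 11.1.0
app-version: 8750-8261
app-release-date: 2023/08/31 03:57:2
"""
SAMPLE_COLLECTORS = {
    "lc-a": "hostname: lc-a\nsw-version: 10.1.6-h3\napp-version: 8750-8261\n",
    "lc-b": "hostname: lc-b\nsw-version: 10.2.4\napp-version: 8740-8200\n",
}

if __name__ == "__main__":
    findings, hops = preflight(SAMPLE_PANORAMA, SAMPLE_COLLECTORS, "11.1.0")
    for finding in findings:
        print("FINDING:", finding)
    for name, path in sorted(hops.items()):
        print(name, "->", " -> ".join(path) or "already on target feature release")
```
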

Upgrade Log Collectors When Panorama Is Not Internet-Connected

For a list of software or content updates you can install on Log Collectors, see Supported
Updates.

If you are upgrading from PAN-OS 8.1, PAN-OS 9.0 introduced a new log data format for
local and Dedicated Log Collectors. On your upgrade path to PAN-OS 10.1, existing log
data is automatically migrated to the new format when you upgrade from PAN-OS 8.1 to
PAN-OS 9.0.

You must upgrade all Log Collectors in a collector group at the same time to avoid losing log
data. No log forwarding or log collection occurs if the Log Collectors in a collector group are not
all running the same PAN-OS version. Additionally, the log data for the Log Collectors in the
collector group is not visible in the ACC or Monitor tabs until all Log Collectors are running the
same PAN-OS version. For example, if you have three Log Collectors in a collector group and
you upgrade two of the Log Collectors, then no logs are forwarded to any Log Collectors in the
collector group.
Palo Alto Networks recommends that you upgrade Log Collectors during a maintenance window.
Due to log format migration, the entire upgrade procedure takes an additional number of hours
depending on the amount of log data on the local and Dedicated Log Collectors.


STEP 1 | Before you upgrade Log Collectors, ensure that you are running the appropriate Panorama™
software release on the Panorama management server.

Palo Alto Networks® highly recommends that Panorama and Log Collectors run the
same software release version and that Panorama, Log Collectors, and all managed
firewalls run the same content release version. For important software and content
compatibility details, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.

Panorama must be running the same (or later) software release as Log Collectors but must
have the same or later content release version:
• Software release version—If your Panorama management server is not already running
the same or a later software release than the release to which you intend to update Log
Collectors, then you must install the same or a later Panorama release on Panorama (see
Install Content and Software Updates for Panorama) before you update any Log Collectors.
• Content release version—For content release versions, you should ensure that all Log
Collectors are running the latest content release version or, at minimum, running a later
version than you will install or that is running on Panorama; if not, then first Upgrade the
Firewall to PAN-OS 11.1 from Panorama and then update Log Collectors before you update
the content release version on the Panorama management server (see Install Content
Updates and Software Upgrades for Panorama).
To check the software and content versions:
• Panorama management server—To determine which software and content versions are
running on the Panorama management server, log in to the Panorama web interface and go
to General Information settings (Dashboard).
• Log Collectors—To determine which software and content versions are running on Log
Collectors, log in to the CLI of each Log Collector and run the show system info
command.

STEP 2 | Determine the Upgrade Path to PAN-OS 11.1.


Review PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the
Release Notes and Upgrade/Downgrade Considerations for each release through which you
pass as part of your upgrade path.

If upgrading more than one Log Collector, streamline the process by determining
the upgrade paths for all Log Collectors you intend to upgrade before you start
downloading images.

STEP 3 | Enable the following TCP ports on your network.


These TCP ports must be enabled on your network to allow inter-Log Collector
communication.
• TCP/9300
• TCP/9301
• TCP/9302


STEP 4 | Download the latest content and software updates to a host that can connect and upload the
files to Panorama either over SCP or HTTPS.

Refer to the Release Notes for the minimum content release versions required for a
Panorama software release.

1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
web site.
2. Download the latest content updates:
1. Click Dynamic Updates in the Resources section.
2. Download the latest content updates and save the files to the host. Perform this step
for each content type you will update.
3. Download the software updates:
1. Return to the main page of the Palo Alto Networks® Customer Support website and
click Software Updates in the Resources section.
2. Review the Download column to determine which version to install. The update
package filenames for M-Series appliances begin with “Panorama_m” followed by the
release number. For example, to upgrade an M-Series appliance to Panorama 11.1.0,
download the Panorama_m-11.1.0 image.

You can quickly locate Panorama images by selecting Panorama M Images
(for M-Series appliances) from the Filter By drop-down.
4. Click the appropriate filename and save the file to the host.

STEP 5 | Install the latest content updates.

If you need to install content updates, you must do so before you install software
updates. Additionally, install content updates on firewalls first and then on Log
Collectors before you update the content release version on Panorama.

Install the Applications or Applications and Threats update first and then install any other
updates (Antivirus, WildFire®, or URL Filtering) as needed, one at a time, and in any sequence.

Regardless of whether your subscription includes both Applications and Threats content,
Panorama installs and needs only the Applications content. For details, see Panorama,
Log Collector, Firewall, and WildFire Version Compatibility.

1. Log in to the Panorama web interface.


2. Select Panorama > Device Deployment > Dynamic Updates.
3. Click Upload, select the update Type, Browse to the appropriate content update file on
the host, and click OK.
4. Click Install From File, select the update Type, and select the File Name of the update
you just uploaded.
5. Select the Log Collectors.
6. Click OK to start the installation.
7. Repeat these steps for each content update.


STEP 6 | Upgrade the Log Collector to the PAN-OS releases along your upgrade path to PAN-OS
11.1.
1. Upgrade Log Collectors When Panorama is Not Internet-Connected to PAN-OS 9.1.
2. Upgrade Log Collectors When Panorama is Not Internet-Connected to PAN-OS 10.0.
3. Upgrade Log Collectors When Panorama is Not Internet-Connected to PAN-OS 10.1.
PAN-OS 10.0 introduces a new log format. On upgrade from PAN-OS 10.0 to PAN-
OS 10.1, you can choose to migrate logs generated in PAN-OS 8.1 or earlier release.
Otherwise, these logs are automatically deleted on successful upgrade to PAN-OS 10.1.
During migration, log data is not visible in the ACC or Monitor tabs. While the migration
takes place, log data continues forwarding to the appropriate Log Collector but you may
experience some impact to performance.
4. Upgrade Log Collectors When Panorama is Not Internet-Connected to PAN-OS 10.2.
5. Upgrade Log Collectors When Panorama is Not Internet-Connected to PAN-OS 11.0.

STEP 7 | Upgrade the Log Collector to PAN-OS 11.1.


1. Select Panorama > Device Deployment > Software.
2. Click Upload, Browse to the appropriate software update file on the host, and click OK.
3. Click Install in the Action column for the release you just uploaded.
4. Install PAN-OS 11.1 and select the appropriate Log Collectors.
5. A notification is displayed if one or more selected Log Collectors contain logs generated
in PAN-OS 10.0 or earlier releases.
This notification is displayed the first time you attempt to Install PAN-OS 11.1.2 or
later 11.1 release and is not displayed a second time after the notification is closed. It
warns you that logs generated by Panorama or managed devices when running PAN-OS
10.0 or earlier release are detected and will be deleted on upgrade. This means that the
impacted logs are not viewable or searchable after successful upgrade.
However, you can recover these impacted logs after upgrade. The notification also
provides you with the following information. If multiple Log Collectors are selected, click
Tasks and view the failed Install job details for each Log Collector to view and copy
the required migration commands.
• Impacted log types.
• Impacted time frames for each log type.
• Each debug logdb migrate-lc command required to recover the impacted logs
for each log type.
Copy the listed debug logdb migrate-lc commands before you Close the notification.
Close the notification.
6. Select one of the following depending on your needs:
• Upload only to device (do not install).
• Reboot device after install.
7. Click OK to start the upload or installation.
Continue to the next step after the selected Log Collectors successfully reboot.


STEP 8 | Verify the software and content versions that are installed on each Log Collector.
Log in to the Log Collector CLI and enter the show system info operational command. The
output will resemble the following:

sw-version: 11.1.0
app-version: 8750-8261
app-release-date: 2023/08/31 03:57:2

STEP 9 | (PAN-OS 11.1.2 and later releases; Panorama mode only) Log in to the Log Collector CLI
of each impacted Log Collector and recover the impacted logs using the debug logdb
migrate-lc commands listed in the previous step.
These commands must be run sequentially and cannot be run simultaneously. If you didn't
copy the debug logdb migrate-lc commands from the notification window, click Tasks
and view the failed Install job details for the particular Log Collector.

STEP 10 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a Dedicated Log Collector in FIPS-CC mode requires you to reset the secure
connection status if you added the Dedicated Log Collector to Panorama management while
the Dedicated Log Collector was running a PAN-OS 11.1 release.
You do not need to re-onboard the Dedicated Log Collector added to Panorama management
while the Dedicated Log Collector was running a PAN-OS 10.0 or earlier release.

STEP 11 | (PAN-OS 10.2 and later releases) Regenerate or re-import all certificates to adhere to
OpenSSL Security Level 2.
This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.0. Skip
this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your
certificates.
It is required that all certificates meet the following minimum requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.

STEP 12 | (Recommended for Panorama virtual appliance) Increase the memory of the Panorama virtual
appliance to 64GB.
After you successfully upgrade the Panorama virtual appliance in Log Collector mode to
PAN-OS 11.1, Palo Alto Networks recommends increasing the memory of the Panorama
virtual appliance to 64GB to meet the increased system requirements to avoid any logging,
management, and operational performance issues related to an under-provisioned Panorama
virtual appliance.
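
The certificate minimums in the "Regenerate or re-import all certificates" step of both Log Collector procedures above (RSA 2048 bits or ECDSA 256 bits, digest of SHA256 or greater) can be audited before the upgrade. The following is an added example, not Palo Alto Networks code: it reads the text that `openssl x509 -noout -text` prints for a certificate, and the sample certificate excerpts and host names in it are constructed.

```python
import re
import subprocess

# Minimums stated on this page for OpenSSL Security Level 2.
MIN_KEY_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 256}
MIN_DIGEST_BITS = 256


def digest_bits(sig_algorithm):
    """Digest size implied by an OpenSSL signature algorithm name, or None."""
    name = sig_algorithm.lower()
    if re.search(r"md\d", name):
        return 128                      # MD2, MD4 and MD5 are 128-bit digests
    m = re.search(r"sha(?:3-)?(\d+)", name)
    if not m:
        return None                     # e.g. rsassaPss keeps the digest in its parameters
    bits = int(m.group(1))
    return 160 if bits == 1 else bits   # SHA-1 is a 160-bit digest


def audit_cert_text(text):
    """Return the list of violations for one certificate's openssl text dump."""
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    key_bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if not (key_alg and key_bits and sig_alg):
        return ["could not parse certificate text"]

    problems = []
    alg, bits = key_alg.group(1), int(key_bits.group(1))
    minimum = MIN_KEY_BITS.get(alg)
    if minimum is None:
        problems.append(f"key type {alg} is neither RSA nor ECDSA; review manually")
    elif bits < minimum:
        problems.append(f"{alg} key is {bits} bits, below the {minimum}-bit minimum")

    digest = digest_bits(sig_alg.group(1))
    if digest is None:
        problems.append(f"digest not evident from {sig_alg.group(1)}; review manually")
    elif digest < MIN_DIGEST_BITS:
        problems.append(f"signature {sig_alg.group(1)} uses a digest below SHA256")
    return problems


def audit_pem_file(path):
    """Audit a PEM certificate on disk; needs the openssl CLI on PATH."""
    result = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        capture_output=True, text=True, check=True)
    return audit_cert_text(result.stdout)


# Constructed excerpts in the layout of `openssl x509 -noout -text` output.
SAMPLE_OK_RSA = """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = lc-a.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_WEAK_RSA = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = lc-old.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
SAMPLE_OK_EC = """Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject: CN = pano-1.example.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
"""

if __name__ == "__main__":
    samples = {"ok-rsa": SAMPLE_OK_RSA, "weak-rsa": SAMPLE_WEAK_RSA, "ok-ec": SAMPLE_OK_EC}
    for name, text in samples.items():
        issues = audit_cert_text(text)
        print(name, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

For certificates exported to disk, audit_pem_file runs the same check on each PEM file.
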


Upgrade a WildFire Cluster from Panorama with an Internet Connection

WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama.
If Panorama has a direct connection to the internet, you can check and download new releases
directly from Panorama.

Panorama can manage WildFire appliances and appliance clusters running the same or
earlier PAN-OS software version.

STEP 1 | Upgrade Panorama to an equal or later release than the target software release you want to
install on the WildFire cluster.
For information on upgrading Panorama, refer to Install Content and Software Updates for
Panorama.

STEP 2 | Temporarily suspend sample analysis.


1. Stop firewalls from forwarding any new samples to the WildFire appliance.
1. Log in to the firewall web interface.
2. Select Device > Setup > WildFire and edit General Settings.
3. Clear the WildFire Private Cloud field.
4. Click OK and Commit.
2. Confirm that analysis for samples the firewalls already submitted to the appliance is
complete:
1. Log in to the Panorama web interface.
2. Select Panorama > Managed WildFire Clusters and View the cluster analysis
environment Utilization.
3. Verify that the Virtual Machine Usage does not show any sample analysis in progress.

If you do not want to wait for the WildFire appliance to finish analyzing
recently-submitted samples, you can continue to the next step. However,
consider that the WildFire appliance then drops pending samples from the
analysis queue.


STEP 3 | Install the latest WildFire appliance content update.


These updates equip the appliance with the latest threat information to accurately detect
malware.

You must install content updates before installing software upgrades. Refer to
the Release Notes for the minimum content release version you must install for a
Panorama release.

1. Download the WildFire content update:


1. Select Panorama > Device Deployment > Dynamic Updates.
2. Select a WildFire content update release package and click Download.
2. Click Install.
3. Select the WildFire cluster(s) or individual appliances that you want to upgrade.
4. Click OK to start the installation.

STEP 4 | Download the PAN-OS software version to the WildFire appliance.


You cannot skip any major release version when upgrading the WildFire appliance. For
example, if you want to upgrade from PAN-OS 9.1 to PAN-OS 11.0, you must first download
and install PAN-OS 10.0, PAN-OS 10.1, and PAN-OS 10.2.
1. Download the WildFire software upgrade:
1. Select Panorama > Device Deployment > Software.
2. Click Check Now to retrieve an updated list of releases.
3. Select the WildFire release that you wish to install and click Download.
4. Click Close to exit the Download Software window.
2. Click Install.
3. Select the WildFire cluster(s) that you want to upgrade.
4. Select Reboot device after install.
5. Click OK to start the installation.
6. (Optional) Monitor installation progress on Panorama.

STEP 5 | (Optional) View the status of the reboot tasks on the WildFire controller node.
On the WildFire cluster controller, run the following command and look for the job type
Install and Status FIN:

admin@WF-500(active-controller)> show cluster task pending


STEP 6 | Check that the WildFire appliance is ready to resume sample analysis.
1. Verify that the sw-version field shows 11.0.0:

admin@WF-500(passive-controller)> show system info | match sw-version

2. Confirm that all processes are running:

admin@WF-500(passive-controller)> show system software status

3. Confirm that the auto-commit (AutoCom) job is complete:

admin@WF-500(passive-controller)> show jobs all

Upgrade a WildFire Cluster from Panorama without an Internet Connection

WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama.
If Panorama does not have a direct connection to the internet, you must download the software
content and updates from the Palo Alto Networks Support site and host them on an internal
server before they can be distributed by Panorama.

Panorama can manage WildFire appliances and appliance clusters running the same or
earlier PAN-OS software version.

STEP 1 | Upgrade Panorama to an equal or later release than the target software release you want to
install on the WildFire cluster.
For information on upgrading Panorama, refer to Install Content and Software Updates for
Panorama.


STEP 2 | Temporarily suspend sample analysis.


1. Stop firewalls from forwarding any new samples to the WildFire appliance.
1. Log in to the firewall web interface.
2. Select Device > Setup > WildFire and edit General Settings.
3. Clear the WildFire Private Cloud field.
4. Click OK and Commit.
2. Confirm that analysis for samples the firewalls already submitted to the appliance is
complete:
1. Log in to the Panorama web interface.
2. Select Panorama > Managed WildFire Clusters and View the cluster analysis
environment Utilization.
3. Verify that the Virtual Machine Usage does not show any sample analysis in progress.

If you do not want to wait for the WildFire appliance to finish analyzing
recently-submitted samples, you can continue to the next step. However,
consider that the WildFire appliance then drops pending samples from the
analysis queue.

STEP 3 | Download the WildFire content and software updates to a host that has internet access.
Panorama must have access to the host.
1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
web site.
2. Download content updates:
1. Click Dynamic Updates in the Tools section.
2. Download the desired content update and save the file to the host. Perform this step
for each content type you will update.
3. Download software updates:
1. Return to the main page of the Palo Alto Networks Customer Support web site and
click Software Updates in the Tools section.
2. Review the Download column to determine the version to install. The filename of the
update package indicates the model and release of the upgrade: WildFire_<release>.
3. Click the filename and save the file to the host.

STEP 4 | Install the latest WildFire appliance content update.


These updates equip the appliance with the latest threat information to accurately detect
malware.

You must install content updates before installing software upgrades. Refer to
the Release Notes for the minimum content release version you must install for a
Panorama release.

1. Download the WildFire content update:
   1. Select Panorama > Device Deployment > Dynamic Updates.
   2. Click Upload, select the content Type, Browse to the WildFire content update file, and
      click OK.
   3. Click Install From File, select the package Type, the File Name, and the WildFire
      appliances in the cluster that you want to upgrade, then click OK.
2. Click OK to start the installation.

STEP 5 | Download the PAN-OS software version to the WildFire appliance.


You cannot skip any major release version when upgrading the WildFire appliance. For
example, if you want to upgrade from PAN-OS 9.1 to PAN-OS 11.0, you must first download
and install PAN-OS 10.0, PAN-OS 10.1, and PAN-OS 10.2.
1. Download the WildFire software upgrade:
   1. Select Panorama > Device Deployment > Software.
   2. Click Check Now to retrieve an updated list of releases.
   3. Select the WildFire release that you wish to install and click Download.
   4. Click Close to exit the Download Software window.
2. Click Install.
3. Select the WildFire cluster(s) that you want to upgrade.
4. Select Reboot device after install.
5. Click OK to start the installation.
6. (Optional) Monitor installation progress on Panorama.

STEP 6 | (Optional) View the status of the reboot tasks on the WildFire controller node.
On the WildFire cluster controller, run the following command and look for the job type
Install and Status FIN:

admin@WF-500(active-controller)> show cluster task pending

STEP 7 | Check that the WildFire appliance is ready to resume sample analysis.
1. Verify that the sw-version field shows 11.0.0:

admin@WF-500(passive-controller)> show system info | match sw-version

2. Confirm that all processes are running:

admin@WF-500(passive-controller)> show system software status

3. Confirm that the auto-commit (AutoCom) job is complete:

admin@WF-500(passive-controller)> show jobs all

Upgrade Firewalls When Panorama Is Internet-Connected


Review the PAN-OS 11.1 Release Notes and then use the following procedure to upgrade
firewalls that you manage with Panorama. This procedure applies to standalone firewalls and
firewalls deployed in a high availability (HA) configuration.
When upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each
HA peer to the same feature PAN-OS release on your upgrade path before continuing. For
example, you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1. You must upgrade
both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1
release. When HA peers are two or more feature releases apart, the firewall with the older release
installed enters a suspended state with the message Peer version too old.

If Panorama is unable to connect directly to the updates server, follow the Upgrade
Firewalls When Panorama Is Not Internet-Connected procedure so that you can
manually download images to Panorama and then distribute the images to firewalls.

The new Skip Software Version Upgrade feature enables you to skip up to three releases when
deploying upgrades from Panorama appliances on PAN-OS 11.1 to firewalls on PAN-OS 10.1 or
later versions.
Before you can upgrade firewalls from Panorama, you must:
• Make sure Panorama is running the same or a later PAN-OS version than you are upgrading
  to. You must upgrade Panorama and its Log Collectors to 11.1 before upgrading the managed
  firewalls to this version. In addition, when upgrading Log Collectors to 11.1, you must upgrade
  all Log Collectors at the same time due to changes in the logging infrastructure.
• Ensure that firewalls are connected to a reliable power source. A loss of power during an
  upgrade can make a firewall unusable.
• Decide whether to stay in Legacy mode if the Panorama virtual appliance is in Legacy mode
  on upgrade to PAN-OS 11.1. Legacy mode is not supported for a new Panorama virtual
  appliance deployment running PAN-OS 9.1 or a later release. If you upgrade the Panorama
  virtual appliance from PAN-OS 9.0 or an earlier release to PAN-OS 11.1, Palo Alto Networks
  recommends reviewing the Setup Prerequisites for the Panorama Virtual Appliance and
  changing to Panorama mode or Management Only mode based on your needs.
  If you want to keep the Panorama virtual appliance in Legacy mode, increase the CPUs and
  memory allocated to the Panorama virtual appliance to a minimum of 16 CPUs and 32GB memory
  to successfully upgrade to PAN-OS 11.1. See the Setup Prerequisites for the Panorama Virtual
  Appliance for more information.
• (Recommended for multi-vsys managed firewalls) Transition all vsys of a multi-vsys managed
  firewall to Panorama.
  This is recommended to avoid commit issues on the multi-vsys managed firewall and allows
  you to take advantage of optimized shared object pushes from Panorama.
  This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
  Software Version Upgrade only.
• (Multi-vsys managed firewalls) Delete or rename any locally configured Shared object that has
  an identical name to an object in the Panorama Shared configuration. Otherwise, configuration
  pushes from Panorama fail after the upgrade and display the error <object-name> is
  already in use.
  This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
  Software Version Upgrade only.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Modify your Security policy rule to allow ssl application traffic.

This applies to firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version upgrade only.
This is required to prevent managed devices disconnecting from Panorama after
upgrade to PAN-OS 11.1 if traffic between Panorama and managed devices is
controlled using the panorama App-ID. Managed devices will disconnect from
Panorama if the ssl application is not allowed before you upgrade.

PAN-OS 11.1 uses TLS version 1.3 to encrypt the service certificate and handshake messages
between Panorama and managed firewalls. As a result, the App-ID for traffic from managed
firewalls to Panorama is reclassified from panorama to ssl. To continue communication
between Panorama and managed devices, you must modify the Security policy rule controlling
traffic between Panorama and managed devices to also allow the ssl application.
Skip this step if the Security policy rule controlling traffic between Panorama and managed
devices allows Any application or if you already modified your Security policy rule controlling
traffic between Panorama and managed devices.
1. Select Policies > Security > Pre Rules.
2. Select the Device Group containing the Security policy rule controlling traffic between
Panorama and managed firewalls.
3. Select the Security policy rule.
4. Select Application and Add the ssl application.

Do not delete the panorama application. This will cause all managed firewalls
to disconnect from Panorama after you push the changes.

5. Click OK.
6. Select Commit > Commit and Push and Commit and Push your configuration changes.

STEP 3 | Save a backup of the current configuration file on each managed firewall you plan to
upgrade.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Select Panorama > Setup > Operations and click Export Panorama and devices config
bundle to generate and export the latest configuration backup of Panorama and of each
managed appliance.

2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 4 | Install the latest content update.


Refer to the Release Notes for the minimum content release version required for PAN-OS
11.1. Make sure to follow the Best Practices for Applications and Threats Content Updates
when deploying content updates to Panorama and managed firewalls.
1. Select Panorama > Device Deployment > Dynamic Updates and Check Now for the
latest updates. If an update is available, the Action column displays a Download link.

2. Click Install and select the firewalls on which you want to install the update. If you are
upgrading HA firewalls, you must update content on both peers.
3. Click OK.

STEP 5 | Determine the Upgrade Path to PAN-OS 11.1.

Review the PAN-OS Upgrade Checklist, the known issues and changes to default
behavior in the Release Notes and upgrade/downgrade considerations for each
release through which you pass as part of your upgrade path.

If upgrading more than one firewall, streamline the process by determining upgrade
paths for all firewalls before you start downloading images.

STEP 6 | (Best Practices) If you are leveraging Strata Logging Service, install the device certificate.
The firewall automatically switches to using the device certificate for authentication with
Strata Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1.

If you do not install the device certificate prior to upgrade to PAN-OS 11.1, the firewall
continues to use the existing logging service certificates for authentication.

STEP 7 | (HA firewall upgrades only) If you will be upgrading firewalls that are part of an HA pair,
disable preemption. You need only disable this setting on one firewall in each HA pair.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.

3. Commit your change. Make sure the commit is successful before you proceed with the
upgrade.

STEP 8 | (HA firewall upgrades only) Suspend the primary HA peer to force a failover.
(Active/passive firewalls) For firewalls in an active/passive HA configuration, suspend and
upgrade the active HA peer first.
(Active/active firewalls) For firewalls in an active/active HA configuration, suspend and
upgrade the active-primary HA peer first.
1. Log in to the firewall web interface of the active primary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.

3. In the bottom-right corner, verify that the state is suspended.


The resulting failover should cause the secondary passive HA peer to transition to
active state.

The resulting failover verifies that HA failover is functioning properly before you
upgrade.

STEP 9 | (Optional) Upgrade your managed firewalls to PAN-OS 10.1.


The skip software version upgrade feature supports managed firewalls running PAN-OS 10.1
or later releases. If your managed firewalls are on PAN-OS 10.0 or an earlier release, first
upgrade to PAN-OS 10.1 or a later release.

STEP 10 | (Optional) Export the file to a configured SCP server.


In PAN-OS 11.1, SCP servers are available as a download source when deploying upgrades to
managed firewalls. Export the file before downloading the software and content images in the
next step.

STEP 11 | Validate and download the software and content versions required for the target release.
In this step, you’re able to both view and download the intermediate software and content
images required to upgrade to PAN-OS 11.1.
Downloading software and content images using multi-image download is optional. You can
still download images one at a time.
1. Click Panorama > Device Deployment > Software > Action > Validate.
2. View the intermediate software and content versions you need to download.
3. Select the firewalls you want to upgrade and click Deploy.
4. Select a download source and click Download.

STEP 12 | Install PAN-OS 11.1.0 on the firewalls.

(SD-WAN only) To preserve an accurate status for your SD-WAN links, you must
upgrade your hub firewalls to PAN-OS 11.1 before you upgrade your branch firewalls.
Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data
(Panorama > SD-WAN > Monitoring) and cause SD-WAN links to erroneously display as
down.

1. Click Install in the Action column that corresponds to the firewall models you want to
upgrade. For example, if you want to upgrade your PA-440 firewalls, click Install in the
row that corresponds to PanOS_440-11.1.0.
2. In the Deploy Software file dialog, select all firewalls that you want to upgrade.
(HA firewall upgrades only) To reduce downtime, select only one peer in each HA pair.
For active/passive pairs, select the passive peer; for active/active pairs, select the
active-secondary peer.
3. (HA firewall upgrades only) Make sure Group HA Peers is not selected.
4. Select Reboot device after install.
5. To begin the upgrade, click OK.
6. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
7. After the firewalls finish rebooting, select Panorama > Managed Devices and verify the
Software Version is 11.1.0 for the firewalls you upgraded. Also verify that the HA status
of any passive firewalls you upgraded is still passive.

STEP 13 | (HA firewall upgrades only) Restore HA functionality to the primary HA peer.
1. Log in to the firewall web interface of the suspended primary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
3. In the bottom-right corner, verify that the state is Passive. For firewalls in an
active/active configuration, verify that the state is Active.
4. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.

STEP 14 | (HA firewall upgrades only) Suspend the secondary HA peer to force a failover back to the
primary HA peer.
1. Log in to the firewall web interface of the active secondary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
3. In the bottom-right corner, verify that the state is suspended.
The resulting failover should cause the primary passive HA peer to transition to active
state.

The resulting failover verifies that HA failover is functioning properly before you
upgrade.

STEP 15 | (HA firewall upgrades only) Upgrade the second HA peer in each HA pair.
1. In the Panorama web interface, select Panorama > Device Deployment > Software.
2. Click Install in the Action column that corresponds to the firewall models of the HA pairs
you are upgrading.
3. In the Deploy Software file dialog, select all firewalls that you want to upgrade. This
time, select only the peers of the HA firewalls you just upgraded.
4. Make sure Group HA Peers is not selected.
5. Select Reboot device after install.
6. To begin the upgrade, click OK.
7. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.

STEP 16 | (HA firewall upgrades only) Restore HA functionality to the secondary HA peer.
1. Log in to the firewall web interface of the suspended secondary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
3. In the bottom-right corner, verify that the state is Passive. For firewalls in an
active/active configuration, verify that the state is Active.
4. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.

STEP 17 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a managed firewall in FIPS-CC mode requires you to reset the secure connection
status if you added the Dedicated Log Collector to Panorama management while the managed
firewall was running a PAN-OS 11.1 release.
You do not need to re-onboard the managed firewall added to Panorama management while
the managed firewall was running a PAN-OS 10.0 or earlier release.

STEP 18 | Verify the software and content release version running on each managed firewall.
1. On Panorama, select Panorama > Managed Devices.
2. Locate the firewalls and review the content and software versions in the table.
For HA firewalls, you can also verify that the HA Status of each peer is as expected.

STEP 19 | (HA firewall upgrades only) If you disabled preemption on one of your HA firewalls before
you upgraded, then edit the Election Settings (Device > High Availability) and re-enable the
Preemptive setting for that firewall and then Commit the change.

STEP 20 | On the Panorama web interface, push the entire Panorama managed configuration to your
managed firewalls.
This step is required to enable selective commit and push of device group and template stack
configuration changes from Panorama to your managed firewalls.
This is required to successfully push configuration changes to multi-vsys firewalls managed
by Panorama after successful upgrade to PAN-OS 11.1 from PAN-OS 10.1 or earlier release.
For more information, see the change to default behavior for shared configuration objects for
multi-vsys firewalls managed by Panorama.
1. Select Commit > Push to Devices.
2. Push.

STEP 21 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1 or a later release, all certificates must meet the
following minimum requirements. Skip this step if you are upgrading from PAN-OS 10.2 and
have already regenerated or re-imported your certificates.
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.
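
An added example (not from the guide or from Palo Alto Networks tooling) that checks certificates against the minimums listed in this step, using only the Python standard library. It reads the key type, key size and signature digest from a DER or PEM certificate; the sample_cert helper builds unsigned certificate skeletons as constructed test input, and the OID tables cover only common RSA and ECDSA algorithms (an assumption).

```python
import base64
import re

# Hex of each DER-encoded OID body -> digest used in the certificate signature.
SIG_DIGEST = {
    "2a864886f70d010104": "md5", "2a864886f70d010105": "sha1",      # *WithRSAEncryption
    "2a864886f70d01010b": "sha256", "2a864886f70d01010c": "sha384",
    "2a864886f70d01010d": "sha512",
    "2a8648ce3d0401": "sha1", "2a8648ce3d040302": "sha256",         # ecdsa-with-*
    "2a8648ce3d040303": "sha384", "2a8648ce3d040304": "sha512",
}
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}
RSA_OID, EC_OID = "2a864886f70d010101", "2a8648ce3d0201"
CURVE_BITS = {  # named-curve OID -> key size in bits
    "2a8648ce3d030101": 192, "2b81040021": 224, "2a8648ce3d030107": 256,
    "2b81040022": 384, "2b81040023": 521,
}
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}   # minimums stated in the guide
MIN_DIGEST_BITS = 256                         # SHA256 or greater

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def cert_facts(der):
    """Return (key_type, key_bits, signature_digest) for a DER certificate."""
    cert = read_tlv(der, 0)[1]
    tbs, sig_alg = children(cert)[:2]
    digest = SIG_DIGEST.get(children(sig_alg[1])[0][1].hex(), "unknown")
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:           # explicit [0] version tag (v2/v3 certificates)
        fields = fields[1:]
    spki = children(fields[5][1])      # follows serial, sigAlg, issuer, validity, subject
    alg = children(spki[0][1])
    if alg[0][1].hex() == RSA_OID:
        rsa_key = read_tlv(spki[1][1][1:], 0)[1]   # skip the unused-bits octet
        modulus = children(rsa_key)[0][1]
        return "RSA", int.from_bytes(modulus, "big").bit_length(), digest
    if alg[0][1].hex() == EC_OID:
        return "ECDSA", CURVE_BITS.get(alg[1][1].hex(), 0), digest
    return "other", 0, digest

def violations(der):
    """List the ways a certificate misses the minimums from the guide."""
    key_type, bits, digest = cert_facts(der)
    problems = []
    minimum = MIN_KEY_BITS.get(key_type)
    if minimum is None:
        problems.append("key type is neither RSA nor ECDSA")
    elif bits < minimum:
        problems.append(f"{key_type} key is {bits} bits, below {minimum}")
    if DIGEST_BITS.get(digest, 0) < MIN_DIGEST_BITS:
        problems.append(f"signature digest {digest} is weaker than SHA256")
    return problems

def _tlv(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def sample_cert(sig_oid, key_oid, rsa_bits=0, curve_oid=None):
    """Constructed input: unsigned certificate skeleton for exercising the checker."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    oid = lambda h: _tlv(0x06, bytes.fromhex(h))
    sig_alg = seq(oid(sig_oid), _tlv(0x05, b""))
    if rsa_bits:
        modulus = _tlv(0x02, b"\x00" + ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big"))
        key = seq(modulus, _tlv(0x02, b"\x01\x00\x01"))
        spki = seq(seq(oid(key_oid), _tlv(0x05, b"")), _tlv(0x03, b"\x00" + key))
    else:
        spki = seq(seq(oid(key_oid), oid(curve_oid)), _tlv(0x03, b"\x00\x04" + b"\x01" * 64))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sig_alg, seq(), seq(), seq(), spki)
    return seq(tbs, sig_alg, _tlv(0x03, b"\x00" * 9))
```

Call violations(pem_to_der(text)) on each certificate you export from the firewall or Panorama; an empty list means the certificate meets the key-size and digest minimums above.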

STEP 22 | View the software upgrade history of the firewall.


1. Log in to the Panorama interface.
2. Go to Panorama > Managed Devices > Summary and click Device History.

Upgrade Firewalls When Panorama Is Not Internet-Connected


For a list of software and content updates you can install on firewalls, see Supported Updates.
The new Skip Software Version Upgrade feature enables you to skip up to three releases when
deploying upgrades from Panorama appliances on PAN-OS 11.1 to firewalls on PAN-OS 10.1 or
later versions.
Before you can upgrade firewalls from Panorama, you must:
• Make sure Panorama is running the same or a later PAN-OS version than you are upgrading
  to. You must upgrade Panorama and its Log Collectors to 11.1 before upgrading the managed
  firewalls to this version. In addition, when upgrading Log Collectors to 11.1, you must upgrade
  all Log Collectors at the same time due to changes in the logging infrastructure.
• Ensure that firewalls are connected to a reliable power source. A loss of power during an
  upgrade can make a firewall unusable.
• Decide whether to stay in Legacy mode if the Panorama virtual appliance is in Legacy mode
  on upgrade to PAN-OS 11.1. Legacy mode is not supported for a new Panorama virtual
  appliance deployment running PAN-OS 9.1 or a later release. If you upgrade the Panorama
  virtual appliance from PAN-OS 9.0 or an earlier release to PAN-OS 11.1, Palo Alto Networks
  recommends reviewing the Setup Prerequisites for the Panorama Virtual Appliance and
  changing to Panorama mode or Management Only mode based on your needs.
  If you want to keep the Panorama virtual appliance in Legacy mode, increase the CPUs and
  memory allocated to the Panorama virtual appliance to a minimum of 16 CPUs and 32GB memory
  to successfully upgrade to PAN-OS 11.1. See the Setup Prerequisites for the Panorama Virtual
  Appliance for more information.
• (Recommended for multi-vsys managed firewalls) Transition all vsys of a multi-vsys managed
  firewall to Panorama.
  This is recommended to avoid commit issues on the multi-vsys managed firewall and allows
  you to take advantage of optimized shared object pushes from Panorama.
  This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
  Software Version Upgrade only.
• (Multi-vsys managed firewalls) Delete or rename any locally configured Shared object that has
  an identical name to an object in the Panorama Shared configuration. Otherwise, configuration
  pushes from Panorama fail after the upgrade and display the error <object-name> is
  already in use.
  This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
  Software Version Upgrade only.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Modify your Security policy rule to allow ssl application traffic.

This applies to firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version upgrade only.
This is required to prevent managed devices disconnecting from Panorama after
upgrade to PAN-OS 11.1 if traffic between Panorama and managed devices is
controlled using the panorama App-ID. Managed devices will disconnect from
Panorama if the ssl application is not allowed before you upgrade.

PAN-OS 11.1 uses TLS version 1.3 to encrypt the service certificate and handshake messages
between Panorama and managed firewalls. As a result, the App-ID for traffic from managed
firewalls to Panorama is reclassified from panorama to ssl. To continue communication
between Panorama and managed devices, you must modify the Security policy rule controlling
traffic between Panorama and managed devices to also allow the ssl application.
Skip this step if the Security policy rule controlling traffic between Panorama and managed
devices allows Any application or if you already modified your Security policy rule controlling
traffic between Panorama and managed devices.
1. Select Policies > Security > Pre Rules.
2. Select the Device Group containing the Security policy rule controlling traffic between
Panorama and managed firewalls.
3. Select the Security policy rule.
4. Select Application and Add the ssl application.

Do not delete the panorama application. This will cause all managed firewalls
to disconnect from Panorama after you push the changes.

5. Click OK.
6. Select Commit > Commit and Push and Commit and Push your configuration changes.
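
The STEP 2 check in both firewall upgrade procedures (Panorama internet-connected and not internet-connected) can be run offline against an exported configuration before you upgrade. The following Python audit is an added example, not part of the guide or of Palo Alto Networks tooling: it lists enabled allow rules in device-group pre-rulebases that permit the panorama application but neither ssl nor any, resolving application groups first. The XML element layout, the sample configuration and every rule and group name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed-down Panorama configuration (not from a real device).
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch-fw">
      <pre-rulebase><security><rules>
        <entry name="mgmt-to-panorama">
          <application><member>panorama</member></application>
          <action>allow</action>
        </entry>
        <entry name="mgmt-already-fixed">
          <application><member>panorama</member><member>ssl</member></application>
          <action>allow</action>
        </entry>
        <entry name="old-mgmt-rule">
          <application><member>panorama</member></application>
          <action>allow</action><disabled>yes</disabled>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
    <entry name="dc-fw">
      <application-group>
        <entry name="mgmt-apps"><members><member>panorama</member><member>ssl</member></members></entry>
        <entry name="legacy-mgmt"><members><member>panorama</member></members></entry>
      </application-group>
      <pre-rulebase><security><rules>
        <entry name="mgmt-via-group">
          <application><member>mgmt-apps</member></application>
          <action>allow</action>
        </entry>
        <entry name="mgmt-via-legacy-group">
          <application><member>legacy-mgmt</member></application>
          <action>allow</action>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>
"""


def _members(node, path):
    """Collect the text of every <member> element found under path."""
    return {m.text.strip() for m in node.iterfind(path) if m.text}


def rules_missing_ssl(config_xml):
    """Return (device_group, rule) pairs that allow panorama but not ssl or any."""
    root = ET.fromstring(config_xml.strip())
    # Application groups defined in the Shared location are visible to every device group.
    shared_groups = {g.get("name"): _members(g, "./members/member")
                     for g in root.iterfind("./shared/application-group/entry")}
    findings = []
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        groups = dict(shared_groups)
        groups.update({g.get("name"): _members(g, "./members/member")
                       for g in dg.iterfind("./application-group/entry")})
        for rule in dg.iterfind("./pre-rulebase/security/rules/entry"):
            if rule.findtext("action", "").strip() != "allow":
                continue
            if rule.findtext("disabled", "no").strip() == "yes":
                continue
            # Expand application groups one level so a group holding ssl counts.
            apps = set()
            for name in _members(rule, "./application/member"):
                apps |= groups.get(name, {name})
            if "panorama" in apps and not apps & {"ssl", "any"}:
                findings.append((dg.get("name"), rule.get("name")))
    return findings


if __name__ == "__main__":
    for device_group, rule in rules_missing_ssl(SAMPLE_CONFIG):
        print(f"{device_group}: rule '{rule}' allows panorama but not ssl")
```

Every rule the function reports needs the ssl application added (keeping panorama) and a Commit and Push before the managed firewalls are upgraded.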

STEP 3 | Save a backup of the current configuration file on each managed firewall you plan to
upgrade.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Export Panorama and devices config bundle (Panorama > Setup > Operations) to
generate and export the latest configuration backup of Panorama and of each managed
appliance.
2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 4 | Determine which content updates you need to install. Refer to Release Notes for the
minimum content release version you must install for a PAN-OS® release.

Palo Alto Networks highly recommends that Panorama, Log Collectors, and all
managed firewalls run the same content release version.

For each content update, determine whether you need updates and take note of which
content updates you need to download in the following step.

Ensure that Panorama is running the same but not a later content release version than
is running on managed firewalls and Log Collectors.

STEP 5 | Determine the software upgrade path for the firewalls that you intend to update to
Panorama 11.1.
Log in to Panorama, select Panorama > Managed Devices, and note the current Software
Version for the firewalls you intend to upgrade.

Review the PAN-OS Upgrade Checklist, the known issues and changes to default
behavior in the Release Notes and Upgrade/Downgrade Considerations for each
release through which you pass as part of your upgrade path.

STEP 6 | (Optional) Upgrade your managed firewalls to PAN-OS 10.1.


The skip software version upgrade feature supports managed firewalls running PAN-OS 10.1
or later releases. If your managed firewalls are on PAN-OS 10.0 or an earlier release, first
upgrade to PAN-OS 10.1 or a later release.

STEP 7 | Perform a validation check of the release.


In this step, you’re able to view the intermediate software and content images required to
upgrade to 11.1.
1. Select Panorama > Device Deployment > Software > Action > Validate.
2. View the intermediate software and content versions you need to download.

STEP 8 | Download the content and software updates to a host that can connect and upload the files
to Panorama or a configured SCP server either over SCP or HTTPS.
By default, you can upload a maximum of two software or content updates of each type to
a Panorama appliance. If you download a third update of the same type, Panorama will
delete the update for the earliest version of that type. If you need to upload more than two
software updates or content updates of a single type, use the set max-num-images count
<number> CLI command to increase the maximum number of images that Panorama can
store.
1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
   web site.
2. Download content updates:
   1. Click Dynamic Updates in the Resources section.
   2. Download the latest content release version (or, at a minimum, the same or a later
      version than you will install or is running on the Panorama management server) and
      save the file to the host; repeat for each content type you need to update.
3. Download software updates:
   1. Return to the main page of the Palo Alto Networks Customer Support web site and
      click Software Updates in the Resources section.
   2. Review the Download column to determine which versions you need to install. The
      filename of the update packages indicates the model. For example, to upgrade a
      PA-440 and PA-5430 firewall to PAN-OS 11.1.0, download the PanOS_440-11.1.0
      and PanOS_5430-11.1.0 images.

      You can quickly locate specific PAN-OS images by selecting PAN-OS for the
      PA-<series/model> from the Filter By drop-down.
4. Click the appropriate filename and save the file to the host.

STEP 9 | Download the intermediate software versions and latest content version.
On PAN-OS 11.0, you are able to download multiple intermediate releases using the multi-
image download capability.
1. Select the firewalls you want to upgrade (Required Deployments > Deploy).
2. Select a download source and click Download.

STEP 10 | Install content updates on managed firewalls.

You must install content updates before software updates.

Install the Applications or Applications and Threats update first and then install any other
updates (Antivirus, WildFire®, or URL Filtering) as needed, one at a time, and in any sequence.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Click Upload, select the update Type, Browse to the appropriate content update file, and
click OK.
3. Click Install From File, select the update Type, and select the File Name of the content
update you just uploaded.
4. Select the firewalls on which to install the update.
5. Click OK to start the installation.
6. Repeat these steps for each content update.

STEP 11 | (Firewalls serving as GlobalProtect™ portals only) Upload and activate a GlobalProtect
agent/app software update on firewalls.

You activate the update on firewalls so that users can download it to their endpoints
(client systems).

1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
website.
2. Download the appropriate GlobalProtect agent/app software update.
3. On Panorama, select Panorama > Device Deployment > GlobalProtect Client.
4. Click Upload, Browse to the appropriate GlobalProtect agent/app software update on
the host to which you downloaded the file, and click OK.
5. Click Activate From File and select the File Name of the GlobalProtect agent/app
update you just uploaded.

You can activate only one version of agent/app software at a time. If you
activate a new version but some agents require a previous version, you will have
to reactivate the earlier version again for those agents to download the previous
update.
6. Select the firewalls on which to activate the update.
7. Click OK to activate.

STEP 12 | Install PAN-OS 11.1.

To avoid downtime when updating the software on high availability (HA) firewalls,
update one HA peer at a time.
For active/active firewalls, it doesn’t matter which peer you update first.
For active/passive firewalls, you must update the passive peer first, suspend the active
peer (fail over), update the active peer, and then return the active peer to a functional
state (fail back).

(SD-WAN only) To preserve an accurate status for your SD-WAN links, you must
upgrade your hub firewalls to PAN-OS 11.1 before you upgrade your branch firewalls.
Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data
(Panorama > SD-WAN > Monitoring) and cause SD-WAN links to erroneously display as
down.

1. Perform the steps that apply to your firewall configuration to install the PAN-OS
software update you just uploaded.
• Non-HA firewalls—Click Install in the Action column, select all the firewalls you are
upgrading, select Reboot device after install, and click OK.
• Active/active HA firewalls:
1. Confirm that the preemption setting is disabled on the first peer that you intend
to upgrade (Device > High Availability > Election Settings). If enabled, then edit
Election Settings and disable (clear) the Preemptive setting and Commit your

PAN-OS Upgrade Guide Version 11.1 & later 96 ©2024 Palo Alto Networks, Inc.
Upgrade Panorama

change. You need only disable this setting on one firewall in each HA pair but
ensure that the commit is successful before you proceed.
2. Click Install, disable (clear) Group HA Peers, select either HA peer, select Reboot
device after install, and click OK. Wait for the firewall to finish rebooting before
you proceed.
3. Click Install, disable (clear) Group HA Peers, select the HA peer that you didn’t
update in the previous step, Reboot device after install, and click OK.
• Active/passive HA firewalls—In this example, the active firewall is named fw1 and the
passive firewall is named fw2:
1. Confirm that the preemption setting is disabled on the first peer that you intend
to upgrade (Device > High Availability > Election Settings). If enabled, then edit
Election Settings and disable (clear) the Preemptive setting and Commit your
change. You need only disable this setting on one firewall in each HA pair but
ensure that the commit is successful before you proceed.
2. Click Install in the Action column for the appropriate update, disable (clear) Group
HA Peers, select fw2, Reboot device after install, and click OK. Wait for fw2 to
finish rebooting before you proceed.
3. After fw2 finishes rebooting, verify on fw1 (Dashboard > High Availability) that
fw2 is still the passive peer (the Local firewall state is active and the Peer—fw2—
is passive).
4. Access fw1 and Suspend local device (Device > High Availability > Operational
Commands).
5. Access fw2 (Dashboard > High Availability) and verify that the Local firewall state
is active and the Peer is suspended.
6. Access Panorama, select Panorama > Device Deployment > Software, click
Install in the Action column for the appropriate release, disable (clear) Group HA
Peers, select fw1, Reboot device after install, and click OK. Wait for fw1 to finish
rebooting before you proceed.
7. Access fw1 (Device > High Availability > Operational Commands), click Make local
device functional, and then wait two minutes before you proceed.
8. On fw1 (Dashboard > High Availability), verify that the Local firewall state is
passive and the Peer (fw2) is active.

STEP 13 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a managed firewall in FIPS-CC mode requires you to reset the secure connection
status if you added the Dedicated Log Collector to Panorama management while the managed
firewall was running a PAN-OS 11.1 release.
You do not need to re-onboard the managed firewall added to Panorama management while
the managed firewall was running a PAN-OS 10.0 or earlier release.

STEP 14 | Verify the software and content versions that are installed on each managed firewall.
1. Select Panorama > Managed Devices.
2. Locate the firewall and review the values in the Software Version, Apps and Threat,
Antivirus, URL Filtering, and GlobalProtect Client columns.

STEP 15 | If you disabled preemption on one of your HA firewalls before you upgraded, then edit the
Election Settings (Device > High Availability) and re-enable the Preemptive setting for that
firewall.

STEP 16 | On the Panorama web interface, push the entire Panorama managed configuration to your
managed firewalls.
This step is required to enable selective commit and push of device group and template stack
configuration changes from Panorama to your managed firewalls.
This is required to successfully push configuration changes to multi-vsys firewalls managed
by Panorama after successful upgrade to PAN-OS 11.1. For more information, see the change
to default behavior for shared configuration objects for multi-vsys firewalls managed by
Panorama.
1. Select Commit > Push to Devices.
2. Push.

STEP 17 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1, it is required that all certificates meet the following minimum
requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.
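
One way to find certificates that miss these minimums before you upgrade, as an added Python example that is not part of the Palo Alto Networks guide: it audits the text printed by `openssl x509 -noout -text` for each exported certificate. The function names and the three sample dumps are constructed for illustration.

```python
import re

# Minimums stated in STEP 17: RSA >= 2048 bits, ECDSA >= 256 bits, digest >= SHA256.
MIN_KEY_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 256}
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}
MIN_DIGEST_BITS = 256
DIGEST_RE = re.compile(r"md5|sha1|sha224|sha256|sha384|sha512", re.IGNORECASE)


def audit_certificate_text(text):
    """Check one `openssl x509 -noout -text` dump; return a list of findings.

    An empty list means the certificate meets the stated minimums.
    """
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3.x "Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (sig and key_alg and bits):
        return ["unparseable: signature algorithm, key algorithm or key size not found"]

    findings = []
    alg, size = key_alg.group(1), int(bits.group(1))
    minimum = MIN_KEY_BITS.get(alg)
    if minimum is None:
        findings.append(f"key type {alg} is neither RSA nor ECDSA: review manually")
    elif size < minimum:
        findings.append(f"{alg} key is {size} bits, minimum is {minimum}")

    # Algorithm names that carry no digest (for example rsassaPss) go to manual review.
    digest = DIGEST_RE.search(sig.group(1))
    if digest is None:
        findings.append(f"no digest named in {sig.group(1)}: review manually")
    elif DIGEST_BITS[digest.group(0).lower()] < MIN_DIGEST_BITS:
        findings.append(f"signature digest {digest.group(0).lower()} is weaker than sha256")
    return findings


def audit_all(dumps):
    """Map certificate name -> findings, keeping only certificates that need action."""
    report = {}
    for name, text in dumps.items():
        findings = audit_certificate_text(text)
        if findings:
            report[name] = findings
    return report


# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_RSA_OK = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = panorama.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_LEGACY = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = old-portal.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
SAMPLE_EC_OK = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Subject: CN = fw1.example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""

if __name__ == "__main__":
    samples = {"panorama": SAMPLE_RSA_OK, "old-portal": SAMPLE_LEGACY, "fw1": SAMPLE_EC_OK}
    for name, findings in audit_all(samples).items():
        print(name, "->", "; ".join(findings))
```

Any certificate the audit reports is a candidate for regeneration or re-import under this step.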

STEP 18 | View the software upgrade history of the firewall.


1. Log into the Panorama interface.
2. Go to Panorama > Managed Devices > Summary and click Device History.

Upgrade a ZTP Firewall


After you successfully add a ZTP firewall to the Panorama™ management server, configure the
target PAN-OS version of the ZTP firewall. After the ZTP firewall successfully connects to
Panorama for the first time, Panorama checks whether the PAN-OS version installed on the ZTP
firewall is greater than or equal to the configured target PAN-OS version. If the PAN-OS version
installed on the ZTP firewall is less than the target PAN-OS version, then the ZTP firewall enters
an upgrade cycle until the target PAN-OS version is installed.
STEP 1 | Log in to the Panorama Web Interface as an admin user.

STEP 2 | Add a ZTP Firewall to Panorama.

STEP 3 | Select Panorama > Device Deployment > Updates and Check Now for the latest PAN-OS
releases.

STEP 4 | Select Panorama > Managed Devices > Summary and select one or more ZTP firewalls.

STEP 5 | Reassociate the selected ZTP firewall(s).

STEP 6 | Check (enable) Auto Push on 1st Connect.

STEP 7 | In the To SW Version column, select the target PAN-OS version for the ZTP firewall.

STEP 8 | Click OK to save your configuration changes.

STEP 9 | Select Commit and Commit to Panorama.

STEP 10 | Power on the ZTP firewall.


When the ZTP firewall connects to Panorama for the first time, it automatically upgrades to
the PAN-OS version you selected.
• Panorama running PAN-OS 11.1.0—If you are upgrading managed firewalls across PAN-OS
major or maintenance releases, the intermediary PAN-OS releases on your upgrade path are
installed first before the target PAN-OS release is installed.
For example, you configured the target To SW Version for the managed firewall as PAN-OS
11.1.0 and the firewall is running PAN-OS 10.2. On first connection to Panorama, PAN-OS
11.0.0 is installed on the managed firewall first. After PAN-OS 11.0.0 successfully installs,
the firewall is automatically upgraded to the target PAN-OS 11.1.0 release.
• Panorama running PAN-OS 11.0.1 and later releases—If you are upgrading managed
firewalls across PAN-OS major or maintenance releases, the intermediary PAN-OS
major releases on your upgrade path are installed and the base PAN-OS major release is
downloaded before the target PAN-OS maintenance release is installed.
For example, you configured the target To SW Version for the managed firewall as PAN-OS
11.0.1 and the firewall is running PAN-OS 10.0. On first connection to Panorama, PAN-OS
10.1.0 and PAN-OS 10.2.0 are installed on the managed firewall. After the managed firewall
reboots, PAN-OS 11.0.0 is downloaded and then the firewall automatically installs to the
target PAN-OS 11.0.1 release.
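
The multi-hop behavior in the two examples above can be modeled as follows. This is an added Python sketch, not Palo Alto Networks code: it generalizes the two worked examples and also checks a manually planned path against the rule that feature releases cannot be skipped. The function names and the FEATURE_RELEASES list (limited to releases this guide names) are assumptions of the sketch.

```python
import re

# PAN-OS feature releases in order, limited to the ones this guide names.
FEATURE_RELEASES = ["9.1", "10.0", "10.1", "10.2", "11.0", "11.1", "11.2"]
VERSION_RE = re.compile(r"(\d+\.\d+)(?:\.(\d+))?(?:-h(\d+))?")


def parse_version(version):
    """Turn '11.0.1', '10.2' or '11.1.2-h3' into a sortable tuple.

    Returns (feature index, maintenance number, hotfix number, feature name).
    """
    match = VERSION_RE.fullmatch(version.strip())
    if not match or match.group(1) not in FEATURE_RELEASES:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    feature = match.group(1)
    return (FEATURE_RELEASES.index(feature), int(match.group(2) or 0),
            int(match.group(3) or 0), feature)


def plan_ztp_upgrade(installed, target):
    """List the (action, version) steps between the installed and target release.

    Model used here (an assumption drawn from the guide's two examples):
    the base image of every intermediate feature release is installed, and a
    maintenance-release target needs its feature base downloaded first.
    """
    cur = parse_version(installed)
    tgt = parse_version(target)
    if cur[:3] >= tgt[:3]:
        return []  # installed version is already >= target: no upgrade cycle
    steps = [("install", f"{feature}.0")
             for feature in FEATURE_RELEASES[cur[0] + 1:tgt[0]]]
    target_is_base = tgt[1] == 0 and tgt[2] == 0
    if tgt[0] > cur[0] and not target_is_base:
        steps.append(("download", f"{tgt[3]}.0"))
    steps.append(("install", target.strip()))
    return steps


def skipped_feature_releases(hops):
    """For a manually planned path (versions in order), list skipped feature releases."""
    indexes = [parse_version(v)[0] for v in hops]
    skipped = []
    for prev, nxt in zip(indexes, indexes[1:]):
        skipped.extend(FEATURE_RELEASES[prev + 1:nxt])
    return skipped


if __name__ == "__main__":
    # The guide's two examples, then a manual path that jumps over two feature releases.
    print(plan_ztp_upgrade("10.2", "11.1.0"))
    print(plan_ztp_upgrade("10.0", "11.0.1"))
    print(skipped_feature_releases(["10.1.14", "11.1.4"]))
```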

STEP 11 | Verify the ZTP firewall software upgrade.


1. Log in to the Panorama Web Interface.
2. Select Panorama > Managed Devices > Summary and navigate to the ZTP firewall(s).
3. Verify the Software Version column displays the correct target PAN-OS release.

STEP 12 | For all future PAN-OS upgrades, see Upgrade the Firewall to PAN-OS 11.1 from Panorama.

Install a PAN-OS Software Patch


Where Can I Use This?
• Panorama-managed Next-Gen firewall
  CN-Series firewalls are not supported
• Panorama-managed WildFire appliance

What Do I Need?
Device management license
Support license
PAN-OS 11.1.3 or later 11.1 release
Outbound internet access

Review the PAN-OS 11.1 Release Notes and then use the following procedure to install a
PAN-OS software patch from your Panorama™ management server to address bugs and Common
Vulnerabilities and Exposures (CVEs) in the PAN-OS release currently running on your managed
devices. Installing a PAN-OS software patch applies fixes to bugs and CVEs without the need
to schedule a prolonged maintenance window and allows you to strengthen your security posture
immediately without introducing any new known issues or changes to default behaviors that may
come with installing a new PAN-OS release. Additionally, you can revert the currently installed
software patch to uninstall the bug and CVE fixes applied when you installed the software patch.
A system log is generated (Monitor > Logs > System) when a PAN-OS software patch is installed
or reverted. An outbound internet connection is required to download the PAN-OS software
patch from the Palo Alto Networks Customer Support Portal. For air-gapped managed devices,
Panorama must still have internet access to download the PAN-OS software patch, but an
outbound internet connection is not required to install and apply it to the managed devices.
• Install
• Revert

Install
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Device Deployment > Software and Check Now to retrieve the latest
PAN-OS software patches from the Palo Alto Networks Update Server.

STEP 3 | Check (enable) Include Patch to display all available PAN-OS software patches.

STEP 4 | Locate the software patch for the PAN-OS release currently installed on your managed
devices.
A software patch is denoted by a Patch label displayed alongside the Version name.

STEP 5 | View More Info to review the software patch details such as the critical bug and CVE fixes
and whether your managed devices need to be restarted for the fixes to be applied.

STEP 6 | Download the software patch.


(HA only) Check (enable) Sync to HA Peer and Continue Download to download the PAN-OS
software patch.
Click Close after the software patch has successfully downloaded.

STEP 7 | Install the software patch.


After the software patch has successfully installed, click Close.

STEP 8 | Select the managed devices on which you want to install the PAN-OS software patch and
click OK.
(HA only) If you are installing a software patch on a pair of managed devices in a high
availability (HA) configuration, you must select and install the software patch on both HA
peers.

STEP 9 | Apply the software patch.


Click Apply when prompted to confirm you want to apply the installed PAN-OS software
patch to your managed devices.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, the firewall automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to your managed devices.

Revert
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Device Deployment > Software and Check Now to retrieve the latest
PAN-OS software patches from the Palo Alto Networks Update Server.

STEP 3 | Revert the software patch.

STEP 4 | Select the managed devices for which you want to revert the PAN-OS software patch and
click OK.
Only eligible managed devices are displayed.
(HA only) If you are installing a software patch on a pair of managed devices in a high
availability (HA) configuration, you must select and install the software patch on both HA
peers.

STEP 5 | Click Revert when prompted to confirm you want to revert the installed PAN-OS software
patch from the selected managed devices.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, the firewall automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to Panorama.

Revert Content Updates from Panorama


Panorama™ allows you to quickly revert the Applications, Applications and Threats, Antivirus,
WildFire®, and WildFire content versions on one or more firewalls, Log Collectors, or WildFire
appliances directly from Panorama. Use Panorama to revert content versions installed on
managed devices to leverage a centralized workflow that helps mitigate any risk associated with
the introduction or modification of applications or new threat signatures in a content update.
Panorama generates a system log for each device when you revert content. Make sure that
you use Best Practices for Applications and Threats Content Updates when you deploy content
updates to your managed devices.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Device Deployment > Dynamic Updates and Revert Content.

STEP 3 | Select the content type you need to revert.

STEP 4 | Select one or more firewalls on which to revert content and click OK. The content version
you revert to must be an older version than the version currently installed on the device.

Upgrade PAN-OS
• PAN-OS Upgrade Checklist
• Upgrade/Downgrade Considerations
• Upgrade the Firewall to PAN-OS 11.1
• Upgrade the Firewall to PAN-OS 11.1 from Panorama
• Install a PAN-OS Software Patch
• Downgrade PAN-OS
• Troubleshoot Your PAN-OS Upgrade


PAN-OS Upgrade Checklist


Planning your PAN-OS upgrade can help ensure a smoother transition to a newer version of
PAN-OS for your Panorama or firewalls.
• Make sure the device is registered and licensed.
• Verify the available disk space.
  The disk space required varies based on the PAN-OS release. Select Device > Software and
  review the target PAN-OS release Size to determine the required disk space.
  Run show system disk-space
• Verify the minimum content release version.
• Identify the preferred release.
  • (PAN-OS 11.1.3 and later releases)
    Select Device > Software. By default, the Release Type column displays the preferred
    and base releases. To view the preferred releases only, disable (clear) the Base Releases
    checkbox.
  • (PAN-OS 11.1.3 and later releases)
    Run request system software info preferred
  See the Palo Alto Networks Support Software Release Guidance and End-of-Life Summary
  for more information. Additionally, review the known and addressed issues, upgrade and
  downgrade considerations, and limitations for your target PAN-OS release to understand how
  a PAN-OS upgrade may impact you.
• Determine the upgrade path.
  When you upgrade from one PAN-OS feature release version to a later feature release,
  you cannot skip the installation of any feature release versions in the path to your
  target release.
• Review the upgrade/downgrade considerations for all releases in your upgrade path.
• (Required for GlobalProtect) Verify the minimum GlobalProtect™ agent version to prevent
  GlobalProtect users from losing VPN connectivity. GlobalProtect can be upgraded directly to
  the latest version.
• Verify the minimum plugin release versions on the target release version for any plugins you
  have installed.
• Verify connectivity from the management interface to the update server.
  Select Device > Troubleshooting and test the Update Server Connectivity to check that the
  DNS can resolve the address.
  If it doesn’t resolve, change the DNS to 8.8.8.8 (you need to use a public DNS server
  rather than your own DNS server) and ping again.
  If this doesn’t resolve, change the update server to
  staticupdates.paloaltonetworks.com and Commit.
• (SD-WAN only) Identify the hub and branch firewalls you intend to upgrade to PAN-OS 11.1.
  To preserve an accurate status for your SD-WAN links, you must upgrade your hub firewalls to
  PAN-OS 11.1 before you upgrade your branch firewalls. Upgrading branch firewalls before hub
  firewalls may result in incorrect monitoring data (Panorama > SD-WAN > Monitoring) and cause
  SD-WAN links to erroneously display as down.
• If there are any plugins currently installed, download the plugin version supported on
  PAN-OS 11.1 for all plugins currently installed on Panorama (Panorama > Plugins) or your
  firewall (Device > Plugins) before upgrade.
  See the Panorama Plugins Compatibility Matrix for the Panorama plugin version supported on
  PAN-OS 11.1.
  This is required to successfully upgrade Panorama and firewall to PAN-OS 11.1. The
  downloaded plugin version is automatically installed during upgrade to PAN-OS 11.1. Upgrade
  to PAN-OS 11.1 is blocked if the supported plugin version is not downloaded.

Upgrade/Downgrade Considerations
The following table lists the new features that have upgrade or downgrade impact. Make sure you
understand all upgrade/downgrade considerations before you upgrade to or downgrade from a
PAN-OS 11.1 release or a later release. For additional information about PAN-OS 11.1 and later
releases, refer to the PAN-OS Release Notes.

Feature Upgrade Considerations Downgrade Considerations

Feature: NGFW Clustering (PAN-OS 11.1.5)
Upgrade Considerations: When you upgrade from a PAN-OS 11.1.3 release to a PAN-OS 11.1.5 or
later release, upgrade the PA-7500 Series firewalls in an NGFW cluster in parallel, not
individually. Upgrading the devices in parallel avoids a split-brain scenario.
Downgrade Considerations: None

Feature: IPv6 Support on Cellular Interfaces for PA-415-5G Firewalls (PAN-OS 11.2.3)
(PAN-OS 11.1.5)
Upgrade Considerations: None
Downgrade Considerations: Before downgrading a PA-415-5G firewall to a release earlier than
PAN-OS 11.2.3 or earlier than PAN-OS 11.1.5, if you have an IPv6 address configured on a
cellular interface, configure the interface with an IPv4 address and remove the IPv6 address.
Otherwise, the firewall blocks the downgrade.

Feature: NPTv6 with Dynamically Assigned IPv6 Address Prefix
Upgrade Considerations: None
Downgrade Considerations: Before downgrading to a release earlier than PAN-OS 11.1.5, disable
NPTv6 on an interface that has a dynamically assigned IPv6 address or remove the
configuration. (The downgrade block is unavailable between PAN-OS 11.1.5 and 11.1.0;
therefore, the image downgrade succeeds, but auto commit fails.)


Feature: IKE Gateway with Dynamic IPv6 Address Assignment
Upgrade Considerations: None
Downgrade Considerations: If you downgrade to a release that doesn't support IKE gateway with
dynamic IPv6 address assignment (a release earlier than PAN-OS 11.1.5), the NGFW disables the
IPSec tunnel. You must load a supported configuration to match the PAN-OS version to which
you downgraded.

Feature: Overlapping IP Address Support
Upgrade Considerations: None
Downgrade Considerations: A downgrade attempt to a release earlier than PAN-OS 11.1.4 will be
blocked when Duplicate IP Address Support is enabled. An error message will appear upon a
downgrade attempt:
Failed to downgrade. Duplicate IP address is not supported in older versions. Please remove
all duplicate IP address configuration, disable Duplicate IP Address Support, and commit
before proceeding with the downgrade.

Feature: Advanced Routing Engine (PAN-OS 11.2.0)
Upgrade Considerations: In PAN-OS 11.2.0, when Advanced Routing is enabled, IP multicast is
not supported. An upcoming version will provide support for this feature. Customers who have
multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0.
Additionally, in PAN-OS 11.2.0, when Advanced Routing is enabled, the BGP dampening
configuration isn't applied to any peers or peer group; the configuration is preserved but
has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to
a specific set of peers. The issue doesn't affect any other BGP features.
Downgrade Considerations: None

Feature: Authenticate LSVPN Satellite with Serial Number and IP Address Method (PAN-OS 11.1.3
and later releases)
Upgrade Considerations: PAN-OS stores the configuration changes in the database internally.
Therefore, the latest saved configuration is applied when you upgrade to this feature.
After you upgrade from PAN-OS 10.0 or earlier releases to PAN-OS 10.1 and later releases
(with Username/password and Satellite Cookie Authentication method enabled), and if the
satellite cookie expires, it will result in a login failure.
In this case, you should enter the username and password for successful authentication.
Downgrade Considerations:
• If you downgrade to PAN-OS 10.1 and later releases, only Username/password and Satellite
  Cookie Authentication method will be supported.
• If you download and install a minor version of the plugin and then decide to downgrade to
  another minor version of the same release, the configuration done on the minor version
  before downgrade, will take into effect on the downgraded minor version of the same release.
  PAN-OS stores the configuration changes in the database internally. Therefore, the latest
  saved configuration is applied when you downgrade from this feature.
  For example, if you have installed SD-WAN plugin 11.1.5 with a configuration
  (configuration 1), and then you decide to downgrade to another minor version of the same
  release, 11.1.4 with a different configuration (configuration 2). In this case, the
  configuration of the minor version (before the downgrade), that is configuration 1, will
  take effect on the downgraded minor version, 11.1.4.

Feature: Authenticate LSVPN Satellite with Serial Number and IP Address Method (continued)
Upgrade Considerations: After you upgrade from PAN-OS 10.0 or earlier releases/PAN-OS 10.1
and later release to PAN-OS 11.1.3, consider the following:
• If you’ve disabled Serial number and IP Address Authentication method and the satellite
  cookie expires, it will result in a login failure. In this case, the administrator should
  enter the username and password for successful authentication.
• If you’ve enabled Serial number and IP Address Authentication method and the satellite
  serial number is registered with the GlobalProtect portal and the IP address is present in
  the IP allow list, then the login will be successful.
• If you’ve enabled Serial number and IP Address Authentication method, but the satellite
  serial number is not registered with the GlobalProtect portal, or the IP address is not
  present in the IP allow list, then the login fails. In this case, the firewall does not fall
  back to any other authentication method and results in an authentication failure. In the
  case of authentication failure, the satellite will wait until the configured retry interval
  is elapsed before attempting to authenticate again. Ensure that the satellite serial number
  is registered with the portal correctly and the satellite IP address is present in the IP
  allow list for successful authentication.
Downgrade Considerations:
• If you downgrade to PAN-OS releases earlier than 10.1, only serial number authentication
  method is supported.
• If you downgrade to PAN-OS releases later than 10.1 and earlier than 10.2.8,
  Username/password and Satellite Cookie Authentication method is supported.
• If you downgrade to PAN-OS 10.2.8 and later 10.2 releases, both 'Username/password and
  Satellite Cookie Authentication' and 'Serial number and IP address Authentication' methods
  are supported.

Feature: Per Policy Persistent DIPP
Upgrade Considerations: When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to
11.1.1, regular DIPP NAT rules should be converted to persistent DIPP NAT rules, but that
conversion fails and the rules remain as regular DIPP NAT rules.
Downgrade Considerations: When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to
11.0.0, per policy persistent DIPP NAT rules are converted to regular DIPP NAT rules.

Feature: TLSv1.3 Support for GlobalProtect
Upgrade Considerations: If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with
Max Version set to Max in the SSL/TLS service profile, the TLS version will be replaced with
TLSv1.2 after the upgrade.
If you upgrade to a later PAN-OS version from PAN-OS 11.1 with Max Version set to
<TLS Version> in the SSL/TLS service profile, the TLS version will remain with the configured
<TLS Version> after the upgrade. There is no replacement of the versions as the versions are
already configured in 11.1.x itself.
Downgrade Considerations: If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS
version, the TLSv1.3 will be replaced with TLSv1.2 after you downgrade. The downgrade will
succeed but auto commit will fail if you had selected TLS v1.3 aes-chacha20-poly1305 cipher,
in PAN-OS 11.1 that is not supported in the earlier PAN-OS versions. You must add or replace
the appropriate supported ciphers to the downgraded version and commit the changes manually.

Feature: Upgrading the VM-50 and VM-50L
Upgrade Considerations: Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, the
minimum plugin versions are required to be installed before you begin upgrading:
• Upgrading from PAN-OS 10.2—Minimum plugin version required is 3.0.6
• Upgrading from PAN-OS 11.0—Minimum plugin version required is 4.0.3-h1.
Downgrade Considerations: None.

Feature: VM-Series Firewalls
Upgrade Considerations: When upgrading VM-Series firewalls from PAN-OS versions 10.1.x
through 11.1.x, you must upgrade the VM-Series plugin version to later than 2.1.6 on all
10.1.x firewalls before performing the upgrade to avoid HA issues.
Downgrade Considerations: None.

Feature: Collector Groups
Upgrade Considerations: All logs generated while running a PAN-OS 10.0 or earlier release are
deleted on upgrade to PAN-OS 11.1.1.
To recover logs generated in PAN-OS 11.0 or earlier release, you must upgrade to PAN-OS
11.1.2 or later release where you can manually recover all impacted logs using CLI commands
provided by Palo Alto Networks.
Downgrade Considerations: Downgrade is not recommended. If you choose to downgrade from 11.1,
all logs generated in PAN-OS 11.1 are deleted and need to be manually recovered. To recover
logs generated in 11.1, you must:
1. Upgrade to PAN-OS 11.1.2 or later 11.1 release.
   This is required to successfully recover impacted logs.
2. Log in to the Log Collector CLI and delete all esdata directories.
   admin> debug elasticsearch erase data
3. Downgrade to your target PAN-OS version.
4. Commit and push the changes to the Collector Group and all managed devices.
5. Log in to the Log Collector CLI and recover the impacted logs.
   admin> debug logdb migrate-lc start log-type all
   If you have already downgraded from PAN-OS 11.1 and ElasticSearch is caught in a restart
   loop, please contact Palo Alto Networks Support

Feature: Collector Groups (continued)
Upgrade Considerations: All Log Collectors in a Collector Group must be upgraded at the same
time. Upgrading some, but not all Log Collectors, in a Collector Group during an upgrade
window is not supported.
Downgrade Considerations: None.

Feature: Collector Groups (continued)
Upgrade Considerations: Log Collectors running PAN-OS 11.1 must be onboarded using the device
registration authentication for inter-Log Collector communication.
On your upgrade path to PAN-OS 11.1, Log Collectors added to Panorama management when running
PAN-OS 9.1 or earlier release must first be upgraded to PAN-OS 10.1 or later release and
re-onboarded to Panorama management using the device registration authentication key.
Upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to Panorama management without
the device registration authentication key are detected.
Downgrade Considerations: None.

Feature: Collector Groups (continued)
Upgrade Considerations: If you are using Collector Groups, the following requirements must be
met to upgrade to 11.1.0.
• You must perform a manual Collector Group push after the upgrade to 11.1 to upgrade managed
  log collectors.
  PAN-OS requires all log collectors within a Collector Group to be on the same version.
• You must register your log collectors with Panorama using a device registration
  authentication key.
  If the device registration authentication key does not initialize correctly, it fails to
  form the connections to the peer nodes.
Downgrade Considerations: None.

Feature: Collector Groups (continued)
Upgrade Considerations: After upgrading Log collectors to PAN-OS 11.1, the following TCP ports
are now required for inter-Log Collector communication and must be opened on your network.
• TCP/9300
• TCP/9301
• TCP/9302
Downgrade Considerations: None.

Feature: Pan Service Proxy
Upgrade Considerations: None.
Downgrade Considerations: Downgrading a next-generation firewall from PAN-OS 11.1 will fail if
it has pan service proxy enabled. To downgrade successfully, disable pan service proxy before
you downgrade.
Next-generation firewall: Select Network > Proxy, click the settings icon for Proxy
Enablement, choose None, and then click OK.
Panorama: Templates > Network > Proxy, click the settings icon for Proxy Enablement, choose
None, and then click OK.

Feature: Authentication sequence
Upgrade Considerations: When you upgrade to PAN-OS 11.1.1, the Exit the sequence on failed
authentication option is no longer dependent on the Use domain to determine authentication
profile option.
Downgrade Considerations: If you select the Exit the sequence on failed authentication option,
downgrading from PAN-OS 11.1.1 to a previous version is not successful unless the Exit the
sequence on failed authentication option is not selected or unless both the Exit the sequence
on failed authentication option and the Use domain to determine authentication profile option
are selected.

Feature: Panorama Management of Multi-Vsys Firewalls
Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only
Upgrade Considerations: Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 11.0
using Skip Software Version Upgrade:
• Delete or rename any locally configured firewall Shared object that has an identical name
  to an object in the Panorama Shared configuration. Otherwise, configuration pushes from
  Panorama fail after the upgrade and display the error <object-name> is already in use.
• Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all
  vsys configurations should be managed by Panorama.
  This helps avoid commit failures on the managed multi-vsys firewall and allows you to take
  advantage of optimized shared object pushes from Panorama.
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2 using Skip
Software Version Upgrade, the firewalls become out-of-sync on Panorama and a full commit and
push is required.
On Panorama, select Commit and Push to Devices the entire Panorama managed configuration to
the multi-vsys firewall before you commit and push any configuration changes from Panorama.
Downgrade Considerations: None.

Feature: (PAN-OS 11.2) TLSv1.3 Support for HSM Integration with SSL Inbound Inspection
Upgrade Considerations: None.
Downgrade Considerations: Downgrading from PAN-OS 11.2 to an earlier version removes support
for the establishment and decryption of TLSv1.3 sessions when the private keys of internal
servers are stored on an HSM. Even if both client and server support TLSv1.3, the appliance
establishes a TLSv1.2 connection.

Upgrade the Firewall to PAN-OS 11.1


How you upgrade to PAN-OS 11.1 depends on whether you have standalone firewalls or firewalls
in a high availability (HA) configuration and, for either scenario, whether you use Panorama to
manage your firewalls. Review the PAN-OS 11.1 Release Notes and then follow the procedure
specific to your deployment:
• Determine the Upgrade Path to PAN-OS 11.1
• Upgrade the Firewall to PAN-OS 11.1 from Panorama
• Upgrade a Standalone Firewall
• Upgrade an HA Firewall Pair

When upgrading firewalls that you manage with Panorama or firewalls that are configured
to forward content to a WildFire appliance, you must first upgrade Panorama and its Log
Collectors and then upgrade the WildFire appliance before you upgrade the firewalls.
Additionally, it is not recommended to manage firewalls running a later maintenance
release than Panorama as this may result in features not working as expected. For
example, it is not recommended to manage firewalls running PAN-OS 10.1.1 or later
maintenance releases if Panorama is running PAN-OS 10.1.0.

Determine the Upgrade Path to PAN-OS 11.1


For Panorama, standalone devices, or Panorama managed devices running PAN-OS 10.1 or earlier
releases, the recommended upgrade path includes installing the latest maintenance release in
each release version before you download the base image for the next feature release version. To
minimize downtime for your users, perform upgrades during non-business hours.

For manual upgrades, Palo Alto Networks recommends installing and upgrading from the
latest maintenance release for each PAN-OS release along your upgrade path. Do not
install the PAN-OS base image for a feature release unless it is the target release you want
to upgrade to.

Determine the upgrade path as follows:


STEP 1 | Identify which version is currently installed.
• From Panorama, select Panorama > Managed Devices and check the Software Version on
the firewalls you plan to upgrade.
• From the firewall, select Device > Software and check which version has a check mark in
the Currently Installed column.

STEP 2 | (PAN-OS 11.1.3 and later releases) View the preferred releases.
• From Panorama, click Panorama > Software, and disable (clear) the Base Releases
checkbox.
• From the firewall, click Device > Software, and disable (clear) the Base Releases checkbox.


STEP 3 | Identify the upgrade path:

Review the known issues and changes to default behavior in the Release Notes and
Upgrade/Downgrade Considerations for each release through which you pass as
part of your upgrade path.

Installed PAN-OS Version: 11.0.x
Recommended Upgrade Path to PAN-OS 11.1:
• If you are already running a PAN-OS 11.0 release, you can upgrade directly to PAN-OS 11.1.

Installed PAN-OS Version: 10.2.x
Recommended Upgrade Path to PAN-OS 11.1:
• If you are already running a PAN-OS 10.2 release, you can upgrade directly to PAN-OS 11.1.

Installed PAN-OS Version: 10.1.x
Recommended Upgrade Path to PAN-OS 11.1:
You can now use the Skip Software Version Upgrade feature to skip software versions when
upgrading your device from PAN-OS 10.1 or later releases.
• If you are already running a PAN-OS 10.1 release, you can upgrade directly to PAN-OS 11.1.
• If you are already running a PAN-OS 10.1 release, download and install the latest
preferred PAN-OS 10.1 maintenance release and reboot.
• Upgrade the Firewall to PAN-OS 10.2.

Installed PAN-OS Version: 10.0.x
Recommended Upgrade Path to PAN-OS 11.1:
• Download and install the latest preferred PAN-OS 10.0 maintenance release and reboot.
• Download PAN-OS 10.1.0.
• Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
You can now use the Skip Software Version Upgrade feature to skip software versions
when upgrading your device from PAN-OS 10.1 or later releases.
• Proceed to Upgrade the Firewall to PAN-OS 11.1.

Installed PAN-OS Version: 9.1.x
Recommended Upgrade Path to PAN-OS 11.1:
• Download and install the latest preferred PAN-OS 9.1 maintenance release and reboot.
• Download PAN-OS 10.0.0.
• Download and install the latest preferred PAN-OS 10.0 maintenance release and reboot.
• Download PAN-OS 10.1.0.
• Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
You can now use the Skip Software Version Upgrade feature to skip software versions
when upgrading your device from PAN-OS 10.1 or later releases.
• Proceed to Upgrade the Firewall to PAN-OS 11.1.

Installed PAN-OS Version: 9.0.x
Recommended Upgrade Path to PAN-OS 11.1:
• Download and install the latest preferred PAN-OS 9.0 maintenance release and reboot.
Review the upgrade/downgrade considerations before upgrading any Log Collectors to the
latest PAN-OS 9.0 maintenance release.
• Download PAN-OS 9.1.0.
• Download and install the latest preferred PAN-OS 9.1 maintenance release and reboot.
• Download PAN-OS 10.0.0.
• Download and install the latest preferred PAN-OS 10.0 maintenance release and reboot.
• Download PAN-OS 10.1.0.
• Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
You can now use the Skip Software Version Upgrade feature to skip software versions
when upgrading your device from PAN-OS 10.1 or later releases.
• Proceed to Upgrade the Firewall to PAN-OS 11.1.

Installed PAN-OS Version: 8.1.x
Recommended Upgrade Path to PAN-OS 11.1:
• Download and install the latest preferred PAN-OS 8.1 maintenance release and reboot.
• Download PAN-OS 9.0.0.
• Download and install the latest preferred PAN-OS 9.0 maintenance release and reboot.
Review the upgrade/downgrade considerations before upgrading any Log Collectors to the
latest PAN-OS 9.0 maintenance release.
• Download PAN-OS 9.1.0.
• Download and install the latest preferred PAN-OS 9.1 maintenance release and reboot.
• Download PAN-OS 10.0.0.
• Download and install the latest preferred PAN-OS 10.0 maintenance release and reboot.
• Download PAN-OS 10.1.0.
• Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
You can now use the Skip Software Version Upgrade feature to skip software versions
when upgrading your device from PAN-OS 10.1 or later releases.
• Proceed to Upgrade the Firewall to PAN-OS 11.1.

Upgrade a Standalone Firewall


Review the PAN-OS 11.1 Release Notes and then use the following procedure to upgrade a
firewall that is not in an HA configuration to PAN-OS 11.1.

If your firewalls are configured to forward samples to a WildFire appliance for analysis,
you must upgrade the WildFire appliance before upgrading the forwarding firewalls.

To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall
is connected to a reliable power source. A loss of power during an upgrade can make the
firewall unusable.


STEP 1 | Save a backup of the current configuration file.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Select Device > Setup > Operations and click Export named configuration snapshot.

2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.

3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 2 | (Optional) If you have enabled User-ID, after you upgrade, the firewall clears the current
IP address-to-username and group mappings so that they can be repopulated with the
attributes from the User-ID sources. To estimate the time required for your environment to
repopulate the mappings, run the following CLI commands on the firewall.
• For IP address-to-username mappings:
• show user user-id-agent state all
• show user server-monitor state all
• For group mappings: show user group-mapping statistics


STEP 3 | Ensure that the firewall is running the latest content release version.
Refer to the Release Notes for the minimum content release version you must install for a
PAN-OS 11.1 release. Make sure to follow the Best Practices for Applications and Threats
Content Updates.
1. Select Device > Dynamic Updates and see which Applications or Applications and
Threats content release version is Currently Installed.

2. If the firewall is not running the minimum required content release version or a later
version required for PAN-OS 11.1, click Check Now to retrieve a list of available updates.
3. Locate and Download the desired content release version.
After you successfully download a content update file, the link in the Action column
changes from Download to Install for that content release version.
4. Install the update.

STEP 4 | Determine the Upgrade Path to PAN-OS 11.1


Review the PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the
Release Notes and Upgrade/Downgrade Considerations for each release through which you
pass as part of your upgrade path.

STEP 5 | (Best Practices) If you are leveraging Strata Logging Service, install the device certificate.
The firewall automatically switches to using the device certificate for authentication with
Strata Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1.

If you do not install the device certificate prior to upgrade to PAN-OS 11.1, the firewall
continues to use the existing logging service certificates for authentication.


STEP 6 | Upgrade to PAN-OS 11.1.

If your firewall does not have internet access from the management port, you can
download the software image from the Palo Alto Networks Customer Support
Portal and then manually Upload it to your firewall.

1. Select Device > Software and click Check Now to display the latest PAN-OS updates.
Only the versions for the next available PAN-OS release are displayed. For example,
if PAN-OS 11.1 is installed on the firewall, then only PAN-OS 11.1 releases are
displayed.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox.
2. Select Panorama > Device Deployment > Software > Action > Validate to view all intermediate
software and content images required to upgrade to 11.1.0.
3. Download the intermediate software and content images.
4. After you download the image (or, for a manual upgrade, after you upload the image),
Install the image.
5. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and click
Reboot Device.

At this point, the firewall clears the User-ID mappings, then connects to the
User-ID sources to repopulate the mappings.
6. If you have enabled User-ID, use the following CLI commands to verify that the firewall
has repopulated the IP address-to-username and group mappings before allowing traffic.
• show user ip-user-mapping all
• show user group list

STEP 7 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1, it is required that all certificates meet the following minimum
requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide for more information on regenerating or re-importing
your certificates.


STEP 8 | Verify that the firewall is passing traffic.


Select Monitor > Session Browser and verify that you are seeing new sessions.

STEP 9 | View the software upgrade history on the firewall.


1. Log in to the firewall interface.
2. Go to Device > Summary > Software and click Device History.

Upgrade an HA Firewall Pair


Review the PAN-OS 11.1 Release Notes and then use the following procedure to upgrade a pair
of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive
and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration,
update one HA peer at a time: For active/active firewalls, it doesn’t matter which peer you
upgrade first (though for simplicity, this procedure shows you how to upgrade the active-primary
peer first). For active/passive firewalls, you must suspend (fail over) and upgrade the active
(primary) peer first. After you upgrade the primary peer, you must unsuspend the primary peer
to return it to a functional state (passive). Next, you must suspend the passive (secondary) peer
to make the primary peer active again. After the primary peer is active and the secondary peer
is suspended, you can continue the upgrade. To prevent failover during the upgrade of the HA
peers, you must make sure preemption is disabled before proceeding with the upgrade. You only
need to disable preemption on one peer in the pair.
When upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each
HA peer to the same feature PAN-OS release on your upgrade path before continuing. For
example, if you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1, you must upgrade
both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1
release. When HA peers are two or more feature releases apart, the firewall with the older release
installed enters a suspended state with the message Peer version too old.

To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewalls
are connected to a reliable power source. A loss of power during an upgrade can make
firewalls unusable.


STEP 1 | Save a backup of the current configuration file.

Although the firewall automatically creates a backup of the configuration, it is a best
practice to create and externally store a backup before you upgrade.

Perform these steps on each firewall in the pair:


1. Select Device > Setup > Operations and click Export named configuration snapshot.

2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.

3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 2 | Select Device > Support and Generate Tech Support File.
Click Yes when prompted to generate the tech support file.


STEP 3 | Ensure that each firewall in the HA pair is running the latest content release version.
Refer to the Release Notes for the minimum content release version you must install for a
PAN-OS 11.1 release. Make sure to follow the Best Practices for Applications and Threats
Content Updates.
1. Select Device > Dynamic Updates and check which Applications or Applications and
Threats content release version is Currently Installed.

2. If the firewalls are not running the minimum required content release version or a later
version required for PAN-OS 11.1, click Check Now to retrieve a list of available updates.
3. Locate and Download the desired content release version.
After you successfully download a content update file, the link in the Action column
changes from Download to Install for that content release version.
4. Install the update. You must install the update on both peers.

STEP 4 | Determine the Upgrade Path to PAN-OS 11.1


You cannot skip the installation of any feature release versions in the path from the currently
running PAN-OS version to PAN-OS 11.1.
Review the PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the
Release Notes and Upgrade/Downgrade Considerations for each release through which you
pass as part of your upgrade path.

STEP 5 | (Best Practices) If you are leveraging Strata Logging Service, install the device certificate on
each HA peer.
The firewall automatically switches to using the device certificate for authentication with
Strata Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1.

If you do not install the device certificate prior to upgrade to PAN-OS 11.1, the firewall
continues to use the existing logging service certificates for authentication.


STEP 6 | Disable preemption on the first peer in each pair. You only need to disable this setting on
one firewall in the HA pair but ensure that the commit is successful before you proceed with
the upgrade.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.

3. Commit the change.

STEP 7 | Suspend the primary HA peer to force a failover.


(Active/passive firewalls) For firewalls in an active/passive HA configuration, suspend and
upgrade the active HA peer first.
(Active/active firewalls) For firewalls in an active/active HA configuration, suspend and
upgrade the active-primary HA peer first.
1. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
2. In the bottom-right corner, verify that the state is suspended.
The resulting failover should cause the secondary HA peer to transition to active state.

The resulting failover verifies that HA failover is functioning properly before you
upgrade.


STEP 8 | Install PAN-OS 11.1 on the suspended HA peer.


1. On the primary HA peer, select Device > Software and click Check Now for the latest
updates.
Only the versions for the next available PAN-OS release are displayed. For example,
if PAN-OS 11.1 is installed on the firewall, then only PAN-OS 11.1 releases are
displayed.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox.
2. Locate and Download PAN-OS 11.1.0.

If your firewall does not have internet access from the management port, you
can download the software image from the Palo Alto Networks Support Portal
and then manually Upload it to your firewall.
If your firewall does have internet access and you encounter a file download
error, click Check Now again to refresh the list of PAN-OS images.
3. After you download the image (or, for a manual upgrade, after you upload the image),
Install the image.

4. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
5. After the device finishes rebooting, view the High Availability widget on the Dashboard
and verify that the device you just upgraded is in sync with the peer.

STEP 9 | Restore HA functionality to the primary HA peer.


1. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
2. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/
active configuration, verify that the state is Active.
3. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.


STEP 10 | On the secondary HA peer, suspend the HA peer.


1. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
2. In the bottom-right corner, verify that the state is suspended.
The resulting failover should cause the primary HA peer to transition to Active state.

STEP 11 | Install PAN-OS 11.1 on the secondary HA peer.


1. On the secondary peer, select Device > Software and click Check Now for the latest
updates.
2. Locate and Download PAN-OS 11.1.0.
3. After you download the image, Install it.
4. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.

STEP 12 | Restore HA functionality to the secondary HA peer.


1. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
2. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/
active configuration, verify that the state is Active.
3. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.

STEP 13 | Re-enable preemption on the HA peer where it was disabled in the previous step.
1. Select Device > High Availability and edit the Election Settings.
2. Enable (check) the Preemptive setting and click OK.
3. Commit the change.

STEP 14 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1, it is required that all certificates meet the following minimum
requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.


STEP 15 | Verify that both peers are passing traffic as expected.


In an active/passive configuration, only the active peer should be passing traffic; both peers
should be passing traffic in an active/active configuration.
Run the following CLI commands to confirm that the upgrade succeeded:
• (Active peers only) To verify that active peers are passing traffic, run the show session
all command.
• To verify session synchronization, run the show high-availability interface ha2
command and make sure that the Hardware Interface counters on the CPU table are
increasing as follows:
• In an active/passive configuration, only the active peer shows packets transmitted; the
passive peer will show only packets received.

If you enabled HA2 keep-alive, the hardware interface counters on the passive
peer will show both transmit and receive packets. This occurs because HA2
keep-alive is bi-directional, which means that both peers transmit HA2 keep-
alive packets.
• In an active/active configuration, you will see packets received and packets transmitted
on both peers.
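
STEP 7 of the standalone procedure and STEP 14 of the HA procedure set minimum key sizes and digests for every certificate. The following added example (not from the guide or from Palo Alto Networks) checks certificates against those minimums before the upgrade; it assumes each certificate has been exported and dumped with `openssl x509 -noout -text`, and the sample dumps are constructed and trimmed to the relevant fields.

```python
import re

# Minimums stated in the guide for PAN-OS 11.1 (OpenSSL Security Level 2).
MIN_RSA_BITS = 2048
MIN_ECDSA_BITS = 256
MIN_DIGEST_BITS = 256

DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}

# Field layout assumed: the text printed by `openssl x509 -noout -text`.
SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)
KEY_ALG = re.compile(r"^\s*Public Key Algorithm:\s*(\S+)", re.MULTILINE)
KEY_BITS = re.compile(r"Public-Key:\s*\((\d+) bit\)")
DIGEST = re.compile("|".join(DIGEST_BITS), re.IGNORECASE)


def audit_certificate(text_dump):
    """Return findings for one certificate dump; an empty list means it passes."""
    key_alg = KEY_ALG.search(text_dump)
    key_bits = KEY_BITS.search(text_dump)
    sig_alg = SIG_ALG.search(text_dump)
    if not (key_alg and key_bits and sig_alg):
        return ["unparsed: key or signature fields not found, review manually"]

    findings = []
    alg, bits = key_alg.group(1), int(key_bits.group(1))
    if alg == "rsaEncryption":
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    elif alg == "id-ecPublicKey":
        if bits < MIN_ECDSA_BITS:
            findings.append(f"ECDSA key is {bits} bits, below {MIN_ECDSA_BITS}")
    else:
        # The guide lists only RSA and ECDSA, so anything else needs a human.
        findings.append(f"key type {alg} is not covered by the stated minimums")

    digest = DIGEST.search(sig_alg.group(1))
    if digest is None:
        findings.append(f"digest not recognised in {sig_alg.group(1)}")
    elif DIGEST_BITS[digest.group(0).lower()] < MIN_DIGEST_BITS:
        findings.append(f"signature digest {digest.group(0)} is below SHA256")
    return findings


def audit_all(dumps):
    """Map certificate name -> findings, keeping only certificates that need action."""
    report = {name: audit_certificate(text) for name, text in dumps.items()}
    return {name: found for name, found in report.items() if found}


# Constructed sample dumps (not taken from any real device).
LEGACY_RSA = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = legacy-portal.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
STRONG_KEY_WEAK_DIGEST = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = decrypt-ca.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
GOOD_EC = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject: CN = mgmt.example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""
SAMPLES = {"legacy-portal": LEGACY_RSA,
           "decrypt-ca": STRONG_KEY_WEAK_DIGEST,
           "mgmt": GOOD_EC}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print(name, "->", "; ".join(found))
```

Certificates reported here are the ones to regenerate or re-import before the upgrade.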


Upgrade the Firewall to PAN-OS 11.1 from Panorama


Deploy content updates and upgrade PAN-OS for managed firewalls from the Panorama™
management server.
• Upgrade Firewalls When Panorama Is Internet-Connected
• Upgrade Firewalls When Panorama Is Not Internet-Connected
• Upgrade a ZTP Firewall

Upgrade Firewalls When Panorama Is Internet-Connected


Review the PAN-OS 11.1 Release Notes and then use the following procedure to upgrade
firewalls that you manage with Panorama. This procedure applies to standalone firewalls and
firewalls deployed in a high availability (HA) configuration.
When upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each
HA peer to the same feature PAN-OS release on your upgrade path before continuing. For
example, if you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1, you must upgrade
both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1
release. When HA peers are two or more feature releases apart, the firewall with the older release
installed enters a suspended state with the message Peer version too old.
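
The release-gap rule stated in the HA procedure and repeated here can be checked before a change window. This added example (not part of the guide) plans an HA upgrade one feature release at a time and simulates a proposed install order to find the first step that would leave the peers two or more feature releases apart; the function names and the primary/secondary labels are assumptions, and maintenance releases are not modelled.

```python
# Feature releases named in this guide, oldest first.
FEATURE_RELEASES = ["8.1", "9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1", "11.2"]


def feature_release(version):
    """Reduce a full version such as '10.2.7-h3' to its feature release '10.2'."""
    release = ".".join(version.split(".")[:2])
    if release not in FEATURE_RELEASES:
        raise ValueError(f"unknown feature release: {version}")
    return release


def plan_ha_upgrade(current, target, peers=("primary", "secondary")):
    """Return (peer, release) install actions that move both peers to each
    feature release on the path before either peer continues to the next."""
    start = FEATURE_RELEASES.index(feature_release(current))
    end = FEATURE_RELEASES.index(feature_release(target))
    if end < start:
        raise ValueError("target is older than the installed release")
    return [(peer, FEATURE_RELEASES[i])
            for i in range(start + 1, end + 1)
            for peer in peers]


def first_violation(installed, actions):
    """Simulate install actions against the installed versions of both peers.

    Returns None if the peers never end up two or more feature releases apart,
    otherwise (step_index, older_peer, releases_after_that_step). The older
    peer is the one the guide says is suspended with 'Peer version too old'."""
    state = {peer: feature_release(v) for peer, v in installed.items()}
    for step, (peer, release) in enumerate(actions):
        state[peer] = feature_release(release)
        index = {p: FEATURE_RELEASES.index(r) for p, r in state.items()}
        older = min(index, key=index.get)
        newer = max(index, key=index.get)
        if index[newer] - index[older] >= 2:
            return step, older, dict(state)
    return None


if __name__ == "__main__":
    pair = {"primary": "10.2.7", "secondary": "10.2.7"}  # constructed versions
    safe = plan_ha_upgrade("10.2.7", "11.1.0")
    print("planned order:", safe)
    print("violation in planned order:", first_violation(pair, safe))
    direct = [("primary", "11.1.0"), ("secondary", "11.1.0")]
    print("violation in direct order:", first_violation(pair, direct))
```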

If Panorama is unable to connect directly to the updates server, follow the Upgrade
Firewalls When Panorama Is Not Internet-Connected procedure so that you can
manually download images to Panorama and then distribute the images to firewalls.

The new Skip Software Version Upgrade feature enables you to skip up to three releases when
deploying upgrades from Panorama appliances on PAN-OS 11.1 to firewalls on PAN-OS 10.1 or
later versions.
Before you can upgrade firewalls from Panorama, you must:
• Make sure Panorama is running the same or a later PAN-OS version than you are upgrading
to. You must upgrade Panorama and its Log Collectors to 11.1 before upgrading the managed
firewalls to this version. In addition, when upgrading Log Collectors to 11.1, you must upgrade
all Log Collectors at the same time due to changes in the logging infrastructure.
• Ensure that firewalls are connected to a reliable power source. A loss of power during an
upgrade can make a firewall unusable.
• Decide whether to stay in Legacy mode if the Panorama virtual appliance is in Legacy mode
on upgrade to PAN-OS 11.1. Legacy mode is not supported for a new Panorama virtual
appliance deployment running PAN-OS 9.1 or later release. If you upgrade the Panorama
virtual appliance from PAN-OS 9.0 or earlier release to PAN-OS 11.1, Palo Alto Networks
recommends reviewing the Setup Prerequisites for the Panorama Virtual Appliance and
changing to Panorama mode or Management Only mode based on your needs.
If you want to keep the Panorama virtual appliance in Legacy mode, increase CPUs and
memory allocated to the Panorama virtual appliance to a minimum 16 CPUs and 32GB memory
to successfully upgrade to PAN-OS 11.1. See the Setup Prerequisites for the Panorama Virtual
Appliance for more information.
• (Recommended for multi-vsys managed firewalls) Transition all vsys of a multi-vsys managed
firewall to Panorama.
This is recommended to avoid commit issues on the multi-vsys managed firewall and allows
you to take advantage of optimized shared object pushes from Panorama.
This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version Upgrade only.
• (Multi-vsys managed firewalls) Delete or rename any locally configured Shared object that has
an identical name to an object in the Panorama Shared configuration. Otherwise, configuration
pushes from Panorama fail after the upgrade and display the error <object-name> is
already in use.
This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version Upgrade only.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Modify your Security policy rule to allow ssl application traffic.

This applies to firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version upgrade only.
This is required to prevent managed devices disconnecting from Panorama after
upgrade to PAN-OS 11.1 if traffic between Panorama and managed devices is
controlled using the panorama App-ID. Managed devices will disconnect from
Panorama if the ssl application is not allowed before you upgrade.

PAN-OS 11.1 uses TLS version 1.3 to encrypt the service certificate and handshake messages
between Panorama and managed firewalls. As a result, the App-ID for traffic from managed
firewalls to Panorama is reclassified from panorama to ssl. To continue communication
between Panorama and managed devices, you must modify the Security policy rule controlling
traffic between Panorama and managed devices to also allow the ssl application.
Skip this step if the Security policy rule controlling traffic between Panorama and managed
devices allows Any application or if you already modified your Security policy rule controlling
traffic between Panorama and managed devices.
1. Select Policies > Security > Pre Rules.
2. Select the Device Group containing the Security policy rule controlling traffic between
Panorama and managed firewalls.
3. Select the Security policy rule.
4. Select Application and Add the ssl application.

Do not delete the panorama application. This will cause all managed firewalls
to disconnect from Panorama after you push the changes.

5. Click OK.
6. Select Commit > Commit and Push and Commit and Push your configuration changes.
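
A pre-upgrade check for this step, as an added example that is not part of the guide: it scans an exported Panorama configuration for enabled pre-rules that allow the panorama application without ssl. The element layout (device-group, pre-rulebase, security, rules, application/member) is the PAN-OS XML configuration layout as assumed here, the sample configuration is constructed, and application groups are not expanded.

```python
import xml.etree.ElementTree as ET


def _members(rule, tag):
    """Collect the <member> values under one rule field, for example application."""
    return {m.text.strip() for m in rule.findall(f"{tag}/member") if m.text}


def rules_missing_ssl(config_xml):
    """Return (device_group, rule_name) for each enabled allow pre-rule that
    lists the panorama application but not ssl."""
    root = ET.fromstring(config_xml)
    flagged = []
    for group in root.iterfind(".//device-group/entry"):
        for rule in group.iterfind("pre-rulebase/security/rules/entry"):
            if rule.findtext("disabled", "no").strip() == "yes":
                continue  # disabled rules do not carry traffic
            if rule.findtext("action", "").strip() != "allow":
                continue
            apps = _members(rule, "application")
            # A rule that allows "any" application never lists panorama
            # explicitly, so it is not flagged, matching the guide's skip case.
            if "panorama" in apps and "ssl" not in apps:
                flagged.append((group.get("name"), rule.get("name")))
    return flagged


# Constructed sample configuration (names are placeholders).
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="branch-firewalls">
          <pre-rulebase><security><rules>
            <entry name="fw-to-panorama">
              <application><member>panorama</member></application>
              <action>allow</action>
            </entry>
            <entry name="old-fw-to-panorama">
              <application><member>panorama</member></application>
              <action>allow</action>
              <disabled>yes</disabled>
            </entry>
          </rules></security></pre-rulebase>
        </entry>
        <entry name="dc-firewalls">
          <pre-rulebase><security><rules>
            <entry name="fw-to-panorama">
              <application>
                <member>panorama</member>
                <member>ssl</member>
              </application>
              <action>allow</action>
            </entry>
            <entry name="mgmt-any">
              <application><member>any</member></application>
              <action>allow</action>
            </entry>
          </rules></security></pre-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""

if __name__ == "__main__":
    for group, rule in rules_missing_ssl(SAMPLE_CONFIG):
        print(f"{group}/{rule}: add the ssl application before upgrading")
```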


STEP 3 | Save a backup of the current configuration file on each managed firewall you plan to
upgrade.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Select Panorama > Setup > Operations and click Export Panorama and devices config
bundle to generate and export the latest configuration backup of Panorama and of each
managed appliance.

2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.


STEP 4 | Install the latest content update.


Refer to the Release Notes for the minimum content release version required for PAN-OS
11.1. Make sure to follow the Best Practices for Applications and Threats Content Updates
when deploying content updates to Panorama and managed firewalls.
1. Select Panorama > Device Deployment > Dynamic Updates and Check Now for the
latest updates. If an update is available, the Action column displays a Download link.

2. Click Install and select the firewalls on which you want to install the update. If you are
upgrading HA firewalls, you must update content on both peers.
3. Click OK.

STEP 5 | Determine the Upgrade Path to PAN-OS 11.1.

Review the PAN-OS Upgrade Checklist, the known issues and changes to default
behavior in the Release Notes and upgrade/downgrade considerations for each
release through which you pass as part of your upgrade path.

If upgrading more than one firewall, streamline the process by determining upgrade
paths for all firewalls before you start downloading images.

STEP 6 | (Best Practices) If you are leveraging Strata Logging Service, install the device certificate.
The firewall automatically switches to using the device certificate for authentication with
Strata Logging Service ingestion and query endpoints on upgrade to PAN-OS 11.1.

If you do not install the device certificate prior to upgrade to PAN-OS 11.1, the firewall
continues to use the existing logging service certificates for authentication.


STEP 7 | (HA firewall upgrades only) If you will be upgrading firewalls that are part of an HA pair,
disable preemption. You need only disable this setting on one firewall in each HA pair.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.

3. Commit your change. Make sure the commit is successful before you proceed with the
upgrade.

STEP 8 | (HA firewall upgrades only) Suspend the primary HA peer to force a failover.
(Active/passive firewalls) For firewalls in an active/passive HA configuration, suspend and
upgrade the active HA peer first.
(Active/active firewalls) For firewalls in an active/active HA configuration, suspend and
upgrade the active-primary HA peer first.
1. Log in to the web interface of the active-primary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.

3. In the bottom-right corner, verify that the state is suspended.


The resulting failover should cause the secondary passive HA peer to transition to
active state.

The resulting failover verifies that HA failover is functioning properly before you
upgrade.

STEP 9 | (Optional) Upgrade your managed firewalls to PAN-OS 10.1.


The skip software version upgrade feature supports managed firewalls running PAN-OS 10.1
or later releases. If your managed firewalls are on PAN-OS 10.0 or an earlier release, first
upgrade to PAN-OS 10.1 or a later release.

STEP 10 | (Optional) Export the file to a configured SCP server.


In PAN-OS 11.1, SCP servers are available as a download source when deploying upgrades to
managed firewalls. Export the file before downloading the software and content images in the
next step.


STEP 11 | Validate and download the software and content versions required for the target release.
In this step, you’re able to both view and download the intermediate software and content
images required to upgrade to PAN-OS 11.1.
Downloading software and content images using multi-image download is optional. You can
still download images one at a time.
1. Click Panorama > Device Deployment > Software > Action > Validate.
2. View the intermediate software and content versions you need to download.
3. Select the firewalls you want to upgrade and click Deploy.
4. Select a download source and click Download.

STEP 12 | Install PAN-OS 11.1.0 on the firewalls.

(SD-WAN only) To preserve an accurate status for your SD-WAN links, you must
upgrade your hub firewalls to PAN-OS 11.1 before you upgrade your branch firewalls.
Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data
(Panorama > SD-WAN > Monitoring) and cause SD-WAN links to erroneously display as
down.

1. Click Install in the Action column that corresponds to the firewall models you want to
upgrade. For example, if you want to upgrade your PA-440 firewalls, click Install in the
row that corresponds to PanOS_440-11.1.0.
2. In the Deploy Software file dialog, select all firewalls that you want to upgrade.
(HA firewall upgrades only) To reduce downtime, select only one peer in each HA pair.
For active/passive pairs, select the passive peer; for active/active pairs, select the active-
secondary peer.
3. (HA firewall upgrades only) Make sure Group HA Peers is not selected.
4. Select Reboot device after install.
5. To begin the upgrade, click OK.
6. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
7. After the firewalls finish rebooting, select Panorama > Managed Devices and verify the
Software Version is 11.1.0 for the firewalls you upgraded. Also verify that the HA status
of any passive firewalls you upgraded is still passive.


STEP 13 | (HA firewall upgrades only) Restore HA functionality to the primary HA peer.
1. Log in to the firewall web interface of the suspended primary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
3. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/
active configuration, verify that the state is Active.
4. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.

STEP 14 | (HA firewall upgrades only) Suspend the secondary HA peer to force a failover back to the
primary HA peer.
1. Log in to the firewall web interface of the active secondary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
3. In the bottom-right corner, verify that the state is suspended.
The resulting failover should cause the primary passive HA peer to transition to active
state.

The resulting failover verifies that HA failover is functioning properly before you
upgrade.

STEP 15 | (HA firewall upgrades only) Upgrade the second HA peer in each HA pair.
1. In the Panorama web interface, select Panorama > Device Deployment > Software.
2. Click Install in the Action column that corresponds to the firewall models of the HA pairs
you are upgrading.
3. In the Deploy Software file dialog, select all firewalls that you want to upgrade. This
time, select only the peers of the HA firewalls you just upgraded.
4. Make sure Group HA Peers is not selected.
5. Select Reboot device after install.
6. To begin the upgrade, click OK.
7. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.

STEP 16 | (HA firewall upgrades only) Restore HA functionality to the secondary HA peer.
1. Log in to the firewall web interface of the suspended secondary firewall HA peer.
2. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
3. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/
active configuration, verify that the state is Active.
4. Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability widget.


STEP 17 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a managed firewall in FIPS-CC mode requires you to reset the secure connection
status if you added the Dedicated Log Collector to Panorama management while the managed
firewall was running a PAN-OS 11.1 release.
You do not need to re-onboard the managed firewall added to Panorama management while
the managed firewall was running a PAN-OS 10.0 or earlier release.

STEP 18 | Verify the software and content release version running on each managed firewall.
1. On Panorama, select Panorama > Managed Devices.
2. Locate the firewalls and review the content and software versions in the table.
For HA firewalls, you can also verify that the HA Status of each peer is as expected.

STEP 19 | (HA firewall upgrades only) If you disabled preemption on one of your HA firewalls before
you upgraded, then edit the Election Settings (Device > High Availability) and re-enable the
Preemptive setting for that firewall and then Commit the change.

STEP 20 | On the Panorama web interface, push the entire Panorama managed configuration to your
managed firewalls.
This step is required to enable selective commit and push of device group and template stack
configuration changes from Panorama to your managed firewalls.
This is required to successfully push configuration changes to multi-vsys firewalls managed
by Panorama after successful upgrade to PAN-OS 11.1 from PAN-OS 10.1 or earlier release.
For more information, see the change to default behavior for shared configuration objects for
multi-vsys firewalls managed by Panorama.
1. Select Commit > Push to Devices.
2. Push.


STEP 21 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1 or later release, it is required that all certificates meet the
following minimum requirements. Skip this step if you are upgrading from PAN-OS 10.2 and
have already regenerated or re-imported your certificates.
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.

STEP 22 | View the software upgrade history of the firewall.


1. Log in to the Panorama interface.
2. Go to Panorama > Managed Devices > Summary and click Device History.

Upgrade Firewalls When Panorama Is Not Internet-Connected


For a list of software and content updates you can install on firewalls, see Supported Updates.
The new Skip Software Version Upgrade feature enables you to skip up to three releases when
deploying upgrades from Panorama appliances on PAN-OS 11.1 to firewalls on PAN-OS 10.1 or
later versions.
Before you can upgrade firewalls from Panorama, you must:
• Make sure Panorama is running the same or a later PAN-OS version than you are upgrading
to. You must upgrade Panorama and its Log Collectors to 11.1 before upgrading the managed
firewalls to this version. In addition, when upgrading Log Collectors to 11.1, you must upgrade
all Log Collectors at the same time due to changes in the logging infrastructure.
• Ensure that firewalls are connected to a reliable power source. A loss of power during an
upgrade can make a firewall unusable.
• Decide whether to stay in Legacy mode if the Panorama virtual appliance is in Legacy mode
on upgrade to PAN-OS 11.1. Legacy mode is not supported for a new Panorama virtual
appliance deployment running PAN-OS 9.1 or later release. If you upgrade the Panorama
virtual appliance from PAN-OS 9.0 or earlier release to PAN-OS 11.1, Palo Alto Networks
recommends reviewing the Setup Prerequisites for the Panorama Virtual Appliance and
changing to Panorama mode or Management Only mode based on your needs.
If you want to keep the Panorama virtual appliance in Legacy mode, increase CPUs and
memory allocated to the Panorama virtual appliance to a minimum 16 CPUs and 32GB memory
to successfully upgrade to PAN-OS 11.1. See the Setup Prerequisites for the Panorama Virtual
Appliance for more information.
• (Recommended for multi-vsys managed firewalls) Transition all vsys of a multi-vsys managed
firewall to Panorama.
This is recommended to avoid commit issues on the multi-vsys managed firewall and allows
you to take advantage of optimized shared object pushes from Panorama.
This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version Upgrade only.
• (Multi-vsys managed firewalls) Delete or rename any locally configured Shared object that has
an identical name to an object in the Panorama Shared configuration. Otherwise, configuration
pushes from Panorama fail after the upgrade and display the error <object-name> is
already in use.
This applies to multi-vsys firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version Upgrade only.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Modify your Security policy rule to allow ssl application traffic.

This applies to firewalls upgraded from PAN-OS 10.1 to PAN-OS 11.1 using Skip
Software Version upgrade only.
This is required to prevent managed devices disconnecting from Panorama after
upgrade to PAN-OS 11.1 if traffic between Panorama and managed devices is
controlled using the panorama App-ID. Managed devices will disconnect from
Panorama if the ssl application is not allowed before you upgrade.

PAN-OS 11.1 uses TLS version 1.3 to encrypt the service certificate and handshake messages
between Panorama and managed firewalls. As a result, the App-ID for traffic from managed
firewalls to Panorama is reclassified from panorama to ssl. To continue communication
between Panorama and managed devices, you must modify the Security policy rule controlling
traffic between Panorama and managed devices to also allow the ssl application.
Skip this step if the Security policy rule controlling traffic between Panorama and managed
devices allows Any application or if you already modified your Security policy rule controlling
traffic between Panorama and managed devices.
1. Select Policies > Security > Pre Rules.
2. Select the Device Group containing the Security policy rule controlling traffic between
Panorama and managed firewalls.
3. Select the Security policy rule.
4. Select Application and Add the ssl application.

Do not delete the panorama application. This will cause all managed firewalls
to disconnect from Panorama after you push the changes.

5. Click OK.
6. Select Commit > Commit and Push and Commit and Push your configuration changes.
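
A pre-upgrade check for this step, as an added example that is not part of the Palo Alto Networks guide: it scans an exported Panorama configuration for enabled allow pre-rules that list the panorama application but neither ssl nor any. The XML layout, device-group names and rule names in the sample are constructed assumptions; applications referenced through application groups are not expanded.

```python
"""Find Panorama pre-rules that allow the panorama App-ID but would stop
matching once the same traffic is classified as ssl."""
import xml.etree.ElementTree as ET

# Constructed sample configuration. Names are made up and the element layout
# (device-group > pre-rulebase > security > rules > entry) is an assumption
# about the exported config; adjust the paths to match your export.
SAMPLE_CONFIG = """
<config>
  <shared>
    <pre-rulebase><security><rules>
      <entry name="shared-mgmt">
        <application><member>panorama</member><member>ssl</member></application>
        <action>allow</action>
      </entry>
    </rules></security></pre-rulebase>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch-fw">
      <pre-rulebase><security><rules>
        <entry name="mgmt-to-panorama">
          <application><member>panorama</member></application>
          <action>allow</action>
        </entry>
        <entry name="old-mgmt">
          <application><member>panorama</member></application>
          <action>allow</action>
          <disabled>yes</disabled>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
    <entry name="dc-fw">
      <pre-rulebase><security><rules>
        <entry name="mgmt">
          <application><member>panorama</member><member>paloalto-updates</member></application>
          <action>allow</action>
        </entry>
        <entry name="catch-all">
          <application><member>any</member></application>
          <action>allow</action>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>
"""


def _applications(rule):
    """Return the set of application names listed directly on a rule."""
    return {m.text.strip() for m in rule.findall("./application/member") if m.text}


def _check_rules(scope, rules):
    """Flag enabled allow rules that list panorama without ssl or any."""
    findings = []
    for rule in rules:
        if (rule.findtext("disabled") or "no").strip() == "yes":
            continue  # disabled rules do not affect traffic
        if (rule.findtext("action") or "").strip() != "allow":
            continue
        apps = _applications(rule)
        if "panorama" in apps and not apps & {"ssl", "any"}:
            findings.append((scope, rule.get("name")))
    return findings


def rules_needing_ssl(config_xml):
    """Return (device group, rule name) pairs that still need ssl added."""
    root = ET.fromstring(config_xml)
    findings = _check_rules(
        "shared", root.findall("./shared/pre-rulebase/security/rules/entry"))
    for group in root.findall("./devices/entry/device-group/entry"):
        findings += _check_rules(
            group.get("name"),
            group.findall("./pre-rulebase/security/rules/entry"))
    return findings


if __name__ == "__main__":
    for scope, name in rules_needing_ssl(SAMPLE_CONFIG):
        print(f"{scope}: rule '{name}' allows panorama but not ssl")
```

Rules reported here are the ones to edit in substeps 1 through 6; the fix is to add ssl alongside panorama, not to replace it.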

STEP 3 | Save a backup of the current configuration file on each managed firewall you plan to
upgrade.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Export Panorama and devices config bundle (Panorama > Setup > Operations) to
generate and export the latest configuration backup of Panorama and of each managed
appliance.
2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.


STEP 4 | Determine which content updates you need to install. Refer to Release Notes for the
minimum content release version you must install for a PAN-OS® release.

Palo Alto Networks highly recommends that Panorama, Log Collectors, and all
managed firewalls run the same content release version.

For each content update, determine whether you need updates and take note of which
content updates you need to download in the following step.

Ensure that Panorama is running the same content release version as, and not a later
version than, the managed firewalls and Log Collectors.

STEP 5 | Determine the software upgrade path for the firewalls that you intend to update to
Panorama 11.1.
Log in to Panorama, select Panorama > Managed Devices, and note the current Software
Version for the firewalls you intend to upgrade.

Review PAN-OS Upgrade Checklist, the known issues and changes to default
behavior in the Release Notes and Upgrade/Downgrade Considerations for each
release through which you pass as part of your upgrade path.

STEP 6 | (Optional) Upgrade your managed firewalls to PAN-OS 10.1.


The skip software version upgrade feature supports managed firewalls running PAN-OS 10.1
or later releases. If your managed firewalls are on PAN-OS 10.0 or an earlier release, first
upgrade to PAN-OS 10.1 or a later release.

STEP 7 | Perform a validation check of the release.


In this step, you’re able to view the intermediate software and content images required to
upgrade to 11.1.
1. Select Panorama > Device Deployment > Software > Action > Validate.
2. View the intermediate software and content versions you need to download.

STEP 8 | Download the content and software updates to a host that can connect and upload the files
to Panorama or a configured SCP server either over SCP or HTTPS.
By default, you can upload a maximum of two software or content updates of each type to
a Panorama appliance and if you download a third update of the same type, Panorama will
delete the update for the earliest version of that type. If you need to upload more than two
software updates or content updates of a single type, use the set max-num-images count
<number> CLI command to increase the maximum number of images that Panorama can
store.
1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
web site.
2. Download content updates:
1. Click Dynamic Updates in the Resources section.
2. Download the latest content release version (or, at a minimum, the same or a later
version than you will install or is running on the Panorama management server) and
save the file to the host; repeat for each content type you need to update.
3. Download software updates:
1. Return to the main page of the Palo Alto Networks Customer Support web site and
click Software Updates in the Resources section.
2. Review the Download column to determine which versions you need to install. The
filename of the update packages indicates the model. For example, to upgrade a
PA-440 and PA-5430 firewall to PAN-OS 11.1.0, download the PanOS_440-11.1.0
and PanOS_5430-11.1.0 images.

You can quickly locate specific PAN-OS images by selecting PAN-OS for the
PA-<series/model> from the Filter By drop-down.
4. Click the appropriate filename and save the file to the host.

STEP 9 | Download the intermediate software versions and latest content version.
On PAN-OS 11.0, you are able to download multiple intermediate releases using the multi-
image download capability.
1. Select the firewalls you want to upgrade (Required Deployments > Deploy).
2. Select a download source and click Download.

STEP 10 | Install content updates on managed firewalls.

You must install content updates before software updates.

Install the Applications or Applications and Threats update first and then install any other
updates (Antivirus, WildFire®, or URL Filtering) as needed, one at a time, and in any sequence.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Click Upload, select the update Type, Browse to the appropriate content update file, and
click OK.
3. Click Install From File, select the update Type, and select the File Name of the content
update you just uploaded.
4. Select the firewalls on which to install the update.
5. Click OK to start the installation.
6. Repeat these steps for each content update.


STEP 11 | (Firewalls serving as GlobalProtect™ portals only) Upload and activate a GlobalProtect
agent/app software update on firewalls.

You activate the update on firewalls so that users can download it to their endpoints
(client systems).

1. Use a host with internet access to log in to the Palo Alto Networks Customer Support
website.
2. Download the appropriate GlobalProtect agent/app software update.
3. On Panorama, select Panorama > Device Deployment > GlobalProtect Client.
4. Click Upload, Browse to the appropriate GlobalProtect agent/app software update on
the host to which you downloaded the file, and click OK.
5. Click Activate From File and select the File Name of the GlobalProtect agent/app
update you just uploaded.

You can activate only one version of agent/app software at a time. If you
activate a new version but some agents require a previous version, you will have
to reactivate the earlier version again for those agents to download the previous
update.
6. Select the firewalls on which to activate the update.
7. Click OK to activate.

STEP 12 | Install PAN-OS 11.1.

To avoid downtime when updating the software on high availability (HA) firewalls,
update one HA peer at a time.
For active/active firewalls, it doesn’t matter which peer you update first.
For active/passive firewalls, you must update the passive peer first, suspend the active
peer (fail over), update the active peer, and then return the active peer to a functional
state (fail back).

(SD-WAN only) To preserve an accurate status for your SD-WAN links, you must
upgrade your hub firewalls to PAN-OS 11.1 before you upgrade your branch firewalls.
Upgrading branch firewalls before hub firewalls may result in incorrect monitoring data
(Panorama > SD-WAN > Monitoring) and cause SD-WAN links to erroneously display as
down.

1. Perform the steps that apply to your firewall configuration to install the PAN-OS
software update you just uploaded.
• Non-HA firewalls—Click Install in the Action column, select all the firewalls you are
upgrading, select Reboot device after install, and click OK.
• Active/active HA firewalls:
1. Confirm that the preemption setting is disabled on the first peer that you intend
to upgrade (Device > High Availability > Election Settings). If enabled, then edit
Election Settings and disable (clear) the Preemptive setting and Commit your
change. You need only disable this setting on one firewall in each HA pair but
ensure that the commit is successful before you proceed.
2. Click Install, disable (clear) Group HA Peers, select either HA peer, select Reboot
device after install, and click OK. Wait for the firewall to finish rebooting before
you proceed.
3. Click Install, disable (clear) Group HA Peers, select the HA peer that you didn’t
update in the previous step, Reboot device after install, and click OK.
• Active/passive HA firewalls—In this example, the active firewall is named fw1 and the
passive firewall is named fw2:
1. Confirm that the preemption setting is disabled on the first peer that you intend
to upgrade (Device > High Availability > Election Settings). If enabled, then edit
Election Settings and disable (clear) the Preemptive setting and Commit your
change. You need only disable this setting on one firewall in each HA pair but
ensure that the commit is successful before you proceed.
2. Click Install in the Action column for the appropriate update, disable (clear) Group
HA Peers, select fw2, Reboot device after install, and click OK. Wait for fw2 to
finish rebooting before you proceed.
3. After fw2 finishes rebooting, verify on fw1 (Dashboard > High Availability) that
fw2 is still the passive peer (the Local firewall state is active and the Peer—fw2—
is passive).
4. Access fw1 and Suspend local device (Device > High Availability > Operational
Commands).
5. Access fw2 (Dashboard > High Availability) and verify that the Local firewall state
is active and the Peer is suspended.
6. Access Panorama, select Panorama > Device Deployment > Software, click
Install in the Action column for the appropriate release, disable (clear) Group HA
Peers, select fw1, Reboot device after install, and click OK. Wait for fw1 to finish
rebooting before you proceed.
7. Access fw1 (Device > High Availability > Operational Commands), click Make local
device functional, and then wait two minutes before you proceed.
8. On fw1 (Dashboard > High Availability), verify that the Local firewall state is
passive and the Peer (fw2) is active.

STEP 13 | (FIPS-CC mode only) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading a managed firewall in FIPS-CC mode requires you to reset the secure connection
status if you added the Dedicated Log Collector to Panorama management while the managed
firewall was running a PAN-OS 11.1 release.
You do not need to re-onboard the managed firewall added to Panorama management while
the managed firewall was running a PAN-OS 10.0 or earlier release.

STEP 14 | Verify the software and content versions that are installed on each managed firewall.
1. Select Panorama > Managed Devices.
2. Locate the firewall and review the values in the Software Version, Apps and Threat,
Antivirus, URL Filtering, and GlobalProtect Client columns.


STEP 15 | If you disabled preemption on one of your HA firewalls before you upgraded, then edit the
Election Settings (Device > High Availability) and re-enable the Preemptive setting for that
firewall.

STEP 16 | On the Panorama web interface, push the entire Panorama managed configuration to your
managed firewalls.
This step is required to enable selective commit and push of device group and template stack
configuration changes from Panorama to your managed firewalls.
This is required to successfully push configuration changes to multi-vsys firewalls managed
by Panorama after successful upgrade to PAN-OS 11.1. For more information, see the change
to default behavior for shared configuration objects for multi-vsys firewalls managed by
Panorama.
1. Select Commit > Push to Devices.
2. Push.

STEP 17 | Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.


On upgrade to PAN-OS 11.1, it is required that all certificates meet the following minimum
requirements:
• RSA 2048 bits or greater, or ECDSA 256 bits or greater
• Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more
information on regenerating or re-importing your certificates.
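
One way to audit certificates against the minimums listed in this step (and in the matching step of the internet-connected procedure), as an added example that is not part of the Palo Alto Networks guide: it parses the text that `openssl x509 -noout -text` prints and reports any key or digest below the stated minimums. The sample outputs are constructed and trimmed, and the function names are hypothetical.

```python
"""Check certificate key size and signature digest against the minimums
listed above: RSA >= 2048 bits or ECDSA >= 256 bits, digest >= SHA256."""
import re
import subprocess

# Public-key algorithm names as printed by openssl -> (label, minimum bits).
MIN_KEY_BITS = {"rsaEncryption": ("RSA", 2048), "id-ecPublicKey": ("ECDSA", 256)}
# Output size in bits of each digest that can appear in a signature name.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}

# Constructed, trimmed samples of `openssl x509 -noout -text` output.
SAMPLE_WEAK = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = fw-mgmt.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""
SAMPLE_RSA_OK = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = portal.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
"""
SAMPLE_EC_OK = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Subject: CN = gateway.example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA384
"""


def check_cert_text(text):
    """Return a list of problems found in one certificate's text dump."""
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    key_bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if not (key_alg and key_bits and sig_alg):
        return ["could not parse key or signature details"]

    problems = []
    known = MIN_KEY_BITS.get(key_alg.group(1))
    bits = int(key_bits.group(1))
    if known is None:
        problems.append(f"key type {key_alg.group(1)} is not RSA or ECDSA")
    elif bits < known[1]:
        problems.append(f"{known[0]} key is {bits} bits (minimum {known[1]})")

    # Signature names embed the digest, e.g. sha256WithRSAEncryption.
    digest = re.search(r"md5|sha(?:1|224|256|384|512)", sig_alg.group(1).lower())
    if digest is None:
        # For example RSA-PSS, where the hash is printed on a separate line.
        problems.append(f"signature algorithm {sig_alg.group(1)} needs manual review")
    elif DIGEST_BITS[digest.group(0)] < 256:
        problems.append(f"signature digest {digest.group(0)} is weaker than SHA256")
    return problems


def check_cert_file(path):
    """Dump a PEM certificate with the openssl CLI and check the result."""
    dump = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          capture_output=True, text=True, check=True)
    return check_cert_text(dump.stdout)


if __name__ == "__main__":
    for label, sample in [("weak", SAMPLE_WEAK), ("rsa", SAMPLE_RSA_OK),
                          ("ec", SAMPLE_EC_OK)]:
        print(label, check_cert_text(sample) or "meets the minimums")
```

Run `check_cert_file` over the certificates you exported before the upgrade; anything it reports is a candidate for the regenerate or re-import work this step calls for.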

STEP 18 | View the software upgrade history of the firewall.


1. Log in to the Panorama interface.
2. Go to Panorama > Managed Devices > Summary and click Device History.

Upgrade a ZTP Firewall


After you successfully add a ZTP firewall to the Panorama™ management server, configure the
target PAN-OS version of the ZTP firewall. After the ZTP firewall successfully connects to
Panorama for the first time, Panorama checks whether the PAN-OS version installed on the
firewall is greater than or equal to the configured target PAN-OS version. If the PAN-OS
version installed on the ZTP firewall is less than the target PAN-OS version, then the ZTP
firewall enters an upgrade cycle until the target PAN-OS version is installed.
STEP 1 | Log in to the Panorama Web Interface as an admin user.

STEP 2 | Add a ZTP Firewall to Panorama.

STEP 3 | Select Panorama > Device Deployment > Updates and Check Now for the latest PAN-OS
releases.

STEP 4 | Select Panorama > Managed Devices > Summary and select one or more ZTP firewalls.

STEP 5 | Reassociate the selected ZTP firewall(s).

STEP 6 | Check (enable) Auto Push on 1st Connect.


STEP 7 | In the To SW Version column, select the target PAN-OS version for the ZTP firewall.

STEP 8 | Click OK to save your configuration changes.

STEP 9 | Select Commit and Commit to Panorama.

STEP 10 | Power on the ZTP firewall.


When the ZTP firewall connects to Panorama for the first time, it automatically upgrades to
the PAN-OS version you selected.
• Panorama running PAN-OS 11.1.0—If you are upgrading managed firewalls across PAN-OS
major or maintenance releases, the intermediary PAN-OS releases on your upgrade path are
installed first before the target PAN-OS release is installed.
For example, you configured the target To SW Version for the managed firewall as PAN-OS
11.1.0 and the firewall is running PAN-OS 10.2. On first connection to Panorama, PAN-OS
11.0.0 is installed on the managed firewall first. After PAN-OS 11.0.0 successfully installs,
the firewall is automatically upgraded to the target PAN-OS 11.1.0 release.
• Panorama running PAN-OS 11.0.1 and later releases—If you are upgrading managed
firewalls across PAN-OS major or maintenance releases, the intermediary PAN-OS
major releases on your upgrade path are installed and the base PAN-OS major release is
downloaded before the target PAN-OS maintenance release is installed.
For example, you configured the target To SW Version for the managed firewall as PAN-OS
11.0.1 and the firewall is running PAN-OS 10.0. On first connection to Panorama, PAN-OS
10.1.0 and PAN-OS 10.2.0 are installed on the managed firewall. After the managed firewall
reboots, PAN-OS 11.0.0 is downloaded and then the firewall automatically upgrades to the
target PAN-OS 11.0.1 release.

STEP 11 | Verify the ZTP firewall software upgrade.


1. Log in to the Panorama Web Interface.
2. Select Panorama > Managed Devices > Summary and navigate to the ZTP firewall(s).
3. Verify the Software Version column displays the correct target PAN-OS release.


STEP 12 | For all future PAN-OS upgrades, see Upgrade the Firewall to PAN-OS 11.1 from Panorama.


Install a PAN-OS Software Patch


Where Can I Use This?
• Next-Gen Firewall

What Do I Need?
• Support license
• PAN-OS 11.1.3 or later 11.1 release
• Outbound internet access

Review the PAN-OS 11.1 Release Notes and then use the following procedure to install a
PAN-OS software patch to address bugs and Common Vulnerabilities and Exposures (CVEs) in the
PAN-OS release currently running on your Next-Gen firewall. Installing a PAN-OS software patch
applies fixes to bugs and CVEs without the need to schedule a prolonged maintenance window and
allows you to strengthen your security posture immediately without introducing any new known
issues or changes to default behaviors that may come with installing a new PAN-OS release.
Additionally, you can revert the currently installed software patch to uninstall the bug and CVE
fixes applied when you installed the software patch.
A system log is generated (Monitor > Logs > System) when a PAN-OS software patch is installed
or reverted. An outbound internet connection is required to download the PAN-OS software
patch from the Palo Alto Networks Customer Support Portal.
• Install
• Revert

Install
STEP 1 | Log in to the firewall web interface.

STEP 2 | Select Device > Software and Check Now to retrieve the latest PAN-OS software patches
from the Palo Alto Networks Update Server.

STEP 3 | Check (enable) Include Patch to display all available PAN-OS software patches.

STEP 4 | Locate the software patch for the PAN-OS release currently installed on your Next-Gen
firewall.
A software patch is denoted by a Patch label displayed alongside the Version name.

STEP 5 | View More Info to review the software patch details such as the critical bug and CVE fixes
and whether the Next-Gen firewall needs to be restarted for the fixes to be applied.

STEP 6 | Download the software patch.


(HA only) Check (enable) Sync to HA Peer and Continue Download to download the PAN-OS
software patch.
Click Close after the software patch has successfully downloaded.


STEP 7 | Install the software patch.


After the software patch has successfully installed, click Close.

STEP 8 | Apply the software patch.


Click Apply when prompted to confirm you want to apply the installed PAN-OS software
patch to the Next-Gen firewall.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, the firewall automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to the Next-Gen firewall.

STEP 9 | (HA only) Install the PAN-OS software patch on the firewall HA peer.
1. Log in to the firewall web interface of the HA peer.
2. Select Device > Software and Check Now.
3. Install the software patch.
4. Reboot the firewall if required.

Revert
STEP 1 | Log in to the firewall web interface.

STEP 2 | Select Device > Software and locate the PAN-OS software patch you want to revert.

STEP 3 | Revert the software patch.


Click Revert when prompted to confirm you want to revert the installed PAN-OS software
patch on the Next-Gen firewall.
A status bar is displayed showing the current progress of the PAN-OS software patch
application. Click Close after the patch is successfully applied.
At this point, the firewall automatically reboots if a reboot is required to complete applying the
PAN-OS software patch to the Next-Gen firewall.


Downgrade PAN-OS
The way you downgrade a firewall from PAN-OS 11.1 depends on whether you are downgrading
to a previous feature release (where the first or second digit in the PAN-OS version changes, for
example, from 9.1.2 to 9.0.8 or from 9.0.3 to 8.1.14) or downgrading to a maintenance release
version within the same feature release (where the third digit in the release version changes,
for example, from 8.1.2 to 8.1.0). When you downgrade from one feature release to an earlier
feature release, you can migrate the configuration from the later release to accommodate new
features. To migrate the PAN-OS 11.1 configuration to an earlier PAN-OS release, first restore
the configuration for the feature release to which you are downgrading. You do not need to
restore the configuration when you downgrade from one maintenance release to another within
the same feature release.
• Downgrade a Firewall to a Previous Maintenance Release
• Downgrade a Firewall to a Previous Feature Release
• Downgrade a Windows Agent

Always downgrade into a configuration that matches the software version. Unmatched
software versions and configurations can result in failed downgrades or force the system
into maintenance mode. This only applies to a downgrade from one feature release to
another (for example 9.0.0 to 8.1.3), not to downgrades to maintenance releases within
the same feature release version (for example, 8.1.3 to 8.1.1).
If you have a problem with a downgrade, you may need to enter maintenance mode and
reset the device to factory default and then restore the configuration from the original
config file that was exported prior to the upgrade.

Downgrade a Firewall to a Previous Maintenance Release


Because maintenance releases do not introduce new features, you can downgrade to a previous
maintenance release in the same feature release without having to restore the previous
configuration. A maintenance release is a release in which the third digit in the release version
changes. For example, a downgrade from 10.1.6 to 10.1.4 is considered a maintenance release
downgrade because only the third digit in the release version is different.
Use the following procedure to downgrade to a previous maintenance release within the same
feature release.
STEP 1 | Save a backup of the current configuration file.

Although the firewall automatically creates a backup of the configuration, it is a best
practice to create a backup before you downgrade and store it externally.

1. Export named configuration snapshot (Device > Setup > Operations).


2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the downgrade.


STEP 2 | Install the previous maintenance release image.

If your firewall does not have internet access from the management port, you can
download the software update from the Palo Alto Networks Support Portal. You can
then manually Upload it to your firewall.

1. Check Now (Device > Software) for available images.


(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox.
2. Locate the version to which you want to downgrade. If the image is not already
downloaded, then Download it.
3. After the download completes, Install the image.
4. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, go to Device Operations (Device > Setup >
Operations) and Reboot Device.

Downgrade a Firewall to a Previous Feature Release


Use the following workflow to restore the configuration that was running before you upgraded
to a different feature release. Any changes made since the upgrade are lost. Therefore, it is
important to back up your current configuration so you can restore those changes when you
return to the newer feature release. Review the Upgrade/Downgrade Considerations before you
downgrade a firewall to a previous feature release.

To downgrade from PAN-OS 11.1 to an earlier PAN-OS release, you must download and
install PAN-OS 10.1.3 or later PAN-OS 10.1 release before you can continue on your
downgrade path to your target PAN-OS release. Downgrade from PAN-OS 11.1 fails if
you attempt to downgrade to PAN-OS 10.1.2 or earlier PAN-OS 11.1 release.

Use the following procedure to downgrade to a previous feature release.


STEP 1 | Save a backup of the current configuration file.

Although the firewall automatically creates a backup of the configuration, it is a best
practice to create a backup before you upgrade and store it externally.

1. Export named configuration snapshot (Device > Setup > Operations).


2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the downgrade.


STEP 2 | Install the previous feature release image.

Autosave versions are created when you upgrade to a new release.

1. Check Now (Device > Software) for available images.


2. Install PAN-OS 10.1.
Downgrading from PAN-OS 11.1 to a previous feature release requires that you
first downgrade to PAN-OS 10.1.3 or later PAN-OS 10.1 release. After successfully
downgrading to PAN-OS 10.1.3 or later PAN-OS 10.1 release, you can continue
downgrading to your target PAN-OS version.
   1. Locate and Download the PAN-OS 11.1 image.
   2. Install the PAN-OS 11.1 image.
3. Locate the target PAN-OS image to which you want to downgrade. If the image is not
already downloaded, then Download it.
4. After the download completes, Install the image.
5. Select a Config File for Downgrading, which the firewall will load after you reboot the
device. In most cases, you should select the configuration that was saved automatically
when you upgraded from the release to which you are now downgrading. For example,
if you are running PAN-OS 11.1 and are downgrading to PAN-OS 10.2.2, select
autosave-10.2.2.
6. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, go to Device Operations (Device > Setup >
Operations) and Reboot Device.
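
The downgrade rules above can be checked before a change window with a short script. The following is an added example, not part of the Palo Alto Networks guide: it classifies a downgrade as a maintenance or feature release downgrade, names the autosave configuration to select, and inserts the intermediate 10.1 hop when a downgrade from PAN-OS 11.1 targets 10.1.2 or earlier. The function and class names are hypothetical, and it assumes targets newer than 10.1.2 are installed as a single step.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# From the guide: a downgrade from PAN-OS 11.1 to 10.1.2 or earlier fails
# unless PAN-OS 10.1.3 or a later 10.1 release is installed first.
GATED_FEATURE_RELEASE = (11, 1)
GATE_FLOOR = (10, 1, 3)
GATE_HOP = "10.1.3 or later 10.1 release"


def parse_version(text: str) -> tuple:
    """Turn 'x.y.z' into (x, y, z) so digits compare numerically (14 > 8)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"expected a PAN-OS x.y.z version, got {text!r}")
    return tuple(int(part) for part in match.groups())


@dataclass
class DowngradePlan:
    kind: str                   # "maintenance" or "feature"
    restore_config: bool        # must a matching configuration be loaded?
    config_file: Optional[str]  # autosave name to select, if any
    hops: List[str] = field(default_factory=list)  # images to install, in order


def plan_downgrade(current: str, target: str) -> DowngradePlan:
    """Plan a downgrade from `current` to `target` using the guide's rules."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt >= cur:
        raise ValueError(f"{target} is not older than {current}")

    # Only the third digit differs: maintenance release downgrade,
    # which does not need a configuration restore.
    if cur[:2] == tgt[:2]:
        return DowngradePlan("maintenance", False, None, [target])

    # First or second digit differs: feature release downgrade. The
    # configuration must match the software version being installed.
    hops = [target]
    if cur[:2] == GATED_FEATURE_RELEASE and tgt < GATE_FLOOR:
        hops.insert(0, GATE_HOP)
    return DowngradePlan("feature", True, f"autosave-{target}", hops)


if __name__ == "__main__":
    # Constructed sample inputs, using version pairs mentioned in the guide.
    for cur, tgt in [("11.1.0", "10.2.2"), ("11.1.0", "10.1.2"), ("10.1.6", "10.1.4")]:
        print(cur, "->", tgt, plan_downgrade(cur, tgt))
```
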

Downgrade a Windows Agent


After you uninstall the PAN-OS 11.1 Windows-based User-ID agent, perform the following steps
before you install an earlier agent release.
STEP 1 | Open the Windows Start menu and select Administrative Tools.

STEP 2 | Select Computer Management > Services and Applications > Services and double-click
User-ID Agent.

STEP 3 | Select Log On, select This account, and specify the username for the User-ID agent account.

STEP 4 | Enter the Password and Confirm Password.

STEP 5 | Click OK to save your changes.


Troubleshoot Your PAN-OS Upgrade


To troubleshoot your PAN-OS upgrade, use the following table to review possible issues and how
to resolve them.

Symptom: The software warranty license expired.
Resolution: From the CLI, delete the expired license key:
1. Enter delete license key <software license key>.
2. Enter delete license key Software_Warranty<expiredate>.key.

Symptom: The latest PAN-OS software versions were not available.
Resolution: You can only see software versions that are one feature release ahead of the
current installed version. For example, if you have a 9.1 release installed, only 10.0 releases
will be available to you. To see 11.1 releases, you first have to upgrade to 10.1.

Symptom: Checking for dynamic updates failed.
Resolution: This issue occurs due to a network connectivity error. See the KnowledgeBase
article Dynamic Updates Display Error After Clicking On Check Now Button.

Symptom: No valid device certificate was found.
Resolution: In PAN-OS 9.1.3 and later versions, a device certificate must be installed if you
are leveraging a Palo Alto Networks cloud service. To install the device certificate:
1. Log in to the Customer Support Portal.
2. Select Generate OTP (Assets > Device Certificates).
3. In Device Type, select Generate OTP for Next-Gen Firewalls.
4. Select your PAN-OS device serial number.
5. Generate OTP and copy the one-time password.
6. Log in to the firewall as an admin user.
7. Select Device Certificate (Device > Setup > Management > Device > Certificate) and
Get Certificate.
8. Paste the OTP and click OK.

Symptom: The software image file failed to load onto the software manager due to an image
authentication error.
Resolution: To update the software image list, click Check Now. This establishes a new
connection to the update server.

Symptom: The VMware NSX plugin version was not compatible with the new software version.
Resolution: The VMware NSX plugin was automatically installed upon upgrade to 8.0. If you
are not using the plugin, you can uninstall it.

Symptom: The reboot time after upgrading to PAN-OS 9.1 was longer than expected.
Resolution: Upgrade to Applications and Threats Content Release Version 8221 or later. For
more information on minimum software and content versions, see 11.1 Associated Software
and Content Versions.

Symptom: The device did not have support even when licenses are active.
Resolution: In Device > Software, click Check Now. This updates the licensing information
on the firewall by establishing a new connection to the update server. If this does not work
from the web interface, use request system software check.

Symptom: The firewall did not have a DHCP address assigned to it by the DHCP server.
Resolution: Configure a security policy rule allowing the traffic from the ISP DHCP server to
the internal networks.

Symptom: The firewall continuously boots into maintenance mode.
Resolution: In the CLI, Access the Maintenance Recovery Tool (MRT). In the MRT window,
select Continue > Disk Image. Select either Reinstall <current version> or Revert to
<previous version>. Once the revert or reinstall operation completes, select Reboot.

Symptom: In an HA configuration, the firewall goes into a suspended state after upgrading
the peer firewall with an error that the firewall is too old.
Resolution: Upgrading one firewall to a version that is more than one major release ahead
will result in a network outage. You must upgrade both firewalls only one major release ahead
before upgrading to the next major release. Downgrade the peer firewall to the version that
the suspended firewall stopped at.

Upgrade the VM-Series Firewall
• Upgrade the VM-Series PAN-OS Software (Standalone)
• Upgrade the VM-Series PAN-OS Software (HA Pair)
• Upgrade the VM-Series PAN-OS Software Using Panorama
• Upgrade the PAN-OS Software Version (VM-Series for NSX)
• Upgrade the VM-Series Model
• Upgrade the VM-Series Model in an HA Pair
• Downgrade a VM-Series Firewall to a Previous Release


Upgrade the VM-Series PAN-OS Software (Standalone)


Review the new features, addressed issues, and known issues and then use the following
procedure to upgrade a firewall that is not in an HA configuration.

To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewall
is connected to a reliable power source. A loss of power during an upgrade can make the
firewall unusable.

STEP 1 | Verify that enough hardware resources are available to the VM-Series firewall.
Refer to the VM-Series System Requirements to see the resource requirements for each VM-
Series model. Allocate additional hardware resources before continuing the upgrade process;
the process for assigning additional hardware resources differs on each hypervisor.
If the VM-Series firewall does not have the required resources for the model, it defaults to the
capacity associated with the VM-50.

STEP 2 | From the web interface, navigate to Device > Licenses and make sure you have the correct
VM-Series firewall license and that the license is activated.
On the VM-Series firewall standalone version, navigate to Device > Support and make sure
that you have activated the support license.

STEP 3 | Save a backup of the current configuration file.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 4 | If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-
to-username and group mappings so that they can be repopulated with the attributes from
the User-ID sources. To estimate the time required for your environment to repopulate the
mappings, run the following CLI commands on the firewall.
• For IP address-to-username mappings:
• show user user-id-agent state all
• show user server-monitor state all
• For group mappings: show user group-mapping statistics


STEP 5 | Ensure that the firewall is running the latest content release version.
1. Select Device > Dynamic Updates and see which Applications or Applications and
Threats content release version is Currently Installed.
2. If the firewall is not running the minimum required content release version or a later
version required for PAN-OS, Check Now to retrieve a list of available updates.
3. Locate and Download the desired content release version.
After you successfully download a content update file, the link in the Action column
changes from Download to Install for that content release version.
4. Install the update.

STEP 6 | Upgrade the VM-Series plugin.


1. Before upgrading, check the latest Release Notes for details on whether a new VM-
Series plugin affects your environment.
For example, suppose a new VM-Series plugin version only includes AWS features. To
take advantage of the new features, you must update the plugin on your VM-Series
firewall instances on AWS.

Do not install an upgrade that does not apply to your environment.

2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
3. Select Device > Plugins to view the plugin version. Use Check Now to check for
updates.
4. Select the version of the plugin and click Install in the Action column to install the plugin.

STEP 7 | Upgrade PAN-OS.

If your firewall does not have internet access from the management port, you can
download the software image from the Palo Alto Networks Customer Support
Portal and then manually Upload it to your firewall.

1. Select Device > Software and click Check Now to display the latest PAN-OS updates.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Locate and Download the target PAN-OS version.
3. After you download the image (or, for a manual upgrade, after you upload the image),
Install the image.
4. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and click
Reboot Device.

At this point, the firewall clears the User-ID mappings, then connects to the
User-ID sources to repopulate the mappings.
5. If you have enabled User-ID, use the following CLI commands to verify that the firewall
has repopulated the IP address-to-username and group mappings before allowing traffic.
• show user ip-user-mapping all
• show user group list
6. If you are upgrading to an XFR release for the first time, repeat this step to upgrade to
the corresponding XFR release.

STEP 8 | Verify that the firewall is passing traffic.


Select Monitor > Session Browser and verify that you are seeing new sessions.


Upgrade the VM-Series PAN-OS Software (HA Pair)


Use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration.
This procedure applies to both active/passive and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration,
update one HA peer at a time: For active/active firewalls, it doesn’t matter which peer you
upgrade first (though for simplicity, this procedure shows you how to upgrade the active-
secondary peer first). For active/passive firewalls, you must upgrade the passive peer first,
suspend the active peer (fail over), update the active peer, and then return that peer to a
functional state (fail back). To prevent failover during the upgrade of the HA peers, you must
make sure preemption is disabled before proceeding with the upgrade. You only need to disable
preemption on one peer in the pair.

To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewalls
are connected to a reliable power source. A loss of power during an upgrade can make
firewalls unusable.

STEP 1 | Verify that enough hardware resources are available to the VM-Series firewall.
Refer to the VM-Series System Requirements to see the resource requirements for each VM-
Series model. Allocate additional hardware resources before continuing the upgrade process;
the process for assigning additional hardware resources differs on each hypervisor.
If the VM-Series firewall does not have the required resources for the model, it defaults to the
capacity associated with the VM-50.

STEP 2 | From the web interface, navigate to Device > Licenses and make sure you have the correct
VM-Series firewall license and that the license is activated.
On the VM-Series firewall standalone version, navigate to Device > Support and make sure
that you have activated the support license.

STEP 3 | Save a backup of the current configuration file.

Although the firewall automatically creates a backup of the configuration, it is a best
practice to create and externally store a backup before you upgrade.

Perform these steps on each firewall in the pair:


1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 4 | If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-
to-username and group mappings so that they can be repopulated with the attributes from
the User-ID sources. To estimate the time required for your environment to repopulate the
mappings, run the following CLI commands on the firewall.
• For IP address-to-username mappings:
• show user user-id-agent state all
• show user server-monitor state all
• For group mappings: show user group-mapping statistics

STEP 5 | Ensure that each firewall in the HA pair is running the latest content release version.
Refer to the release notes for the minimum content release version you must install for a PAN-
OS 11.0 release. Make sure to follow the Best Practices for Application and Threat Updates.
1. Select Device > Dynamic Updates and check which Applications or Applications and
Threats content release version is Currently Installed.
2. If the firewalls are not running the minimum required content release version or a later
version required for the software version you are installing, Check Now to retrieve a list
of available updates.
3. Locate and Download the desired content release version.
After you successfully download a content update file, the link in the Action column
changes from Download to Install for that content release version.
4. Install the update. You must install the update on both peers.

STEP 6 | Upgrade the VM-Series plugin.


1. Before upgrading, check the latest Release Notes for details on whether a new VM-
Series plugin affects your environment.
For example, suppose a new VM-Series plugin version only includes AWS features. To
take advantage of the new features, you must update the plugin on your VM-Series
firewall instances on AWS.

Do not install an upgrade that does not apply to your environment.

2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
3. Select Device > Plugins to view the plugin version. Use Check Now to check for
updates.
4. Select the version of the plugin and click Install in the Action column to install the plugin.
When installing the plugin on VM-Series firewalls in an HA pair, install the plugin on the
passive peer before the active peer. After installing the plugin on the passive peer, it will
transition to a non-functional state. Installing the plugin on the active peer returns the
passive peer to a functional state.


STEP 7 | Disable preemption on the first peer in each pair. You only need to disable this setting on
one firewall in the HA pair but ensure that the commit is successful before you proceed with
the upgrade.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.
3. Commit the change.

STEP 8 | Install the PAN-OS release on the first peer.


To minimize downtime in an active/passive configuration, upgrade the passive peer first. For
an active/active configuration, upgrade the secondary peer first. As a best practice, if you are
using an active/active configuration, we recommend upgrading both peers during the same
maintenance window.

If you want to test that HA is functioning properly before the upgrade, consider
upgrading the active peer in an active/passive configuration first to ensure that
failover occurs without incident.

1. On the first peer, select Device > Software and click Check Now for the latest updates.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Locate and Download the target PAN-OS version.

If your firewall does not have internet access from the management port, you
can download the software image from the Palo Alto Networks Support Portal
and then manually Upload it to your firewall.
3. After you download the image (or, for a manual upgrade, after you upload the image),
Install the image.
4. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
5. After the device finishes rebooting, view the High Availability widget on the Dashboard
and verify that the device you just upgraded is still the passive or active-secondary peer
in the HA configuration.


STEP 9 | Install the PAN-OS release on the second peer.


1. (Active/passive configurations only) Suspend the active peer so that HA fails over to the
peer you just upgraded.
   1. On the active peer, select Device > High Availability > Operational Commands and
   click Suspend local device.
   2. View the High Availability widget on the Dashboard and verify that the state changes
   to Passive.
   3. On the other peer, verify that it is active and is passing traffic (Monitor > Session
   Browser).
2. On the second peer, select Device > Software and click Check Now for the latest
updates.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
3. Locate and Download the target PAN-OS version.
4. After you download the image, Install it.
5. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
6. (Active/passive configurations only) From the CLI of the peer you just upgraded, run the
following command to make the firewall functional again:
request high-availability state functional

STEP 10 | Verify that both peers are passing traffic as expected.


In an active/passive configuration, only the active peer should be passing traffic; both peers
should be passing traffic in an active/active configuration.
Run the following CLI commands to confirm that the upgrade succeeded:
• (Active peers only) To verify that active peers are passing traffic, run the show session
all command.
• To verify session synchronization, run the show high-availability interface ha2
command and make sure that the Hardware Interface counters on the CPU table are
increasing as follows:
• In an active/passive configuration, only the active peer shows packets transmitted; the
passive peer will show only packets received.

If you enabled HA2 keep-alive, the hardware interface counters on the passive
peer will show both transmit and receive packets. This occurs because HA2
keep-alive is bi-directional, which means that both peers transmit HA2 keep-
alive packets.
• In an active/active configuration, you will see packets received and packets transmitted
on both peers.
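
The HA2 counter expectations in STEP 10 can be written down as a check over two counter samples taken a short time apart. This is an added example, not part of the Palo Alto Networks guide: the function name, role labels, and sample values are hypothetical, and the counters are entered as plain integers read from the show high-availability interface ha2 output rather than parsed from it.

```python
VALID_MODES = ("active/passive", "active/active")


def _growth(before, after, key):
    """Counter growth between two samples, or None if it went backwards."""
    delta = after[key] - before[key]
    return delta if delta >= 0 else None


def check_ha2_counters(mode, keepalive, samples):
    """Compare HA2 counter growth with the pattern the guide describes.

    mode      -- "active/passive" or "active/active"
    keepalive -- True if HA2 keep-alive is enabled
    samples   -- {role: (before, after)}; each sample is {"tx": int, "rx": int}
                 and role is "active"/"passive" in active/passive mode.
    Returns a list of findings; an empty list means the pattern matches.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"unknown HA mode: {mode!r}")

    findings = []
    for role, (before, after) in samples.items():
        tx = _growth(before, after, "tx")
        rx = _growth(before, after, "rx")
        if tx is None or rx is None:
            # A reboot between samples resets counters; the pair is unusable.
            findings.append(f"{role}: counters went backwards, take new samples")
            continue

        if mode == "active/active":
            # Both peers must show packets received and transmitted.
            if tx == 0:
                findings.append(f"{role}: no HA2 packets transmitted")
            if rx == 0:
                findings.append(f"{role}: no HA2 packets received")
        elif role == "active":
            if tx == 0:
                findings.append("active: no HA2 packets transmitted")
        elif role == "passive":
            if rx == 0:
                findings.append("passive: no HA2 packets received")
            if keepalive and tx == 0:
                # Keep-alive is bi-directional, so the passive peer transmits too.
                findings.append("passive: keep-alive enabled but nothing transmitted")
            if not keepalive and tx > 0:
                findings.append("passive: transmitting although keep-alive is off")
        else:
            raise ValueError(f"unknown role for {mode}: {role!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values for an active/passive pair without keep-alive.
    pair = {
        "active": ({"tx": 100, "rx": 0}, {"tx": 250, "rx": 0}),
        "passive": ({"tx": 0, "rx": 100}, {"tx": 0, "rx": 250}),
    }
    print(check_ha2_counters("active/passive", False, pair) or "HA2 sync looks healthy")
```
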


STEP 11 | If you disabled preemption prior to the upgrade, re-enable it now.


1. Select Device > High Availability and edit the Election Settings.
2. Select Preemptive and click OK.
3. Commit the change.


Upgrade the VM-Series PAN-OS Software Using Panorama

Use the following procedure to upgrade firewalls that you manage with Panorama. This procedure
applies to standalone firewalls and firewalls deployed in a high availability (HA) configuration.

If Panorama is unable to connect directly to the update server, follow the procedure for
deploying updates to firewalls when Panorama is not internet-connected so that you
can manually download images to Panorama and then distribute the images to firewalls.

Before you can upgrade firewalls from Panorama, you must:


• Make sure Panorama is running the same or a later PAN-OS version than you are upgrading
to. You must upgrade Panorama and its Log Collectors to 9.1 before upgrading the managed
firewalls to this version. In addition, when upgrading Log Collectors to 9.1, you must upgrade
all Log Collectors at the same time due to changes in the logging infrastructure.
• Plan for an extended maintenance window of up to six hours when upgrading Panorama to
9.1. This release includes significant infrastructure changes, which means that the Panorama
upgrade will take longer than in previous releases.
• Ensure that firewalls are connected to a reliable power source. A loss of power during an
upgrade can make a firewall unusable.
STEP 1 | After upgrading Panorama, commit and push the configuration to the firewalls you are
planning to upgrade.

STEP 2 | Verify that enough hardware resources are available to the VM-Series firewall.
Refer to the VM-Series System Requirements to see the resource requirements for each VM-
Series model. Allocate additional hardware resources before continuing the upgrade process;
the process for assigning additional hardware resources differs on each hypervisor.
If the VM-Series firewall does not have the required resources for the model, it defaults to the
capacity associated with the VM-50.

STEP 3 | From the web interface, navigate to Device > Licenses and make sure you have the correct
VM-Series firewall license and that the license is activated.
On the VM-Series firewall standalone version, navigate to Device > Support and make sure
that you have activated the support license.


STEP 4 | Save a backup of the current configuration file on each managed firewall you plan to
upgrade.

Although the firewall automatically creates a configuration backup, it is a best practice
to create and externally store a backup before you upgrade.

1. From the Panorama web interface, select Panorama > Setup > Operations and
click Export Panorama and devices config bundle to generate and export the latest
configuration backup of Panorama and of each managed appliance.
2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 5 | Update the content release version on the firewalls you plan to upgrade.
Refer to the Release Notes for the minimum content release version required for PAN-
OS 11.0. Make sure to follow the Best Practices for Application and Threat Updates when
deploying content updates to Panorama and managed firewalls.
1. Select Panorama > Device Deployment > Dynamic Updates and Check Now for the
latest updates. If an update is available, the Action column displays a Download link.
2. If not already installed, Download the latest content release version.
3. Click Install, select the firewalls on which you want to install the update, and click OK. If
you are upgrading HA firewalls, you must update content on both peers.

STEP 6 | (HA firewall upgrades only) If you will be upgrading firewalls that are part of an HA pair,
disable preemption. You need only disable this setting on one firewall in each HA pair.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.
3. Commit your change. Make sure the commit is successful before you proceed with the
upgrade.

STEP 7 | Download the target PAN-OS release image.


1. Select Panorama > Device Deployment > Software and Check Now for the latest
release versions.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Download the firewall-specific file (or files) for the release version to which you are
upgrading. You must download a separate installation file for each firewall model (or
firewall series) that you intend to upgrade.


STEP 8 | Install the PAN-OS software update on the firewalls.


1. Click Install in the Action column that corresponds to the firewall models you want to
upgrade.
2. In the Deploy Software file dialog, select all firewalls that you want to upgrade. To
reduce downtime, select only one peer in each HA pair. For active/passive pairs, select
the passive peer; for active/active pairs, select the active-secondary peer.
3. (HA firewall upgrades only) Make sure Group HA Peers is not selected.
4. Select Reboot device after install.
5. To begin the upgrade, click OK.
6. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
7. After the firewalls finish rebooting, select Panorama > Managed Devices and verify the
Software Version is 9.1.0 for the firewalls you upgraded. Also verify that the HA status
of any passive firewalls you upgraded is still passive.

STEP 9 | (HA firewall upgrades only) Upgrade the second HA peer in each HA pair.
1. (Active/passive upgrades only) Suspend the active device in each active/passive pair you
are upgrading.
1. Switch context to the active firewall.
2. In the High Availability widget on the Dashboard, verify that Local firewall state is
Active and the Peer is Passive.
3. Select Device > High Availability > Operational Commands > Suspend local device.
4. Go back to the High Availability widget on the Dashboard and verify that Local
changed to Passive and Peer changed to Active.
2. Go back to the Panorama context and select Panorama > Device Deployment >
Software.
3. Click Install in the Action column that corresponds to the firewall models of the HA pairs
you are upgrading.
4. In the Deploy Software file dialog, select all firewalls that you want to upgrade. This
time, select only the peers of the HA firewalls you just upgraded.
5. Make sure Group HA Peers is not selected.
6. Select Reboot device after install.
7. To begin the upgrade, click OK.
8. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
9. (Active/passive upgrades only) From the CLI of the peer you just upgraded, run the
following command to make the firewall functional again:
request high-availability state functional


STEP 10 | (PAN-OS XFR upgrade only) Upgrade the first peer and second peer to PAN-OS XFR by
repeating Step 8 and Step 9.

STEP 11 | Verify the software and content release version running on each managed firewall.
1. On Panorama, select Panorama > Managed Devices.
2. Locate the firewalls and review the content and software versions in the table.
For HA firewalls, you can also verify that the HA Status of each peer is as expected.

STEP 12 | (HA firewall upgrades only) If you disabled preemption on one of your HA firewalls before
you upgraded, then edit the Election Settings (Device > High Availability) and re-enable the
Preemptive setting for that firewall and then Commit the change.
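
The selection rule in Step 8 and Step 9 (passive or active-secondary peers first, then their peers) and the post-reboot checks can be expressed as a short script. This is an added example, not code from Palo Alto Networks; the inventory records, serials, versions and field names are constructed for illustration and are not a PAN-OS or Panorama API.

```python
"""Plan and verify the two-pass HA upgrade described in Steps 8, 9 and 11.

Added example: all records, serials and field names are constructed and
hypothetical; populate them from your own inventory export.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Firewall:
    serial: str
    sw_version: str
    ha_state: Optional[str] = None   # None means standalone
    ha_peer: Optional[str] = None    # serial of the HA peer, if any


# Peers the guide upgrades first: passive (A/P) or active-secondary (A/A).
FIRST_PASS_STATES = {"passive", "active-secondary"}
VALID_PAIRS = {
    frozenset({"active", "passive"}),
    frozenset({"active-primary", "active-secondary"}),
}


def plan_passes(inventory):
    """Return (first_pass, second_pass, problems) as sorted lists of strings."""
    by_serial = {fw.serial: fw for fw in inventory}
    first, second, problems = [], [], []
    for fw in inventory:
        if fw.ha_peer is None:
            first.append(fw.serial)          # standalone: no peer to protect
            continue
        peer = by_serial.get(fw.ha_peer)
        if peer is None or peer.ha_peer != fw.serial:
            problems.append(f"{fw.serial}: HA peer {fw.ha_peer} missing or not reciprocal")
        elif frozenset({fw.ha_state, peer.ha_state}) not in VALID_PAIRS:
            # e.g. a suspended or non-functional peer: fix HA before upgrading
            problems.append(f"{fw.serial}: unexpected HA states {fw.ha_state}/{peer.ha_state}")
        elif fw.ha_state in FIRST_PASS_STATES:
            first.append(fw.serial)
        else:
            second.append(fw.serial)
    return sorted(first), sorted(second), sorted(problems)


def verify_pass(before, after, upgraded, target_version):
    """Check the post-reboot conditions for the serials that were upgraded."""
    prev = {fw.serial: fw for fw in before}
    now = {fw.serial: fw for fw in after}
    findings = []
    for serial in upgraded:
        fw = now.get(serial)
        if fw is None:
            findings.append(f"{serial}: not reported after reboot")
            continue
        if fw.sw_version != target_version:
            findings.append(f"{serial}: running {fw.sw_version}, expected {target_version}")
        was = prev.get(serial)
        if was is not None and was.ha_state == "passive" and fw.ha_state != "passive":
            findings.append(f"{serial}: was passive, now {fw.ha_state}")
    return findings


# Constructed sample data.
TARGET = "11.1.3"
INVENTORY = [
    Firewall("FW-A1", "11.0.0", "active", "FW-A2"),
    Firewall("FW-A2", "11.0.0", "passive", "FW-A1"),
    Firewall("FW-B1", "11.0.0", "active-primary", "FW-B2"),
    Firewall("FW-B2", "11.0.0", "active-secondary", "FW-B1"),
    Firewall("FW-C1", "11.0.0"),
    Firewall("FW-D1", "11.0.0", "active", "FW-D2"),
    Firewall("FW-D2", "11.0.0", "suspended", "FW-D1"),
]
# State after the first pass: FW-C1 did not take the new image.
AFTER_FIRST_PASS = [
    replace(fw, sw_version=TARGET) if fw.serial in {"FW-A2", "FW-B2"} else fw
    for fw in INVENTORY
]

if __name__ == "__main__":
    first, second, problems = plan_passes(INVENTORY)
    print("first pass:", first)
    print("second pass:", second)
    print("resolve before upgrading:", problems)
    print("after first pass:", verify_pass(INVENTORY, AFTER_FIRST_PASS, first, TARGET))
```

Pairs reported under problems are left out of both passes on purpose, so an HA pair that is already degraded is not rebooted until its state is understood.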


Upgrade the PAN-OS Software Version (VM-Series for NSX)
Choose the upgrade method that best suits your deployment.
• Upgrade the VM-Series for NSX During a Maintenance Window—use this option to upgrade
the VM-Series firewall during a maintenance window without changing the OVF URL in the
service definition.
• Upgrade the VM-Series for NSX without disrupting traffic—use this option to upgrade the VM-
Series firewall without disrupting service to the guest VMs or changing the OVF URL in the
service definition.
The following graphic displays the currently supported combinations of Panorama and the
Panorama plugin for VMware NSX, as well as the upgrade paths you are required to follow to
upgrade successfully.
• Each box below represents a supported combination.
• When upgrading the Panorama plugin for NSX or Panorama in an HA pair, upgrade the passive
Panorama peer first, followed by the active HA peer.
Before upgrading your VM-Series for VMware NSX deployment, review the upgrade paths shown
below to understand the upgrade steps to arrive at the plugin and PAN-OS combination that best
suits your environment.


Upgrade the VM-Series for NSX During a Maintenance Window


For the VM-Series Firewall NSX edition, use Panorama to upgrade the software version on the
firewalls.
STEP 1 | Review the VM-Series for VMware NSX upgrade paths.

STEP 2 | Allocate additional hardware resources to your VM-Series firewall.


Verify that enough hardware resources are available to the VM-Series firewall. Refer to the
VM-Series System Requirements to see the new resource requirements for each VM-Series
model. Allocate additional hardware resources before continuing the upgrade process. The
process for assigning additional hardware resources differs on each hypervisor.

STEP 3 | Save a backup of the current configuration file on each managed firewall that you plan to
upgrade.

Although the firewall will automatically create a backup of the configuration, it is a
best practice to create a backup prior to upgrade and store it externally.

1. Select Device > Setup > Operations and click Export Panorama and devices config
bundle. This option is used to manually generate and export the latest version of the
configuration backup of Panorama and of each managed device.
2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.

STEP 4 | Check the Release Notes to verify the Content Release version required for the PAN-OS
version.
The firewalls you plan to upgrade must be running the Content Release version required for
the PAN-OS version.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner
of the window) to check for the latest updates. The link in the Action column indicates
whether an update is available. If a version is available, the Download link displays.
3. Click Download to download a selected version. After successful download, the link in
the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the
installation completes, a check mark displays in the Currently Installed column.


STEP 5 | Deploy software updates to selected firewalls.

If your firewalls are configured in HA, make sure to clear the Group HA Peers check
box and upgrade one HA peer at a time.

1. Select Panorama > Device Deployment > Software.


2. Check for the latest updates. Click Check Now (located in the lower left-hand corner
of the window) to check for the latest updates. The link in the Action column indicates
whether an update is available.
(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
3. Review the File Name and click Download. Verify that the software versions that
you download match the firewall models deployed on your network. After successful
download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the software version.
5. Select Reboot device after install, and click OK.
6. If you have devices configured in HA, clear the Group HA Peers check box and upgrade
one HA peer at a time.

STEP 6 | Verify the software and Content Release version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions on the table.

Upgrade the VM-Series for NSX Without Disrupting Traffic


Use the following procedure to upgrade the PAN-OS version of the VM-Series firewalls in your
VMware NSX environment. This procedure allows you to perform the PAN-OS upgrade without
disrupting traffic by migrating VMs to different ESXi hosts.
STEP 1 | Review the VM-Series for VMware NSX upgrade paths.

STEP 2 | Save a backup of the current configuration file on each managed firewall that you plan to
upgrade.

Although the firewall will automatically create a backup of the configuration, it is a
best practice to create a backup prior to upgrade and store it externally.

1. Select Device > Setup > Operations and click Export Panorama and devices config
bundle. This option is used to manually generate and export the latest version of the
configuration backup of Panorama and of each managed device.
2. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the upgrade.


STEP 3 | Check the Release Notes to verify the Content Release version required for the PAN-OS
version.
The firewalls you plan to upgrade must be running the Content Release version required for
the PAN-OS version.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner
of the window) to check for the latest updates. The link in the Action column indicates
whether an update is available. If a version is available, the Download link displays.
3. Click Download to download a selected version. After successful download, the link in
the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the
installation completes, a check mark displays in the Currently Installed column.

STEP 4 | Download the PAN-OS image to all VM-Series firewalls in the cluster.
1. Log in to Panorama.
2. Select Panorama > Device Deployment > Software.
3. Click Refresh to view the latest software release and also review the Release Notes to
view a description of the changes in a release and to view the migration path to install
the software.
4. Click Download to retrieve the software then click Install.

Do not reboot the VM-Series firewalls after installing the new software image.

5. Select the managed devices to be upgraded.


6. Clear the Reboot device after install check box.

7. Click OK.


STEP 5 | Upgrade the VM-Series firewall on the first ESXi host in the cluster.
1. Log in to vCenter.
2. Select Hosts and Clusters.
3. Right-click the host and select Maintenance Mode > Enter Maintenance Mode.
4. Migrate (automatically or manually) all VMs, except the VM-Series firewall, off of the
host.
5. Power off the VM-Series firewall. This should happen automatically upon entering
maintenance mode on the host.
6. (Optional) Assign additional CPUs or memory to the VM-Series firewall before
continuing with the upgrade process.
Verify that enough hardware resources are available to the VM-Series firewall. Refer to
the VM-Series models to see the new resource requirements for each VM-Series model.
7. Right-click the host and select Maintenance Mode > Exit Maintenance Mode. Exiting
maintenance mode causes the NSX ESX Agent Manager (EAM) to power on the VM-
Series firewall. The firewall reboots with the new PAN-OS version.
8. Migrate (automatically or manually) all VMs back to the original host.

STEP 6 | Repeat this process for each VM-Series firewall on each ESXi host.

STEP 7 | Verify the software and Content Release version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions on the table.


Upgrade the VM-Series Model


The licensing process for the VM-Series firewall uses the UUID and the CPU ID to generate a
unique serial number for each VM-Series firewall. Hence, when you generate a license, the license
is mapped to a specific instance of the VM-Series firewall and cannot be modified.
Use the instructions in this section if you are:
• Migrating from an evaluation license to a production license.
• Upgrading the model to allow for increased capacity. For example, you want to upgrade from
the VM-100 to the VM-300 model.

• Upgrading capacity, which restarts some critical processes on the firewall. An HA
configuration is recommended to minimize service disruption; to upgrade the capacity
on a HA pair, see Upgrade the VM-Series Model in an HA Pair.
• In a private or public cloud deployment, if your firewall is licensed with the BYOL
option, you must deactivate your VM before you change the instance type or VM
type. Upgrading the model or instance changes the UUID and CPU ID, so you must
apply the license when the .

STEP 1 | Allocate additional hardware resources to your VM-Series firewall.


Before initiating the capacity upgrade, you must verify that enough hardware resources are
available to the VM-Series firewall to support the new capacity. The process for assigning
additional hardware resources differs on each hypervisor.
To check the hardware requirements for your new VM-Series model, see VM-Series Models.
Although the capacity upgrade does not require a reboot of the VM-Series firewall, you need
to power down the virtual machine to change the hardware allocation.


STEP 2 | Retrieve the license API key from the Customer Support portal.
1. Log in to the Customer Support Portal.

Make sure that you are using the same account that you used to register the
initial license.
2. From the menu on the left, select Assets > API Key Management.
3. Copy the API key.

STEP 3 | On the firewall, use the CLI to install the API key copied in the previous step.

request license api-key set key <key>

STEP 4 | (If you have internet access) Enable the firewall to Verify Update Server identity on Device
> Setup > Service.

STEP 5 | Commit your changes. Ensure that you have a locally-configured user on the firewall.
Panorama pushed users might not be available after the deactivation if the configuration
exceeds the non-licensed PA-VM objects limit.


STEP 6 | Upgrade the capacity.


Select Device > Licenses > Upgrade VM Capacity and then activate your licenses and
subscriptions in one of the following ways:
• (internet) Retrieve license keys from license server—Use this option if you activated your
license on the Customer Support portal.
• (internet) Use an authorization code—Use this option to upgrade the VM-Series capacity
using an authorization code for licenses that have not been previously activated on the
support portal. When prompted, enter the Authorization Code and then click OK.
• (no internet) Manually upload license key—Use this option if your firewall does not have
internet connectivity to the Customer Support portal. From a computer with access to the
internet, log in to the CSP, download a license key file, transfer it to a computer in the same
network as the firewall, and upload it to the firewall.

STEP 7 | Verify that your firewall is licensed successfully.


On the Device > Licenses page, verify that the license was successfully activated.


Upgrade the VM-Series Model in an HA Pair


Upgrading the VM-Series firewall allows you to increase the capacity on the firewall. Capacity
is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN
tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. When you apply
a new capacity license on the VM-Series firewall, the model number and the associated capacities
are implemented on the firewall.

Verify the VM-Series System Requirements for your firewall model before you upgrade.
If your firewall has less than 5.5GB memory, the capacity (number of sessions, rules,
security zones, address objects, etc) on the firewall will be limited to that of the VM-50
Lite.

This process is similar to that of upgrading a pair of hardware-based firewalls that are in an HA
configuration. During the capacity upgrade process, session synchronization continues, if you
have it enabled. To avoid downtime when upgrading firewalls that are in a high availability (HA)
configuration, update one HA peer at a time.

Do not make configuration changes to the firewalls during the upgrade process. During the
upgrade process, configuration sync is automatically disabled when a capacity mismatch
is detected and is then re-enabled when both HA peers have matching capacity licenses.
If the firewalls in the HA pair have different major software versions (such as 9.1 and 9.0)
and different capacities, both devices will enter the Suspended HA state. Therefore, it is
recommended that you make sure both firewalls are running the same version of PAN-OS
before upgrading capacity.

STEP 1 | Upgrade the capacity license on the passive firewall.


Follow the procedure to Upgrade the VM-Series Model.
The new VM-Series model displays on the dashboard after some processes restart on this
passive peer. This upgraded peer is now in a non-functional state because of the capacity
mismatch with its active peer.
If you have enabled session synchronization, verify that sessions are synchronized across HA
peers before you continue to the next step. To verify session synchronization, run the show
high-availability interface ha2 command and make sure that the Hardware
Interface counters on the CPU table are increasing as follows:
• In an active/passive configuration, only the active peer shows packets transmitted and the
passive device will only show packets received.
If you have enabled HA2 keep-alive, the hardware interface counters on the passive
peer will show both transmit and receive packets. This occurs because HA2 keep-alive is
bidirectional which means that both peers transmit HA2 keep-alive packets.
• In an active/active configuration, you will see packets received and packets transmitted on
both peers.


STEP 2 | Upgrade the capacity license on the active firewall.


Follow the procedure to Upgrade the VM-Series Model.
The new VM-Series model displays on the dashboard after the critical processes restart. The
passive firewall becomes active, and this peer (previously active firewall) moves from the initial
state to becoming the passive peer in the HA pair.
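
The session synchronization check in Step 1 depends on counters that are increasing, so it needs two readings taken some seconds apart rather than one. The following added example (not Palo Alto Networks code) applies the rules above to two readings; the `Ha2Sample` fields are hypothetical names for the transmit and receive packet counts you read from the `show high-availability interface ha2` output, and the sample numbers are constructed.

```python
"""Evaluate two HA2 counter readings against the rules in Step 1.

Added example: field names and sample values are constructed; copy the
transmitted and received packet counts from the CLI output by hand or with
your own parser.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ha2Sample:
    tx_packets: int
    rx_packets: int


def check_ha2_sync(mode, role, first, second, keepalive=False):
    """Return a list of findings; an empty list means the counters match the guide.

    mode: "active/passive" or "active/active"
    role: "active" or "passive" (ignored for active/active)
    keepalive: True when HA2 keep-alive is enabled on the pair
    """
    if second.tx_packets < first.tx_packets or second.rx_packets < first.rx_packets:
        # A restart or counter clear between readings makes the delta meaningless.
        return ["counters went backwards between samples; resample"]

    tx_up = second.tx_packets > first.tx_packets
    rx_up = second.rx_packets > first.rx_packets

    if mode == "active/active":
        need_tx, need_rx = True, True
    elif mode == "active/passive" and role == "active":
        # Keep-alive is bidirectional, so with it enabled the active peer is
        # also expected to receive (inferred from the guide's keep-alive note).
        need_tx, need_rx = True, keepalive
    elif mode == "active/passive" and role == "passive":
        need_tx, need_rx = keepalive, True
    else:
        raise ValueError(f"unsupported mode/role: {mode}/{role}")

    findings = []
    if need_tx and not tx_up:
        findings.append("transmitted packets are not increasing")
    if need_rx and not rx_up:
        findings.append("received packets are not increasing")
    if mode == "active/passive" and role == "passive" and tx_up and not keepalive:
        findings.append("passive peer is transmitting although HA2 keep-alive is off")
    return findings


if __name__ == "__main__":
    # Constructed readings taken a few seconds apart on the passive peer.
    print(check_ha2_sync("active/passive", "passive",
                         Ha2Sample(0, 100), Ha2Sample(0, 100)))
```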


Downgrade a VM-Series Firewall to a Previous Release


Use the following workflow to restore the configuration that was running before you upgraded
to a different feature release. Any changes made since the upgrade are lost. Therefore, it is
important to back up your current configuration so you can restore those changes when you
return to the newer release.
Use the following procedure to downgrade to a previous release.
STEP 1 | Save a backup of the current configuration file.

Although the firewall automatically creates a backup of the configuration, it is a best
practice to create a backup before you upgrade and store it externally.

1. Export named configuration snapshot (Device > Setup > Operations).


2. Select the XML file that contains your running configuration (for example, running-
config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to
restore the configuration if you have problems with the downgrade.

STEP 2 | Install the previous feature release image.

Autosave versions are created when you upgrade to a new release.

1. Check Now (Device > Software) for available images.


(PAN-OS 11.1.3 and later releases) By default, the preferred releases and the
corresponding base releases are displayed. To view the preferred releases only, disable
(clear) the Base Releases checkbox. Similarly, to view the base releases only, disable
(clear) the Preferred Releases checkbox.
2. Locate the image to which you want to downgrade. If the image is not already
downloaded, then Download it.
3. After the download completes, Install the image.
4. Select a Config File for Downgrading, which the firewall will load after you reboot the
device. In most cases, you should select the configuration that was saved automatically
when you upgraded from the release to which you are now downgrading. For
example, if you are running PAN-OS 9.1 and are downgrading to PAN-OS 9.0.3, select
autosave-9.0.3.
5. After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, go to Device Operations (Device > Setup >
Operations) and Reboot Device.

Upgrade Panorama Plugins
• Panorama Plugins Upgrade/Downgrade Considerations
• Upgrade a Panorama Plugin
• Upgrade the Enterprise DLP Plugin
• Upgrade the Panorama Interconnect Plugin
• Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release


Panorama Plugins Upgrade/Downgrade Considerations


The following table lists the new features that have upgrade or downgrade impact. Make sure you
understand all upgrade/downgrade considerations before you upgrade to or downgrade from a
PAN-OS 11.1 release. For additional information about PAN-OS 11.1 releases, refer to the PAN-
OS 11.1 Release Notes.

Table 1: Panorama Plugins Upgrade/Downgrade Considerations

Feature: Panorama Plugins
• AWS Plugin
• Azure Plugin
• Kubernetes Plugin
• Software Firewall Licensing Plugin
• SD-WAN Plugin
• IPS Signature Converter Plugin
• ZTP Plugin
• Enterprise DLP Plugin
• Openconfig Plugin
• GCP Plugin
• Cisco ACI Plugin
• Nutanix Plugin
• VCenter Plugin

Upgrade Considerations:
Before you upgrade to PAN-OS 11.1, you must download the Panorama plugin version
supported on PAN-OS 11.1 for all plugins installed on Panorama. This is required to
successfully upgrade to PAN-OS 11.1. See the Compatibility Matrix for more information.

(Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Application and
Threats content release version 8520 on all managed firewalls running PAN-OS 11.1 or earlier
release. This is required to successfully push configuration changes to managed firewalls
leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.

(Enterprise DLP) Loading a Panorama configuration backup that does contain the Shared
Enterprise DLP configuration deletes the shared App exclusion filter required to scan
non-file based traffic.

(SD-WAN) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in
PAN-OS 11.0.
Upgrading a Panorama management server to PAN-OS 11.1 when the Panorama plugin for
SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the
Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you
are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.

Downgrade Considerations:
To downgrade from PAN-OS 11.0, you must download the Panorama plugin version
supported on PAN-OS 10.2 and earlier releases for all plugins installed on Panorama. See the
Panorama Plugins Compatibility Matrix for more information.

Feature: SD-WAN

Upgrade Considerations:
After successful upgrade of Panorama to PAN-OS 11.1 and the Panorama plugin from
SD-WAN version 2.0.0 to SD-WAN version 3.0, you must clear the SD-WAN cache on
Panorama for existing SD-WAN deployments only.
Clearing the SD-WAN cache does not delete any existing SD-WAN configuration but deletes
the IP address, tunnel, and gateway naming conventions for the new format introduced in
Panorama plugin for SD-WAN version 3.0.
For new deployments of SD-WAN, you do not need to clear the SD-WAN cache on
Panorama if you install the Panorama plugin for SD-WAN version 3.0 on Panorama after
you upgrade to PAN-OS 11.0.
1. Log in to the Panorama CLI.
2. Clear the SD-WAN cache on Panorama.

admin> debug plugins sd_wan drop-config-cache all

Downgrade Considerations:
None.


Upgrade a Panorama Plugin


Use the following procedure to upgrade the version of most plugins installed on your Panorama
management server. When upgrading one of the plugins listed below, use the procedure at the
link provided. To upgrade to the latest VM-Series plugin,
• Upgrade the Enterprise DLP Plugin
• Upgrade the Panorama Interconnect Plugin
• See the VM-Series for VMware NSX documentation when upgrading the Panorama plugin for
VMware NSX.
STEP 1 | Refer to the Compatibility Matrix for the minimum supported PAN-OS version for each
Panorama plugin.

STEP 2 | Review the Panorama Plugin Release Notes to identify your target plugin version.

STEP 3 | Review the Panorama Plugins Upgrade/Downgrade Considerations.

STEP 4 | Download the plugin.


1. Select Panorama > Plugins.
2. Select Check Now to retrieve a list of available updates.
3. Select Download in the Action column to download the plugin.

STEP 5 | Install the plugin.


Select the version of the plugin you downloaded in the previous step and click Install in the
Action column to install the plugin. Panorama will alert you when the installation is complete.

When installing the plugin for the first time on a Panorama HA pair, install the plugin
on the passive peer before the active peer. On installing the plugin on the passive peer,
it transitions to a non-functional state. Then, after you successfully install the plugin
on the active peer, the passive peer returns to a functional state.

STEP 6 | (Optional) You can review your plugin upgrade logs using the following CLI commands.

tail plugins-log ...


tail mp-log plugin_install.log


Upgrade the Enterprise DLP Plugin


Upgrade the Enterprise Data Loss Prevention (E-DLP) plugin version installed on your Panorama™
management server.
See the Palo Alto Networks Panorama plugin Compatibility Matrix and review the minimum PAN-
OS version required for your target Enterprise DLP plugin version.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Upgrade the Enterprise DLP plugin version on Panorama.


For Panorama in a high availability (HA) configuration, repeat this step on the Panorama HA
peer.
1. Select Panorama > Plugins and Check Now for the latest dlp plugin version.
2. Download and Install the latest version of the Enterprise DLP plugin.
3. After the new plugin version successfully installs, view the Panorama Dashboard and
verify in the General Information widget that the Plugin DLP version displays the
Enterprise DLP plugin version you upgraded to.

STEP 3 | Upgrade the

STEP 4 | (Upgrade to 4.0.0 only) Edit Enterprise DLP data filtering settings to reduce the Max File Size
to 20 MB or less.
This is required when upgrading from Panorama plugin for Enterprise DLP 3.0.3 or later
releases to Enterprise DLP 4.0.0 or later releases as this plugin version does not support large
file size inspection.


Upgrade the Panorama Interconnect Plugin


Use the following procedure to upgrade the Panorama™ Interconnect plugin on the Panorama
Controller and Panorama Nodes. When you upgrade the Panorama Interconnect plugin, you must
upgrade the Panorama Controller before you upgrade the Panorama Nodes to the same plugin
version as the Controller. The new plugin version you download and install on the Panorama
Node must be the same plugin version you installed on the Panorama Controller to ensure
that the plugin version on the Panorama Controller and selected Panorama Nodes remain
synchronized.
If this is the first time you are installing the plugin, see Set up the Panorama Interconnect Plugin.
STEP 1 | Log in to the Panorama web interface of the Panorama Controller.

STEP 2 | Upgrade the Panorama Interconnect plugin on the Panorama Controller.


1. Select Panorama > Plugins and search for Interconnect.
2. Download and Install the new Interconnect plugin version. A prompt is displayed to
notify you after the installation is completed.
3. Verify that the Dashboard displays the newly installed Interconnect plugin version.


STEP 3 | Upgrade the Panorama Interconnect plugin on the Panorama Node.


1. Select Panorama > Interconnect > Panorama Nodes, select one or more Panorama
Nodes, and Upgrade Plugin.
2. Verify the selected Panorama Nodes and click OK to begin the plugin upgrade.

3. Wait until the plugin upgrade job is Completed. Click Panorama > Interconnect > Tasks
to view the job progress.

4. After the upgrade completes successfully, select Panorama > Interconnect > Panorama
Nodes to verify that the Plugin version is correct for the selected Panorama Nodes.


Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release
Where Can I Use This?
• PAN-OS
• SD-WAN

What Do I Need?
• SD-WAN plugin license

It’s imperative to ensure that an existing network infrastructure remains up to date and is capable
of upgrading its features to unlock new functionalities. The SD-WAN upgrade guide helps the
network administrators to upgrade the Panorama management server and Palo Alto Networks
firewalls that are compatible with the SD-WAN plugin release.
It is important that you have a proper upgrade or downgrade plan before starting the actual
upgrade or downgrade procedure. Refer to the valid upgrade and downgrade paths for your
currently installed SD-WAN plugin version.
Before proceeding with the upgrade process, ensure the following:
• Take a backup of all the configurations on each device.
• Refer to the Panorama Plugin Compatibility Matrix to review the features introduced in each
version of the Panorama plugin for SD-WAN.
• You have administrator access to the Palo Alto Networks devices.

Prerequisites
Before you upgrade the Panorama HA pair, it's important to save the configuration files, create a
technical support file, and check for the compatible content release version for your device.

Back up Your Configuration File


Make a backup of the current configuration file. It's recommended to make a backup of your
current Panorama and firewall configurations:
• Take the backup of the Panorama and firewall configurations before upgrading the device.
• Save and export Panorama and firewall configurations to restore that backup.
• Save and export firewall configurations to revert to that backup.
If you have problems with the upgrade, you can use these backups to restore the configuration by
loading the configuration backup on the firewall managed by the Panorama management server.

Generate a Technical Support File


It's important to generate the technical support file for debugging purposes.


1. Select Device > Support and Generate Tech Support File.


The technical support file must be generated on both peers in the HA pair for debugging purposes.

It may take a few minutes to generate a technical support file and the time taken to
generate would vary.

2. Click Yes when prompted to generate the tech support file.

3. Click Download Tech Support File to save it in the firewall or Panorama.


Install Compatible Content Release Version


Ensure that each firewall and Panorama HA pair is running the latest content release (Applications
and Threats) version.

All the firewalls and the Panorama must have the same version of Applications and
Threats downloaded and installed for the upgrade to be successful.

Refer to the corresponding Release Notes for the minimum content release (such as Applications
and Threats) version you must install for a corresponding PAN-OS release. Make sure to follow
the best practices for applications and threat content updates.
Your firewall and the Panorama running a specific PAN-OS version must contain the minimum
content release (Applications and Threats) version that’s compatible with the PAN-OS version.
Use the following workflow to download and install the content release version that’s compatible
with the PAN-OS version:
1. For the firewall, select Device > Dynamic Updates and for Panorama select Panorama >
Dynamic Updates to check the version information of the Applications and Threats.
2. Check Now to retrieve a list of available updates.
3. Locate and Download the appropriate content release version. After you successfully
download a content update file, the link in the Action column changes from Download to
Install for that content release version.
4. Install the update on the Palo Alto Networks devices.

Important Considerations for Upgrading Panorama


The following are the important considerations for upgrading the SD-WAN plugin version on your
Panorama management server:
• (HA Deployments only) Both the active and passive Panorama must have the same Panorama
software and SD-WAN plugin versions.
• (HA Deployments only) Maintain the same HA states for both Panorama and Palo Alto
Networks Next-Generation Firewalls after upgrade and before commit or commit all, so that
the configuration changes are minimal.
• Always ensure that the Panorama software version is higher than the PAN-OS version.


• For MongoDB synchronization status for an SD-WAN plugin version, refer to MongoDB
Synchronization Status with SD-WAN Database Collections.

• (HA Deployments only) You must upgrade both active and passive Panorama HA pairs
simultaneously.
• After completing the SD-WAN plugin upgrade, you must perform a commit force
through the CLI command (in configuration mode) on the Palo Alto Networks device.
If you perform commit all instead of commit force, then you will lose all the SD-WAN
configurations on that device.

After the upgrade is complete, note the changes after the upgrade.
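The considerations above can be checked against an inventory before the change window. The following Python sketch is an added example, not Palo Alto Networks code; the `Device` record, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    role: str               # "panorama" or "firewall"
    sw_version: str         # Panorama software or PAN-OS version, e.g. "10.0.7-h3"
    content_version: str    # Applications and Threats release, compared as an opaque string
    sdwan_plugin: str = ""  # SD-WAN plugin version (Panorama peers)


def version_key(version):
    """Sortable key for versions such as 10.1.9 or 10.0.7-h3 (a hotfix sorts after its base)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version)
    if match is None:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def preflight(devices):
    """Return a list of findings that conflict with the considerations on this page."""
    panoramas = [d for d in devices if d.role == "panorama"]
    firewalls = [d for d in devices if d.role == "firewall"]
    if not panoramas:
        raise ValueError("inventory contains no Panorama")
    findings = []

    # Both HA peers must run the same Panorama software and SD-WAN plugin versions.
    if len({d.sw_version for d in panoramas}) > 1:
        findings.append("HA peers run different Panorama software versions")
    if len({d.sdwan_plugin for d in panoramas}) > 1:
        findings.append("HA peers run different SD-WAN plugin versions")

    # All firewalls and Panorama must have the same Applications and Threats version.
    contents = sorted({d.content_version for d in devices})
    if len(contents) > 1:
        findings.append("Applications and Threats versions differ: " + ", ".join(contents))

    # A firewall newer than Panorama breaks the version rule under any reading of it.
    lowest = min(panoramas, key=lambda d: version_key(d.sw_version))
    for fw in firewalls:
        if version_key(fw.sw_version) > version_key(lowest.sw_version):
            findings.append(
                f"{fw.name}: PAN-OS {fw.sw_version} is newer than Panorama {lowest.sw_version}"
            )
    return findings


def ha_state_changes(before, after):
    """Names of HA peers whose state differs from the snapshot taken before the upgrade."""
    return sorted(name for name, state in before.items() if after.get(name) != state)


# Constructed sample inventory (not real devices or real content release numbers).
SAMPLE = [
    Device("pano-a", "panorama", "10.1.9", "sample-100", "2.2.6"),
    Device("pano-b", "panorama", "10.1.9", "sample-100", "2.1.2"),
    Device("branch-1", "firewall", "10.1.8", "sample-100"),
    Device("hub-1", "firewall", "10.1.9-h1", "sample-099"),
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FAIL:", finding)
    print("HA state changed on:", ha_state_changes(
        {"pano-a": "active", "pano-b": "passive"},
        {"pano-a": "passive", "pano-b": "active"},
    ))
```

A non-empty result from `ha_state_changes` is the case in which the upgrade procedures on this page call for the forced switchover from the current active peer.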

Upgrade and Downgrade Paths for SD-WAN Plugin


| Where Can I Use This? | What Do I Need? |
|---|---|
| PAN-OS; SD-WAN | SD-WAN plugin license |

Before you upgrade or downgrade an SD-WAN plugin, you must know which plugin versions you can
upgrade or downgrade to from the SD-WAN plugin version currently installed on your firewall.
Therefore, always refer to the valid upgrade and downgrade paths for your currently installed
SD-WAN plugin version as the first step in your migration plan.

Upgrade and Downgrade Considerations

• If you need to upgrade your SD-WAN plugin, don't upgrade to a release that we
released before your currently installed version.
For example, we don't support an upgrade from SD-WAN plugin version 3.0.7 to SD-
WAN plugin version 3.2.0 because we released SD-WAN plugin version 3.2.0 before
SD-WAN plugin 3.0.7.
However, you can upgrade from any maintenance release to another maintenance
release within the same major or minor release version. For example, you can upgrade
from any SD-WAN 2.2 to any other SD-WAN 2.2 plugin release.
Refer to the upgrade paths and downgrade paths for the SD-WAN plugin before upgrading
or downgrading your currently installed SD-WAN plugin version.
• If you need to downgrade your SD-WAN plugin, don't downgrade to a release that we
released after your currently installed version.
For example, we don't support a downgrade from SD-WAN plugin version 3.2.0 to SD-
WAN plugin version 3.0.7 because we released SD-WAN plugin version 3.0.7 after SD-
WAN plugin 3.2.0.
Refer to the upgrade paths and downgrade paths for the SD-WAN plugin before upgrading
or downgrading your currently installed SD-WAN plugin version.


Upgrade Path for SD-WAN Plugin


Interpret the information in the upgrade table as follows:
• Upgrade From (the Current Installed Version)—The current SD-WAN plugin version before the
upgrade.
• To Allowed SD-WAN Plugin Version—The list of SD-WAN plugin versions you can upgrade to
from the current SD-WAN plugin version.
• To Recommended SD-WAN Plugin Version—The SD-WAN plugin version we recommend that you
upgrade to from the current SD-WAN plugin version.
For example, you can upgrade from the SD-WAN plugin version 2.2.1 to SD-WAN plugin versions
2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, and later 2.2 releases. However, out of all the valid SD-WAN plugin
versions (2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, and later 2.2 releases), our recommended version is 2.2.6.
Note that if you want to upgrade from SD-WAN 2.2.1 to 3.0.7, you can't upgrade it directly. You
must first upgrade the SD-WAN plugin from 2.2.1 to 2.2.6 (the recommended version) and then
to 3.0.7.
Following are the upgrade paths for the SD-WAN plugin version. When you perform an SD-WAN
upgrade, the target plugin version performs the migration process.

SD-WAN Plugin 2.2 Versions

| Upgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version | To Recommended SD-WAN Plugin Version |
|---|---|---|
| 2.2.1 | 2.2.2 and later 2.2 versions | 2.2.6 |
| 2.2.2 | 2.2.3 and later 2.2 versions | 2.2.6 |
| 2.2.3 | 2.2.4 and later 2.2 versions | 2.2.6 |
| 2.2.4 | 2.2.5 and later 2.2 versions | 2.2.6 |
| 2.2.5 | 2.2.6 and later 2.2 versions | 2.2.6 |
| 2.2.6 | 3.0.7 and later 3.0 versions; 3.1.3 and later 3.1 versions; 3.2.1 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.0.8, 3.1.3, 3.2.2, and 3.3.1 |

SD-WAN Plugin 3.0 Versions

| Upgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version | To Recommended SD-WAN Plugin Version |
|---|---|---|
| 3.0.0 | 3.0.8 | — |
| 3.0.1 | 3.0.5 and 3.0.8 | — |
| 3.0.2 | 3.0.5 and 3.0.8 | — |
| 3.0.3 | 3.0.5 and 3.0.8 | — |
| 3.0.4 | 3.0.5 and 3.0.8 | — |
| 3.0.5 | 3.0.6 and later 3.0 versions; 3.1.0-hf; 3.1.2 and later 3.1 versions; 3.2.0 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.0.7-h2, 3.1.3, 3.2.1, and 3.3.0 |
| 3.0.6 | 3.0.7 and later 3.0 versions; 3.1.3 and later 3.1 versions; 3.2.0 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.0.7-h2, 3.1.3, 3.2.1, 3.3.0, and 3.0.8 |
| 3.0.7 | 3.1.3 and later 3.1 versions; 3.2.1 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.1.3, 3.2.1, 3.3.0, and 3.0.8 |
| 3.0.8 | 3.1.1; 3.1.3; 3.2.1 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.2.2 and 3.3.2 |

SD-WAN plugin 3.0.8 version supports the Prisma Access hub.

SD-WAN Plugin 3.1 Versions

| Upgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version | To Recommended SD-WAN Plugin Version |
|---|---|---|
| 3.1.0 | 3.1.1; 3.1.3 and later 3.1 versions; 3.2.0 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.1.3, 3.2.1, and 3.3.0 |
| 3.1.1 | 3.1.3 and later 3.1 versions; 3.2.0 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.1.3, 3.2.1, and 3.3.0 |
| 3.1.2 | 3.1.3 and later 3.1 versions; 3.2.0 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.1.3, 3.2.1, and 3.3.0 |
| 3.1.3 | 3.2.1 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.2.1 and 3.3.0 |

SD-WAN Plugin 3.2 Versions

| Upgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version | To Recommended SD-WAN Plugin Version |
|---|---|---|
| 3.2.0 | 3.2.1 and later 3.2 versions; 3.3.0 and later 3.3 versions | 3.2.1 and 3.3.0 |
| 3.2.1 | 3.3.0 and later 3.3 versions | 3.3.0 |
| 3.2.2 | 3.3.1 and later 3.3 versions | 3.3.2 |

SD-WAN Plugin 3.3 Versions

| Upgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version | To Recommended SD-WAN Plugin Version |
|---|---|---|
| 3.3.0 | 3.3.1 and later 3.3 versions | 3.3.1 |
| 3.3.1 | 3.3.2 and later 3.3 versions | 3.3.2 |
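The upgrade table can be evaluated mechanically when planning a multi-hop upgrade. The following Python sketch is an added example, not Palo Alto Networks code: it transcribes only the "To Allowed" column of the table on this page and searches for the fewest allowed hops between two plugin versions. The `+` shorthand and the function names are assumptions introduced here.

```python
import re
from collections import deque

# "To Allowed" column of the upgrade table on this page, transcribed by hand.
# Shorthand introduced for this example: "3.0.7+" = "3.0.7 and later 3.0 versions".
UPGRADE_TABLE = {
    "2.2.1": "2.2.2+",
    "2.2.2": "2.2.3+",
    "2.2.3": "2.2.4+",
    "2.2.4": "2.2.5+",
    "2.2.5": "2.2.6+",
    "2.2.6": "3.0.7+ 3.1.3+ 3.2.1+ 3.3.0+",
    "3.0.0": "3.0.8",
    "3.0.1": "3.0.5 3.0.8",
    "3.0.2": "3.0.5 3.0.8",
    "3.0.3": "3.0.5 3.0.8",
    "3.0.4": "3.0.5 3.0.8",
    "3.0.5": "3.0.6+ 3.1.0-hf 3.1.2+ 3.2.0+ 3.3.0+",
    "3.0.6": "3.0.7+ 3.1.3+ 3.2.0+ 3.3.0+",
    "3.0.7": "3.1.3+ 3.2.1+ 3.3.0+",
    "3.0.8": "3.1.1 3.1.3 3.2.1+ 3.3.0+",
    "3.1.0": "3.1.1 3.1.3+ 3.2.0+ 3.3.0+",
    "3.1.1": "3.1.3+ 3.2.0+ 3.3.0+",
    "3.1.2": "3.1.3+ 3.2.0+ 3.3.0+",
    "3.1.3": "3.2.1+ 3.3.0+",
    "3.2.0": "3.2.1+ 3.3.0+",
    "3.2.1": "3.3.0+",
    "3.2.2": "3.3.1+",
    "3.3.0": "3.3.1+",
    "3.3.1": "3.3.2+",
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?")


def parse(version):
    """Return (major, minor, maintenance); a suffix such as -h2 or -hf is ignored."""
    match = _VERSION.fullmatch(version)
    if match is None:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_allowed(current, target):
    """True if the table lists target as a direct upgrade from current."""
    if current not in UPGRADE_TABLE:
        raise KeyError(f"no upgrade row for {current!r} on this page")
    major, minor, maint = parse(target)
    for rule in UPGRADE_TABLE[current].split():
        if rule.endswith("+"):
            r_major, r_minor, r_maint = parse(rule[:-1])
            if (major, minor) == (r_major, r_minor) and maint >= r_maint:
                return True
        elif rule == target:
            return True
    return False


def plan_path(current, target):
    """Breadth-first search for the fewest allowed hops from current to target.

    Intermediate hops are limited to versions that have their own row in the
    table. Returns the list of versions, or None when no upgrade path exists.
    """
    if current == target:
        return [current]
    queue = deque([[current]])
    seen = {current}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if is_allowed(node, target):
            return path + [target]
        for candidate in UPGRADE_TABLE:
            if candidate not in seen and is_allowed(node, candidate):
                seen.add(candidate)
                queue.append(path + [candidate])
    return None


if __name__ == "__main__":
    for src, dst in [("2.2.1", "3.0.7"), ("3.0.0", "3.3.2"), ("3.0.7", "3.2.0")]:
        print(f"{src} -> {dst}: {plan_path(src, dst)}")
```

The search minimises the number of hops only; it does not consult the "To Recommended" column, so compare the proposed hops with that column before scheduling the change.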

Downgrade Path for SD-WAN Plugin


Interpret the information in the downgrade table as follows:
• Downgrade From (the Current Installed Version)—This is the current SD-WAN plugin version
before the downgrade.
• To Allowed SD-WAN Plugin Version—This is the list of SD-WAN plugin versions you can
downgrade to from the current SD-WAN plugin version.
Following are the downgrade paths for the SD-WAN plugin version. When you perform an SD-
WAN downgrade, the current plugin version performs the migration process.

| Downgrade From (the Current Installed Version) | To Allowed SD-WAN Plugin Version |
|---|---|
| 2.2.2, 2.2.3, 2.2.4, 2.2.5, and 2.2.6 | 2.2.1 |
| 2.2.3, 2.2.4, 2.2.5, and 2.2.6 | 2.2.2 |
| 2.2.4, 2.2.5, and 2.2.6 | 2.2.3 |
| 2.2.5 and 2.2.6 | 2.2.4 |
| 2.2.6 | 2.2.5 |
| 3.0.7, 3.1.3, 3.2.1, and 3.3.0 | 2.2.6 |
| 3.0.5 | 3.0.0, 3.0.1, 3.0.2, 3.0.3, and 3.0.4 |
| 3.0.6, 3.0.7, 3.1.0-hf, 3.1.1, 3.1.3, 3.2.0, 3.2.1, and 3.3.0 | 3.0.5 |
| 3.0.7, 3.1.3, 3.2.0, 3.2.1, and 3.3.0 | 3.0.6 |
| 3.1.3, 3.2.1, and 3.3.0 | 3.0.7 |
| 3.0.8 | 2.2.1 and later 2.2 versions, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, and 3.0.7 |
| 3.1.1, 3.1.3, 3.2.0, 3.2.1, and 3.3.0 | 3.1.0 |
| 3.1.3, 3.2.0, 3.2.1, and 3.3.0 | 3.1.1 and 3.1.2 |
| 3.2.1 and 3.3.0 | 3.1.3 and 3.2.0 |
| 3.3.1 | 2.2.6, 3.0.6, 3.0.7, 3.1.3, 3.2.1, and 3.3.0 |
| 3.2.2, 3.3.2 | 3.0.8 |
| 3.3.2 | 3.2.2 |

Install the SD-WAN Plugin


Install the SD-WAN plugin version on your Panorama™ management server and firewalls
leveraging SD-WAN.
See the Palo Alto Networks Panorama Plugin Compatibility Matrix and review the minimum PAN-
OS version required for your target SD-WAN plugin version.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Install the SD-WAN plugin version on Panorama.


For Panorama in a high availability (HA) configuration, repeat this step on the Panorama HA
peer.
1. Select Panorama > Plugins and Check Now for the latest sd_wan plugin version.
2. Download and Install the latest version of the SD-WAN plugin.


STEP 3 | After the new plugin version successfully installs, view the Panorama Dashboard and in the
General Information widget verify that the SD-WAN plugin displays the SD-WAN plugin
version you have installed.

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

| Where Can I Use This? | What Do I Need? |
|---|---|
| PAN-OS; SD-WAN | SD-WAN plugin license |

Follow the upgrade path based on the SD-WAN plugin version that your Panorama management
server is running.

| Panorama Running SD-WAN Plugin Version | Follow the Steps |
|---|---|
| 1.0.x | Panorama HA pair: Upgrade SD-WAN plugin 1.0.4 to 2.2.6 release |
| 2.1.x | Panorama HA pair: Upgrade SD-WAN plugin 2.1.x to 2.2.6 release |
| 2.2.6 | Panorama HA pair: Upgrade SD-WAN plugin 2.2.6 to 3.0.7 release |

Panorama HA Pair: Upgrade SD-WAN Plugin 1.0.4 to 2.2.6 Release


When your Panorama is installed with any SD-WAN plugin version from 1.0.x to 2.2.x and you want
to upgrade the SD-WAN plugin version, you must upgrade to SD-WAN plugin version 2.2.6 first (and
not any intermediate version), because the SD-WAN 2.2.6 version contains the new features, bug
fixes, performance improvements, and enhancements.
It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
Use the following workflow in the same order to upgrade your Panorama HA pair with SD-WAN
2.2.6 plugin version.


STEP 1 | Upgrade your Panorama management server version.


1. From Panorama 9.1.x, download and install Panorama 10.0.7-h3 on both active and passive
Panorama.
2. From Panorama 10.0.7-h3, download and install the latest Panorama 10.1 release on both
active and passive Panorama.
3. After Panorama is upgraded to the latest 10.1 release, check whether the active Panorama
remains active and the passive Panorama remains passive. If the HA states are unchanged, the
upgrade is successful. Otherwise, perform a forced switchover to restore the HA states to what
they were before the upgrade.
To perform the forced switchover, execute the following CLI commands in the same order
from the current active HA peer.

admin > request high-availability state suspend

admin > request high-availability state functional


STEP 2 | Monitor the configd logs.


(In administrator mode) Before upgrading the SD-WAN plugin to 2.2.6, start monitoring the
configd log on both Panorama HA peers.

admin> tail follow yes mp-log configd.log

If you see the below error message when you run the tail follow yes mp-log
configd.log command, the MongoDB of the active and passive Panorama has become out
of sync.

To resolve this issue:


1. (In administrator mode) Drop the whole database pan_oplog on both the active and passive
Panorama.

admin > debug mongo drop database pan_oplog instance mdb

2. (In administrator mode) Restart configd on both the active and passive Panorama.

admin > debug software restart process configd

Once configd is restarted, refresh the respective web interface and command line interface.
After the restart, you will no longer see the mongo pan_oplog error on any of the commit processes.

We recommend that you monitor the configd logs during the whole upgrade process.

STEP 3 | Download and install the SD-WAN plugin version 2.2.6 on both active and passive
Panorama.


STEP 4 | (In administrator mode) Drop the SD-WAN collections on both active and passive Panorama.

admin > debug mongo drop database pl_sd_wan instance mdb

This step is required to bring the SD-WAN MongoDB collections into synchronization.

STEP 5 | (In configuration mode) Forcefully commit the changes from the active Panorama.

After completing the SD-WAN plugin upgrade, you must perform a commit force through the
CLI command (in the configuration mode) on the Palo Alto Networks device. If you perform
commit all instead of commit force, then you will lose all the SD-WAN configurations on that
device.

STEP 6 | Check the following after Panorama HA upgrade.


1. Perform a selective push to branch devices first, followed by the hub devices from active
Panorama.
2. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.
3. Verify that the SD-WAN configurations, such as Tunnel, BGP, Key ID, and traffic, are as
expected.

After a successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache,
IPSec tunnel cache, and subnet cache will be refreshed, which will not affect the
functionalities of SD-WAN.


STEP 7 | (Recommended) Upgrade the connected firewalls.


Once the Panorama HA pair upgrade is successful, the connected hub and branch devices
can be upgraded one-by-one starting with the branch firewalls followed by hub firewalls (the
branch and hub firewalls can be standalone firewalls or HA pairs).

We recommend that you check the SD-WAN configuration and functionality after
upgrading each firewall.

1. Introduce a minor change on all the templates by modifying or adding the comment for
an interface on the template, followed by a Commit and Push to Devices. This is just a
verification activity to ensure that the configuration is good and the upgrade is working.

2. Check the SD-WAN configuration and functionalities.


3. Upgrade the branch firewall one-by-one till all the branches are upgraded.
4. Follow the below steps for branch firewalls first.
1. Start upgrading a pair of branch HA or standalone devices from Panorama version 9.1.x
to 10.0.7-h3, and then to the latest Panorama 10.1 release.
2. Introduce a minor change in the comment of an interface from the particular firewall
template from the active Panorama where the upgrade was performed, Commit, and
Push to Devices. Once the Commit All is completed, check the SD-WAN configurations
and functionalities. This is just a verification activity to ensure that the configuration is
good and the upgrade is working after the firewall is upgraded.
5. Follow the below steps for the hub firewalls. It's important that you complete the upgrade
of the branch firewalls and then start the upgrade of the hub firewalls.
1. Start upgrading a pair of hub HA or standalone devices from Panorama version 9.1.x to
10.0.7-h3, and then to the latest Panorama 10.1 release.
2. Introduce a minor change in the comment of an interface from the particular firewall
template from the active Panorama where the upgrade was performed, Commit, and
Push to Devices. Once the Commit All is completed, check the SD-WAN configurations
and functionalities.
This is just a verification activity to ensure that the configuration is good and the upgrade
is working after the firewall is upgraded.
6. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.
7. After the upgrade is complete, note the changes after the upgrade.


Panorama HA Pair: Upgrade SD-WAN Plugin 2.1.x to 2.2.6 Release


When your Panorama is installed with SD-WAN plugin version 2.1.x and you want to upgrade
the SD-WAN plugin version, you must upgrade to SD-WAN plugin version 2.2.6 first (and not any
intermediate version), because the SD-WAN 2.2.6 version contains the new features, bug fixes,
performance improvements, and enhancements.
It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
Use the following workflow in the same order to upgrade your Panorama HA pair with the SD-
WAN 2.2.6 plugin version.
STEP 1 | Upgrade your Panorama management server version.
1. Download and install the latest Panorama 10.1 release on both active and passive
Panorama.
2. After Panorama is upgraded to the latest 10.1 release, check whether the active Panorama
remains active and the passive Panorama remains passive. If the HA states are unchanged, the
upgrade is successful. Otherwise, perform a forced switchover to restore the HA states to what
they were before the upgrade.
To perform the forced switchover, execute the following CLI commands in the same order
from the current active HA peer.

admin > request high-availability state suspend

admin > request high-availability state functional


STEP 2 | Monitor the configd logs.


(In administrator mode) Before upgrading the SD-WAN plugin to 2.2.6, start monitoring the
configd log on both Panorama HA peers.

admin> tail follow yes mp-log configd.log

If you see the below error message when you run the tail follow yes mp-log
configd.log command, the MongoDB of the active and passive Panorama has become out
of sync.

To resolve this issue:


1. (In administrator mode) Drop the whole database pan_oplog on both the active and passive
Panorama.

admin > debug mongo drop database pan_oplog instance mdb

2. (In administrator mode) Restart configd on both the active and passive Panorama.

admin > debug software restart process configd

Once configd is restarted, refresh the respective web interface and command line interface.
After the restart, you will no longer see the mongo pan_oplog error on any of the commit processes.

We recommend that you monitor the configd logs during the whole upgrade process.

STEP 3 | Download and install the SD-WAN plugin version 2.2.6 on both active and passive
Panorama.


STEP 4 | (In administrator mode) Drop the SD-WAN collections on both active and passive Panorama.

admin > debug mongo drop database pl_sd_wan instance mdb

This step is required to bring the SD-WAN MongoDB collections into synchronization.

STEP 5 | (In configuration mode) Forcefully commit the changes from the active Panorama.

After completing the SD-WAN plugin upgrade, you must perform a commit force through the
CLI command (in the configuration mode) on the Palo Alto Networks device. If you perform
commit all instead of commit force, then you will lose all the SD-WAN configurations on that
device.

STEP 6 | Check the following after Panorama HA upgrade.


1. Perform a selective push to branch devices first, followed by the hub devices from active
Panorama.
2. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.
3. Verify that the SD-WAN configurations, such as tunnel, BGP, Key ID, and traffic, are as
expected.

After a successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache,
IPSec tunnel cache, and subnet cache will be refreshed, which will not affect the
functionalities of SD-WAN.


STEP 7 | (Recommended) Upgrade the connected firewalls.


Once the Panorama HA pair upgrade is successful, the connected hub and branch devices
can be upgraded one-by-one starting with the branch firewalls followed by hub firewalls (the
branch and hub firewalls can be standalone firewalls or HA pairs).

We recommend that you check the SD-WAN configuration and functionality after
upgrading each firewall.

1. Introduce a minor change on all the templates by modifying or adding the comment for
an interface on the template, followed by a Commit and Push to Devices. This is just a
verification activity to ensure that the configuration is good and the upgrade is working.

2. Check the SD-WAN configuration and functionalities.


3. Upgrade the branch firewall one-by-one till all the branches are upgraded.
4. Follow the below steps for branch firewalls first.
1. Start upgrading a pair of branch HA or standalone devices from Panorama version 9.1.x
to 10.0.7-h3, and then to the latest Panorama 10.1 release.
2. Introduce a minor change in the comment of an interface from the particular firewall
template from the active Panorama where the upgrade was performed, Commit, and
Push to Devices. Once the Commit All is completed, check the SD-WAN configurations
and functionalities. This is just a verification activity to ensure that the configuration is
good and the upgrade is working after the firewall is upgraded.
5. Follow the below steps for the hub firewalls. It's important that you complete the upgrade
of the branch firewalls and then start the upgrade of the hub firewalls.
1. Start upgrading a pair of hub HA or standalone devices from Panorama version 9.1.x to
10.0.7-h3, and then to the latest Panorama 10.1 release.
2. Introduce a minor change in the comment of an interface from the particular firewall
template from the active Panorama where the upgrade was performed, Commit, and
Push to Devices. Once the Commit All is completed, check the SD-WAN configurations
and functionalities.
This is just a verification activity to ensure that the configuration is good and the upgrade
is working after the firewall is upgraded.
6. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.
7. After the upgrade is complete, note the changes after the upgrade.


Panorama HA Pair: Upgrade SD-WAN Plugin 2.2.6 to 3.0.7 Release


It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
STEP 1 | Download the SD-WAN plugin 3.0.7 and delete all the 3.0.x plugins downloaded on both the
Panorama HA pairs except SD-WAN plugin version 3.0.7.

STEP 2 | Upgrade the Panorama software version from the latest 10.1 version to the latest 10.2
version. After a successful upgrade to the latest 10.2 version, the SD-WAN plugin 3.0.7 will
be installed automatically.
To verify if the SD-WAN plugin 3.0.7 version is installed on your Panorama, check the General
Information in the Panorama Dashboard.

STEP 3 | Once the upgrade is complete, check that the SD-WAN configurations and their
functionalities are as expected.

STEP 4 | Perform a commit force through the CLI command (in the configuration mode) on the Palo
Alto Networks device. If you perform commit all instead of commit force, then you will lose
all the SD-WAN configurations on that device.

STEP 5 | (Recommended) Upgrade the connected devices one-by-one starting with the branch pairs
followed by hub pairs.

STEP 6 | Once the devices are upgraded, check the SD-WAN configurations and their functionalities.

STEP 7 | After the upgrade is complete, note the changes after the upgrade.

Upgrade Standalone Panorama Leveraging SD-WAN Plugin


| Where Can I Use This? | What Do I Need? |
|---|---|
| PAN-OS; SD-WAN | SD-WAN plugin license |

Complete the Prerequisites before proceeding with the upgrade procedure.


Follow the upgrade path based on the SD-WAN plugin version that your Panorama management
server is running.

| Panorama Running SD-WAN Plugin Version | Follow the Steps |
|---|---|
| 1.0.x | Standalone Panorama: Upgrade SD-WAN Plugin 1.0.4 to 2.2.6 Release |
| 2.1.x | Standalone Panorama: Upgrade SD-WAN plugin 2.1.x to 2.2.6 release |
| 2.2.6 | Standalone Panorama: Upgrade SD-WAN plugin 2.2.6 to 3.0.7 release |

Standalone Panorama: Upgrade SD-WAN Plugin 1.0.4 to 2.2.6 Release


It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
STEP 1 | Download and install Panorama software version 10.0.7-h3.

STEP 2 | From Panorama 10.0.7-h3, download and install the latest Panorama 10.1 release.

STEP 3 | Download and install the SD-WAN plugin version 2.2.6 on Panorama.

STEP 4 | (In configuration mode) Forcefully commit the changes from the active Panorama.
After completing the SD-WAN plugin upgrade, you must perform a commit force through the
CLI (configuration mode) on the Palo Alto Networks device. If you perform commit all instead
of commit force, then you will lose all the SD-WAN configurations on that device.


STEP 5 | Check the following after upgrading the standalone Panorama.


1. Push to devices from Panorama.
2. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.

3. Verify that the SD-WAN configurations, such as Tunnel, BGP, Key ID, and traffic, are as
expected.

After a successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache,
IPSec tunnel cache, and subnet cache will be refreshed, which will not affect the
functionalities of SD-WAN.

STEP 6 | Once the Panorama upgrade is successful, if needed, all the connected devices can be
upgraded one-by-one starting with the branch pairs/standalone followed by the hub pairs/
standalone. It's recommended to check the SD-WAN configuration and functionality after
each upgrade.

STEP 7 | After the upgrade is complete, note the changes after the upgrade.

Standalone Panorama: Upgrade SD-WAN Plugin 2.1.x to 2.2.6 Release


It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
STEP 1 | Download and install the latest Panorama 10.1 release.

STEP 2 | Download and install the SD-WAN plugin version 2.2.6 on Panorama.


STEP 3 | (In configuration mode) Forcefully commit the changes from the active Panorama.
After completing the SD-WAN plugin upgrade, you must perform a commit force through the
CLI (configuration mode) on the Palo Alto Networks device. If you perform commit all instead
of commit force, then you will lose all the SD-WAN configurations on that device.

STEP 4 | Check the following after upgrading the standalone Panorama.


1. Push to devices from Panorama.
2. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.

3. Verify that the SD-WAN configurations, such as Tunnel, BGP, Key ID, and traffic, are as
expected.

After a successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache,
IPSec tunnel cache, and subnet cache will be refreshed, which will not affect the
functionalities of SD-WAN.

STEP 5 | Once the Panorama upgrade is successful, if needed, all the connected devices can be
upgraded one-by-one starting with the branch pairs/standalone followed by the hub pairs/
standalone. It's recommended to check the SD-WAN configuration and functionality after
each upgrade.

STEP 6 | After the upgrade is complete, note the changes after the upgrade.

Standalone Panorama: Upgrade SD-WAN Plugin 2.2.6 to 3.0.7 Release


It's recommended to always ensure that the Panorama software version is higher than the PAN-
OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be
any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
STEP 1 | Download and install the latest Panorama 10.1 release.


STEP 2 | Download and install the SD-WAN plugin version 2.2.6 on Panorama.

STEP 3 | (In configuration mode) Forcefully commit the changes from the active Panorama.
After completing the SD-WAN plugin upgrade, you must perform a commit force through the
CLI (configuration mode) on the Palo Alto Networks device. If you perform commit all instead
of commit force, then you will lose all the SD-WAN configurations on that device.

STEP 4 | Check the following after upgrading the standalone Panorama.


1. Push to devices from Panorama.
2. Select Panorama > Managed Devices > Summary and verify if the device group and
templates are in synchronization on both active and passive Panorama under the devices
summary page.

3. Verify that the SD-WAN configurations, such as Tunnel, BGP, Key ID, and traffic, are as
expected.

After a successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache,
IPSec tunnel cache, and subnet cache will be refreshed, which will not affect the
functionalities of SD-WAN.

STEP 5 | Once the Panorama upgrade is successful, if needed, all the connected devices can be
upgraded one-by-one starting with the branch pairs/standalone followed by the hub pairs/
standalone. It's recommended to check the SD-WAN configuration and functionality after
each upgrade.

STEP 6 | After the upgrade is complete, note the changes after the upgrade.

Changes to Note After Upgrade


Where Can I Use This?
• PAN-OS
• SD-WAN

What Do I Need?
• SD-WAN plugin license

After the upgrade, you must conduct the below checks before committing the changes to
Panorama:
• Verify that the Router Name is configured (Panorama > SD-WAN > Devices) for each
SD-WAN device in the VPN cluster. The Router Name configuration is supported from
SD-WAN plugin 3.1.0 and later releases.
• Verify that BGP (Panorama > SD-WAN > Devices) is enabled for each SD-WAN
device in the VPN cluster. Ensure that the same BGP address family (IPv4 BGP or IPv6
BGP) that was configured before the upgrade is enabled. IPv6 is supported from
SD-WAN plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain the
IPv6 option only if you are upgrading from SD-WAN 3.1.1 or later releases.
• Verify that the same VPN Authentication type (Pre Shared Key or Certificate) that was
configured before the upgrade is enabled (Panorama > SD-WAN > Devices > VPN Tunnel).
The Certificate authentication type is supported from SD-WAN plugin 3.2.0
and later releases. Therefore, the upgraded plugin will contain the VPN Authentication
type (Pre Shared Key or Certificate) only if you are upgrading from SD-WAN plugin
3.2.0 or later releases.

After the upgrade (on Panorama HA pair or standalone Panorama), the following changes can be
seen:
• You will no longer see the zone tabs in Panorama > SD-WAN > Devices for the added
SD-WAN device. Therefore, you must create the Security policy rules between existing and
predefined zones (zone-to-branch, zone-to-hub, zone-internet, and zone-internal).
• In a full mesh VPN cluster, the branch with the lower serial number will be used as an IKE
initiator. In case of upstream NAT, both inbound and outbound NAT should be present on the
NAT device; when inbound NAT is not present, PLUG-15276 will be seen.

MongoDB Synchronization Status with SD-WAN Database Collections


With some SD-WAN plugin versions, the SD-WAN database collections in MongoDB could go
out of synchronization, which is a known issue. Hence, you may need to perform additional steps
in the upgrade procedure when upgrading to SD-WAN plugin version 2.2.6 from any earlier
releases.
The following table shows whether the SD-WAN MongoDB collections will be in sync or not
for each of the SD-WAN plugin versions that were tested.

S.No | Compatible PAN-OS Software Version with SD-WAN Plugin Version | SD-WAN Plugin Version | Mongo Port | SD-WAN Collections under Mongo on Panorama HA
--- | --- | --- | --- | ---
1 | 10.1.6 | 2.1.2 | 31377 | Not in synchronization
2 | 10.1.x | 2.1.2 | 31377 | Not in synchronization
3 | 10.1.x | 2.2.6 | 27017 | In synchronization
4 | 10.2.7-h3 | 3.0.7 | 27017 | In synchronization

CLI Commands for Upgrade
• Use CLI Commands for Upgrade Tasks


Use CLI Commands for Upgrade Tasks


Use the following CLI commands to carry out upgrade tasks.

If you want to... | Use...
--- | ---
Check the current versions of the firewall |
• Check the current version of the firewall software and content. | show system info
Access the available dynamic updates and upgrade the content version of the firewall |
• Check available content versions of dynamic updates directly from the Palo Alto Networks servers. | request content upgrade check
• Check available content versions of dynamic updates directly from the firewall. | request content upgrade info
• Download content version directly to the firewall. | request content upgrade download <content version>
• Install content version. | request content upgrade install <content version>
Access the available software versions and upgrade the firewall |
• Check the available software versions available for download. | request system software info
• Check the preferred releases of a software. (PAN-OS 11.1.3 and later releases) | request system software info preferred
• Check the base releases of a software. (PAN-OS 11.1.3 and later releases) | request system software info base
• Check both preferred and base releases of a software. (PAN-OS 11.1.3 and later releases) | request system software info preferred base
• Check the available versions loaded on the firewall. | request system software check
• Download a specific version of the software. | request system software download version <version>
• Check the status of a specific download job. | show jobs id <jobid>
• Install the downloaded software. | request system software install version 10.1.0
• Restart the firewall. | request restart system

Access the available software patches for the firewall:

The patch feature is currently offered in preview mode. Full support is not available with
this functionality.

If you want to... | Use...
--- | ---
• Check the available software patches available for download. | request system patch check
• Check the available patches for the currently installed firewall version. | request system patch info
• Download a specific patch version. | request system patch download version <version>
• Check more detailed information for a specific patch version. | request system patch info version <version>
• Install the downloaded patch. | request system patch install version <version>
• Apply the installed patch. | request system patch apply

APIs for Upgrade
• Use the API for Upgrade Tasks


Use the API for Upgrade Tasks


Use the following API requests to carry out upgrade tasks.

If you want to... | Use...
--- | ---
Check the current versions of the firewall |
• Check the current version of the firewall software and content. | https://firewall/api/?type=op&cmd=<request><system><software><chec…check></software></system>
Access the available dynamic updates and upgrade the content version of the firewall |
• Check available content versions of dynamic updates directly from the Palo Alto Networks servers. | https://firewall/api/?type=op&cmd=<request><content><upgrade><chec…check></upgrade></content></request>
• Check available content versions of dynamic updates directly from the firewall. | https://firewall/api/?type=op&cmd=<request><content><upgrade><info…info></upgrade></content></request>
• Download latest content version directly to the firewall. | https://firewall/api/?type=op&cmd=<request><content><upgrade><down…latest></download></upgrade></content></request>
• Download specific content version directly to the firewall. | https://firewall/api/?type=op&cmd=<request><content><upgrade><down…specific file name here<file></download></upgrade></content></request>
• Install content version. | https://firewall/api/?type=op&cmd=<request><content><upgrade><inst…<content version></version></install></upgrade></content></request>
Access the available software versions and upgrade the firewall |
• Check the available software versions available for download. | https://firewall/api/?type=op&cmd=<request><system><software><info…info></software></system></request>
• Check the available versions loaded on the firewall. | https://firewall/api/?type=op&cmd=<request><system><software><chec…check></software></system></request>
• Download a specific version of the software. | https://firewall/api/?type=op&cmd=<request><system><software><downl…version></download></software></system></request>
• Check the status of a specific download job. | https://firewall/api/?type=op&cmd=<show><jobs></jobs></show>
• Install the downloaded software. | https://firewall/api/?type=op&cmd=<request><system><software><inst…version></install></software></system></request>
• Restart the firewall. | https://firewall/api/?type=op&cmd=<request><restart><system></system></restart></request>
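The two complete rows in the table above (restart and job status) show the pattern: each CLI word becomes a nested XML element in the cmd parameter. The following Python sketch is an added example, not code from the guide; it builds such a command and percent-encodes it into the request URL. The helper names op_cmd_xml and op_url and the handling of a value such as a version string are assumptions, and authentication is not shown.

```python
import re
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Element names are restricted to CLI-style words so that caller input
# cannot inject extra XML elements into the command.
_WORD = re.compile(r"^[a-z][a-z0-9-]*$")


def op_cmd_xml(words, value=None):
    """Nest CLI words as XML elements; an optional value (for example a
    version string) becomes the escaped text of the innermost element."""
    if not words:
        raise ValueError("at least one command word is required")
    for word in words:
        if not _WORD.match(word):
            raise ValueError(f"not a valid command word: {word!r}")
    xml = "" if value is None else escape(str(value))
    for word in reversed(words):
        xml = f"<{word}>{xml}</{word}>"
    return xml


def op_url(host, words, value=None):
    """Build the type=op request URL with the XML percent-encoded."""
    query = urlencode({"type": "op", "cmd": op_cmd_xml(words, value)})
    return f"https://{host}/api/?{query}"


if __name__ == "__main__":
    # "firewall" is the placeholder host used in the table above.
    print(op_url("firewall", ["request", "restart", "system"]))
    print(op_url("firewall", ["show", "jobs"]))
    # Assumed shape for a command that carries a value (constructed input).
    print(op_url("firewall",
                 ["request", "system", "software", "install", "version"],
                 "10.1.0"))
```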
