Palo Alto Software Upgrade
It is recommended that the firewall software version be updated regularly to take advantage of new next-generation firewall features and to keep the firewalls secure.
The steps to take are outlined in the PAN-OS Software Updates documentation and are summarised and illustrated below, based on the steps recently taken while upgrading from v9.1.x to v10.0.x.
Prerequisite
- Make sure no pipeline is running and that the current pipeline runs without error
- Perform dynamic updates and make sure the latest versions are installed: go to Device -> Dynamic Updates on the left menu pane
  - Update Applications and Threats
  - Update WildFire
- Make sure there is no candidate configuration that hasn't been committed; the config has to be in a stable state
- Make a config backup: go to Device -> Setup -> Operations
- Generate and export a tech support file: go to Device -> Support -> Tech Support File. If an issue can't be resolved you will need to send this file to Palo Alto support
- Verify the currently installed software version on the system
(Screenshot: installed software version)
- Check for the latest available software: go to Device -> Software and click the Check Now button to refresh the screen with the latest software
(Screenshot: available software)
- Download the version(s) to be installed
- Same process as above but for plugins: go to Device -> Plugin and click Check Now for available plugins
Notes
- Always install the latest available maintenance release before a major release, e.g. v9.1.0-h3 -> v9.1.11-h3 before v10.0.0
- When moving to the v10.1.x release the path would be v10.0.(max) -> v10.1.0 -> v10.1.x
- Don't forget there are two regions, that is 4 firewall VMs to upgrade. In Panorama this might not be an issue, but if doing it manually you'd have to install separately on all four
Steps
- ⚠️ Always start with sbox; if there are no issues when it is complete, the chances of issues with nonprod and prod are very low. The flow is sbox -> nonprod -> prod
- Download (if not already done) and install the last available maintenance release, i.e. v9.1.11-h3 or v10.0.(max)
- Verify the system is up and running: check CPU, memory and the firewall's system resources. Usage should be reasonably low; a 90% reading is a red flag, so wait until it has dropped or investigate why it is so high
- Download and install the next major release, i.e. v10.0.0 if coming from v9.1.x or v10.1.0 if coming from v10.0.x
- Download (if not already done) and install plugins if prompted
- Verify the system is up and running: check CPU, memory and the firewall's system resources; if high, wait until it settles, which should not take long
- Download (if not already done) and install the next release, i.e. v10.0.7 or v10.1.x
- Verify the system is up and running: check CPU, memory etc.
- ⚠️ Note: the prod update needs a CR raised and must be done out of office hours (ideally 8pm or after), as each VM will need to be rebooted to apply the new software version. Comms must be sent out to platform-operations & cloud-native-announce prior to the work being carried out, and advise CGI (neil.green@cgi.com) as they have an app associated with one Palo FW.
- Start with the passive prod vm-1 and, once that has been updated, check that Prod LB monitoring -> insights shows the VM as green before starting work on the other prod VM.
- 🔔 Note: after reboot, follow the steps in the Disk space full messages document to re-enable automatic disk usage cleanup by the VM (very important)
- Once the above steps have been completed, check under Monitor -> Logs -> Traffic in the UI that traffic is being received from the Palos.
- We are looking to see whether the disk usage cleanup can be automated in some way, but for now please enable it manually.
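The Notes and Steps above describe a fixed ordering rule (latest maintenance release of the current line first, then the base image of the next feature line, then the latest release of that line, one line at a time). The script below is an added example, not part of this runbook or of Palo Alto's own tooling: it reads the installed version out of a constructed sample of the `show system info` XML API response, then plans the sequence of images to install against a constructed catalogue of available versions using exactly that rule. The catalogue, target version and hostnames are sample data, not real release lists.

```python
"""Plan a PAN-OS upgrade path using the ordering rule from the runbook.

Added example. The version catalogue, target version and the XML below are
constructed sample data; the ordering rule is the runbook's, not an official
Palo Alto upgrade-path calculator.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the XML API reply for the operational command
# <show><system><info/></system></show>; only <sw-version> is used here.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-sbox-vm1</hostname>
<model>PA-VM</model>
<sw-version>9.1.0-h3</sw-version>
<app-version>8480-7107</app-version>
</system></result></response>"""

# Constructed list of images as they might appear under Device -> Software.
AVAILABLE = ["9.1.0-h3", "9.1.8", "9.1.11-h3",
             "10.0.0", "10.0.3", "10.0.7",
             "10.1.0", "10.1.4"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn 'v10.0.7-h2' into a sortable tuple (10, 0, 7, 2); hotfix defaults to 0."""
    match = _VERSION_RE.match(text.strip().lstrip("v"))
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def installed_version(xml_text):
    """Extract <sw-version> from a successful 'show system info' API reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not return status=success")
    return root.findtext("./result/system/sw-version")


def feature_line(version):
    """The (major, minor) feature line a version belongs to, e.g. (10, 0)."""
    return parse_version(version)[:2]


def latest_in_line(line, available):
    """Newest available image in a feature line (the 'v10.0.(max)' of the notes)."""
    candidates = [v for v in available if feature_line(v) == line]
    return max(candidates, key=parse_version) if candidates else None


def plan_upgrade(current, target, available):
    """Return the ordered list of images to install to get from current to target.

    Rule (from the runbook): within the current line go to its latest release;
    for each later line install the base image x.y.0, then the line's latest
    release (or the target itself if that is the final line).
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        return []  # already at or beyond the target; nothing to install
    lines = sorted({feature_line(v) for v in available} | {cur[:2], tgt[:2]})
    lines = [ln for ln in lines if cur[:2] <= ln <= tgt[:2]]
    path, position = [], current
    for index, line in enumerate(lines):
        if index > 0:
            base = f"{line[0]}.{line[1]}.0"
            if base not in available:
                raise RuntimeError(f"base image {base} must be downloaded first")
            path.append(base)
            position = base
        if line == tgt[:2]:
            if tgt > parse_version(position):
                path.append(target)
        else:
            latest = latest_in_line(line, available)
            if latest and parse_version(latest) > parse_version(position):
                path.append(latest)
                position = latest
    return path


if __name__ == "__main__":
    current = installed_version(SAMPLE_SYSTEM_INFO)
    print("installed:", current)
    print("plan to 10.0.7:", " -> ".join(plan_upgrade(current, "10.0.7", AVAILABLE)))
    print("plan to 10.1.4:", " -> ".join(plan_upgrade(current, "10.1.4", AVAILABLE)))
```

Run it once per firewall before starting, and compare the printed plan with what you intend to click through under Device -> Software; a `RuntimeError` about a missing base image means the x.y.0 image still needs downloading, which matches the prerequisite step of downloading every version to be installed up front.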
Post Upgrade
- Rerun the pipeline to see if there are any issues between the current config and the new software version
- Fix forward if there are issues; the config might need to be updated, e.g. where new markup has been introduced
- Deleting old installation files to save space and clean up is a nice-to-have
- Verify via the CLI that disk usage cleanup is enabled, but only once the VM's software update has been done, since this configuration is lost during the reboot. Use the following document to keep disk space below the 90% disk threshold implementation.
- Move to nonprod after sbox is stable and the pipeline runs well, i.e. commits the current config. The flow is sbox -> nonprod -> prod
- Let team members know that the upgrade was successful
- 📕 Revisit every 3 months for the next upgrade to keep the firewall software up to date