Hot Downloads

Complete Guide to Upgrading Palo Alto Firewall PAN-OS. Prerequisites, Upgrade Paths, Config Backup, Application & Threats Update & More

Written by Administrator. Posted in Palo Alto Firewalls

5 1 1 1 1 1 Rating 5.00 (2 Votes)
Pin It

Upgrading your Palo Alto Firewall to the preferred PAN-OS release is always recommended as it ensures it remains stable, safe from known vulnerabilities and exploits but also allows you to take advantage of new features.

This article will show you how to upgrade your standalone Firewall PAN-OS, explain the differences between a Base Image and a Maintenance Release Image. We’ll also explain the PAN-OS upgrade paths, show how to backup and export your configuration, deal with common PAN-OS install errors (upgrading requires greater content version). Finally, we will explain why newer PAN-OS releases might not be visible for download in your firewall’s software section.

Topics covered:

Prerequisites for PAN-OS Upgrades

It is important to note that only eligible Palo Alto customers, that is, those with an active contract, can receive updates for their firewalls. Our article How to Register and Activate Palo Alto Support, Subscription Servers, and Licenses covers this process in great detail.

Understanding PAN-OS Upgrade Paths

Direct (one-step) upgrade to the latest PAN-OS depends on the current version your firewall is running. When upgrading from a fairly old to a newer PAN-OS version, multi-step upgrades might be necessary. This ensures the device’s configuration is migrated to the PAN-OS's newer supported features and that nothing “breaks” during the upgrade process.

Like most vendors, Palo Alto Networks produce a base image and maintenance releases. Maintenance releases are small upgrades of the base image and deal with bug fixes and sometimes introduce small enhancements.

As a rule of thumb, firewalls should be running the Palo Alto preferred PAN-OS release, and it is generally a good practice to install these releases as they are published.

When upgrading your PAN-OS to the latest maintenance release of a newer base release, the firewall will likely require you to download the new base release before allowing you to install its latest maintenance release.

For example, our firewall is currently running version 9.0.3-h3, noted by the ‘tick’ on the Currently Installed column, and our goal is to upgrade to version 9.1.4 (preferred release) as shown below:

Palo Alto PAN-OS upgrade path

When attempting to download version 9.1.4, a maintenance release for base 9.1.0, we received an error (see screenshot below) explaining that we need to download 9.1.0 base image first (no installation required). Once downloaded, we can proceed with the download and installation of version 9.1.4.

palo alto firewall upgrading requires greater content version

Backing Up & Exporting Firewall Configuration

It is imperative to backup and export the configuration before attempting to upgrade. To create a backup go to Devices > Setup, then select the Operations (3) tab and Save named configuration snapshot (4):

backup current palo alto firewall configuration

Once the backup is complete, it is highly recommend to export the configuration by selecting Export named configuration snapshot (5) and saving it in a safe place.

Downloading & Installing PAN-OS Software

We will be upgrading our firewall from PAN-OS 9.0.3-h3 to 9.1.4. As explained previously, for this process, we will download base 9.1.0 and then download & install maintenance release 9.1.4.

Newer PAN-OS versions can be downloaded directly from the firewall GUI (recommended). Alternatively, they can be downloaded from https://support.paloaltonetworks.com and then upload it manually.

From the GUI, go to Device > Software, then click on Check Now (3) to update the software list. When complete, click on Download (4) for base image 9.1.0:

download install pan-os on palo alto firewall

When compete, click on Download (5) on version 9.1.4, then install (option will be available once the image has downloaded). During the installation a progress bar will be displayed:

palo alto firewall installing pan-os software

As soon as the installation process is complete, the firewall will ask to reboot:

 palo alto firewall reboot after pan-os installation

Dealing with Common Install Errors: Upgrading Requires Greater Content Version

A common error users are faced with when attempting to install a newer PAN-OS is the “Error: Upgrading from xxx to xxx requires a content version 8226 or greater and found 8165-5521” error as shown below:

palo alto firewall upgrade requires greater content version

This error is related to the Applications and Threats version the firewall is currently running which is most likely outdated. 

To fix this, go to Device > Dynamic Updates and click on the Check Now (3) button as shown below:

palo alto firewall upgrading applications threats version

Next, download (5) the latest version of Applications and Threats. Once the download is complete, the install option will become available. Proceed with the installation of the newly downloaded Applications and Threats version:

palo alto firewall installing applications and threats

Another common error is the Image File Authentication Error – Failed to Load into Software Manager error. This is covered in detail in our article How to Fix Palo Alto Firewall “Error: Image File Authentication Error”.

Why Aren’t the Latest PAN-OS Releases Available for Download?

Palo Alto Networks continuously publish new PAN-OS releases; however, they might not be available/visible on your firewall if they are not compatible with the version your firewall is currently running.

At the time of writing, PAN-OS 10.0 was available however if you take a close look at the available software, you notice that it is not listed:

palo alto firewall check for new pan-os

After upgrading to version 9.1.4 we went back and clicked the Check Now button. PAN-OS 10 was available to download and install:

 pan-os new images after upgrade

Summary

This article showed how to upgrade a standalone Palo Alto Firewall PAN-OS, it explained the different PAN-OS images (Base Image, Maintenance Release) and PAN-OS upgrade paths depending on your current PAN-OS. We also saw how to download and install the PAN-OS software, common installation errors (requires greater content version error) and finally explained why latest PAN-OS releases are not made available in your firewall’s software download section.

Back to Palo Alto Networks Firewall Section

Pin It

Articles To Read Next:

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup