Upgrading your Palo Alto Firewall or Panorama Management System to the preferred PAN-OS release is always recommended as it ensures it remains stable, safe from known vulnerabilities and exploits but also allows you to take advantage of new features.
This article will show you how to upgrade your standalone Firewall PAN-OS, explain the differences between a Base Image and a Maintenance Release Image. We’ll also explain the PAN-OS upgrade paths, show how to backup and export your configuration, deal with common PAN-OS install errors (upgrading requires greater content version). Finally, we will explain why newer PAN-OS releases might not be visible for download in your firewall’s software section.
While the same process described below can be used to upgrade Panorama PAN-OS, it is important to ensure the Panorama PAN-OS version is equal or greater than the firewalls. When upgrading PAN-OS for both Panorama and Firewall appliances, always upgrade Panorama first.
It is important to note that only eligible Palo Alto customers, that is, those with an active contract, can receive updates for their firewalls. Our article How to Register and Activate Palo Alto Support, Subscription Servers, and Licenses covers this process in great detail.
Direct (one-step) upgrade to the latest PAN-OS depends on the current version your firewall is running. When upgrading from a fairly old to a newer PAN-OS version, multi-step upgrades might be necessary. This ensures the device’s configuration is migrated to the PAN-OS's newer supported features and that nothing “breaks” during the upgrade process.
Like most vendors, Palo Alto Networks produce a base image and maintenance releases. Maintenance releases are small upgrades of the base image and deal with bug fixes and sometimes introduce small enhancements.
As a rule of thumb, firewalls should be running the Palo Alto preferred PAN-OS release, and it is generally a good practice to install these releases as they are published.
When upgrading your PAN-OS to the latest maintenance release of a newer base release, the firewall will likely require you to download the new base release before allowing you to install its latest maintenance release.
For example, our firewall is currently running version 9.0.3-h3, noted by the ‘tick’ on the Currently Installed column, and our goal is to upgrade to version 9.1.4 (preferred release) as shown below:
When attempting to download version 9.1.4, a maintenance release for base 9.1.0, we received an error (see screenshot below) explaining that we need to download 9.1.0 base image first (no installation required). Once downloaded, we can proceed with the download and installation of version 9.1.4.