Upgrading your Palo Alto Firewall or Panorama Management System to the preferred PAN-OS release is always recommended as it ensures it remains stable, safe from known vulnerabilities and exploits but also allows you to take advantage of new features.
This article will show you how to upgrade your standalone Firewall PAN-OS, explain the differences between a Base Image and a Maintenance Release Image. We’ll also explain the PAN-OS upgrade paths, show how to backup and export your configuration, deal with common PAN-OS install errors (upgrading requires greater content version). Finally, we will explain why newer PAN-OS releases might not be visible for download in your firewall’s software section.
While the same process described below can be used to upgrade Panorama PAN-OS, it is important to ensure the Panorama PAN-OS version is equal or greater than the firewalls. When upgrading PAN-OS for both Panorama and Firewall appliances, always upgrade Panorama first.
- Prerequisites for PAN-OS Upgrades
- Understanding PAN-OS Upgrade Paths
- Backing Up & Exporting Firewall Configuration
- Downloading & Installing PAN-OS Software
- Dealing with Common Install Errors: Upgrading Requires Greater Content Version
- Why Aren’t the Latest PAN-OS Releases Available for Download?
It is important to note that only eligible Palo Alto customers, that is, those with an active contract, can receive updates for their firewalls. Our article How to Register and Activate Palo Alto Support, Subscription Servers, and Licenses covers this process in great detail.
Direct (one-step) upgrade to the latest PAN-OS depends on the current version your firewall is running. When upgrading from a fairly old to a newer PAN-OS version, multi-step upgrades might be necessary. This ensures the device’s configuration is migrated to the PAN-OS's newer supported features and that nothing “breaks” during the upgrade process.
Like most vendors, Palo Alto Networks produce a base image and maintenance releases. Maintenance releases are small upgrades of the base image and deal with bug fixes and sometimes introduce small enhancements.
As a rule of thumb, firewalls should be running the Palo Alto preferred PAN-OS release, and it is generally a good practice to install these releases as they are published.
When upgrading your PAN-OS to the latest maintenance release of a newer base release, the firewall will likely require you to download the new base release before allowing you to install its latest maintenance release.
For example, our firewall is currently running version 9.0.3-h3, noted by the ‘tick’ on the Currently Installed column, and our goal is to upgrade to version 9.1.4 (preferred release) as shown below:
When attempting to download version 9.1.4, a maintenance release for base 9.1.0, we received an error (see screenshot below) explaining that we need to download 9.1.0 base image first (no installation required). Once downloaded, we can proceed with the download and installation of version 9.1.4.
It is imperative to backup and export the configuration before attempting to upgrade. To create a backup go to Devices > Setup, then select the Operations (3) tab and Save named configuration snapshot (4):
Once the backup is complete, it is highly recommend to export the configuration by selecting Export named configuration snapshot (5) and saving it in a safe place.
We will be upgrading our firewall from PAN-OS 9.0.3-h3 to 9.1.4. As explained previously, for this process, we will download base 9.1.0 and then download & install maintenance release 9.1.4.
Newer PAN-OS versions can be downloaded directly from the firewall GUI (recommended). Alternatively, they can be downloaded from https://support.paloaltonetworks.com and then upload it manually.
From the GUI, go to Device > Software, then click on Check Now (3) to update the software list. When complete, click on Download (4) for base image 9.1.0:
When complete, click on Download (5) on version 9.1.4, then install (option will be available once the image has downloaded). During the installation a progress bar will be displayed:
As soon as the installation process is complete, the firewall will ask to reboot:
A common error users are faced with when attempting to install a newer PAN-OS is the “Error: Upgrading from xxx to xxx requires a content version 8226 or greater and found 8165-5521” error as shown below:
This error is related to the Applications and Threats version the firewall is currently running which is most likely outdated.
To fix this, go to Device > Dynamic Updates and click on the Check Now (3) button as shown below:
Next, download (5) the latest version of Applications and Threats. Once the download is complete, the install option will become available. Proceed with the installation of the newly downloaded Applications and Threats version:
Another common error is the Image File Authentication Error – Failed to Load into Software Manager error. This is covered in detail in our article How to Fix Palo Alto Firewall “Error: Image File Authentication Error”.
Palo Alto Networks continuously publish new PAN-OS releases; however, they might not be available/visible on your firewall if they are not compatible with the version your firewall is currently running.
At the time of writing, PAN-OS 10.0 was available however if you take a close look at the available software, you notice that it is not listed:
After upgrading to version 9.1.4 we went back and clicked the Check Now button. PAN-OS 10 was available to download and install:
This article showed how to upgrade a standalone Palo Alto Firewall PAN-OS, it explained the different PAN-OS images (Base Image, Maintenance Release) and PAN-OS upgrade paths depending on your current PAN-OS. We also saw how to download and install the PAN-OS software, common installation errors (requires greater content version error) and finally explained why latest PAN-OS releases are not made available in your firewall’s software download section.