How to Manually Download, Import & Install PAN-OS on Palo Alto Firewalls via CLI & Web GUI interface
This article provides comprehensive guidance on the manual processes involved in downloading, uploading, and installing (import) any PAN-OS version on a Palo Alto Firewall. It details the steps for searching and downloading the desired PAN-OS version, as well as the supported methods for uploading the software to your Palo Alto Firewall, including Web, TFTP, and SCP. Additionally, the article offers valuable tips aimed at facilitating a smooth and successful upgrade process.
The necessity for a manual upgrade of a Palo Alto firewall arises in instances where the system operates within an isolated environment employing air-gap architecture and lacks direct internet access. This requirement is further applicable in scenarios where the firewall is devoid of valid licenses, remains unregistered, or serves as a replacement unit as exemplified in a Return Merchandise Authorization (RMA) context.
Whether performing upgrades manually or automatically, it is crucial to consider the same upgrade path rules outlined in our article Complete guide to upgrading Palo Alto firewalls. Individuals unfamiliar with these rules are strongly encouraged to review the article before initiating any PAN-OS upgrade.
Key Topics:
- Downloading PAN-OS Software
- Uploading PAN-OS Software Images to the Firewall
- Verifying Uploaded PAN-OS Software Images (GUI & CLI)
- Installing PAN-OS Software Images
- Summary
Explore our dedicated Palo Alto section to access a collection of high-quality technical articles.
Downloading PAN-OS Software
Begin by downloading the needed software from the Palo Alto Networks support page. Make sure you have a valid support contract.
Once logged in, select Updates on the left pane, followed by Software Updates from the right pane:
Navigating to the software update section
Proceed by clicking on the Content Type dropdown menu and choose the relevant platform. Note that the portal will only show platforms you own, provided they are under a valid contract:
Selecting the correct Palo Alto platform
The portal will display a comprehensive list of different PAN-OS software versions available for download. Utilize the Search feature to locate and download the specific software version(s) you require:
Searching and downloading our PAN-OS software image
Planning your software upgrade path is essential for determining the necessary software downloads and ensuring a seamless transition. In our example, the PA-220 is running version 10.0.0 and we require to upgrade it to version 10.1.11-h1.
According to our PAN-OS upgrade path article, we need the following files:
- PanOS_220-10.1.0 (upload only)
- PanOS_220-10.1.11-h1 (upload and install)
We first upload images 10.1.0 & 10.1.11-h1, then only install 10.1.11-h1.
We’ll now use all supported methods (Web, TFTP & SCP) to demonstrate how to upload these images to our firewall appliance.
Uploading PAN-OS Software Images to the Firewall
PAN-OS supports three different upload methods: Web, TFTP and SCP, of which TFTP and SCP are performed via CLI and require a TFTP or SSH server respectively, serving the images for uploading.
It’s worth noting that when uploading an image, the firewall will automatically check for any file corruption.
Let’s now take a look how to upload PAN-OS images using the different supported methods.
Uploading via Web GUI
Uploading via the web gui interface is the easiest method, as it can be done through the browser with minimal effort. To proceed, select Device from the tabbed menu, then, from the left pane, scroll down to Software and click on Upload from the right pane. The pop-up window will allow you to select the image to be uploaded.
Uploading a software package via Web GUI
In case of a High-Availability setup, the Sync to Peer option (as shown above) will appear. Selecting it will automatically copy the image to the peer firewall.
Uploading via TFTP
Start by downloading and installing a TFTP server (freely available in our download section) and configure it to serve the firewall images. SSH into your Palo Alto firewall and issue the following command to begin the upload/import process: tftp import software from server-ip-address file filename:
admin@PA-220> tftp import software from 192.168.3.51 file PanOS_220-10.1.0
mode set to octet
Connected to 192.168.3.51 (192.168.3.51), port 69
getting from 192.168.3.51:PanOS_220-10.1.0 to /opt/pancfg/tmp/sw-images/cli.tmp.Q7q9PE [octet]
Received 566379744 bytes in 3359.8 seconds [1348615 bit/s]
PanOS_220-10.1.0 saved
admin@PA-220>
Transferring the 553MB image via TFTP took a lengthy 3359 seconds, with an average transfer speed of just 165Kb/sec or 0.165Mb/sec!
TFTP is the slowest of all supported upload methods.
Uploading via SCP
SCP is the second transfer method available, supporting considerably faster transfer speeds compared to TFTP. To begin, download and install an SSH server (freely available in our Freeware download section), then configure it to serve the firewall images. SSH into your Palo Alto firewall and issue the following command to begin the upload process: scp import software from username@server-ip-address:filename:
PanOS_220-10.1.11-h1 37% 378MB 11.8MB/s 00:14 ETA
PanOS_220-10.1.11-h1 saved
admin@PA-220>
Verifying Uploaded PAN-OS Software Images
We can easily verify if our images have been uploaded by selecting Device, then Software from the left pane. The firewall will list all available software images:
Verifying the uploaded PAN-OS images
To verify the image upload via CLI, issue the request system software info command at the firewall’s CLI prompt:
Version Size Released on Downloaded
-------------------------------------------------------------------------
10.0.0 496MB 2020/07/16 17:13:29 yes
10.1.0 540MB 2021/06/01 21:34:47 yes
10.1.11-h1 381MB 2023/11/02 10:16:51 yes
admin@PA-220>
The date & time displayed for each image, is the release date & time from Palo Alto Networks.
Installing PAN-OS Software Image
Installation via GUI
Installing the PAN-OS software image via the GUI interface is as simple as clicking on the Install action for the desirable PAN-OS version:
Installing the desirable PANOS software image
As soon as the Install action is clicked, the below warning will appear advising us we are about to install a feature release upgrade. Backups are always advisable before performing any upgrade. Click OK when ready to continue:
PAN-OS Installation warning
The installation duration varies based on the firewall model. The smaller models like PA-220/PA-850 usually require additional time to finish the process.
It is highly advisable to export backups from the local firewall.
To view the installation progress, click on the Tasks option:
Installation progress
Once the installation is complete, the firewall will prompt to reboot the device for the new software to become effective:
Firewall prompt to reboot device
Alternatively, we can reboot the firewall by visiting Device, then Setup from the left pane, followed by the Operations tab on the right pane. Next, click on Reboot Device under Device Operations:
Manually rebooting the Firewall
Installation via CLI
To perform the installation via CLI, execute the request system software install version software-version command, then press y to continue with the installation:
admin@PA-220> request system software install version 10.1.11-h1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 4. Run 'show jobs id 4' to monitor its status. Please reboot the device after the installation is done.
Issuing the show jobs id 4 command provides us with an update of the installation progress:
admin@PA-220> show jobs id 4
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2023/12/09 21:58:08 21:58:08 4 SWInstall ACT PEND 61%
Warnings:
Details:
Upon the successful completion of the new image installation, you will encounter a prompt advising to restart the firewall to transition to the updated PAN-OS version:
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2023/12/09 21:58:08 21:58:08 4 SWInstall FIN OK 22:07:19
Warnings:
Details: Software installation successfully completed. Please reboot to switch to the new version.
To reboot, issue the request restart system command:
admin@PA-220> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
Broadcast message from root (pts/0) (Sat Dec 9 22:19:32 2023):
The system is going down for reboot NOW!
Summary
This article demonstrates the process of searching and downloading PAN-OS software, manually uploading the software to a Palo Alto Firewall using supported methods (Web GUI, TFTP, and SCP), and manually installing the PAN-OS software through both Web GUI and CLI. If you are contemplating an upgrade, we recommend reviewing our PAN-OS upgrade path article for additional insights.
Your IP address:
18.97.14.88
Wi-Fi Key Generator
Follow Firewall.cx
Cisco Password Crack
Decrypt Cisco Type-7 Passwords on the fly!