Skip to main content

How to Manually Download, Import & Install PAN-OS on Palo Alto Firewalls via CLI & Web GUI interface

Palo Alto PAN-OS Manual update - upload - upgradeThis article provides comprehensive guidance on the manual processes involved in downloading, uploading, and installing (import) any PAN-OS version on a Palo Alto Firewall. It details the steps for searching and downloading the desired PAN-OS version, as well as the supported methods for uploading the software to your Palo Alto Firewall, including Web, TFTP, and SCP. Additionally, the article offers valuable tips aimed at facilitating a smooth and successful upgrade process.

The necessity for a manual upgrade of a Palo Alto firewall arises in instances where the system operates within an isolated environment employing air-gap architecture and lacks direct internet access. This requirement is further applicable in scenarios where the firewall is devoid of valid licenses, remains unregistered, or serves as a replacement unit as exemplified in a Return Merchandise Authorization (RMA) context.

Whether performing upgrades manually or automatically, it is crucial to consider the same upgrade path rules outlined in our article Complete guide to upgrading Palo Alto firewalls. Individuals unfamiliar with these rules are strongly encouraged to review the article before initiating any PAN-OS upgrade.

Key Topics:

Explore our dedicated Palo Alto section to access a collection of high-quality technical articles.

Downloading PAN-OS Software

Begin by downloading the needed software from the Palo Alto Networks support page. Make sure you have a valid support contract.

Once logged in, select Updates on the left pane, followed by Software Updates from the right pane:

Navigating to the software update section

Proceed by clicking on the Content Type dropdown menu and choose the relevant platform. Note that the portal will only show platforms you own, provided they are under a valid contract:

Selecting the correct Palo Alto platform

The portal will display a comprehensive list of different PAN-OS software versions available for download. Utilize the Search feature to locate and download the specific software version(s) you require:

Searching and downloading our PAN-OS software image

Planning your software upgrade path is essential for determining the necessary software downloads and ensuring a seamless transition. In our example, the PA-220 is running version 10.0.0 and we require to upgrade it to version 10.1.11-h1.

According to our PAN-OS upgrade path article, we need the following files:

  • PanOS_220-10.1.0 (upload only)
  • PanOS_220-10.1.11-h1 (upload and install)

We first upload images 10.1.0 & 10.1.11-h1, then only install 10.1.11-h1.

We’ll now use all supported methods (Web, TFTP & SCP) to demonstrate how to upload these images to our firewall appliance.

Uploading PAN-OS Software Images to the Firewall

PAN-OS supports three different upload methods: Web, TFTP and SCP, of which TFTP and SCP are performed via CLI and require a TFTP or SSH server respectively, serving the images for uploading.

It’s worth noting that when uploading an image, the firewall will automatically check for any file corruption.

Let’s now take a look how to upload PAN-OS images using the different supported methods.

Uploading via Web GUI

Uploading via the web gui interface is the easiest method, as it can be done through the browser with minimal effort. To proceed, select Device from the tabbed menu, then, from the left pane, scroll down to Software and click on Upload from the right pane. The pop-up window will allow you to select the image to be uploaded.

Uploading a software package via Web GUI

In case of a High-Availability setup, the Sync to Peer option (as shown above) will appear. Selecting it will automatically copy the image to the peer firewall.

Uploading via TFTP

Start by downloading and installing a TFTP server (freely available in our download section) and configure it to serve the firewall images. SSH into your Palo Alto firewall and issue the following command to begin the upload/import process: tftp import software from server-ip-address file filename:

admin@PA-220> tftp import software from 192.168.3.51 file PanOS_220-10.1.0
mode set to octet
Connected to 192.168.3.51 (192.168.3.51), port 69
getting from 192.168.3.51:PanOS_220-10.1.0 to /opt/pancfg/tmp/sw-images/cli.tmp.Q7q9PE [octet]
Received 566379744 bytes in 3359.8 seconds [1348615 bit/s]
PanOS_220-10.1.0 saved
admin@PA-220>

Transferring the 553MB image via TFTP took a lengthy 3359 seconds, with an average transfer speed of just 165Kb/sec or 0.165Mb/sec!

TFTP is the slowest of all supported upload methods.

Uploading via SCP

SCP is the second transfer method available, supporting considerably faster transfer speeds compared to TFTP.  To begin, download and install an SSH server (freely available in our Freeware download section), then configure it to serve the firewall images. SSH into your Palo Alto firewall and issue the following command to begin the upload process: scp import software from username@server-ip-address:filename:

admin@PA-220> scp import software from This email address is being protected from spambots. You need JavaScript enabled to view it.:PanOS_220-10.1.11-h1
This email address is being protected from spambots. You need JavaScript enabled to view it.'s password:
PanOS_220-10.1.11-h1                      37%  378MB  11.8MB/s       00:14 ETA
PanOS_220-10.1.11-h1 saved
admin@PA-220>
Transferring the 378MB image via SCP took only 25 seconds with an average transfer speed of 11Mb/sec!

Verifying Uploaded PAN-OS Software Images

We can easily verify if our images have been uploaded by selecting Device, then Software from the left pane. The firewall will list all available software images:

Verifying the uploaded PAN-OS images

To verify the image upload via CLI, issue the request system software info command at the firewall’s CLI prompt:

admin@PA-220> request system software info
Version     Size   Released on         Downloaded
-------------------------------------------------------------------------
10.0.0     496MB   2020/07/16 17:13:29   yes
10.1.0     540MB   2021/06/01 21:34:47   yes
10.1.11-h1 381MB   2023/11/02 10:16:51   yes
admin@PA-220>
 

The date & time displayed for each image, is the release date & time from Palo Alto Networks.

Installing PAN-OS Software Image

Installation via GUI

Installing the PAN-OS software image via the GUI interface is as simple as clicking on the Install action for the desirable PAN-OS version:

Palo Alto Firewalls - Installation of pan-os image via web guiInstalling the desirable PANOS software image

As soon as the Install action is clicked, the below warning will appear advising us we are about to install a feature release upgrade. Backups are always advisable before performing any upgrade. Click OK when ready to continue:

Palo Alto Firewall - PAN-OS upgrade message warningPAN-OS Installation warning

The installation duration varies based on the firewall model. The smaller models like PA-220/PA-850 usually require additional time to finish the process.

It is highly advisable to export backups from the local firewall.

To view the installation progress, click on the Tasks option:

Palo Alto Firewall - PAN-OS installation progressInstallation progress

Once the installation is complete, the firewall will prompt to reboot the device for the new software to become effective:

Palo Alto Firewall - PAN-OS Firewall reboot promptFirewall prompt to reboot device

Alternatively, we can reboot the firewall by visiting Device, then Setup from the left pane, followed by the Operations tab on the right pane. Next, click on Reboot Device under Device Operations:

Palo Alto Firewall - Manually Rebooting the FirewallManually rebooting the Firewall

Installation via CLI

To perform the installation via CLI, execute the request system software install version software-version command, then press y to continue with the installation:

 admin@PA-220> request system software install version 10.1.11-h1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 4. Run 'show jobs id 4' to monitor its status. Please reboot the device after the installation is done.

Issuing the show jobs id 4 command provides us with an update of the installation progress:

admin@PA-220> show jobs id 4
Enqueued           Dequeued   ID  Type      Status  Result Completed
------------------------------------------------------------------------------------------------------------------------------
2023/12/09 21:58:08  21:58:08  4  SWInstall  ACT    PEND   61%
Warnings:
Details:

Upon the successful completion of the new image installation, you will encounter a prompt advising to restart the firewall to transition to the updated PAN-OS version:

admin@PA-220> show jobs id 4
Enqueued            Dequeued  ID  Type      Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2023/12/09 21:58:08 21:58:08  4   SWInstall FIN    OK     22:07:19
Warnings:
Details: Software installation successfully completed. Please reboot to switch to the new version.

To reboot, issue the request restart system command:

admin@PA-220> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
Broadcast message from root (pts/0) (Sat Dec 9 22:19:32 2023):
The system is going down for reboot NOW!

Summary

This article demonstrates the process of searching and downloading PAN-OS software, manually uploading the software to a Palo Alto Firewall using supported methods (Web GUI, TFTP, and SCP), and manually installing the PAN-OS software through both Web GUI and CLI. If you are contemplating an upgrade, we recommend reviewing our PAN-OS upgrade path article for additional insights.

Your IP address:

18.97.14.88

All-in-one protection for Microsoft 365

All-in-one protection for Microsoft 365

FREE Hyper-V & VMware Backup

FREE Hyper-V & VMware Backup

Wi-Fi Key Generator

Generate/Crack any
WEP, WPA, WPA2 Key!

Network and Server Monitoring

Network and Server Monitoring

Follow Firewall.cx

Cisco Password Crack

Decrypt Cisco Type-7 Passwords on the fly!

Decrypt Now!

Bandwidth Monitor

Zoho Netflow Analyzer Free Download

Free PatchManager

Free PatchManager

EventLog Analyzer

ManageEngine Eventlog Analyzer

Security Podcast

Hornet-Security-The-Swarm-Podcast

Firewall Analyzer

zoho firewall analyzer