Upgrading the software of a Palo Alto Networks firewall (PAN-OS) can be daunting if it’s running in production. If you’ve been in IT long enough, you’ve come across some nightmare upgrades.
The PAN-OS software upgrade is fairly straight forward. There’s plenty of documentation around it.
Because I’m studying for the PCNSA certification, I need to upgrade my firewall to 10.0. In this blog post, I’m going to run through the general steps to upgrade.
My PA-820 lab firewall is currently running on 9.1.4. Reading through the Palo Alto Networks documentation, I need to upgrade to the latest preferred train, which at the time of this post is 9.1.12.
☝️Release Notes
When upgrading to a new feature release, read the release notes. Understand the fixes, new features, and open caveats.
Backup the Configuration
Always cover your butt. Just in case things go sideways, you wan’t to have a backup of your configuration.
Navigate to Device > Setup > Operations
Click on Save named configuration snapshot

Click the dropdown box and select running-config.xml
Click on Export named configuration snapshot and click OK
You’ll be prompted to save the configuration file to your computer.
Install Content Updates
When I first started learning how to upgrade PAN-OS, I found out you needed to have the latest content release versions. This is the Application and Threat Updates.
Head over to Device > Dynamic Updates
Click on Check Now
Download the latest content release under Applications and Threats (as it relates to upgrading to 10.0)

Upgrade PAN-OS
It is recommended to upgrade PAN-OS to the latest preferred version of your current software train. In my example, the latest preferred version is 9.1.2. Here is a useful resource on preferred versions.
Navigate to Device > Software and click on Check Now. You’ll then be presented with a list of software versions.
Download the latest PAN-OS preferred version on your software train.
Then click on Install
After the installation is complete, you’ll be prompted to Reboot the firewall. You should perform this step after business hours to minimize downtime to the end users.
Wait about 10-15 minutes and the firewall should come back up with the latest version you just installed.
You can then proceed to the next feature release version. In my case, I’m going to download 10.0.0 and install the software. This process repeats to your desired version.

Leave a Reply