Tuesday, 10 March 2026

PA Firmware Upgrade

🔹 What is a Firewall Firmware Upgrade?
Firmware upgrade means upgrading the PAN-OS (Palo Alto Networks Operating System) version running on the firewall.

Example:
Current Version: 10.1.6
Target Version: 10.2.3
You cannot jump between arbitrary versions. Palo Alto requires a supported upgrade path.

BEFORE YOU UPGRADE (Most Important Section)
✅ 1. Check Current Version
Go to:
Device → Dashboard → General Information → Software Version
Or CLI: show system info

✅ 2. Take Full Backup (Mandatory)
Go to:
Device → Setup → Operations
Take:
Export Named Configuration Snapshot
Export Device State
CLI: scp export configuration from running-config.xml to user@server:/path

✅ 3. Read Release Notes
Always check:
Feature changes
Known bugs
Upgrade path
Available on: 🔗 https://lnkd.in/gG_RwK9t

✅ 4. Check Upgrade Path
Example:
If you are on: 10.1.6
You CANNOT directly go to 10.2.3
You may need: 10.1.6 → 10.1.10 → 10.2.0 → 10.2.3
This depends on the recommended path.

🔥 METHOD 1: Upgrade via GUI (Most Common Method)

Step-by-Step Procedure
Step 1: Download the Target Version
Go to:
Device → Software
Click:
Check Now
Available versions will appear.
Click:
Download (for base image first)

Step 2: Install the Version
After the download completes, click:
Install
The firewall will reboot.
Downtime:
Standalone: 5–10 minutes
HA: Minimal (if done properly)

Step 3: Verify Upgrade
After reboot:
Go to:
Dashboard → Check Software Version
Or CLI: show system info
Confirm:
PAN-OS version
All services are up

🔥 METHOD 2: Upgrade via CLI
Step 1: Check Available Versions
request system software check
Step 2: Download Version
request system software download version 10.2.3
Step 3: Install Version
request system software install version 10.2.3
Step 4: Reboot
request restart system

🔥 METHOD 3: Upgrade in HA (High Availability) – Recommended Approach
If you are running Active-Passive HA:
Correct Sequence 👇
Step 1: Suspend Passive Device
request high-availability state suspend

Step 2: Upgrade Passive Firewall First
Download → Install → Reboot

Step 3: Make Passive Active
Perform Failover

Step 4: Upgrade Second Firewall
This ensures:
✅ No downtime
✅ Traffic continuity

Real Practical Example
Scenario:
Company Firewall: Model: PA-3220
Current Version: 10.1.6
Target Version: 10.2.3
Mode: Active-Passive HA
Upgrade Path: 10.1.6 → 10.1.10 → 10.2.0 → 10.2.3
Procedure:
Backup both firewalls
Suspend passive
Upgrade passive fully
Failover
Upgrade second firewall
Verify HA sync
Monitor logs for 30 minutes
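
The path in this scenario can be sanity-checked before the change window, and the running version confirmed after each reboot. The script below is an added example, not part of the original post and not Palo Alto tooling. Its two path rules are assumptions modelled on this page's example path (the release notes remain the authority), and the `show system info` text is a constructed, trimmed sample.

```python
import re

def parse_version(v):
    """'10.2.3' or '10.2.3-h4' -> (10, 2, 3, 4); a missing hotfix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def check_path(current, hops):
    """Return the problems found in a planned hop list (empty list = consistent).

    Assumed rules, modelled on this page's example path and not an official
    Palo Alto rule set: every hop is newer than the one before it, and a new
    feature release (major.minor) is entered through its x.y.0 base image.
    """
    problems = []
    prev = parse_version(current)
    for hop in hops:
        cur = parse_version(hop)
        if cur <= prev:
            problems.append(f"{hop}: not newer than the previous version")
        elif cur[:2] != prev[:2] and cur[2:] != (0, 0):
            problems.append(f"{hop}: enters {cur[0]}.{cur[1]} without its base image")
        prev = cur
    return problems

def running_version(show_system_info):
    """Extract the sw-version field from 'show system info' output."""
    m = re.search(r"^sw-version:\s*(\S+)", show_system_info, re.MULTILINE)
    if not m:
        raise ValueError("no sw-version line found")
    return m.group(1)

def hop_succeeded(show_system_info, expected):
    """True when the firewall reports the version this hop was meant to install."""
    return parse_version(running_version(show_system_info)) == parse_version(expected)

# Constructed, trimmed sample of 'show system info' output after the first hop.
SAMPLE = """hostname: fw-passive
model: PA-3220
sw-version: 10.1.10
"""

if __name__ == "__main__":
    plan = ["10.1.10", "10.2.0", "10.2.3"]
    print(check_path("10.1.6", plan))        # planned path from the scenario
    print(check_path("10.1.6", ["10.2.3"]))  # direct jump gets flagged
    print(hop_succeeded(SAMPLE, plan[0]))
```

Run the path check on the plan for both HA peers, and stop the procedure if `hop_succeeded` is false after any reboot rather than continuing to the next hop.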

🔎 Post-Upgrade Checklist
After upgrade always check:
✅ HA Status
show high-availability state
✅ Routing Table
show routing route
✅ Session Table
show session all
✅ Interface Status
show interface all
✅ Logs
Monitor:
System logs
Traffic logs
Threat logs


