Upgrading Software on Palo Alto Firewalls Without Internet Connections

Problem

When attempting to manually upgrade PAN-OS software on Palo Alto firewalls that are not connected to the internet (or never have been), you will run into errors such as “Operation Failed” and “No update information available”.

The manual upload and install-from-file process doesn’t work correctly using the GUI, especially on PAN-OS versions lower than 7.0. Since the device can’t contact the Palo Alto update servers, the software version list is never able to populate and the whole process fails.

This can be a problem for deployment environments without internet access, or whenever you need to configure an RMA replacement device in advance.

A recent replacement firewall I received from Palo Alto was running PAN-OS 6.0.

Solution

The solution to this problem is to upload the PAN-OS software image using the web GUI and then initiate the installation using the CLI.

Step 1 – Download the PAN-OS Software Image

First you’ll need to download the version of PAN-OS you want to install from the Palo Alto software update page.

If the firewall is running a very old version of PAN-OS, you will need to download several different image files and stair-step your way up to the version you want.

Step 2 – Upload the image file to the firewall

Log into the web interface and go to Device \ Software. Use the upload button to transfer the image to the firewall.

Step 3 – Apply the update using the CLI

Log into the firewall via SSH and execute the command below after changing the version number to match the version you want to apply.

request system software install version 8.0.0

This will queue the installation job and assign the task a job ID. You can monitor the installation progress by using the show jobs command with that ID.

show jobs id 2

Once the installation is complete the status will show FIN.

Step 4 – Reboot the firewall

After the installation is complete the firewall must be rebooted.  You can reboot using the web interface or the CLI command below.

request restart system

When the firewall boots up it should be running the new code version.  You can repeat this process as needed until you’ve reached the desired version.
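Because an offline firewall is fed images by hand, it is worth checking each downloaded file before it goes anywhere near the device. The script below is an added example, not part of the original post: run on the admin workstation, it verifies every staged image against a SHA-256 value and prints the CLI commands from the steps above in install order. The image file names, the checksum manifest (digests you recorded from a trusted source at download time) and the function names are assumptions; the script only orders the images you chose and does not decide which intermediate versions are required.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches a trailing PAN-OS style version such as 7.1.0 or 8.0.0-h2.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix) as a sortable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def plan_upgrade(image_dir, expected, running):
    """Verify every image, then return versions newer than `running` in install order."""
    steps = []
    for name, digest in expected.items():
        # Any mismatch aborts the whole plan: do not upload a partial set.
        if sha256_file(Path(image_dir) / name) != digest.strip().lower():
            raise ValueError(f"checksum mismatch: {name}")
        ver = parse_version(name)
        if ver > parse_version(running):
            steps.append(ver)
    return [".".join(map(str, v[:3])) + (f"-h{v[3]}" if v[3] else "")
            for v in sorted(steps)]

if __name__ == "__main__":
    # Constructed sample: tiny stand-in files with hypothetical image names.
    with tempfile.TemporaryDirectory() as d:
        expected = {}
        for name in ("PanOS_200-8.0.0", "PanOS_200-7.0.1", "PanOS_200-7.1.0"):
            (Path(d) / name).write_bytes(name.encode())
            expected[name] = hashlib.sha256(name.encode()).hexdigest()
        for version in plan_upgrade(d, expected, running="6.0.0"):
            print(f"request system software install version {version}")
            print("show jobs id <job-id>   # wait for FIN")
            print("request restart system")
```

In real use, replace the constructed files with the directory of downloaded images and a manifest of the digests you recorded, and upload each image through Device \ Software before running its install command.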

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.
