Problem
When attempting to manually upgrade PAN-OS software on Palo Alto firewalls that are not connected to the internet (or never have been) you will run into errors such as “Operation Failed” and “No update information available”.
The manual upload and install from file process doesn’t work correctly using the GUI, especially on PAN-ON versions lower than 7.0. Since the device can’t contact the Palo Alto update servers the software version list is never able to populate and the whole process fails.
This can be a problem for deployment environments without internet access, or whenever you need to configure an RMA replacement device in advance.
A recent replacement firewall I received from Palo Alto was running PAN-OS 6.0.
Solution
The solution to this problem is to upload the PAN-OS software image using the web GUI and then initiate the installation using the CLI.
Step 1 – Download the PAN-OS Software Image
First you’ll need to download the version of PAN-OS you want to install from the Palo Alto software update page.
If the firewall is running a very old version of PAN-OS then you will need to download several different image files and stair step your way up to the version you want.
Step 2 – Upload the image file to the firewall
Log into the web interface an go to Device \ Software. Use the upload button to transfer the image to the firewall.
Step 3 – Apply the update using the CLI
Log into the firewall via SSH and execude the command below after changing the version number to match the version you want to apply.
request system software install version 8.0.0
This will queue the installation job and assign the task a job id. You can monitor the installation progress by using the show jobs command.
show jobs id 2
Once the installation is complete the status will show FIN.
Step 4 – Reboot the firewall
After the installation is complete the firewall must be rebooted. You can reboot using the web interface or the CLI command below.
request restart system
When the firewall boots up it should be running the new code version. You can repeat this process as needed until you’ve reached the desired version.
Hi Sam,
When you upload from file on the gui it always shows C:/fakepath/7.1.0 for example.
How is the session established from the gui to the pc your on?
I’m having trouble uploading software to upgrade a pa-200 to the current release.
It was on 5.1.0 and I’ve managed to get it to 7.0, but 7.1 is timing out. I just changed the administrators timeout to 0. I’m hoping that helps.
Thanks!
Tom
I’m not sure what method the web gui utilizes for the file transfer. If that’s not working for you then you could try coping the image over via SCP, or TFTP instead.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Manually-Import-and-Install-PAN-OS-from-the-CLI/ta-p/58646