The following procedures show how to revert or downgrade to a lower version of PAN-OS on the Palo Alto firewall.
Via the CLI, a revert command can be issued to restore to a previous version.
Note: This feature is not supported for Major upgrades (from 8.1.15 to 8.0.2), due to the logs and other databases modified during the upgrade. Instead, use the 'Re-Install' instructions below. It is recommended that you only use this 'restore' command when downgrading minor versions (from 8.1.15 to 8.1.14)
Step 1.
Verify that the previous PAN-OS version in use prior to the upgrade is still loaded on the partition and is revertable with the CLI command: debug swm status
debug swm status
admin@firewall> debug swm status
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 8.1.15-h3
sysroot1 REVERTABLE 8.1.14-h2
maint EMPTY None
In this sample output, the device is running PAN-OS 8.1.15-h3 as indicated by the RUNNING-ACTIVE state. PAN-OS 8.1.14-h2 is the revertable option.
Step 2.
To boot from the partition in use prior to the upgrade, issue the command: debug swm revert.
Nothing will be un-installed and no configuration changes will be made, but the device will load with the previous PAN-OS version.
debug swm revert
admin@firewall> debug swm revert
Reverting from 8.1.15-h3 (sysroot0) to 8.1.14-h2 (sysroot1)
To check on the current status:
debug swm status
admin@firewall> debug swm status
To boot from the partition in use prior to the upgrade, issue the command: debug swm revert.
Nothing will be un-installed and no configuration changes will be made, but the device will load with the previous PAN-OS version.
debug swm revert
admin@firewall> debug swm revert
Reverting from 8.1.15-h3 (sysroot0) to 8.1.14-h2 (sysroot1)
To check on the current status:
debug swm status
admin@firewall> debug swm status
Partition State Version
--------------------------------------------------------------------------------
sysroot0 RUNNING-ACTIVE 8.1.15-h3
sysroot1 PENDING-REVERT 8.1.14-h2
maint EMPTY None
Step 3.
To reboot after this and to get back to the previous version:
request restart system
admin@firewall> request restart system
admin@firewall> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
Step 4.
- Reinstall
1. If the previous version is no longer available to revert, re-install (no download required) your last PAN-OS version. Perform this step in the GUI by clicking "install" on an older version of the software.
2. Reboot the device.
3. Reload the saved config file.
No comments:
Post a Comment