PAN Firewall OS Update

(As of 8/27/2025 - Target OS version is 11.1.6-h3 for PA-440, 10.2.10-h9 for PA-220)

1. Log into firewall that needs update. Review general information as model number will dictate which code we will upgrade to.

Note the following;

Current Model (PA-220, PA-440, etc)
Software Version
Serial Number (ensure we are on correct firewall and is for correct customer)

2. Export running config backup (requires superuser permission) and save to customer file in network drive. (Device > Setup > Export Named Configuration Snapshot)

3. Once general info has been reviewed, look at the upgrade path. This is the path that will need to be taken to get to version of code we plan to upgrade to.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/determine-the-upgrade-path

4. On the firewall, navigate to Device > Software and then click on "Check Now" on the bottom bar. Check Now needs to be ran in order to allow download and OS patching. Download update file for next hop in upgrade path. (Note that the base file cannot be skipped [eg. download 11.0.0 when upgrading from 10.x.x])

5. After software file has been downloaded, take note of management tunnel IP as well as public IP for firewall. These will be needed in order to monitor the firewall as it reboots.

6. Install firewall code upgrade. Initiate a continuous ping to management tunnel. After installation, firewall will need to reboot. This ping will be our indicator of when the firewall goes offline during reboot and when it comes back online.