Upgrading is easy if your Palo Alto firewall has internet access: the upgrade is just a few clicks away in the GUI.
However, when you need to upgrade many firewalls (like 50+), it becomes a complicated job. Downloading firmware from Palo Alto on 50 devices is not feasible, and it also consumes a lot of internet bandwidth.
In this post, I'll demonstrate how I upgrade many firewalls without overwhelming the internet bandwidth.
※ This method requires a valid Palo Alto CSP account with the same model series registered under it (so you can download firmware for the model you wish to upgrade), or firmware that you have obtained from a partner.
Palo Alto supports two methods for uploading files to the firewall: tftp and scp. scp is the recommended one, not only because it is more reliable but also because it transfers faster. tftp is not reliable, but unlike scp it does not need a username and password. I'll show both methods in this post.
01A. Upload firmware using scp, with the syntax shown below. If prompted to accept the fingerprint, enter yes. Wait a few moments and you will see OOOOOO saved.
scp import software from user@Server:/path/firmwareName

01B. Upload firmware using tftp, with the syntax shown below. Since tftp does not use a username and password, the upload begins immediately. Wait a few minutes and you will see OOOOO saved. (Please be patient, tftp is pretty slow.)
tftp import software from Server file firmwareName

※ You only need either 01A or 01B to upload firmware to the firewall.
02. Sometimes when you install a new firmware version, the system gives you the error “requires a content version of OOOO or greater”. (As shown below)
It indicates that the content version on your firewall is older than the one required by the firmware you wish to install. So you need to upgrade the content first, then upgrade the firewall firmware.

03A. Upload content using scp, with the syntax shown below. If prompted to accept the fingerprint, enter yes. Wait a few moments and you will see OOOOOO saved.
scp import content from user@server:/path/contentName

03B. Upload content using tftp, with the syntax shown below. Since tftp does not use a username and password, the upload begins immediately. Wait a few minutes and you will see OOOOO saved. (Please be patient, tftp is pretty slow.)
tftp import content from server file contentName

04. Install the new content with the syntax shown below.
request content upgrade install skip-content-validity-check yes file contentName

※ By default, Palo Alto checks content validity before installing; we can force the install without that check. “skip-content-validity-check yes” is a hidden command, so you cannot use tab to autocomplete it. It is not recommended if you are not sure the content you uploaded is legitimate.
05. (optional) Delete the fingerprint of your scp server. If you do not wish to leave any fingerprint on your firewall, you can use the syntax below to delete it.
delete authentication user-file ssh-know-hosts user username admin

06. After the content has been upgraded, you can use the syntax shown below to upgrade the firmware.

07. Wait for the job to complete and reboot your firewall. After the reboot, the firewall has been upgraded successfully.
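
Step 04 bypasses the firewall's content validity check and tftp transfers need no credentials, so the images should be checked on the staging server before any firewall pulls them. The script below is an added example, not part of the original post: it copies an image into the serving directory only if its SHA-256 matches a manifest. The manifest format, function names and directory layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example: gate firmware/content images on a SHA-256 match before they
# reach the directory the firewalls pull from (scp or tftp).
# Assumptions: manifest lines are "<sha256-hex>  <filename>"; all names here
# are hypothetical and not taken from the original post.

sha256_of() {
    # Print the lowercase SHA-256 hex digest of a file.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# stage_verified MANIFEST SRC_DIR SERVE_DIR
# Copies only files whose digest matches the manifest into SERVE_DIR.
# Returns 0 if every listed file verified, 1 otherwise.
stage_verified() {
    local manifest=$1 src=$2 serve=$3 failed=0 want name got
    mkdir -p "$serve" || return 1
    while read -r want name; do
        # Skip blank lines and comments.
        case "$want" in ''|'#'*) continue ;; esac
        # Reject names with path components so entries stay inside SRC_DIR.
        case "$name" in
            ''|*/*) echo "REJECT   bad name: $name" >&2; failed=1; continue ;;
        esac
        if [ ! -f "$src/$name" ]; then
            echo "MISSING  $name" >&2; failed=1; continue
        fi
        got=$(sha256_of "$src/$name")
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            cp -- "$src/$name" "$serve/$name" && echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2
            rm -f -- "$serve/$name"   # never leave a stale unverified copy
            failed=1
        fi
    done < "$manifest"
    return "$failed"
}
```

Fill the manifest with the checksums obtained alongside the downloads, and point the scp or tftp server only at the serving directory.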