Manually update Palo Alto Firewall PanOS
Recently I managed to pick up a second-hand PA-220 for my lab, and while I know it's old, it's still a great little firewall. I've got it up and running and it works well. Yes, committing changes can be quite slow, but for what I'm using it for that's not a big deal. I may try and get a Lab license if I can, but really it's just for me to play around with, so I will have to see how that actually goes.
When I received the firewall I was lucky enough that it was already running version 10.1.12 of Pan-OS, which is a reasonably current version. However, I wanted to update to 10.2.8, so I thought I might cover off the upgrade procedure here. You will need to have a Palo Alto account with access to download the software images, which luckily I do. The next thing to keep in mind is that when upgrading from 10.1 to 10.2, there is an upgrade path. You can find that on the Palo Alto website here. Another point to remember when upgrading from 10.1 to 10.2 is that even if you're on a recent point release of 10.1 (in my case 10.1.12), you will still need to have at least the 10.2.0 base image downloaded first; otherwise you will receive the following error.
Now I will say that prior to doing this, I did make the mistake (or at least it turned out to be a mistake) of upgrading to the base release 10.2.0 and installing it. This caused me all sorts of problems and I had to factory reset the firewall to get it to boot. When I tried to update from 10.2.0 to 10.2.8 or any of the later versions after installing 10.2.0, I received the following error.
Loading into software manager
Failed to install PanOS_220-10.2.8 with the following errors.
Traceback (most recent call last):
  File "/usr/local/bin/swminternal", line 18, in <module>
    swmmain.main(sys.argv[1:])
  File "/usr/share/pan-swm/swmmain.py", line 103, in main
    UI.runCommand(H)
  File "/usr/share/pan-swm/swmcli.py", line 278, in runCommand
    cmd(self.extcmds)
  File "/usr/share/pan-swm/swmcli.py", line 426, in do_load
    swm.swmRepository(self).load(args, not self.options['nocrypt'])
  File "/usr/lib64/python3.6/site-packages/swm/repo.py", line 413, in load
    self.ensure_freespace_step1(data)
  File "/usr/lib64/python3.6/site-packages/swm/repo.py", line 300, in ensure_freespace_step1
    for img in self.redundant_bases():
  File "/usr/lib64/python3.6/site-packages/swm/repo.py", line 190, in redundant_bases
    images.sort(reverse=True)
  File "/usr/lib64/python3.6/site-packages/swm/image.py", line 66, in __lt__
    return self.release_info['date'] < obj.release_info['date']
TypeError: '<' not supported between instances of 'NoneType' and 'datetime.datetime'
I think part of the issue with the upgrade to 10.2.0 was caused by an admin role I had set up, because once I had the PA factory reset and accessible again, I restored the configuration, attempted to commit, and received an error about one of the role attributes that was no longer available in 10.2.0, but I'm not 100% sure if that was the cause. Either way, all I had to do was go into the role, check the attributes and click OK, and it went away and I was able to commit. Anyway, eventually I was able to get the following process to work by downgrading the Pan-OS version back to 10.1.12 and then attempting the upgrade process again to 10.2.8.
To begin, as is always best practice, take a backup of the configuration of your firewall. To do that, navigate to Device -> Setup -> Operations and select Save named configuration snapshot, then select Export named configuration snapshot. I also like to do an Export device state, but that's not necessary.
When prompted, select running-config.xml and click OK.
Right, now that you have your configuration backup saved locally and not on the firewall, the next step is to upload the 10.2.0 image. To do that, navigate to Device -> Software and click the Upload button. Alternatively, you can click the Check Now button and the firewall will provide a download button for the versions of Pan-OS available.
Navigate to where you have saved the 10.2.0 image, and click OK. Note that the path is always shown as fakepath something, so don't worry about that.
Once the image has finished uploading, repeat the process for the 10.2.8 image. DO NOT CLICK INSTALL ON THE 10.2.0 IMAGE!!!
Once you have the 10.2.8 image downloaded as well, click the Install button on the 10.2.8 image only. Remember that you don't need to actually install the base image; you just need to have it downloaded to the firewall.
You will receive a message about it being a feature release upgrade etc.; you can click OK on this. (Yes, this says 10.2.0; I forgot to take a screenshot of the 10.2.8 install, but it's the same message.)
Once you click OK, you will see the install progress screen which can take some time. Wait for that to finish and then when prompted, click Yes to reboot the firewall.
Once the firewall has rebooted (it can take quite a while), you should be able to log back in, and on the dashboard you can confirm the version of Pan-OS that is installed on the firewall.
You can also SSH into the firewall and run the show system info command.
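The download-then-install rule from the steps above, written as a pre-flight check (an added example, not from the original post or from Palo Alto). The XML is a constructed sample modeled on the API reply to the software-info operational command; its element names and all function names here are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the XML API reply to the op command
# <request><system><software><info/></software></system></request>.
# The element names are an assumption; check them against your own firewall.
SAMPLE = """<response status="success"><result><sw-updates><versions>
<entry><version>10.2.8</version><downloaded>yes</downloaded><current>no</current></entry>
<entry><version>10.2.0</version><downloaded>yes</downloaded><current>no</current></entry>
<entry><version>10.1.12</version><downloaded>yes</downloaded><current>yes</current></entry>
</versions></sw-updates></result></response>"""


def parse_images(xml_text):
    """Return {version: {"downloaded": bool, "current": bool}}."""
    images = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        images[entry.findtext("version")] = {
            "downloaded": entry.findtext("downloaded") == "yes",
            "current": entry.findtext("current") == "yes",
        }
    return images


def feature_release(version):
    """'10.2.8' -> (10, 2); a hotfix suffix such as '-h3' is ignored."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)


def installed(images):
    """Version flagged as currently installed, or None."""
    return next((v for v, i in images.items() if i["current"]), None)


def preflight(images, target):
    """Reasons not to install `target` under this post's rules; empty means go."""
    problems = []
    major, minor = feature_release(target)
    base = f"{major}.{minor}.0"
    current = installed(images)
    if target == base:
        problems.append(f"{target} is the base image: download it, do not install it")
    if not images.get(target, {}).get("downloaded"):
        problems.append(f"target {target} is not on the firewall")
    crossing = current is not None and feature_release(current) != (major, minor)
    if crossing and not images.get(base, {}).get("downloaded"):
        problems.append(f"base image {base} must be downloaded first")
    return problems
```

After the reboot, `installed()` on a fresh reply should return the target version, which is the same check as reading the version from the dashboard or from show system info.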
And that's it. A fairly simple process (once I followed the correct procedure, that is), and it worked well. If you've noticed anything missing or have any issues with this post, please leave a comment and let me know.