Palo Alto CLI - Pre/Post Upgrade

paloalto cli command upgrade

Commands to run before and after a PAN-OS upgrade. Enable session logging in SecureCRT (or your terminal) before starting so you have a full record to diff.

Related: PAN CLI - Cheat Sheet, PAN CLI - Validate Interfaces


How to Use This Page

  1. Pre-upgrade — Run every command below and save the output as your baseline
  2. Post-upgrade — Run the same commands again and compare against the baseline
  3. Diff the two captures to spot regressions (route count changes, flapping peers, dropped LACP members, etc.)

Tip: Disable the pager at the start so output flows continuously into your log file.

Output size: Some commands produce very long output (full routing/BGP tables, ARP caches). These are marked with a ⚠ below. They’re still worth capturing for a proper diff, but be aware of the volume — especially on boxes with large route tables or many connected hosts.


System

CommandWhy
set cli pager offDisable pagination so output streams cleanly into your session log
show system infoBaseline PAN-OS version, serial number, uptime, hostname, and management IP
show system resourcesVerify CPU / memory utilisation isn’t pegged after the new image loads
show system disk-spaceConfirm no partition is full — upgrades can fail or logs can stop if disk is exhausted
show system environmentalsFan speeds, temperatures, power supply status — rule out hardware stress
show chassis statusChassis / slot health (especially relevant on PA-5400, PA-7000 series)
show clockConfirm time is correct — log correlation depends on it
debug management-server show ntpVerify NTP is synced; clock drift post-reboot breaks syslog and SIEM correlation
show jobs allCheck for any pending or failed jobs (commits, content installs)
show system software statusConfirm which software slots are installed and which is active

Licensing

CommandWhy
request license infoEnsure licensed features (Threat Prevention, GlobalProtect, WildFire, URL Filtering, DNS Security) didn’t deactivate after upgrade

High Availability

CommandWhy
show high-availability allAll-in-one view: local/peer state, sync status, link and path monitoring
show high-availability transitionsCheck if failover was clean or if the pair was flapping
show high-availability state-synchronizationConfirm running config is in sync between peers

Interfaces

CommandWhy
show interface hardwarePhysical link status, speed/duplex, and error counters. ⚠ Lengthy on chassis models with 40+ ports
show interface allLogical interface states (up/down) across all interfaces
show lacp aggregate-ethernet allConfirm all AE (port-channel) members rejoined the bundle post-reboot
show lldp local allVerify the firewall is advertising itself correctly to the network
show lldp neighbors allConfirm what’s on the other end of each cable and on which ports
show counter global filter severity dropCheck for unexpected packet drops — compare pre vs post counts. ⚠ Many counter categories

Routing

CommandWhy
show routing summaryQuick count of routes by protocol (OSPF/BGP/Static) — best for at-a-glance parity. Lightweight — run this first
show routing route⚠ Full RIB — what’s programmed in the control plane. Can be thousands of lines
show routing fib⚠ Full FIB — what’s actually programmed in the data plane. Often even longer than the RIB

Lighter alternative: If you only need to confirm parity, show routing summary may be enough. Run the full RIB/FIB dumps only when you need a line-by-line diff or suspect missing routes.


BGP

CommandWhy
show routing protocol bgp summaryPeer states and prefix counts — all peers should show Established
show routing protocol bgp loc-rib⚠ Verify the actual BGP table content and path selection. Large with many prefixes
show routing protocol bgp peerAll peer detail — confirms Graceful Restart capability, hold timers, and per-peer state
show routing protocol bgp rib-out⚠ What you’re advertising to peers — compare pre/post to catch withdrawn routes

Lighter alternative: bgp summary gives you peer state + prefix counts in a few lines. Only pull the full loc-rib / rib-out when you need to verify specific prefixes or investigate the PAN-304636 bug. | show routing protocol bgp policy aggregate | Check for aggregate routes | | show routing route \| match discard | Look for discard/null routes in the routing table |

PAN-304636 check: After running show routing protocol bgp loc-rib, look for the A (Aggregate) flag next to routes. If the bug applies, you’d see aggregate/null routes leaking into the BGP table. Cross-reference with the aggregate and discard commands above.


OSPF

CommandWhy
show routing protocol ospf neighborAll adjacencies should be in Full state
show routing protocol ospf graceful-restartConfirm the GR helper-mode cycle completed cleanly
show routing protocol ospf summaryOSPF area and LSA counts for parity check

BFD

CommandWhy
show routing bfd summaryAll sessions should be Up with stable timers — flapping here means routing will flap

Network

CommandWhy
show arp all⚠ Verify IP-to-MAC mappings are correct, especially for the HA VMAC. Can be thousands of entries on busy segments
show mac allMAC address table — useful on L2 subinterfaces or vwire deployments

Sessions & Traffic

CommandWhy
show session infoSession settings, CPS, and current session count
show system statistics sessionSession utilisation summary — active count vs max, throughput
show running resource-monitorDataplane CPU, session rate, and packet buffer utilisation

Content & Signatures

CommandWhy
show system setting content-idCurrently installed App-ID, Threat, Antivirus, and WildFire versions
show wildfire statusWildFire cloud connectivity and forwarding status

GlobalProtect

CommandWhy
show global-protect-gateway statusGateway enabled and accepting connections
show global-protect-gateway statisticsCurrent / previous user counts — compare pre vs post
show global-protect-portal statisticsPortal auth stats

For deeper GP troubleshooting see PAN CLI - GP Commands


VPN / IPSec

CommandWhy
show vpn ipsec-saAll IPSec SAs — tunnels should re-establish after reboot
show vpn tunnelTunnel status and encap/decap byte counts

Logs

CommandWhy
show log system direction equal backward | head 200⚠ Look for Critical or Error entries during boot. Pipe to head to cap output
show log system direction equal backward | match CriticalTargeted alternative — only shows Critical-severity entries
show log config direction equal backward | head 50Recent config changes — confirm no unexpected commits happened
show log alarmActive alarms that may need attention

Wrap Up

CommandWhy
set cli pager onRe-enable pagination when done

Pre/Post Diff Checklist

After collecting both sets of output, verify:

  • PAN-OS version matches the target
  • HA state is correct (active/passive as expected)
  • Config sync is in sync
  • All interfaces are up with no new errors
  • LACP bundles have the same member count
  • Route counts match (static, OSPF, BGP)
  • All BGP peers are Established with expected prefix counts
  • All OSPF neighbors are Full
  • BFD sessions are Up
  • Session count is recovering / traffic is flowing
  • Licensed features are active
  • Content versions match (or are newer)
  • GlobalProtect users are reconnecting
  • IPSec tunnels are up
  • No new Critical/Error log entries