How to patch Palo Alto PAN-OS
Palo Alto Networks · Network / Security · 5 steps · Palo Alto PAN-OS security status → · updated June 2026
Palo Alto firewalls run PAN-OS and follow a supported upgrade path — you often must install intermediate base images. Back up the config first; a firewall is a single point of failure.
Palo Alto PAN-OS has 14 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.
Check your current version first
Before you patch, record what you're running (PAN-OS CLI / GUI):
show system info —or— Device → SoftwareOr paste your version into the checker for an instant verdict.
Step by step
Run show system info (or Device → Software) to record your version.
Check the advisory for the fixed release and follow the supported upgrade path — you may need to download/install intermediate base images, not jump straight to the target.
Device → Setup → Operations → Export named configuration snapshot before you start.
Device → Software → download the target image, then install it.
Reboot to activate, then confirm with show system info and re-test policies, GlobalProtect and connectivity.
- Follow the upgrade path — skipping feature releases is unsupported and can fail.
- For HA pairs, upgrade the passive unit first, fail over, then upgrade the other.
Official sources
- Advisory: Palo Alto Networks Security Advisories ↗
- Download: Palo Alto Customer Support Portal ↗
Don't patch blind. Palo Alto PAN-OS has 14 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent. See exactly which versions are safe and what you're exposed to.
Palo Alto PAN-OS security status →Stay ahead of the next one
- Palo Alto PAN-OS security status & health score — score, open CVEs and safe version.
- Palo Alto PAN-OS vulnerabilities — the full CVE list and what's exploited.
- Monitor Palo Alto PAN-OS — get an email alert the moment a new exploited vulnerability lands.
Frequently asked questions
What is the latest version of Palo Alto PAN-OS?
Check the current supported Palo Alto PAN-OS release on its product page or the official vendor advisory, then patch to it.
How do I check which version of Palo Alto PAN-OS I am running?
Use: show system info —or— Device → Software (PAN-OS CLI / GUI). Record the result before and after patching to confirm the update applied.
Is Palo Alto PAN-OS being actively exploited right now?
Yes — 14 Palo Alto PAN-OS vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly. See the exploitation radar.
How do I patch Palo Alto PAN-OS safely without breaking production?
Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.
Patch steps are general, well-established guidance for Palo Alto PAN-OS — always test in a non-production environment first and follow the official Palo Alto Networks advisory for your exact version. IsItPatched is independent and not affiliated with Palo Alto Networks; this is not a substitute for vendor documentation. See our disclaimer.