PA-220 Firmware

Solution: Remove old firmware versions.

delete software version <old-version>
request system software clean-up images

Do not attempt an upgrade without doing cleanup first.

Because the PA-220 is EOL, you should start planning your migration. Palo Alto Networks offers a "Trade-Up" program.

The recommended replacement is the **PA-


The alert on Lena’s screen wasn’t red. It was a quiet, bureaucratic amber.

"PA-220-9.1.16-h1: Critical Security Update Available."

Lena stared at the little boxy firewall sitting on the test bench. The PA-220 was a workhorse—a grey, fanless brick of silicon and stubborn pride. It had been protecting the TerraHydro dam’s north supervisory network for seven years without a single dropped packet.

She didn’t want to touch it.

“Just do it,” her boss, Mark, had said over the phone, his voice crackling with the static of a bad cell connection. “Corporate compliance flagged it. Something about a ‘syslog heap overflow.’ Just push the firmware.”

But Lena had a rule: Never update a silent warrior. The 9.1.7-E7 it was running was ancient, but it was stable. It knew the traffic patterns of the dam’s sensors like a shepherd knows its sheep. Updating meant rebooting. Rebooting meant a sixty-second window of blindness.

She checked the schedule. The reservoir was low. No storms for 200 miles. She sighed, downloaded PAN-OS-920-h4.img, and clicked Install.

The progress bar crawled. 10%... 40%... 80%.

Then, the console went black.

Not a reboot. Black. The little green heartbeat LED on the PA-220’s faceplate died.

Lena’s coffee mug stopped halfway to her lips. She leaned in, sniffing. No magic smoke. No pop. Just a dead, five-pound paperweight.

She plugged her laptop directly into the management port. Nothing. She tried the serial console. Gibberish. The firmware had bricked it.

Panic was a cold trickle down her spine. She grabbed the spare PA-220 from the shelf. Factory default. She’d have to rebuild the Access List, the NAT policies, the ten-thousand rules for turbine telemetry.

She was three steps into the rebuild when the lights flickered. Then the server UPS units started beeping.

Lena looked up from her laptop at the main monitoring wall. The north supervisory network was gone. Without the PA-220’s quirky, ancient state tables, the dam’s control VLAN had collapsed. Pressure sensor G-9 was screaming into the void. Turbine 4 was running on local logic only—a blind, roaring dinosaur.

In the security room, alone at 2:00 AM, Lena grabbed the only tool she had left: an oscilloscope and a JTAG debugger. She cracked the PA-220’s case. Inside, the NAND flash chip was overheating. The new firmware had tried to write a bad block.

With tweezers and a steady hand, she shorted two pins on the board—a trick an old MSP told her once. The heartbeat LED flickered yellow.

The console spat a single line: BootRecovery#

She typed frantically, bypassing the corrupted bootloader, forcing the PA-220 to load the old firmware from a hidden backup sector she’d stashed years ago.

load tftp://10.0.0.5/pa-220-9.1.7-E7.img

She held her breath. The lights on the dam’s network map turned from red to orange. One by one, sensors reported home.

The amber alert on her screen changed to green.

"PA-220: Operational. Content version: Out of date."

Lena closed her laptop. She wiped the sweat from her brow and looked at the little grey firewall.

She would never update it again. Sometimes, security isn’t about the latest signature. Sometimes, it’s just knowing exactly when to let a sleeping dog lie.

Solution: The PA-220’s checksum validation is CPU-intensive. Wait 10 minutes. If still stuck, cancel, delete the partial download from /opt/panrepo/cache, and retry using a local HTTP server to bypass CDN corruption.

Upgrading PA-220 from PAN-OS 9.1.12 to 10.1.6-h3

Prerequisites

Step-by-Step

Note: PA-220 may take 10–15 minutes to reboot fully. Do not power cycle during disk expansion.


Solution: The PA-220 firmware might have changed encryption ciphers. Re-establish the connection:

request panorama disconnect
request panorama connect

Then verify with:

show panorama status