1. Overview

Palo Alto Networks manages and maintains your Prisma Cloud Console. For email notifications about Prisma Cloud Compute’s maintenance schedules and upgrade notifications, subscribe to the Prisma Cloud service on the Palo Alto Networks status page.

2. Console

Palo Alto Networks periodically upgrades your Prisma Cloud Compute Console. Detailed upgrade plans for each release are always published on our announcements page. Ensure that you have read through all 'Breaking Changes' in release notes for each major release, for any action items from the users.

The currently installed version of Console is displayed in the bell menu.

upgrade compute version

3. Prisma Cloud Compute components

The versions of all deployed components should match exactly. To support the SaaS upgrade process, older versions of Prisma Cloud Compute components can continue to interoperate with newer versions of Console in a limited way. Plan to upgrade all Prisma Cloud Compute components as soon as possible.

In 2H2021 (second half of calendar year 2021 release) we are adding major changes to Defender - Console backward compatibility. Please refer to this doc for more details: https://docs.twistlock.com/docs/compute_edition/welcome/upcoming_support_lifecycle_changes.html.

4. Defenders

Console will automatically upgrade most Defender types for you. If Console fails to upgrade one or more Defenders, you will see error messages under Manage > Defenders > Manage tab. If you’ve created an alert for Defender health events, Console emits a message on the alert channel for any Defender it fails to upgrade. Contact our support team if you need assistance.

4.1. Defender auto-upgrade

Almost all Defender types can be auto-upgraded. Only App-Embedded Defenders must be upgraded manually.

Both App-Embedded and Serverless Defenders are backwards compatible with newer versions of Console. However, as a best practice, always upgrade them when Console is upgraded. App-Embedded Defenders whose versions are out of sync with Console’s version will continue to interoperate with Console, but some operations might be restricted, such as reconfiguring policy rules.

Incompatible Defenders can cause severe service disruptions such as disconnection from the upgraded Console, frozen runtime security of the environment (as new policies can’t be applied), Defender container panics, excessive alerts, and so on. The Defender auto-upgrade process ensures that there is no such impact caused by incompatibility between Console and Defenders when Console is upgraded. With this process, Defenders are always maintained in a supported and compatible state without any user intervention required.

The following table summarizes the Defender types, and which ones are auto-upgraded.

Defender type Auto-upgrade

Container Defender, which includes:

  • Single Container Defenders

  • Cluster Container Defenders

    • DaemonSets (Kubernetes, OpenShift)

    • ECS Defender task

    • Swarm global service

Y

Serverless Defender

Y* (see Serverless Defender auto-protect)

App-Embedded Defender

N

Tanzu Application Service (TAS) Defender

Y

Host Defender

Y

5. Other components

Manually upgrade all other Prisma Cloud Compute components, such as the Jenkins plugin and twistcli, so that their versions exactly match Console’s version.

If problems due to version mismatches are encountered during the upgrade window, twistcli and the Jenkins plugin are designed to fail open so that CI/CD pipelines do not break when Console is upgraded.

API changes are documented with each release. See the Compute API stability guide on pan.dev to learn more about the endpoints you can depend on for integrations.