pfSense Auto Update OS + Packages
For administrators who prefer managing their pfSense firewall from the command line, knowing the right tools for updating is essential. Two key utilities are pkg-static for managing add-on packages and pfSense-upgrade for handling major OS releases.
This guide breaks down two powerful one-liner commands for automating these updates.
Part 1: Updating Installed Packages (pkg-static)
This command updates all installed add-on packages (like pfBlockerNG, Suricata, or other packages from the System > Package Manager menu) to their latest versions, without changing the core pfSense OS.
The Command:
/usr/local/sbin/pkg-static update -f && /usr/local/sbin/pkg-static upgrade -y
What It Does:
This is a two-part command joined by &&, which means the second part only runs if the first part succeeds.
- /usr/local/sbin/pkg-static update -f: This command contacts the pfSense package repositories and forces a refresh of the package catalog. The -f (force) flag ensures you have the absolute latest list of available package versions, bypassing any local cache.[^1][^2]
- /usr/local/sbin/pkg-static upgrade -y: This command compares the versions of your installed packages to the newly updated catalog. It then proceeds to download and install the latest versions for all packages that have an update available. The -y flag automatically answers "yes" to any confirmation prompts, making the process non-interactive.[^1]
Use Case:
Run this command when you want to update your add-on packages but are not ready to upgrade the entire pfSense operating system.
Part 2: Upgrading the pfSense OS (pfSense-upgrade)
This command initiates a full pfSense software upgrade, moving the system to the next major or minor release (e.g., from version 2.7.0 to 2.7.2).
The Command:
pfSense-upgrade -d -u -y
What It Does:
This command uses the official pfSense upgrade script with several flags to automate the process.
- pfSense-upgrade: This is the core script responsible for managing the entire OS upgrade, including fetching the new base system, applying it, and reinstalling compatible packages post-upgrade.[^11]
- -d: Enables debug mode, which provides verbose, detailed output of the entire upgrade process. This is extremely useful for troubleshooting if something goes wrong.[^5]
- -u: Tells the script to first update the repository metadata. This ensures the upgrader is checking against the latest available firmware release information.[^6]
- -y: Automatically answers "yes" to all confirmation prompts, allowing the upgrade to run from start to finish without user intervention.
Use Case:
This is the command to use for a complete, non-interactive system OS upgrade. Be aware that this process will download several hundred megabytes of data and will automatically reboot the firewall upon completion.
Important Considerations & Best Practices
- Backup First: Before running any upgrade, always create a backup of your pfSense configuration from Diagnostics > Backup & Restore.
- The Recommended Upgrade Path: For a major OS upgrade, it is best practice to run only the pfSense-upgrade command. The upgrade script is designed to handle the reinstallation of your packages correctly for the new OS version. Running pkg-static upgrade -y right before a major OS upgrade is generally unnecessary and can occasionally lead to dependency issues.
- Schedule Downtime: A full OS upgrade using pfSense-upgrade will result in a reboot and a brief period of network downtime. Plan accordingly.
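A cron-friendly wrapper for the Part 1 package update that applies the Backup First practice, as an added example that is not part of the original guide. The config path /cf/conf/config.xml, the backup directory, the log file and the function names are assumptions. The backup is written with owner-only permissions because config.xml holds credentials and keys, and the run stops at the first failing step.

```shell
#!/bin/sh
# Added example, not from the original guide. Paths below are assumptions
# and can be overridden through the environment.
PKG="${PKG:-/usr/local/sbin/pkg-static}"
CONFIG="${CONFIG:-/cf/conf/config.xml}"            # assumed config location
BACKUP_DIR="${BACKUP_DIR:-/root/config-backups}"   # hypothetical directory
LOG="${LOG:-/var/log/pkg-autoupdate.log}"          # hypothetical log file

# Copy the running configuration aside before anything is changed.
# umask 077 makes the directory 0700 and the copy 0600 (owner only).
backup_config() {
    [ -r "$CONFIG" ] || { echo "config not readable: $CONFIG" >&2; return 1; }
    dest="$BACKUP_DIR/config-$(date +%Y%m%d-%H%M%S).xml"
    ( umask 077 && mkdir -p "$BACKUP_DIR" && cp "$CONFIG" "$dest" ) || return 1
    echo "backup written: $dest"
}

# Back up, refresh the catalog, then upgrade. Each step must succeed
# before the next one runs; the return code tells cron which step failed.
update_packages() {
    backup_config >>"$LOG" 2>&1 || { echo "backup failed, aborting" >>"$LOG"; return 2; }
    "$PKG" update -f >>"$LOG" 2>&1 || { echo "catalog refresh failed" >>"$LOG"; return 3; }
    "$PKG" upgrade -y >>"$LOG" 2>&1 || { echo "package upgrade failed" >>"$LOG"; return 4; }
    echo "packages updated: $(date)" >>"$LOG"
}

# Only act when invoked as: sh pkg-autoupdate.sh run
case "${1:-}" in
    run) update_packages; exit $? ;;
esac
```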
Ins0mniA