FW HA Version Update


L1 Bithead

Good afternoon team:
Could you support me on how the HA version upgrade process works?
First the passive FW? Then the active one?

Greetings.

#paloaltoHA #update

Accepted Solutions

Cyber Elite

Hello @manuellara

Here is the official documentation: Upgrade an HA Firewall Pair. For active/passive firewalls, the official documentation recommends suspending (failing over) and upgrading the active (primary) peer first, then failing back and continuing the upgrade with the other firewall. However, based on my past experience, it is OK to start with the passive firewall first.

Kind Regards

Pavel 


L0 Member

Hey Pavel,
I've done upgrades on HA firewall device groups for a long while. I've always done the passive-firewall upgrade first, then F/O and upgrade the other peer. Is the initial F/O (before upgrade) done to test HA function before upgrading? (Of course I could be misremembering old procedures.)

Cyber Elite

@KWIlson01,

It's my understanding that this is the intent of the official documentation. In the event that this doesn't work for some reason, you have a known good unit to restore traffic that hasn't been modified at all.

In the event that you upgrade the passive firewall and fail over and encounter an issue, you've introduced two variables at the same time. It could either be that the passive firewall couldn't handle traffic appropriately to begin with, or it could be the new code causing an issue.

Personally I recommend testing failover at least once a month to validate that everything is functional, and with that I personally always do the passive/secondary upgrade first and then move on to the active/primary unit. If you know that failover is actually going to function, the initial failover is just (to me) adding an unnecessary step.

L0 Member

@BPry,
Appreciate the detail, and thoughts on the procedure. Very good points for best practice.
