https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564508#M2057 <P>are your DC and DR clustered (via HA4)? If yes, all members of the cluster should be on the same PAN-OS. If the DR is simply a copy (managed by Panorama or not doesn't really matter), it won't matter if the DR is upgraded way ahead of the normal DC</P> <P>&nbsp;</P> <P>to upgrade the HA cluster, i'd recommend the following:</P> <P>&nbsp;</P> <P>- disable preempt</P> <P>- suspend the primary firewall (this triggers a failover to the secondary, this is a good 'double check' to see if your secondary is passing traffic as expected. if this part fails, troubleshoot connectivity on the secondary before going forward with the upgrade)</P> <P>- install your desired PAN-OS on the primary</P> <P>- make primary active again and suspend secondary</P> <P>- check if everything's still working as expected</P> <P>- upgrade secondary</P> <P>- enable preempt again if you had it enabled</P> <P>&nbsp;</P> <P>if the 'distance' between current and future PAN-OS is too great, you'll have to repeat this process a few times i.e. coming from 9.1 to 10.1 you'll have to do a layover on 10.0 for both peers before moving on to 10.1.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade</A>&nbsp;&lt;- the upgrade guide</P> Mon, 06 Nov 2023 13:40:21 GMT reaper 2023-11-06T13:40:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564467#M2054 <P>Hi All,</P> <P>&nbsp;</P> <P>Our current setup is We have Active/Passive on main dc and standalone fw on DR site. Configured as Cluster.</P> <P>&nbsp;</P> <P>It is identified that the DR site is affected by a certain CVE, and it is recommended for upgrade. But we also wish to upgrade the Active/Passive Main DC firewall.</P> <P>&nbsp;</P> <P>I cannot find any articles on how to upgrade an Firewall Cluster, Can you share any tips on what approach upgrade for this setup?</P> <P>&nbsp;</P> <P>Would there be no effect bearing if for example the Active/Passive Firewall is running on 10.1.0 then the DR Stand alone site is running on 10.1.0 version?</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 06 Nov 2023 06:56:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564467#M2054 NickoKristian 2023-11-06T06:56:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564506#M2056 <P>Upgrade passive, reboot passive.</P> <P>Upgrade active, reboot active.</P> <P>&nbsp;</P> <P>What is your current version and what is goal version?</P> Mon, 06 Nov 2023 13:29:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564506#M2056 Raido_Rattameister 2023-11-06T13:29:12Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564508#M2057 <P>are your DC and DR clustered (via HA4)? If yes, all members of the cluster should be on the same PAN-OS. If the DR is simply a copy (managed by Panorama or not doesn't really matter), it won't matter if the DR is upgraded way ahead of the normal DC</P> <P>&nbsp;</P> <P>to upgrade the HA cluster, i'd recommend the following:</P> <P>&nbsp;</P> <P>- disable preempt</P> <P>- suspend the primary firewall (this triggers a failover to the secondary, this is a good 'double check' to see if your secondary is passing traffic as expected. if this part fails, troubleshoot connectivity on the secondary before going forward with the upgrade)</P> <P>- install your desired PAN-OS on the primary</P> <P>- make primary active again and suspend secondary</P> <P>- check if everything's still working as expected</P> <P>- upgrade secondary</P> <P>- enable preempt again if you had it enabled</P> <P>&nbsp;</P> <P>if the 'distance' between current and future PAN-OS is too great, you'll have to repeat this process a few times i.e. coming from 9.1 to 10.1 you'll have to do a layover on 10.0 for both peers before moving on to 10.1.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade</A>&nbsp;&lt;- the upgrade guide</P> Mon, 06 Nov 2023 13:40:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cluster-upgrade/m-p/564508#M2057 reaper 2023-11-06T13:40:21Z