Paloalto FW HA(Active/Passive) OS Upgrade Procedure 10.1.X -> 11.1.X

sky95hhhh — Tue, 29 Oct 2024 05:00:01 GMT

Hello

I have a question about upgrading the Palo Alto Fire Wall OS.

From the 11.1.X version, we've seen that you can upgrade right away without a 10.2.X or 11.0.X install.

ex) OS Upgrade(10.1.13-h1 -> 11.1.5)
I ran the test on my Standalone firewall (10.1.13-h1) and verified that the upgrade was successful through 11.1.5 install after 11.1.0, 11.1.5 downloads.

My question is whether it applies to HA (Active/Passive).

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair

When you look at the HA Upgrade Guide document above, it says.

> For example, you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1. You must upgrade both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1 release. When HA peers are two or more feature releases apart, the firewall with the older release installed enters a suspended state with the message Peer version too old.

So I set up HA active/passive internally and conducted the test, and the process is as follows.

Prerequisites: PAN-OS 11.1.0, 11.1.5 download

1. Primary(Active) : 10.1.13-h1, Secondary(Passive) : 10.1.13-h1

[failover-User requested]
2. Primary(Suspend) : 10.1.13-h1, Secondary(Active) : 10.1.13-h1

[Primary 11.1.5 install and reboot]
3. Primary(Passive) : 11.1.5, Secondary(Active) : 10.1.13-h1

[failback-User requested]
4. Primary(Active) : 11.1.5, Secondary(Suspend) : 10.1.13-h1

[Secondary 11.1.5 install and reboot]
5. Primary(Active) : 11.1.5, Secondary(Passive) : 11.1.5

According to the above, I think the secondary device should enter the suspend state in number 3, "Primary(passive): 11.1.5, Secondary(Active): 10.1.13-h1".

However, even if the HA peer is separated into more than one release, the firewall with the old release was not put in a suspended state and functioned normally.

So I continued the No. 4 procedure and the two devices were upgraded to 11.1.5 OS normally.

Is there an improvement in the functionality to prevent the old release from entering the suspend in No.3?

topic Paloalto FW HA(Active/Passive) OS Upgrade Procedure 10.1.X -> 11.1.X in Next-Generation Firewall Discussions

Paloalto FW HA(Active/Passive) OS Upgrade Procedure 10.1.X -> 11.1.X