topic Re: Upgrading Active/Passive pair, pause in between upgrades? in Next-Generation Firewall Discussions

Upgrading Active/Passive pair, pause in between upgrades?

jambulo — Wed, 04 Mar 2026 13:45:04 GMT

When upgrading PAN-OS on an Active/Passive pair, does any pause for 1 or more days after upgrading the first firewall (and before upgrading the second firewall)?

The idea here is we will have a bit more time to test for issues. If there is a failure post upgrade, we will have the option to suspend the upgraded firewall and make the firewall that did not yet get upgraded, active.

Re: Upgrading Active/Passive pair, pause in between upgrades?

JayGolf — Wed, 04 Mar 2026 14:17:58 GMT

Hi @jambulo ,

I would recommend upgrading your FW02 to your target version first. Once it comes back up, you could manually fail over and make FW02 active to validate everything is working as expected. If you run into any issues, you can always fail back to FW01, which is still running the previous PAN-OS version.

Since you plan on validating for a bit longer, just be mindful of pushing configuration changes during that time. With mismatched PAN-OS versions, I wouldn’t rely on configuration sync between the two firewalls. If you do need to make changes, it’s best to document them so you can manually apply them to the other firewall IF needed.

I would also recommend creating a testing plan rather than keeping the upgraded unit active for an arbitrary amount of time. For example, test egress connectivity, inter-zone traffic, GlobalProtect, DMZ traffic, app traffic, verify routing, S2S tunnels, etc. If you coordinate the right stakeholders and walk through these tests together, you can usually validate everything much faster and reduce the amount of time the HA pair is running on mismatched versions.

Re: Upgrading Active/Passive pair, pause in between upgrades?

BPry — Wed, 04 Mar 2026 22:25:58 GMT

@jambulo,

I personally would not recommend having mismatched PAN-OS versions for any sort of extended period. In the event that you encounter an issue, you can easily swap partitions on your passive unit and then force it to take over the active role. I just don't see a need when reverting an update takes a minimal amount of time in an HA environment with minimal disruption, or no disruption, as you failover traffic.

As @JayGolf mentioned you're just kind of asking for something to be forgotten or configuration drift to occur. I've seen far too many people who have failed to remember to upgrade the passive unit, encounter issues after a failover because they neglected to sync the configuration, or mistakenly sync the "old" configuration between units.

Re: Upgrading Active/Passive pair, pause in between upgrades?

jambulo — Fri, 06 Mar 2026 13:33:04 GMT

Thanks for the response.

We're choosing to upgrade FW01(designated "active" firewall) first so we are certain that we are upgrading a firewall that is in a known healthy state.

Good call on the config changes, definitely something to keep in mind.

We do have a test plan to run through right after the upgrade, but in our experiences, issues/bugs do not show themselves until 1+ days after the upgrade.

Re: Upgrading Active/Passive pair, pause in between upgrades?

OtakarKlier — Fri, 06 Mar 2026 21:21:25 GMT

Hello,

Like @JayGolf stated, do FW02 first. If youre going to do FW01, just do them both.

Regards,