Delaying upgrade between an HA pair

jambulo — Thu, 04 Jun 2026 20:58:06 GMT

Does any successfully perform their HA firewall upgrades in this manner?

1. Upgrade the Seconday(passive) firewall.

2. Make Secondary firewall Active.

3. Wait 1 or more days.

4. Upgrade the Primary(now passive) firewall.

5. Make the Primary firewall active.

It would bring us a lot more comfort knowing that we can easily switch to a different firewall (on the older version) in the event of an issue caused by the upgrade. Will HA syncs still work(sessions, configs, etc) This could be for minor or major versions.

Re: Delaying upgrade between an HA pair

TomYoung — Wed, 10 Jun 2026 20:47:08 GMT

Hi @jambulo ,

Yes, I have upgraded an HA pair in that order, except I did not wait 1 or more days. The HA pair will remain in an active/passive state as long as the PAN-OS version is <= one major version away. "When HA peers are two or more feature releases apart, the firewall with the older release installed enters a suspended state with the message Peer version too old." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair

Once you upgrade 1 NGFW, expect the Running Configuration and the PAN-OS Version status to turn red in the High Availability widget on the dashboard. This is normal as the new version may modify the running configuration. Do not sync the config. Most of the time when you upgrade the 2nd NGFW, the running config will show synced again. Everything else in the widget should show green except the passive NGFW will show yellow.

So, in summary your process will work but I would not make changes on the NGFW during the mismatch because the config sync probably will not work.

Thanks,

Tom

topic Re: Delaying upgrade between an HA pair in Next-Generation Firewall Discussions

Delaying upgrade between an HA pair

Re: Delaying upgrade between an HA pair