topic Re: Firewall upgrades guidance in General Topics

Firewall upgrades guidance

FWPalolearner — Thu, 02 Dec 2021 05:02:21 GMT

Hello we have a customer with central location acting as Datacenter with PA 3000 series. The panorama also stays in same DC.

All the other locations worldwide are connected to central DC over IPSEC tunnels.

Most of the firewalls running at remote sites are having 8.x version.

We want to upgrade all of them to 10.x . I checked hardware wise all models support 10.x

Some are Active active and some are Active passive

We have to upgrade those firewalls over IPSEC. Our worry is to plan so that tunnel always remain up .

Can anyone provide guidelines as we don't have a backdoor path to connect in case IPSEC does not come up .

Our DC firewalls are 9.1.11.

Or is it recommended to have local H&E support for each location ?

Re: Firewall upgrades guidance

SutareMayur — Thu, 02 Dec 2021 11:15:33 GMT

Hi @FWPalolearner ,

As you have your firewalls in HA, then you can do the HA failover before upgrading any instance. Before upgrading HA pair, make sure Preemption is disabled on both firewalls which will avoid unexpected HA failovers.

Once failover is done, you can verify if gateway that is in passive state is accessible without any issues. If it is set then you can upgrade same. Once upgrade for passive firewall is done and it is stabilized, then you can failover all the traffic to this firewall to proceed for upgrading other firewall.

Now when you are not local on the site and planning upgrade remotely, it is best practice to have local person at the site or have OOB/Console management connectivity to the firewalls. Otherwise you need to make sure you have access to the firewalls remotely all the time during upgrade.

So when you do not have either of the above said options, you need to have pre-upgrade checklist which will ensure HA failover is working as expected and you are able to connect to the firewalls post failover as you are accessing those firewalls via tunnel which is on the same firewall.

In case IPSEC goes down then you will not get access to the devices. So it’s better to have someone at site who will provide you console access.

You can refer below KB article on Best Practices for PAN-OS Upgrade.

Ref. KB article

P.S. – One of my friend have also gone through the same situation where site was new and devices were connected. He wanted to connect that site over the IPSEC tunnel with main DC. At that time, he had managed to established management connectivity over the internet with restricting access to his specific source public IP only. So with this, without IPSEC tunnel, firewall was accessible using public IP for time being. I don’t see this as a best practice but I just recalled this incident when saw your post. Again, I would recommend you to have someone at site to give you console access.

Re: Firewall upgrades guidance

FWPalolearner — Thu, 02 Dec 2021 15:38:32 GMT

Thanks @SutareMayur very well explained ;

Glad to have people like you in the community .

Re: Firewall upgrades guidance

d.spider — Mon, 06 Dec 2021 08:54:41 GMT

This is helpful to me also. Thank for sharing detailed thoughts.

Re: Firewall upgrades guidance

d.spider — Mon, 06 Dec 2021 08:55:12 GMT

Totally agreed…