https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578934#M116080 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142500">@KWIlson01</a>,</P> <P>It's my understanding that this is the intent of the official documentation. In the event that this doesn't work for some reason you have a known good unit to restore traffic that hasn't been modified at all.&nbsp;</P> <P>&nbsp;</P> <P>In the event that you upgrade the passive firewall and failover and encounter an issue, you've introduced two variables at the same time. It could either be that the passive firewall couldn't handle traffic appropriately to begin with, or it could be the new code causing an issue.</P> <P>Personally I recommend testing failover at least once a month to validate that everything is functional, and with that I personally always do passive/secondary upgrade first and then move on to the active/primary unit. If you know that failover is actually going to function, the initial failover is just (to me) adding an unnecessary step.&nbsp;</P> <P>&nbsp;</P> Thu, 29 Feb 2024 22:42:31 GMT BPry 2024-02-29T22:42:31Z https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/574603#M115480 <P>Good afternoon team:<BR />Could you support me on how is the HA version upgrade process?<BR />First the passive fw? then the active one?</P> <P>Greetings.</P> <P>#paloaltoHA #update</P> Fri, 26 Jan 2024 23:16:42 GMT https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/574603#M115480 manuellara 2024-01-26T23:16:42Z https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/574604#M115481 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/213877">@manuellara</a></P> <P>&nbsp;</P> <P>here is the official documentation:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair#id062f1ad5-adb3-4d25-b4a4-529bde5dc96a" target="_self">Upgrade an HA Firewall Pair</A>. The official documentation recommends for active/passive firewalls to suspend (fail over) and upgrade the active (primary) peer first, then failback and continue the upgrade with the other firewall, however based on my past experience it is ok to start with passive firewall first.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Sat, 27 Jan 2024 02:33:02 GMT https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/574604#M115481 PavelK 2024-01-27T02:33:02Z https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578880#M116078 <P>Hey Pavel,<BR />I've done upgrades on HA firewall device groups for a long while. I've always done the passive-firewall upgrade first, then F/O and upgrade the other peer. Is the initial F/O (before upgrade) done to test HA function before upgrading? (Of course I could be misremembering old procedures.)</P> Thu, 29 Feb 2024 18:35:18 GMT https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578880#M116078 KWIlson01 2024-02-29T18:35:18Z https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578934#M116080 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142500">@KWIlson01</a>,</P> <P>It's my understanding that this is the intent of the official documentation. In the event that this doesn't work for some reason you have a known good unit to restore traffic that hasn't been modified at all.&nbsp;</P> <P>&nbsp;</P> <P>In the event that you upgrade the passive firewall and failover and encounter an issue, you've introduced two variables at the same time. It could either be that the passive firewall couldn't handle traffic appropriately to begin with, or it could be the new code causing an issue.</P> <P>Personally I recommend testing failover at least once a month to validate that everything is functional, and with that I personally always do passive/secondary upgrade first and then move on to the active/primary unit. If you know that failover is actually going to function, the initial failover is just (to me) adding an unnecessary step.&nbsp;</P> <P>&nbsp;</P> Thu, 29 Feb 2024 22:42:31 GMT https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578934#M116080 BPry 2024-02-29T22:42:31Z https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578935#M116081 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> ,<BR />Appreciate the detail, and thoughts on the procedure. Very good points for best practice.</P> Thu, 29 Feb 2024 22:48:07 GMT https://live.paloaltonetworks.com/t5/general-topics/fw-ha-version-update/m-p/578935#M116081 KWIlson01 2024-02-29T22:48:07Z