https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222175#M123426 <P>Hi</P> <P>What would be the dedicated HA management interface when we do the upgrade. That interface IP shouldn't sync across the devices. can we use any ports other than mgmt port?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 27 Feb 2025 11:06:38 GMT thushy 2025-02-27T11:06:38Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222165#M123423 <P>Hi</P> <P>I am new to Palo Alto firewalls. I need to upgrade the firmware on PA-3220 firewalls&nbsp;in A-P HA . Firewalls doesn't have management ports connected to network and they are remote. It looks like i need management port access of individual firewall to upgrade the firmware. Is it possible to upgrade without management port access? if so, how do you do that? if it is required, can i use any other ports for management connectivity of the firewall for firmware upgrade?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 27 Feb 2025 09:30:47 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222165#M123423 thushy 2025-02-27T09:30:47Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222171#M123425 <H2 data-start="306" data-end="352"><STRONG data-start="309" data-end="352">Recommended HA Interface Assignments</STRONG></H2> <TABLE data-start="353" data-end="1083"> <THEAD data-start="353" data-end="415"> <TR data-start="353" data-end="415"> <TH data-start="353" data-end="372"><STRONG data-start="355" data-end="370">HA Function</STRONG></TH> <TH data-start="372" data-end="400"><STRONG data-start="374" data-end="399">Recommended Interface</STRONG></TH> <TH data-start="400" data-end="415"><STRONG data-start="402" data-end="413">Purpose</STRONG></TH> </TR> </THEAD> <TBODY data-start="478" data-end="1083"> <TR data-start="478" data-end="620"> <TD><STRONG data-start="480" data-end="502">HA1 (Control Link)</STRONG></TD> <TD><STRONG data-start="506" data-end="554">Management Port or Ethernet1/1 – Ethernet1/9</STRONG></TD> <TD>Synchronizes configuration, heartbeats, and failover messages</TD> </TR> <TR data-start="621" data-end="720"> <TD><STRONG data-start="623" data-end="637">HA1 Backup</STRONG> (Optional)</TD> <TD><STRONG data-start="651" data-end="682">Ethernet1/10 – Ethernet1/12</STRONG></TD> <TD>Backup for HA1 in case of failure</TD> </TR> <TR data-start="721" data-end="841"> <TD><STRONG data-start="723" data-end="742">HA2 (Data Link)</STRONG></TD> <TD><STRONG data-start="746" data-end="777">Ethernet1/10 – Ethernet1/12</STRONG></TD> <TD>Synchronizes session tables, forwarding tables, and objects</TD> </TR> <TR data-start="842" data-end="947"> <TD><STRONG data-start="844" data-end="858">HA2 Backup</STRONG> (Optional)</TD> <TD><STRONG data-start="872" data-end="902">Ethernet1/9 – Ethernet1/12</STRONG></TD> <TD>Backup for HA2 if the primary link fails</TD> </TR> <TR data-start="948" data-end="1083"> <TD><STRONG data-start="950" data-end="1009">HA3 (Packet Forwarding Sync, for Active-Active HA only)</STRONG></TD> <TD><STRONG data-start="1012" data-end="1043">Ethernet1/10 – Ethernet1/12</STRONG></TD> <TD>Syncs packets in Active-Active mode</TD> </TR> </TBODY> </TABLE> Thu, 27 Feb 2025 10:52:47 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222171#M123425 Mudhireddy 2025-02-27T10:52:47Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222175#M123426 <P>Hi</P> <P>What would be the dedicated HA management interface when we do the upgrade. That interface IP shouldn't sync across the devices. can we use any ports other than mgmt port?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 27 Feb 2025 11:06:38 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222175#M123426 thushy 2025-02-27T11:06:38Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222185#M123431 <P>You need mgmt port to access specific device.</P> <P>Only active firewall can be accessed through dataplane ports.</P> <P>&nbsp;</P> <P>Procedure:</P> <P>Upgrade passive</P> <P>Reboot passive</P> <P>Wait until passive returns from reboot and is functional</P> <P>Upgrade active</P> <P>Reboot active</P> <P>If you have preemtion enabled then active role will migrate back to the firewall it was initially.</P> Thu, 27 Feb 2025 13:26:44 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-ha-upgrade/m-p/1222185#M123431 Raido_Rattameister 2025-02-27T13:26:44Z