https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41401#M30434 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>You have to follow the DOC- to upgrade the HA pair from 5.0.x to 6.0.x version.</P><P> <A href="https://live.paloaltonetworks.com/docs/DOC-4043">How to Upgrade an High Availability (HA) Pair </A> </P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2092">How to Upgrade PAN-OS and Panorama</A> </P><P>Ideally there should not be any service interruption&nbsp; but as a safer side you should take a maintenance window for the same.</P><P></P><P>But there are few new features has been introduced on PAN-OS version 6.0.0 onward for HA:</P><P></P><P><EM>In v6.0, enhancements have been made to assure that existing sessions can be synchronized to a peer device, despite their being an OS mismatch/device running a newer major/minor version of code. </EM></P><P><EM><SPAN style="font-size: 10pt; line-height: 1.5em;">When you will upgrades one firewall in an HA pair from one major/minor version to the next, sessions are not synchronized. Without session synchronization, they are forced to compromise security by permitting non-syn-tcp. It can be difficult/impossible to determine how long this setting must be enabled when long-lived sessions exist. If you are not willing or able to sacrifice security, you are forced to take an outage which can have a monetary value attached due to missed SLA’s or even more severe, placing patient lives at risk in environments such as Hospitals where hiccups in uptime/accessibility to patient records, etc... is simply not an option. </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">In v6.0, we have developed a session synchronization format and other runtime object synchronization mechanisms to ensure that an existing session can be synchronized to a peer device running a newer major/minor version of code.&nbsp; </SPAN></EM><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>This is supported in both Active/Passive as well as Active/Active HA Configurations.</EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM><BR /></EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>Hope this helps.</EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM><BR /></EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>Thanks<BR /></EM></SPAN></P></BODY></HTML> Fri, 21 Feb 2014 09:57:01 GMT HULK 2014-02-21T09:57:01Z https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41400#M30433 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>the migation between a PANOS version 5 to PANOS version 6.</P><P>is it supported without service interruption.</P><P>we will have to migrate all the cluster firewall in on shot. to minimize the interruption time frame. or another solution exist?</P><P></P><P>regard's </P></BODY></HTML> Fri, 21 Feb 2014 09:36:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41400#M30433 Gregoux 2014-02-21T09:36:22Z https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41401#M30434 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>You have to follow the DOC- to upgrade the HA pair from 5.0.x to 6.0.x version.</P><P> <A href="https://live.paloaltonetworks.com/docs/DOC-4043">How to Upgrade an High Availability (HA) Pair </A> </P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2092">How to Upgrade PAN-OS and Panorama</A> </P><P>Ideally there should not be any service interruption&nbsp; but as a safer side you should take a maintenance window for the same.</P><P></P><P>But there are few new features has been introduced on PAN-OS version 6.0.0 onward for HA:</P><P></P><P><EM>In v6.0, enhancements have been made to assure that existing sessions can be synchronized to a peer device, despite their being an OS mismatch/device running a newer major/minor version of code. </EM></P><P><EM><SPAN style="font-size: 10pt; line-height: 1.5em;">When you will upgrades one firewall in an HA pair from one major/minor version to the next, sessions are not synchronized. Without session synchronization, they are forced to compromise security by permitting non-syn-tcp. It can be difficult/impossible to determine how long this setting must be enabled when long-lived sessions exist. If you are not willing or able to sacrifice security, you are forced to take an outage which can have a monetary value attached due to missed SLA’s or even more severe, placing patient lives at risk in environments such as Hospitals where hiccups in uptime/accessibility to patient records, etc... is simply not an option. </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">In v6.0, we have developed a session synchronization format and other runtime object synchronization mechanisms to ensure that an existing session can be synchronized to a peer device running a newer major/minor version of code.&nbsp; </SPAN></EM><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>This is supported in both Active/Passive as well as Active/Active HA Configurations.</EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM><BR /></EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>Hope this helps.</EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM><BR /></EM></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>Thanks<BR /></EM></SPAN></P></BODY></HTML> Fri, 21 Feb 2014 09:57:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41401#M30434 HULK 2014-02-21T09:57:01Z https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41402#M30435 <HTML><HEAD></HEAD><BODY><P>I have successfully upgraded HA pairs without service interruption.&nbsp; But we do always schedule in a maintenance window for safety sake.</P></BODY></HTML> Fri, 21 Feb 2014 13:46:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41402#M30435 pulukas 2014-02-21T13:46:24Z https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41403#M30436 <HTML><HEAD></HEAD><BODY><P>Thank you for this information</P></BODY></HTML> Fri, 21 Feb 2014 16:11:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-interoperability-between-panos-version-5-and-version/m-p/41403#M30436 Gregoux 2014-02-21T16:11:53Z