topic Upgrading HA setup in large steps in General Topics

Upgrading HA setup in large steps

TSchepers — Wed, 20 Jul 2016 10:07:58 GMT

Hi,

I'm going to upgrade a PANOS 5.0.14 to version 7.1.

As I understand, the correct sequence is:
Update PAN-OS 5.0.14 to 7.1.x:
Download 6.0.0
Download + install latest 6.0.x release (reboot)
Download 6.1.0
Download+Install latest 6.1.x release (reboot)
Download 7.0.1
Download + install latest 7.0.x release (reboot)
Download 7.1.0
Download + Install latest 7.1.x release (reboot)

It's pretty straightforward to do this on a single device, but when you do this in an HA setup, is it a good idea to update 1 device to 7.1 while the other trails behind on version 5? Won't that create issues?
Or do I need to get primary and secondary to the same major version so there isn't a large difference between them?

F.e.: Get both from version 5 to 6 before carrying on to version 7,...

Thanks for your help

Tim Schepers

Re: Upgrading HA setup in large steps

TranceforLife — Wed, 20 Jul 2016 11:26:27 GMT

Hi,

To be on the safe site, just do in stages. HA passive first>reboot>suspend Active>upgrade>Reboot. Advice to disable "preemption" while doing an upgrade.

Thx

Re: Upgrading HA setup in large steps

TSchepers — Wed, 20 Jul 2016 11:41:29 GMT

Thanks for your reply. Exactly what I was thinking. 'Just to be safe'. Since HA can be very sensitive to version differences.
But there has to be some sort of official Palo Alto recommendation for situation like this, right?

So my upgrade path would now become something like this:
download 6.0 on both devices
Suspend Primary and upgrade to 6.0.X
Suspend secondary and upgrade to 6.0.X
Suspend Primary and upgrade to 6.1.X
Suspend Secondary....

Re: Upgrading HA setup in large steps

TranceforLife — Wed, 20 Jul 2016 12:17:48 GMT

Hi,

Please see below:

https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/upgrade-to-pan-os-7-1/upgrade-an-ha-firewall-pair-to-pan-os-7-1

Thx

Re: Upgrading HA setup in large steps

grenzi — Mon, 13 May 2019 10:25:57 GMT

Hello everyone,

I'm resuming this old thread instead of opening a new one.

After reading the best practices, knowledge base and hearing from some support engineers, I think the recommended way to upgrade a HA pair (active/passive) should be as follows. I will use the same terminology used in this document:

Terminology

Active firewall	The firewall in an HA cluster that's passing traffic
Passive firewall	The firewall in an HA cluster that's not passing traffic
Primary firewall	The firewall in an HA cluster that's usually the active firewall
Secondary firewall	The firewall in an HA cluster that's usually the passive firewall

In the example I will upgrade a HA pair from 7.0.6 to 7.1.23

disable preemption on both firewalls;
suspend the primary (currently active) firewall; this will cause a failover, but there will be no traffic disruption and you can confirm that the secondary firewall is working as expected;
download and install PAN-OS 7.0.19 on the primary firewall and reboot it. After rebooting, the primary firewall returns in the passive state and HA sync is working even though the firewalls are running a different PAN-OS version;
suspend the secondary (currently active) firewall; this will cause another failover without traffic disruption;
download and install PAN-OS 7.0.19 on the secondary firewall and reboot it. After rebooting, both firewalls are running PAN-OS 7.0.19;
download PAN-OS 7.1 base image on the secondary (currently passive) firewall; do not install it. Download and install PAN-OS 7.1.23 on the secondary firewall and then reboot it. After rebooting, the secondary firewall is in the passive state and HA sync is working even though the PAN-OS versions mismatch (the secondary firewall is only one major version ahead of the primary one);
suspend the primary (currently active) firewall; this will cause a failover without traffic disruption;
download PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;
restore the preemption settings (if needed) and wait until the primary firewall takes over the secondary one.

I know there are some extra-steps, and some support engineers say that we can upgrade from 7.0.6 straight to 7.1.23, but this document states that if you are running PAN-OS version older than 7.0.9 you should install the 7.0.9 or later release first. As per best practice, I always install the latest maintenance release before jumping to the next feature release.

What do you think about it?

Regards

Re: Upgrading HA setup in large steps

Chacko42 — Mon, 13 May 2019 10:55:20 GMT

@grenzi: yeah, that way looks good.

I would not recommend preemption in general, because you can get problems in case you have a link-flapping situation.

Please note, that a failover will cause minimal disruption (no up to 3 ping losses) depending on your environment.

That shouldn't be a problem at all, but if you are using highly sensitive network applications like a bad configured SAP, you may have session losses - as I said: shouldn't be a problem with most environment, but you cannot preclude that.

Re: Upgrading HA setup in large steps

grenzi — Mon, 13 May 2019 11:11:07 GMT

Thanks @Chacko42

I never had an issue with the environments I usually manage. My biggest concerns are about multiple VPN tunnels terminating on the firewalls, but the support engineers ensure that VPN traffic will be preserved during the upgrade.

Re: Upgrading HA setup in large steps

Chacko42 — Mon, 13 May 2019 11:32:19 GMT

@grenzi: Right, the SAs are included in the session synced

Re: Upgrading HA setup in large steps

grenzi — Wed, 29 May 2019 13:45:59 GMT

@grenzi wrote:
download PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;

It seems that on PA-3000 series you have to install the base image too (without reboot) prior to install the 7.1.23 version.

Re: Upgrading HA setup in large steps

jeremy.larsen — Mon, 03 Jun 2019 15:05:17 GMT

There is no need to suspend the "active" firewall. Installing on the "passive" firewall first reduces the number of failover events. Yes, you can install the latest image of the code train as long at the base x.x.0 image is downloaded to the firewall first. It's best to run the latest recommended version of your code train before jumping.

Here is my recommendation for the fewest failover events (ditch preemption and don't fixate on a "primary" firewall)

*5.0 so old you might want to verify versions jumps

*Always read HA version compatibility notes before large version hops

*Make sure to update threat prevention/wildfire/etc before upgrades (read the release notes)

1. Download 6.0.0 and latest 6.0.x to both devices (deviceA deviceB)

2. Install latest 6.0.x on PASSIVE deviceB

3. Failover to PASSIVE deviceB

4. Install latest 6.0.x on PASSIVE deviceA

5. Download 7.0.0 and latest 7.0.x to both devices (deviceA deviceB)

6. Install latest 7.0.x on PASSIVE deviceA

7. Failover to PASSIVE deviceA

8. Install latest 7.0.x on PASSIVE deviceB

9. Download 7.1.0 and latest 7.0.x to both devices (deviceA deviceB)

10. Install latest 7.1.x on PASSIVE deviceB

11. Failover to PASSIVE deviceB

12. Install latest 7.1.x on PASSIVE deviceA

... wash, rinse, repeat for 8.0/8.1/9.0