topic Re: General question to software updates of Palo Alto Firewalls in General Topics

General question to software updates of Palo Alto Firewalls

MPI-AE — Mon, 06 Feb 2017 08:27:12 GMT

Hey guys,

I have two PA-3020 firewalls with 7.0.7 installed.

I want to upgrade to a version of 7.1

Since I have never made an update before, I'm a bit worried about it.

How do you perform updates?

Can I just pick the latest version (currently 7.1.7) and install it?

Or is there like in Cisco a page showing a suggested version?

Or can I install every version without having concerns?

I already checked the minimum supported versions of User-ID Agent, GP andContent Release. These are fine.

Re: General question to software updates of Palo Alto Firewalls

kiwi — Mon, 06 Feb 2017 08:50:49 GMT

Hi @MPI-AE,

You can't go directly to 7.1.7.

You need to download the 7.1 base first (no need to install it ... just download it to your device).

Once you have downloaded it you can move forward and download+install the 7.1.7 version.

You have 2 PA-3020. Are they set up in HA ?

In that case you might want to check out the following article :

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-upgrade-a-High-Availability-HA-pair/ta-p/57081

Cheers !

-Kim.

Re: General question to software updates of Palo Alto Firewalls

MPI-AE — Mon, 06 Feb 2017 08:56:56 GMT

Hi @kiwi

ah okay, good to know!

Yes I have a active-passive cluser, thanks for the link.

But my question is:

Is there a recommended version?

What version would you recommend to install?

Can there be any problems upgrading from my current version to a version of 7.1.x ?

Re: General question to software updates of Palo Alto Firewalls

kiwi — Mon, 06 Feb 2017 09:06:06 GMT

Hi,

@MPI-AE,

Different branches have different recommended versions.

In the 7.0 branch, the recommended release is PAN-OS 7.0.12

In the 7.1 branch, the recommended release is PAN-OS 7.1.7

Cheers !

-Kim.

Re: General question to software updates of Palo Alto Firewalls

MPI-AE — Mon, 06 Feb 2017 13:59:21 GMT

Hi @kiwi

I have an active/backup cluster of two PA-3020.

Is it possible to run both firewalls with a different software version?

My intention is to upgrade only my active firewall first and test everything.

And maybe one day later upgrade the second one (if everything works fine)

Is this doable or are there HA issues because of different software versions?

Because what do I have to do if I have to undo the software upgrade?

Re: General question to software updates of Palo Alto Firewalls

kiwi — Mon, 06 Feb 2017 14:18:36 GMT

Hi @MPI-AE,

Yes, you can upgrade just one unit.

If you have session synchronization enabled, this will continue to function during the upgrade process as long as you are upgrading from one feature release to the next consecutive feature release, PAN-OS 7.0.x to PAN-OS 7.1 in this case.

If you encounter an issue and decide to revert back you can execute order 66 !!

Just kidding ... '> debug swm revert' will reboot your FW and revert back to the last successfully installed software.

Cheers !

-Kim.

Re: General question to software updates of Palo Alto Firewalls

Retired Member — Mon, 06 Feb 2017 14:41:03 GMT

You can check here for PAN OS versions with critical issues:

https://live.paloaltonetworks.com/t5/Management-Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882

Re: General question to software updates of Palo Alto Firewalls

MPI-AE — Mon, 06 Feb 2017 15:02:07 GMT

@kiwi

Hi Kim!

So would that be an appropriate procedure:

I disable preemption on both firewalls.

I update my active firewall to 7.1.7 and do a reboot.

my passive 7.0.7 firewall gets the active one.

My 7.1.7 firewall is again up, but is still passive.

So I just do a reboot on my 7.0.7 firewall so that my 7.1.7 becomes again the active one.

PS: Or is there a command to manually make one firewall active?

Re: General question to software updates of Palo Alto Firewalls

BPry — Mon, 06 Feb 2017 19:48:56 GMT

The command via ssh to initiate a failover is request high-availablity state suspend from the active firewall will bring your passive unit to active status. During the upgrade I would recommend updating whatever unit is active, fully upgrading to 7.1.7, then manually do the failover from your active unit making the newly updated 7.1.7 the active firewall.

I would never try to process an upgrade on the active unit while it's still processing traffic if you have an active-passive HA setup. Just upgrade your passive unit that isn't handling any traffic so if for some reason the update bombs out traffic is never interuppted and you can guarentee that the updated unit has returned to normal operations before kicking traffic to it.