topic Re: Best Practices for PAN-OS Upgrade without downtime in General Topics

Best Practices for PAN-OS Upgrade without downtime

NetworkGeek — Fri, 24 Mar 2017 07:41:09 GMT

Hello all,

i have Active /passive firewalls

how can i upgrade PAN-OS without downtime ??

1-when i upgrade active , it will reboot then passive will be active ..

2- When i upgrade the new active is it will be back to old active again ?? what about OS mismatching is it have any impact on HA

3- If both devices will be for VPN ? Tunnel will be down with failover ?

Re: Best Practices for PAN-OS Upgrade without downtime

santonic — Fri, 24 Mar 2017 07:55:43 GMT

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-upgrade-a-High-Availability-HA-pair/ta-p/57081

Re: Best Practices for PAN-OS Upgrade without downtime

TranceforLife — Fri, 24 Mar 2017 08:53:33 GMT

Hi,

Last time l did this way:

1) Disable preemption (if any) from the both devices.

2) Upgrade FIRST PASSIVE then reboot.

3) Upgrade the currently active box, before reboot failover to passive with already new PAN-OS running on it.

4) Reboot the first device (the one which was active).

From what l understood all session wich are terminates on the Active box will be reestablished (BGP, OSPF, IPSec etc). Only traversing session will not be interrupted during failover. So yes VPN will be reestablished (short downtime)

Re: Best Practices for PAN-OS Upgrade without downtime

santonic — Fri, 24 Mar 2017 09:17:03 GMT

I always switchover to passive first, then upgrade previously active one. That way you know both are working before upgrade.

Re: Best Practices for PAN-OS Upgrade without downtime

TranceforLife — Fri, 24 Mar 2017 09:22:04 GMT

True.. Same way you can test by upgrading passive first, rebooting and failing over. If there is an issue you back to old code on the previously active and rolling back on the second box. Really couple;e ways to do it and i think all of them are correct :0

Re: Best Practices for PAN-OS Upgrade without downtime

NetworkGeek — Sat, 25 Mar 2017 07:45:53 GMT

Thank you all ...

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 17:33:13 GMT

@TranceforLife

Did you suspend that passive firewall before upgrading it?

Re: Best Practices for PAN-OS Upgrade without downtime

markk96 — Fri, 26 Jan 2018 20:12:09 GMT

I always Failover to the passive Palo, then I go back to what I consider the "Primary" palo and upgrade it, once it comes up and everything is running on it, I fail back to it. I run that for a day or two and then I upgrade the passive node.

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 20:39:49 GMT

@markk96

so you upgrade the primary first, and are you saying the firewall you are upgrading is in the suspend mode? Do you run into any issues leaving them out of synch for that long?

Re: Best Practices for PAN-OS Upgrade without downtime

OtakarKlier — Fri, 26 Jan 2018 20:45:36 GMT

Hello @jdprovine,

Suspend mode only takes the PAN out of the HA as a viable unit to fail over to.

Hello @NetworkGeek,

Also the VPN downtime is very minimal. I used to updrade a pair of 2050's while I was VPN'ed into them with Global Protect. Maybe lost 1-2 pings at most and never dropped from VPN.

Regards,

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 20:49:33 GMT

@OtakarKlier

The only reason I bring it up is because TAC said that the best practice was to suspend the firewall that you are upgrading and I never had, mostly because I start the upgrade with the passive node. I wouldn't thinking that not suspending the passive node before upgrading it would cause the upgrade from 7.1.13 to 7.1.14 would make it fail.

Re: Best Practices for PAN-OS Upgrade without downtime

markk96 — Fri, 26 Jan 2018 20:50:08 GMT

Correct.

1. Suspend the Primary

2. Upgrade the Primary and Reboot

3. Suspend the Secondary so it fails back to the Primary.

4. Make sure Production is working fine on the new code.

5. Upgrade the Secondary.

I never have any issues leaving the OS mismatched for a couple of days.

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 20:51:40 GMT

@OtakarKlier

I just read your message about doing the PA upgrade while on the vpn, I have always wanted to try that but I have never been brave enough too.

Re: Best Practices for PAN-OS Upgrade without downtime

OtakarKlier — Fri, 26 Jan 2018 20:55:11 GMT

Hello,

If you suspend the device (i usually dont but understand why TAC would say so) make sure to make it active again or verify that it is active prior to upgrading the second one otherwise everything will go down during the reboot since one PAN is rebooting and the other is suspended. I had to learn this the hard way when another admin suspended a device and didtn make it active again :(.

Regards,

Re: Best Practices for PAN-OS Upgrade without downtime

markk96 — Fri, 26 Jan 2018 21:04:17 GMT

I have never had any issue making the suspended Palo active again before I upgrade it, that is what I always do. I make sure they both see one is active and one is passive. Then I start my upgrade and reboot.

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 21:12:40 GMT

@markk96

When I have left it mismatched for no more than 12 hours it won't let me commit changes

Re: Best Practices for PAN-OS Upgrade without downtime

jdprovine — Fri, 26 Jan 2018 21:15:08 GMT

@OtakarKlier

I do a suspend when I fail the primary over to upgrade it and then again on the secondary when I fail back to the primary. But in the past I have not had to suspend the secondary when I go to upgrade it when it is already in the passive position.

Re: Best Practices for PAN-OS Upgrade without downtime

markk96 — Fri, 26 Jan 2018 21:17:18 GMT

I use Panorama, I have not had any issues commiting to them after leaving them mismatched for 24 hours.