topic Re: HA Active/Passive upgrade question in General Topics

HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 16:29:10 GMT

Hey PA Guru's! I have a question I haven't really seen on the KB's and documentation on HA upgrades, and wanted to get some insight.

I currently have a pair of PA-3050's we're looking to upgrade, and i've reviewed the docs on the recommended procedures here:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgrade-the-firewall-to-pan-os-80/upgrade-an-ha-firewall-pair-to-pan-os-80

and here:

https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

In this case, we are upgrading from 7.0.11 to 8.0.5. We did a successful upgrade on this on a stand-alone firewall last week without any issues.

My question is, when you upgrade a system in an HA Pair where you need to do it in stages, how can you specify which firewall you want to upgrade? I understand the instructions, but they don't seem to specify this item. For example:

PA-1 (current primary)
PA-2 (current backup)

disable pre-empt
suspend local device (either with CLI or GUI steps)

My question comes in at this point - As the firewall will now fail over to the backup device, and each FW does not have its own individual IP to log into (as compared to VVRP style failover setups, or other A/P designs where each device has its own IP), how can you clearly specify that you want to upgrade, reboot, upgrade again, reboot, just PA-1?

I am likely just missing something right in front of my face on this, but I'd rather ask and find out I'm blind, than charge ahead and hope it just 'works'.

Any assistance would be greatly appreciated!

Re: HA Active/Passive upgrade question

BPry — Wed, 31 Jan 2018 16:46:01 GMT

@JohPalmer,

Is there a reason that you don't have individual IPs assigned to the management interface on the firewalls? That would really be the proper way of doing things without having to console into both devices.

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 17:15:43 GMT

Hey there -

I'm new to the environment where these are (also been a bit since i managed PAN FW's). If they do have individual IP's, where would they be set so I can confirm?

and in the off chance that they don't have, would I just need to upgrade them each individually and fail them over on reboot, and hope things work? 🙂 (trying to be a bit more cautious than that)

Re: HA Active/Passive upgrade question

BPry — Wed, 31 Jan 2018 17:19:54 GMT

@JohPalmer,

It would be under Device > Setup and then under the 'Interfaces' tab you should have a listing for 'Mangement'. If they don't have individual IP addresses then the only device that you could work on without plugging into the console cable would be the active device. I would recommend simply configuring the management interfaces with unique IPs before you perform the update.

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 17:25:57 GMT

Looking at the section for Device > Setup, the Management interface only has one IP address listed. Checking through the CLI under the 'deviceconfig' tree, that's also showing only one management IP. The only other IP's (aside from gateway, DNS servers, NTP) are the HA IP's (which use 1.1.1.1 and 1.1.1.2 for the peering IP's), nothing to distinguish the FW's from each other.

Re: HA Active/Passive upgrade question

BPry — Wed, 31 Jan 2018 17:28:08 GMT

@JohPalmer,

You would only see the one IP address since you are only looking at the active firewalls configuration. If you were to console into the other device there should be another management IP address present that is different from the one you just looked at.

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 17:36:04 GMT

So, it looks like the answer is I'll need to go on-site and console into both and get the deviceconfig sections to get the IP's?

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 17:50:32 GMT

Also, as I'm on 7.0.11 on this HA Pair, there's not an interfaces tab under Device > Setup 🙂

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 17:57:37 GMT

So big thank you, I actually figured it out - because I couldn't see a 2nd IP, I wasn't sure one was configured, but after trying the next sequential IP after the primary, I was able to get logged into the secondary FW's management IP - I was just confused since it didn't reference that at ALL anywhere in the setup/config.

Thanks for the help, much apreciated!

Re: HA Active/Passive upgrade question

BrianRa — Wed, 31 Jan 2018 20:23:13 GMT

@JohPalmer FYI if you plan on being able to synchronize between the two firewalls you will need to move them both to 7.1.x before upgrading them to 8.0.x. They will not synchronize 2 revisions down, only 1. We asked support about this and that is what they told us.

Your path should be 7.0.11 -> 7.1.0 -> 8.0.0 -> 8.0.5 (we were recommended by our SEs to go to 8.0.7, Panorama has not had a problem with this but we have not moved our firewalls yet.).

Brian

Re: HA Active/Passive upgrade question

JohPalmer — Wed, 31 Jan 2018 20:43:15 GMT

Good information to have actually. I may need to update our plan to move up versions to 7.1, test, then move up to 8.0 and test, then jump to the final.

Re: HA Active/Passive upgrade question

BrianRa — Wed, 31 Jan 2018 20:58:06 GMT

Supposedly with the active on 7.1.x and the passive on 8.0.x you can tell them to fail over and the passive will pickup without any problems.