Best Practices for PAN-OS Upgrade without downtime

L2 Linker


Hello all,

 

I have active/passive firewalls.

How can I upgrade PAN-OS without downtime?

1. When I upgrade the active, it will reboot, then the passive will become active.

2. When I upgrade the new active, will it fail back to the old active again? What about an OS mismatch, does it have any impact on HA?

3. If both devices are used for VPN, will the tunnel be down during the failover?


L6 Presenter

Re: Best Practices for PAN-OS Upgrade without downtime

Hi,

 

Last time I did it this way:

1) Disable preemption (if any) on both devices.

2) Upgrade the PASSIVE device FIRST, then reboot it.

3) Upgrade the currently active box; before rebooting it, fail over to the passive, which is already running the new PAN-OS.

4) Reboot the first device (the one that was active).

From what I understood, all sessions that terminate on the active box will be re-established (BGP, OSPF, IPsec, etc.). Only traversing sessions will not be interrupted during failover. So yes, the VPN will be re-established (short downtime).
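
The sequence in the post above (disable preemption on both peers, upgrade and reboot the passive, fail over, then upgrade and reboot the old active) as a dry-run planner. This is an added example and not code from the original thread or from Palo Alto Networks. It parses a constructed `show high-availability state` response (the element names are my recollection of the XML-API schema and are an assumption), runs the pre-flight checks you want before touching either peer, and emits the CLI commands in order. The command text is from memory of the PAN-OS CLI; verify it against the admin guide for your release. Nothing here contacts a firewall.

```python
"""Dry-run planner for an active/passive PAN-OS upgrade (added example, not PAN-OS code)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XML-API form of `show high-availability state`.
# Element names (local-info, peer-info, preemptive, build-rel, running-sync) are an assumption.
SAMPLE_HA_STATE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info>
      <state>active</state>
      <preemptive>yes</preemptive>
      <build-rel>9.1.10</build-rel>
    </local-info>
    <peer-info>
      <state>passive</state>
      <preemptive>yes</preemptive>
      <build-rel>9.1.10</build-rel>
    </peer-info>
    <running-sync>synchronized</running-sync>
  </group>
</result></response>"""


def parse_ha_state(xml_text: str) -> dict:
    """Extract the fields the upgrade decision depends on from the HA state XML."""
    group = ET.fromstring(xml_text).find("./result/group")
    local, peer = group.find("local-info"), group.find("peer-info")
    return {
        "local_state": local.findtext("state"),
        "peer_state": peer.findtext("state"),
        "local_preemptive": local.findtext("preemptive") == "yes",
        "peer_preemptive": peer.findtext("preemptive") == "yes",
        "local_version": local.findtext("build-rel"),
        "peer_version": peer.findtext("build-rel"),
        "running_sync": group.findtext("running-sync"),
    }


def preflight(state: dict) -> list:
    """Reasons not to start; an empty list means the pair is healthy enough to proceed."""
    problems = []
    if (state["local_state"], state["peer_state"]) != ("active", "passive"):
        problems.append(f"expected active/passive, got {state['local_state']}/{state['peer_state']}")
    if state["running_sync"] != "synchronized":
        problems.append(f"running config not synchronized: {state['running_sync']}")
    if state["local_version"] != state["peer_version"]:
        problems.append(f"peers already on different PAN-OS: {state['local_version']} vs {state['peer_version']}")
    return problems


def upgrade_plan(state: dict, target: str) -> list:
    """Ordered (box, command) pairs; 'active'/'passive' name each box by its role at the START.

    In real use, wait for each download/install job to finish and re-run
    `show high-availability state` at the marked points before continuing.
    """
    plan = []
    # 1) Disable preemption on both peers so the upgraded box is not pulled back to active.
    for box, enabled in (("active", state["local_preemptive"]), ("passive", state["peer_preemptive"])):
        if enabled:
            plan += [(box, "configure"),
                     (box, "set deviceconfig high-availability group preemptive no"),
                     (box, "commit"),
                     (box, "exit")]
    # 2) Upgrade the passive first and reboot it; it should return as passive on the new code.
    plan += [("passive", f"request system software download version {target}"),
             ("passive", f"request system software install version {target}"),
             ("passive", "request restart system"),
             ("passive", "show high-availability state")]  # expect: passive, synchronized
    # 3) Stage the image on the active, then suspend it: the suspend is the failover.
    plan += [("active", f"request system software download version {target}"),
             ("active", f"request system software install version {target}"),
             ("active", "request high-availability state suspend"),
             ("passive", "show high-availability state")]  # expect: peer now active on new code
    # 4) Reboot the old active; it comes back as passive and the versions match again.
    #    `state functional` is harmless if the box already returned functional after the reboot.
    plan += [("active", "request restart system"),
             ("active", "request high-availability state functional"),
             ("active", "show high-availability state")]  # expect: passive, synchronized
    return plan


if __name__ == "__main__":
    st = parse_ha_state(SAMPLE_HA_STATE)
    print("preflight:", preflight(st) or "ok")
    for box, cmd in upgrade_plan(st, "9.1.14"):
        print(f"[{box:7}] {cmd}")
```

The preflight version check answers the OS-mismatch question in the original post at the only point where it matters: the peers should match before you start, and they are deliberately mismatched only between step 2 and step 4.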

L5 Sessionator

Re: Best Practices for PAN-OS Upgrade without downtime

I always switch over to the passive first, then upgrade the previously active one. That way you know both are working before the upgrade.

 

L6 Presenter

Re: Best Practices for PAN-OS Upgrade without downtime

True. The same way, you can test by upgrading the passive first, rebooting and failing over. If there is an issue, you go back to the old code on the previously active and roll back on the second box. There are really a couple of ways to do it and I think all of them are correct :)

L2 Linker

Re: Best Practices for PAN-OS Upgrade without downtime

Thank you all ...

 

 

L4 Transporter

Re: Best Practices for PAN-OS Upgrade without downtime

@TranceforLife

Did you suspend that passive firewall before upgrading it?

L3 Networker

Re: Best Practices for PAN-OS Upgrade without downtime

I always fail over to the passive Palo, then I go back to what I consider the "primary" Palo and upgrade it. Once it comes up and everything is running on it, I fail back to it. I run that for a day or two and then I upgrade the passive node.

L4 Transporter

Re: Best Practices for PAN-OS Upgrade without downtime

@markk96

 

So you upgrade the primary first, and are you saying the firewall you are upgrading is in suspend mode? Do you run into any issues leaving them out of sync for that long?

L7 Applicator

Re: Best Practices for PAN-OS Upgrade without downtime

Hello @jdprovine,

Suspend mode only takes the PAN out of the HA as a viable unit to fail over to.

 

Hello @NetworkGeek,

Also, the VPN downtime is very minimal. I used to upgrade a pair of 2050s while I was VPN'ed into them with GlobalProtect. Maybe lost 1-2 pings at most and never dropped from the VPN.

 

 

Regards,
