HA Active/Passive upgrade question

L2 Linker

Hey PA Gurus! I have a question I haven't really seen in the KBs and documentation on HA upgrades, and wanted to get some insight.

 

I currently have a pair of PA-3050s we're looking to upgrade, and I've reviewed the docs on the recommended procedures here:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgra...

 

and here:

https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

In this case, we are upgrading from 7.0.11 to 8.0.5.  We did a successful upgrade on this on a stand-alone firewall last week without any issues.

 

My question is, when you upgrade a system in an HA Pair where you need to do it in stages, how can you specify which firewall you want to upgrade?  I understand the instructions, but they don't seem to specify this item.  For example:

PA-1 (current primary)
PA-2 (current backup)

disable pre-empt
suspend local device (either with CLI or GUI steps)

My question comes in at this point. As the firewall will now fail over to the backup device, and each FW does not have its own individual IP to log into (as compared to VRRP-style failover setups, or other A/P designs where each device has its own IP), how can you clearly specify that you want to upgrade, reboot, upgrade again, reboot, just PA-1?

I am likely just missing something right in front of my face on this, but I'd rather ask and find out I'm blind, than charge ahead and hope it just 'works'.

Any assistance would be greatly appreciated!

Cyber Elite

@JohPalmer,

Is there a reason that you don't have individual IPs assigned to the management interface on the firewalls? That would really be the proper way of doing things without having to console into both devices. 

Hey there - 

 

I'm new to the environment where these are (it's also been a bit since I managed PAN FWs). If they do have individual IPs, where would they be set so I can confirm?

And in the off chance that they don't, would I just need to upgrade them each individually and fail them over on reboot, and hope things work? 🙂 (trying to be a bit more cautious than that)

@JohPalmer,

It would be under Device > Setup, and then under the 'Interfaces' tab you should have a listing for 'Management'. If they don't have individual IP addresses, then the only device that you could work on without plugging into the console cable would be the active device. I would recommend simply configuring the management interfaces with unique IPs before you perform the update.

Looking at the section for Device > Setup, the Management interface only has one IP address listed. Checking through the CLI under the 'deviceconfig' tree, that's also showing only one management IP. The only other IPs (aside from gateway, DNS servers, NTP) are the HA IPs (which use 1.1.1.1 and 1.1.1.2 for the peering IPs), nothing to distinguish the FWs from each other.

@JohPalmer,

You would only see the one IP address since you are only looking at the active firewalls configuration. If you were to console into the other device there should be another management IP address present that is different from the one you just looked at. 

So, it looks like the answer is I'll need to go on-site and console into both and get the deviceconfig sections to get the IPs?

Also, as I'm on 7.0.11 on this HA Pair, there's not an interfaces tab under Device > Setup 🙂

So big thank you, I actually figured it out. Because I couldn't see a second IP, I wasn't sure one was configured, but after trying the next sequential IP after the primary, I was able to get logged into the secondary FW's management IP. I was just confused since it didn't reference that at ALL anywhere in the setup/config.

Thanks for the help, much appreciated!

L3 Networker

@JohPalmer FYI, if you plan on being able to synchronize between the two firewalls, you will need to move them both to 7.1.x before upgrading them to 8.0.x. They will not synchronize 2 revisions down, only 1. We asked support about this and that is what they told us.

Your path should be 7.0.11 -> 7.1.0 -> 8.0.0 -> 8.0.5 (we were recommended by our SEs to go to 8.0.7; Panorama has not had a problem with this, but we have not moved our firewalls yet).

 

Brian

Good information to have, actually. I may need to update our plan to move up to 7.1, test, then move up to 8.0 and test, then jump to the final version.

Supposedly, with the active on 7.1.x and the passive on 8.0.x, you can tell them to fail over and the passive will pick up without any problems.
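An added pre-flight check, not from the thread or from Palo Alto Networks, that pulls the two facts this thread turns on out of a `show high-availability state` XML-API response: which member you are actually logged into (with its own management IP, the address the original poster could not see from the active unit's config), and whether the peers are close enough in version to stay in sync. The response below is a constructed sample using the element names I know from the PAN-OS response format; the addresses are made up, and the release ladder is taken from the upgrade path Brian gave.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML-API response to `show high-availability state`
# (type=op). Element names follow the PAN-OS response format as I know it; the
# addresses and versions are made up for this example.
SAMPLE_HA_STATE = """<response status="success"><result><enabled>yes</enabled><group>
  <local-info><state>passive</state><mgmt-ip>10.0.0.2/24</mgmt-ip>
    <preemptive>no</preemptive><build-rel>7.0.11</build-rel></local-info>
  <peer-info><state>active</state><mgmt-ip>10.0.0.1/24</mgmt-ip>
    <build-rel>7.1.0</build-rel></peer-info>
  <running-sync>synchronized</running-sync>
</group></result></response>"""

# Feature-release ladder taken from the upgrade path given in the thread; the
# peers are expected to stay in sync only when at most one rung apart.
RELEASE_LADDER = ["7.0", "7.1", "8.0"]

def parse_ha_state(xml_text):
    root = ET.fromstring(xml_text)
    if root.get("status") != "success" or root.findtext("result/enabled") != "yes":
        raise ValueError("HA state unavailable or HA not enabled on this device")
    local = root.find("result/group/local-info")
    peer = root.find("result/group/peer-info")
    return {
        "local_state": local.findtext("state"),
        "local_mgmt_ip": local.findtext("mgmt-ip"),  # the address the OP could not see
        "peer_mgmt_ip": peer.findtext("mgmt-ip"),
        "preempt_enabled": local.findtext("preemptive") == "yes",
        "local_version": local.findtext("build-rel"),
        "peer_version": peer.findtext("build-rel"),
        "running_sync": root.findtext("result/group/running-sync"),
    }

def feature_release(version):
    return ".".join(version.split(".")[:2])  # "7.0.11" -> "7.0"

def sync_compatible(v1, v2):
    # True when the two releases sit on the same or adjacent rungs of the ladder.
    steps = abs(RELEASE_LADDER.index(feature_release(v1)) - RELEASE_LADDER.index(feature_release(v2)))
    return steps <= 1

def preflight(info):
    """Return the problems that should stop a staged upgrade on this member."""
    problems = []
    if info["preempt_enabled"]:
        problems.append("preempt is still enabled; disable it before suspending a member")
    if info["running_sync"] != "synchronized":
        problems.append("running config is not synchronized with the peer")
    if not sync_compatible(info["local_version"], info["peer_version"]):
        problems.append("peer versions are more than one feature release apart")
    return problems
```

Run it against each member's own management IP before suspending anything; the `local_state` and `local_mgmt_ip` fields tell you which box you are on, and an empty `preflight` list means the stage can proceed.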
