Query on HA failover

Currently our secondary unit is running as Primary.

We have upgraded our Secondary (originally Primary) FW and now would like to do the failover so that it becomes Primary.

If the failover doesn't work as expected what should be done straightaway to avoid any traffic loss?

Re: Query on HA failover

so you currently have:

fw1 --> running the new os and passive?

fw2 --> running the old image and active.


ha status is okay but pan-os version is mismatched and config is not synced (which is normal during upgrade of a cluster)


the fastest way according to me (if you have followed upgrade best practices and turned preempt off)

is to suspend the active firewall (running old os), and with preempt disabled there should be no issue making the device functional again right away.


at this point you will have failed over to the fw1 running the new image.
if you notice issues it's simply a case of suspending the fw1 with the new image so you fallback to the other cluster member.


the failovers during an upgrade should be just as fast as before the upgrade. so if you did not lose any pings when failing over before you started you can expect the same now.
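
The suspend-and-fall-back sequence from the reply above, written out as PAN-OS operational-mode CLI commands. This is an added example, not part of the original posts; the `admin@...` prompts are constructed, and `fw1`/`fw2` follow the naming used in the reply (fw1 on the new image, fw2 on the old image and active).

```text
# Lines starting with "#" are annotations, not commands.

# Before: confirm the roles and that the HA peer is reachable.
admin@fw1(passive)> show high-availability state
admin@fw2(active)> show high-availability state

# Fail over: suspend the active unit (fw2, old image) so fw1 takes over.
admin@fw2(active)> request high-availability state suspend

# Verify that fw1 is now active and is handling sessions.
admin@fw1(active)> show high-availability state
admin@fw1(active)> show session info

# Return fw2 to the cluster. With preempt off it rejoins without
# taking the active role back.
admin@fw2(suspended)> request high-availability state functional

# Fallback if fw1 shows issues: suspend fw1 so fw2 becomes active again.
admin@fw1(active)> request high-availability state suspend

# Once fw2 is confirmed active, make fw1 functional again.
admin@fw1(suspended)> request high-availability state functional
```

Running a continuous ping through the firewall during each suspend gives the same loss measurement the reply refers to.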
