When upgrading from PanOS 4.1.6 to 4.1.7, will the device fail over without issue as it installs the new software or will I have to schedule an outage? Thanks in advance.
The device will have two internal storage partitions. Let us say that 4.1.6 is installed on partition A. Now when you want to upgrade from 4.1.6 to 4.1.7, the device will install the 4.1.7 software in partition B. Once the installation is complete, you have to REBOOT the device (causing an outage). This is required so that the device will switch its boot partition to partition B to use the new 4.1.7 image.
In the case of a stand-alone firewall that needs to be upgraded, a reboot is needed for the upgraded version to take effect, so an outage is inevitable.
If you are upgrading firewalls in an active-passive HA pair:
1. Upgrade the passive unit.
2. Fail over the HA pair.
3. Now upgrade the passive unit (which was active earlier).
This would be achieved with ideally no downtime.
P.S.: In both cases a scheduled window is always recommended.
Anytime you upgrade software the PA needs a reboot for the new image to load.
As my colleagues reported, if you have an HA setup then you should upgrade the passive and then fail over to the passive so it will become the new active.
Before you even upgrade the original active, make sure traffic flows and verify functions, e.g. that SSL VPN users can connect, IPsec tunnels are up and traffic can pass.
One important thing to remember is when upgrading always export out the running-config.xml file from the PA before doing any upgrades.
To export out the configuration navigate over to the device tab.
Select the (setup) link
Select (operation tab)
Select (Export named configuration snapshot)
Select the running-config.xml file.
Let us know if you have additional questions.
Thanks for the info. We weren't sure if the HA pair would operate on different versions of code. Our Aruba stuff doesn't like to play nice when we upgrade the passive and fail it over while we try to upgrade the primary.
Upgrading the passive to a different version is supported. What you will see on the dashboard is that the versions will be mismatched, which is okay.
Once you fail over to the passive and it becomes active, and after you've confirmed that all is working within the network, then just upgrade the original active to match.
If you have any further questions do let us know.
Take care and have a nice weekend.