Upgrading 4.07 to 4.1.2 in HA environment

Not applicable

The following change log may be useful to all of you wondering how an upgrade goes in an HA active-passive pair. It would be nice if PAN support were to put this into a tech note. Each step is essentially a check or an observation from top to bottom.

2050 Firewall Upgrade 4.07 to 4.1.2 Log:

Pre download of PAN-OS 4.1.0 and 4.1.2 to both units

No commits pending

Firewalls show HA is in sync

Same version of dynamic updates are installed on both units

Backup configs from both and export them

On PAN2 (the current passive), suspend the unit via GUI:device/ha/suspend @ 9:17 am

PAN2 upgrade to 4.1.0 starting @ 9:18am

PAN2 reboot @ 9:22

PAN2 back up at 9:25 and auto com until 9:38. PAN2 comes up as non-functional state. Note that the unit will not be able to log you in for several minutes as the upgrade process is happening.

PAN2 Started 4.1.0 to 4.1.2 upgrade at 9:40

PAN2 reboot at 9:44

PAN2 back up at 9:50 and auto com until 9:53. PAN2 comes up as non-functional state.

Because 4.1.x HA is not compatible with 4.0.x HA, there is no way to make the newly upgraded firewall the active. The older fw code must be suspended first and then the new fw is made functional, which then brings it into the active state. Because of this limitation, the sessions going through the active will sever when it is suspended. Detail below:

do quickly PAN1 from cli: request high-availability state suspend

NOTE: active sessions will sever when active becomes suspended

do quickly PAN2 from cli: request high-availability state functional

PAN2 immediately becomes active. loss of 14 pings

PAN1 upgrade to 4.1.0 starting @ 10:56am

PAN2 (not PAN1!!) redefined pre-emption to 98 to be favored over PAN1 so that PAN1 does not become active upon reboot into initial 4.1.0 install.

PAN1 reboot @ 11:04

PAN1 back up at 11:10 and auto com until 11:20

PAN1 state shows as "initial" after auto com completes

PAN1 Started 4.1.0 to 4.1.2 upgrade at 11:23

PAN1 state transitioned to passive while 4.1.2 upgrade was running

PAN1 reboot at 11:27

PAN1 back up at 11:32 and auto com until 11:35. PAN1 comes up as passive.

HA dashboard widgets on both sides show no errors and states are synched.

PAN2 pre-emption number set back to 101 then PAN2 was suspended. At this point an auto com job started running on PAN2 after PAN1 became active. This job took about 1 minute. This may be a synch check.

PAN2 commit config (to set back preemption value to 101)

PAN2 "request high-availability state functional" and state then becomes passive

Process completed at 11:43 am

Post upgrade items to do:

Download GlobalProtect client

Activate GlobalProtect client

Enable user ID on outside zone per error message (probably a Global Protect requirement)

Ensure User-ID agent reconnects

Test GlobalProtect upgrade and function

Community Team Member

Re: Upgrading 4.07 to 4.1.2 in HA environment

Thanks for posting this and adding to the discussion here.

Kind Regards

Stay Secure,
Joe
End of line
L2 Linker

Re: Upgrading 4.07 to 4.1.2 in HA environment

Isn't it possible to upgrade directly to 4.1.2? Why is this intermediate step to 4.1.0 needed?

L4 Transporter

Re: Upgrading 4.07 to 4.1.2 in HA environment

Unfortunately you cannot upgrade from 4.0.7 to 4.1.2. You have to upgrade to 4.1.0 first otherwise the upgrade will fail...

rgds Roland

Omicron AG - Wallisellen :-)

Not applicable

Re: Upgrading 4.07 to 4.1.2 in HA environment

This is very well put together. Thank you for taking the time to do this for everyone.

Not applicable

Re: Upgrading 4.07 to 4.1.2 in HA environment

See notes in original thread that you must go to 4.1.0 first which is the basis for that code train. 4.1.2 includes modifications to the base code.

L0 Member

Re: Upgrading 4.07 to 4.1.2 in HA environment

Correct me if I am wrong but you only have to download the 4.1.0 code? I upgraded a couple of 5020's that way last week.

L2 Linker

Re: Upgrading 4.07 to 4.1.2 in HA environment

Yes, it's definitely not needed to INSTALL 4.1.0 in front of an upgrade to 4.1.2. The only requirement is a downloaded 4.1.0 Firmware. This is described in the Admin Guide (Page 38) too:

You must have a base image downloaded before you can install an update version. For example, you must have 4.1.0 downloaded (not installed) before you can upgrade your 3.1.9 device to 4.1.4.
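
As an added example (not part of the thread and not Palo Alto Networks code), the pre-checks from the original log and the base-image rule quoted from the Admin Guide above can be written as a go/no-go check. The dictionary fields and sample values are constructed for illustration; nothing here queries a firewall.

```python
def parse_version(v):
    """'4.1.2' -> (4, 1, 2)"""
    return tuple(int(p) for p in v.split("."))

def base_image(target):
    """Base image of the target's release train, e.g. 4.1.2 -> 4.1.0."""
    major, minor, _ = parse_version(target)
    return f"{major}.{minor}.0"

def preflight(units, target):
    """Return blocking findings for the pair; an empty list means go."""
    findings = []
    for name, u in sorted(units.items()):
        # Admin Guide rule: the base image must be downloaded (not installed).
        for image in dict.fromkeys([base_image(target), target]):
            if image not in u["downloaded"]:
                findings.append(f"{name}: image {image} not downloaded")
        if u["pending_commit"]:
            findings.append(f"{name}: commit pending")
        if not u["config_exported"]:
            findings.append(f"{name}: config backup not exported")
    if sorted(u["ha_state"] for u in units.values()) != ["active", "passive"]:
        findings.append("pair: expected one active and one passive unit")
    if not all(u["ha_in_sync"] for u in units.values()):
        findings.append("pair: HA not in sync")
    if len({u["dynamic_updates"] for u in units.values()}) != 1:
        findings.append("pair: dynamic update versions differ")
    return findings

def upgrade_order(units):
    """Passive unit first, then the active one, as in the log."""
    return sorted(units, key=lambda n: units[n]["ha_state"] != "passive")

# Constructed sample state: PAN2 is missing the 4.1.0 base image.
PAIR = {
    "PAN1": {"version": "4.0.7", "downloaded": {"4.1.0", "4.1.2"},
             "pending_commit": False, "config_exported": True,
             "ha_state": "active", "ha_in_sync": True,
             "dynamic_updates": "constructed-build-1"},
    "PAN2": {"version": "4.0.7", "downloaded": {"4.1.2"},
             "pending_commit": False, "config_exported": True,
             "ha_state": "passive", "ha_in_sync": True,
             "dynamic_updates": "constructed-build-1"},
}

if __name__ == "__main__":
    for line in preflight(PAIR, "4.1.2") or ["no blocking findings"]:
        print(line)
    print("upgrade order:", upgrade_order(PAIR))
```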

L4 Transporter

Re: Upgrading 4.07 to 4.1.2 in HA environment

Hello,

In the initial post, I saw that the timeframe between the reboot and the autocommit is 15 minutes!!

Is it the normal boot time for PA 2000 series??

PS: all my PA 500 series boot in less than 6-8 minutes. Twice for PA 2000 series??

Regards,

Hedi

L0 Member

Re: Upgrading 4.07 to 4.1.2 in HA environment

Thanks for the information! Just did this on our 5050-clusterpair without any problems.
