03-24-2017 12:41 AM
Hello all,
i have Active /passive firewalls
how can i upgrade PAN-OS without downtime ??
1-when i upgrade active , it will reboot then passive will be active ..
2- When i upgrade the new active is it will be back to old active again ?? what about OS mismatching is it have any impact on HA
3- If both devices will be for VPN ? Tunnel will be down with failover ?
03-24-2017 01:53 AM
Hi,
Last time l did this way:
1) Disable preemption (if any) from the both devices.
2) Upgrade FIRST PASSIVE then reboot.
3) Upgrade the currently active box, before reboot failover to passive with already new PAN-OS running on it.
4) Reboot the first device (the one which was active).
From what l understood all session wich are terminates on the Active box will be reestablished (BGP, OSPF, IPSec etc). Only traversing session will not be interrupted during failover. So yes VPN will be reestablished (short downtime)
03-24-2017 01:53 AM
Hi,
Last time l did this way:
1) Disable preemption (if any) from the both devices.
2) Upgrade FIRST PASSIVE then reboot.
3) Upgrade the currently active box, before reboot failover to passive with already new PAN-OS running on it.
4) Reboot the first device (the one which was active).
From what l understood all session wich are terminates on the Active box will be reestablished (BGP, OSPF, IPSec etc). Only traversing session will not be interrupted during failover. So yes VPN will be reestablished (short downtime)
03-24-2017 02:17 AM
I always switchover to passive first, then upgrade previously active one. That way you know both are working before upgrade.
03-24-2017 02:22 AM
True.. Same way you can test by upgrading passive first, rebooting and failing over. If there is an issue you back to old code on the previously active and rolling back on the second box. Really couple;e ways to do it and i think all of them are correct :0
01-26-2018 09:33 AM
Did you suspend that passive firewall before upgrading it?
01-26-2018 12:11 PM - edited 01-26-2018 12:12 PM
I always Failover to the passive Palo, then I go back to what I consider the "Primary" palo and upgrade it, once it comes up and everything is running on it, I fail back to it. I run that for a day or two and then I upgrade the passive node.
01-26-2018 12:39 PM
so you upgrade the primary first, and are you saying the firewall you are upgrading is in the suspend mode? Do you run into any issues leaving them out of synch for that long?
01-26-2018 12:45 PM
Hello @jdprovine,
Suspend mode only takes the PAN out of the HA as a viable unit to fail over to.
Hello @NetworkGeek,
Also the VPN downtime is very minimal. I used to updrade a pair of 2050's while I was VPN'ed into them with Global Protect. Maybe lost 1-2 pings at most and never dropped from VPN.
Regards,
01-26-2018 12:49 PM
The only reason I bring it up is because TAC said that the best practice was to suspend the firewall that you are upgrading and I never had, mostly because I start the upgrade with the passive node. I wouldn't thinking that not suspending the passive node before upgrading it would cause the upgrade from 7.1.13 to 7.1.14 would make it fail.
01-26-2018 12:50 PM
Correct.
1. Suspend the Primary
2. Upgrade the Primary and Reboot
3. Suspend the Secondary so it fails back to the Primary.
4. Make sure Production is working fine on the new code.
5. Upgrade the Secondary.
I never have any issues leaving the OS mismatched for a couple of days.
01-26-2018 12:51 PM
I just read your message about doing the PA upgrade while on the vpn, I have always wanted to try that but I have never been brave enough too.
01-26-2018 12:55 PM
Hello,
If you suspend the device (i usually dont but understand why TAC would say so) make sure to make it active again or verify that it is active prior to upgrading the second one otherwise everything will go down during the reboot since one PAN is rebooting and the other is suspended. I had to learn this the hard way when another admin suspended a device and didtn make it active again :(.
Regards,
01-26-2018 01:04 PM
I have never had any issue making the suspended Palo active again before I upgrade it, that is what I always do. I make sure they both see one is active and one is passive. Then I start my upgrade and reboot.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
