
Best Practices for PAN-OS Upgrade without downtime


L2 Linker

Hello all,

I have active/passive firewalls.

How can I upgrade PAN-OS without downtime?

1. When I upgrade the active, it will reboot, then the passive will become active.

2. When I upgrade the new active, will it go back to the old active again? What about the OS mismatch: does it have any impact on HA?

3. If both devices are used for VPN, will the tunnel go down on failover?


Accepted Solutions

L6 Presenter

Hi,

Last time I did it this way:

1) Disable preemption (if any) on both devices.

2) Upgrade FIRST the PASSIVE, then reboot.

3) Upgrade the currently active box; before rebooting, fail over to the passive, which already has the new PAN-OS running on it.

4) Reboot the first device (the one which was active).

From what I understood, all sessions which terminate on the active box will be re-established (BGP, OSPF, IPSec etc.). Only traversing sessions will not be interrupted during failover. So yes, the VPN will be re-established (short downtime).


I always switch over to the passive first, then upgrade the previously active one. That way you know both are working before the upgrade.

 

True.. The same way, you can test by upgrading the passive first, rebooting and failing over. If there is an issue you go back to the old code on the previously active and roll back on the second box. Really a couple of ways to do it and I think all of them are correct :)

Thank you all ...


@TranceforLife

Did you suspend that passive firewall before upgrading it?

L3 Networker

I always fail over to the passive Palo, then I go back to what I consider the "primary" Palo and upgrade it. Once it comes up and everything is running on it, I fail back to it. I run that for a day or two and then I upgrade the passive node.

@markk96

 

So you upgrade the primary first, and are you saying the firewall you are upgrading is in suspend mode? Do you run into any issues leaving them out of sync for that long?

Hello @jdprovine,

Suspend mode only takes the PAN out of the HA as a viable unit to fail over to.

 

Hello @NetworkGeek,

Also the VPN downtime is very minimal. I used to upgrade a pair of 2050's while I was VPN'ed into them with GlobalProtect. Maybe lost 1-2 pings at most and never dropped from the VPN.


Regards,

@OtakarKlier

The only reason I bring it up is because TAC said that the best practice was to suspend the firewall that you are upgrading, and I never have, mostly because I start the upgrade with the passive node. I wouldn't think that not suspending the passive node before upgrading it would make the upgrade from 7.1.13 to 7.1.14 fail.

Correct.

 

1. Suspend the Primary

2. Upgrade the Primary and Reboot

3. Suspend the Secondary so it fails back to the Primary.

4. Make sure Production is working fine on the new code.

5. Upgrade the Secondary.

 

I never have any issues leaving the OS mismatched for a couple of days.


@OtakarKlier

I just read your message about doing the PA upgrade while on the VPN. I have always wanted to try that but I have never been brave enough to.

Hello,

If you suspend the device (I usually don't, but understand why TAC would say so), make sure to make it active again, or verify that it is active, prior to upgrading the second one; otherwise everything will go down during the reboot, since one PAN is rebooting and the other is suspended. I had to learn this the hard way when another admin suspended a device and didn't make it active again :(.

 

Regards,
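The ordering from the accepted answer (preemption off, passive first, fail over, then the old active) and the pitfall in the reply above (one node rebooting while the other is still suspended) can be checked against a small state model before touching a real pair. This is an added example, not code from the thread or from Palo Alto Networks; the node names, priorities and version strings are constructed, and the election rule (lowest priority number wins, and retakes active only when preemption is on) is a simplifying assumption of the model, not a description of PAN-OS internals.

```python
# Toy model of an active/passive HA pair (constructed example, not Palo Alto
# Networks code) for checking an upgrade plan against the thread's pitfalls.
class Node:
    def __init__(self, name, version, priority):
        self.name, self.version, self.priority = name, version, priority
        self.state = "passive"   # active | passive | suspended | rebooting
        self.preempt = True      # step 1 of the accepted answer turns this off

class HaPair:
    def __init__(self, a, b):
        self.nodes, self.failovers, self.outages = [a, b], 0, 0
        a.state = "active"

    def _settle(self):  # re-elect the active member after any state change
        eligible = [n for n in self.nodes if n.state in ("active", "passive")]
        if not eligible:         # one rebooting, the other suspended: no forwarding
            self.outages += 1
            return
        current = next((n for n in eligible if n.state == "active"), None)
        best = min(eligible, key=lambda n: n.priority)  # lower number wins (model)
        if current is None or (best is not current and best.preempt):
            if current is not None: current.state = "passive"
            best.state = "active"
            self.failovers += 1  # each failover re-establishes terminated sessions
    def set_state(self, node, state):
        node.state = state
        self._settle()
    def upgrade_and_reboot(self, node, version):
        node.version = version
        self.set_state(node, "rebooting")  # the peer must carry traffic meanwhile
        self.set_state(node, "passive")    # rejoins the pair after the reboot
    def active(self):
        return next(n for n in self.nodes if n.state == "active")

def upgrade_passive_first(pair, version, disable_preempt=True):
    """Accepted answer's order; returns (failovers, outages) for the plan."""
    for n in pair.nodes:
        n.preempt = not disable_preempt
    old_active = pair.active()
    standby = pair.nodes[pair.nodes.index(old_active) ^ 1]
    pair.upgrade_and_reboot(standby, version)
    pair.set_state(old_active, "suspended")  # force failover onto the new code
    pair.set_state(old_active, "passive")    # re-enable it BEFORE its own reboot
    pair.upgrade_and_reboot(old_active, version)
    return pair.failovers, pair.outages

def forgotten_suspend(pair, version):  # pitfall: peer rebooted while this one is suspended
    pair.set_state(pair.active(), "suspended")       # fail over, then forget it
    pair.upgrade_and_reboot(pair.active(), version)  # nobody left to forward
    return pair.outages
```

Running the plan with preemption left on on the higher-priority node produces three extra failovers, each of which re-establishes the terminated sessions (VPN, routing) the accepted answer mentions.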

I have never had any issue making the suspended Palo active again before I upgrade it, that is what I always do.  I make sure they both see one is active and one is passive.  Then I start my upgrade and reboot.
