Best practices - Multi large upgrades pan-os Firewall HA

cancel
Showing results for 
Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Best practices - Multi large upgrades pan-os Firewall HA

L3 Networker

 

Best practices - Multi large upgrades pan-os Firewall HA

 

Good afternoon, as usual, thank you very much for your support and collaboration.

We have the possibility with a customer to perform multiple upgrades in one day, maintenance window.

We need to move from 8.1 to 9.1, i.e. 8.1.x to 9.0.x and from 9.0.x to 9.1.x.

 

So the question is the following:

1.- What is the best practice when it comes to make that jump, that intermediate upgrade from 9.0, for example when going from 8.1.x to ""9.0.x"" ( PAN-OS Intermediate, transitive ) final 9.1.x.

That intermediate jump, what is the best practice: I mean, for example, the current version 8.1.5, download and install the base 9.0.0? or is it recommended to download the base (9.0.0) and download and install (the recommended version of 9.0.x (9.0.16-h2), although it is say the intermediate transition version? to reach the recommended version 9.1.

 

2.- Also in relation to the same, the recommendation is still, in each jump, for example when moving to the same intermediate version 9.0, love or reassemble the HA and then continue with the upgrade ? or is it possible to apply both upgrades to a node and then on the other node ? I would understand that the best practice is to re-amplify the HA at each stage of the upgrade.

 

Please give me your comments, advice, recommendations and suggestions.

 

Thank you very much

 

Best regards

High Sticker
1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

First backup the config. This doc should step you through the process. I forget when they allowed the base release download only and install the preferred release, i.e. just download 9.0 and download and install the latest version of the 9.0.x release. But you can do it with the 9.1, eg download 9.1.0 code but download and install the preferred release 9.1.x.

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

With an HA pair, do it all on the standby unit first. I when doing large jumps as these, it might be wise to go slow. What I mean is do the first jump on the standby, fail over, then upgrade the other one to the same version. Then keep going until you are up to the version you want to be at. Also make sure you dynamic updates are up to date as well, otherwise the PAN wont let you upgrade the OS.

 

Cheers!

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

First backup the config. This doc should step you through the process. I forget when they allowed the base release download only and install the preferred release, i.e. just download 9.0 and download and install the latest version of the 9.0.x release. But you can do it with the 9.1, eg download 9.1.0 code but download and install the preferred release 9.1.x.

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

With an HA pair, do it all on the standby unit first. I when doing large jumps as these, it might be wise to go slow. What I mean is do the first jump on the standby, fail over, then upgrade the other one to the same version. Then keep going until you are up to the version you want to be at. Also make sure you dynamic updates are up to date as well, otherwise the PAN wont let you upgrade the OS.

 

Cheers!

Ok, thanks for your time and your comments.
So, to confirm, each step even transitive, always the recommended version to install. (do not install the base then, even if it is transitive, the correct way then is to download the base and download and install the recommended version per jump, and the best practice is to synchronize the HA for each stage, each jump, perform the upgrade, rearm and sync the HA and then continue with the other version).

High Sticker

Cyber Elite
Cyber Elite

Hello,

Correct, that is how I would go about it.

Regards,

Cyber Elite
Cyber Elite

Hey @Metgatz ,

I am not able to find it in the docs at the moment, but somewhere was explicetly mentioned to keep the difference between the HA member as lower as possible.
Meaning
- Upgrade secondary to latest maintenance release for 8.1.x

- Upgrade secondary to latest maintenance release for 9.0.x ( downloading 9.0 and installing 9.0.x)

Failover

- Upgrade primary to latest maintenance for 8.1.x

- Upgrade primarto latest maintenance for 9.0 (download 9.0 install latest 9.0.x)

Sync cluster

- Repeat for 9.1

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!