12-12-2023 05:50 AM
We are preparing to update this weekend to 10.2.7 to resolve the expiring root certificate issue. We have an HA pair that we want to failover while upgrading as to not disrupt service. While I have the upgrade path from the Palo documentation what I am not sure of is if I can fully upgrade the secondary, failover and then fully upgrade the primary and fail back or if I need to fail back and forth between each step? See below, which option is recommended? Obviously Option A is the preferred choice if it will work but I want to be sure doing it that way won't cause an issue. What do others do?
Option A
Upgrade secondary to 10.1.11h1
Upgrade Secondary to 10.2
Upgrade Secondary to 10.2.7
Fail over to Secondary
Upgrade Primary to 10.1.11h1
Upgrade Primary to 10.2
Upgrade Primary to 10.2.7
Fail back over to Primary
Option B
Upgrade secondary to 10.1.11h1
Fail over to Secondary
Upgrade Primary to 10.1.11h1
Fail over to Primary
Upgrade Secondary to 10.2
Fail over to Secondary
Upgrade Primary to 10.2
Fail over to Primary
Upgrade Secondary to 10.2.7
Fail over to Secondary
Upgrade Primary to 10.2.7
Fail over to Primary
12-12-2023 07:49 AM
Hello,
Option A would be the route I take.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
