Different version

Reply
Highlighted
L2 Linker

Different version

I have version 8 on a  PA 3220 and on the secondary device ( hot stand by ) we have version 9, there is some problem in that they work with different versions 


Accepted Solutions
Highlighted
L2 Linker

You need to match PAN OS version.

View solution in original post

Highlighted
L0 Member

That mean if i need to upgrade the OS on HA we going to have outage in your Scenario.

So, If i need to upgrade the OS.

I have to trigger fail over to pass the traffic through Passive Device.

Then upgrade the Active one and trigger the failover to pass the traffic again to Primary Device.

I think, the Ha should work if we don't have BIG major GAPS between PAN-OS version.

I hope you correct me if i am wrong !

View solution in original post


All Replies
Highlighted
L2 Linker

You need to match PAN OS version.

View solution in original post

Highlighted
L1 Bithead

@DGonzalezAR 

 

The HA peers should have the same version of PAN-OS and content version, in order to set them into a HA pair.

 

Refer to the documentation below on the HA overview for further details,

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-overview.html

 

Thanks. 

 

Highlighted
L2 Linker

In order to work HA properly, Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.

Highlighted
L0 Member

That mean if i need to upgrade the OS on HA we going to have outage in your Scenario.

So, If i need to upgrade the OS.

I have to trigger fail over to pass the traffic through Passive Device.

Then upgrade the Active one and trigger the failover to pass the traffic again to Primary Device.

I think, the Ha should work if we don't have BIG major GAPS between PAN-OS version.

I hope you correct me if i am wrong !

View solution in original post

Highlighted
L1 Bithead

@AhmedMoustafa 

 

When we are upgrading the OS on a HA pair, for active/passive firewalls, must upgrade the passive peer first, suspend the active peer (fail over), update the active peer, and then return that peer to a functional state (fail back).

To prevent fail over during the upgrade of the HA peers, must make sure preemption is disabled before proceeding with the upgrade. We only need to disable preemption on one peer in the pair.

 

You can check the upgrade steps in the link below.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/upgrade-to-pan-os-90/upgrade-the-fi...

 

 

Highlighted
L2 Linker

Thank you very much we have taken the team to secondary to version 8 and it has worked perfectly then we will migrate to version 9

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!