Firewall upgrades guidance

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Firewall upgrades guidance

L4 Transporter
  1. Hello we have a customer with central location acting as Datacenter with PA 3000 series. The panorama also stays in same DC.

 

All the other locations worldwide are connected to central DC over IPSEC tunnels.

 

Most of the firewalls running at remote sites are having 8.x version.

 

We want to upgrade all of them to 10.x . I checked hardware wise all models support 10.x

 

Some are Active active  and some are Active passive

 

We have to upgrade those firewalls over IPSEC. Our worry is  to plan so that tunnel always remain up . 

 Can anyone provide guidelines as we don't have a backdoor path to connect in case IPSEC does not come up .

 

Our DC firewalls are 9.1.11. 

 

Or is it recommended to have local H&E support for each location ?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

 

 

As you have your firewalls in HA, then you can do the HA failover before upgrading any instance. Before upgrading HA pair, make sure Preemption is disabled on both firewalls which will avoid unexpected HA failovers.

 

Once failover is done, you can verify if gateway that is in passive state is accessible without any issues. If it is set then you can upgrade same. Once upgrade for passive firewall is done and it is stabilized, then you can failover all the traffic to this firewall to proceed for upgrading other firewall.

 

 

Now when you are not local on the site and planning upgrade remotely, it is best practice to have local person at the site or have OOB/Console management connectivity to the firewalls. Otherwise you need to make sure you have access to the firewalls remotely all the time during upgrade.

 

So when you do not have either of the above said options, you need to have pre-upgrade checklist which will ensure HA failover is working as expected and you are able to connect to the firewalls post failover as you are accessing those firewalls via tunnel which is on the same firewall.

 

In case IPSEC goes down then you will not get access to the devices. So it’s better to have someone at site who will provide you console access.

 

You can refer below KB article on Best Practices for PAN-OS Upgrade.

 

Ref. KB article

 

P.S. – One of my friend have also gone through the same situation where site was new and devices were connected. He wanted to connect that site over the IPSEC tunnel with main DC. At that time, he had managed to established management connectivity over the internet with restricting access to his specific source public IP only. So with this, without IPSEC tunnel, firewall was accessible using public IP for time being. I don’t see this as a best practice but I just recalled this incident when saw your post. Again, I would recommend you to have someone at site to give you console access.

M

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

 

 

As you have your firewalls in HA, then you can do the HA failover before upgrading any instance. Before upgrading HA pair, make sure Preemption is disabled on both firewalls which will avoid unexpected HA failovers.

 

Once failover is done, you can verify if gateway that is in passive state is accessible without any issues. If it is set then you can upgrade same. Once upgrade for passive firewall is done and it is stabilized, then you can failover all the traffic to this firewall to proceed for upgrading other firewall.

 

 

Now when you are not local on the site and planning upgrade remotely, it is best practice to have local person at the site or have OOB/Console management connectivity to the firewalls. Otherwise you need to make sure you have access to the firewalls remotely all the time during upgrade.

 

So when you do not have either of the above said options, you need to have pre-upgrade checklist which will ensure HA failover is working as expected and you are able to connect to the firewalls post failover as you are accessing those firewalls via tunnel which is on the same firewall.

 

In case IPSEC goes down then you will not get access to the devices. So it’s better to have someone at site who will provide you console access.

 

You can refer below KB article on Best Practices for PAN-OS Upgrade.

 

Ref. KB article

 

P.S. – One of my friend have also gone through the same situation where site was new and devices were connected. He wanted to connect that site over the IPSEC tunnel with main DC. At that time, he had managed to established management connectivity over the internet with restricting access to his specific source public IP only. So with this, without IPSEC tunnel, firewall was accessible using public IP for time being. I don’t see this as a best practice but I just recalled this incident when saw your post. Again, I would recommend you to have someone at site to give you console access.

M

Thanks @SutareMayur  very well explained ; 

 

Glad to have people like you in the community .

This is helpful to me also. Thank for sharing detailed thoughts.

Totally agreed…

  • 1 accepted solution
  • 3030 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!