Firmware Updation A-P

L2 Linker

Hi Guys,

We have to upgrade the firmware of our PA FWs in an Active-Passive cluster (it's the first time). I referred to some online documents to get familiar with the upgrade process, but all of them differ at certain steps (I mean they are not uniform). Requesting if anyone can share easy, effective, straightforward steps (preferably through the GUI).

Usually, what is the expected downtime for business-critical applications during the firmware update process on an Active-Passive setup?

 

Rgds

Jimmy


All Replies
L6 Presenter

Hi @Jimmy20,

You can refer to the article below for the best practices for Palo Alto HA upgrade. You can refer to the points

Pre and Post upgrade checklist, HA Firewall Upgrade Procedure

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK#anchor4

 

As you have HA firewalls, there shouldn't be downtime if HA failover works fine. I have done several upgrades to date, and with HA, when doing a failover, I have seen only a few drops (one or two) to the internet. So there shouldn't be downtime. Still, it is mandatory to do the firewall upgrade during a planned maintenance window to be on the safe side.

Also take care of a few more steps before the upgrade:

a. Take a configuration backup of both firewalls and save the file locally on your system before the upgrade.

b. Keep all the latest dynamic updates downloaded and installed on both firewalls.

Hope it helps!

Mayur S.
L2 Linker

Hi Mayur, so you are recommending starting the firmware upgrade from the Primary (Active) unit instead of starting from the Secondary?

Confirming, as most of the available docs suggest starting from the secondary unit. And how much time will the whole activity take to complete?

Rgds

L6 Presenter

@Jimmy20,

The only advantage you get if you upgrade the Primary unit first is

Your HA failover gets tested before proceeding with the upgrade. If you decide to upgrade the Primary unit first, then initially you need to do an HA failover so the secondary unit becomes active, if HA failover works fine. Then you can upgrade the primary unit, as it will be in the passive state post failover.

You should never upgrade the active-state unit directly in an Active-Passive setup. If you want to upgrade the unit which is in the active state at that time, first do an HA failover and then do the upgrade, so there won't be issues for the ongoing traffic...

Mayur S.
L2 Linker

Thanks Mayur..!

How much time does the firmware activity usually take to complete (active and passive both)?

I was checking something today related to "Link and Path Monitoring", which is for another activity: failover testing only.

The plan is to disconnect or disable the cable/interface from the switch end (any of the connected interfaces on the PA firewall). This is just to avoid any changes directly on the firewall (e.g. Suspend local device), as that would be a sort of manual failover.

For now, on our firewall the Link Group is enabled with "ANY" and Path Monitoring is also enabled with "ANY". Except for this, nothing is available under the Link Group (I mean interfaces).

Would like to know if both the mentioned options, which are enabled with ANY, will serve our purpose, or will something additional also need to be configured?

Rgds

L6 Presenter

@Jimmy20

For an HA setup upgrade, a 3-hour maintenance window is more than sufficient. Usually it should get completed within 2 hours, but having extra time is always good in case you come across any issues.

If you have failure condition 'ANY' for link and path monitoring, then if any interface goes down or any of the destinations mentioned under path monitoring goes down, it will trigger HA failover. So if you purposely bring any firewall interface down by any means, it will trigger failover and also serve your purpose.

Mayur S.

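The two rules from the replies above, written out as an added example (not code from the thread or from Palo Alto Networks): how a link/path group with failure condition ANY versus ALL decides that monitoring has failed, and the "never upgrade the active unit, fail over first" check. Group and interface names are constructed, and the assumption that a group with no members can never trigger failover follows the last reply's point that at least one configured group is needed.

```python
from dataclasses import dataclass, field


@dataclass
class MonitorGroup:
    """One link group or path group. failure_condition is 'any' or 'all',
    mirroring the Link/Path Monitoring failure-condition setting."""
    name: str
    failure_condition: str
    members_up: dict = field(default_factory=dict)  # interface/destination -> True if up

    def failed(self) -> bool:
        # Assumption: an empty group (no interfaces or destinations under it)
        # monitors nothing, so it can never be the reason for a failover.
        if not self.members_up:
            return False
        down = sum(1 for up in self.members_up.values() if not up)
        if self.failure_condition == "any":
            return down >= 1          # a single failed member is enough
        if self.failure_condition == "all":
            return down == len(self.members_up)  # every member must be down
        raise ValueError(f"unknown failure condition: {self.failure_condition!r}")


def failover_triggered(groups, monitoring_condition="any") -> bool:
    """Top-level Link/Path Monitoring condition applied across all groups."""
    failed = sum(1 for g in groups if g.failed())
    if monitoring_condition == "any":
        return failed >= 1
    return bool(groups) and failed == len(groups)


def safe_to_upgrade(local_state: str, peer_state: str, config_synced: bool):
    """Rule from the thread: upgrade a unit only while it is passive, with the
    peer active and the configuration synchronized; otherwise fail over first."""
    if local_state == "active":
        return False, "local unit is active: perform an HA failover first"
    if peer_state != "active":
        return False, f"peer is {peer_state!r}, not active: traffic would be interrupted"
    if not config_synced:
        return False, "running config is not synchronized with the peer"
    return True, "local unit is passive and peer is active: safe to upgrade"


if __name__ == "__main__":
    # Constructed scenario: link group with failure condition ANY, one of two uplinks down.
    uplinks = MonitorGroup("uplinks", "any", {"ethernet1/1": True, "ethernet1/2": False})
    print(uplinks.failed(), failover_triggered([uplinks]))   # True True
    print(safe_to_upgrade("active", "passive", True))        # (False, '...failover first')
```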
L2 Linker

Hi Mayur,

Just captured a screenshot of the Link & Path Monitoring configuration that we have enabled this time.

Will this be sufficient to trigger failover to the passive unit if we disconnect/disable any of the directly connected interfaces on the Active firewall unit?

Thought to ask here to avoid any understanding gap.

[Screenshot: Link and Path Monitoring configuration]

L6 Presenter

@Jimmy20

You need to configure at least one Link Group and Path Group for link and path monitoring, respectively. You can also have multiple link and path groups.

Under a Link Group, you can select all interfaces or specific interfaces for monitoring.

Mayur S.