02-06-2017 12:26 AM - edited 02-06-2017 12:27 AM
Hey guys,
I have two PA-3020 firewalls with 7.0.7 installed.
I want to upgrade to a version of 7.1
Since I have never made an update before, I'm a bit worried about it.
How do you perform updates?
Can I just pick the latest version (currently 7.1.7) and install it?
Or is there like in Cisco a page showing a suggested version?
Or can I install every version without having concerns?
I already checked the minimum supported versions of User-ID Agent, GP and Content Release. These are fine.
02-06-2017 12:50 AM
Hi @MPI-AE,
You can't go directly to 7.1.7.
You need to download the 7.1 base first (no need to install it ... just download it to your device).
Once you have downloaded it you can move forward and download+install the 7.1.7 version.
You have 2 PA-3020. Are they set up in HA?
In that case you might want to check out the following article:
Cheers !
-Kim.
02-06-2017 12:56 AM
Hi @kiwi
ah okay, good to know!
Yes, I have an active-passive cluster, thanks for the link.
But my question is:
Is there a recommended version?
What version would you recommend to install?
Can there be any problems upgrading from my current version to a version of 7.1.x ?
02-06-2017 01:06 AM
Hi,
Different branches have different recommended versions.
In the 7.0 branch, the recommended release is PAN-OS 7.0.12
In the 7.1 branch, the recommended release is PAN-OS 7.1.7
Cheers !
-Kim.
02-06-2017 05:59 AM
Hi @kiwi
I have an active/backup cluster of two PA-3020.
Is it possible to run both firewalls with a different software version?
My intention is to upgrade only my active firewall first and test everything.
And maybe one day later upgrade the second one (if everything works fine)
Is this doable or are there HA issues because of different software versions?
Because what do I have to do if I have to undo the software upgrade?
02-06-2017 06:18 AM
Hi @MPI-AE,
Yes, you can upgrade just one unit.
If you have session synchronization enabled, this will continue to function during the upgrade process as long as you are upgrading from one feature release to the next consecutive feature release, PAN-OS 7.0.x to PAN-OS 7.1 in this case.
If you encounter an issue and decide to revert back you can execute order 66 !!
Just kidding ... '> debug swm revert' will reboot your FW and revert back to the last successfully installed software.
Cheers !
-Kim.
02-06-2017 06:40 AM - edited 02-06-2017 06:41 AM
You can check here for PAN OS versions with critical issues:
02-06-2017 06:49 AM - edited 02-06-2017 07:02 AM
Hi Kim!
So would that be an appropriate procedure:
I disable preemption on both firewalls.
I update my active firewall to 7.1.7 and do a reboot.
My passive 7.0.7 firewall gets the active one.
My 7.1.7 firewall is again up, but is still passive.
So I just do a reboot on my 7.0.7 firewall so that my 7.1.7 becomes again the active one.
PS: Or is there a command to manually make one firewall active?
02-06-2017 11:48 AM
The command via SSH to initiate a failover is 'request high-availability state suspend'; running it from the active firewall will bring your passive unit to active status. During the upgrade I would recommend updating whatever unit is active, fully upgrading to 7.1.7, then manually do the failover from your active unit, making the newly updated 7.1.7 the active firewall.
I would never try to process an upgrade on the active unit while it's still processing traffic if you have an active-passive HA setup. Just upgrade your passive unit that isn't handling any traffic, so if for some reason the update bombs out, traffic is never interrupted and you can guarantee that the updated unit has returned to normal operations before kicking traffic to it.