General question to software updates of Palo Alto Firewalls


L4 Transporter

Hey guys,

 

I have two PA-3020 firewalls with 7.0.7 installed.

 

I want to upgrade to a version of 7.1

 

Since I have never made an update before, I'm a bit worried about it.

 

How do you perform updates?

 

Can I just pick the latest version (currently 7.1.7) and install it?

 

Or is there like in Cisco a page showing a suggested version?

 

Or can I install every version without having concerns?

 

I already checked the minimum supported versions of User-ID Agent, GP and Content Release. These are fine.

Community Team Member

Hi @MPI-AE,

 

You can't go directly to 7.1.7.

 

You need to download the 7.1 base first (no need to install it ... just download it to your device).

Once you have downloaded it you can move forward and download+install the 7.1.7 version.

 

You have 2 PA-3020.  Are they set up in HA ?

In that case you might want to check out the following article :

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-upgrade-a-High-Availability-HA-pair/...

 

Cheers !

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi

 

ah okay, good to know!

 

Yes, I have an active-passive cluster, thanks for the link.

 

But my question is:

 

Is there a recommended version?

 

What version would you recommend to install?

 

Can there be any problems upgrading from my current version to a version of 7.1.x ?

Community Team Member

Hi,

 

@MPI-AE,

 

Different branches have different recommended versions.

 

In the 7.0 branch, the recommended release is PAN-OS 7.0.12

In the 7.1 branch, the recommended release is PAN-OS 7.1.7

 

Cheers !

-Kim.


Hi @kiwi

 

 

I have an active/backup cluster of two PA-3020.

 

Is it possible to run both firewalls with a different software version?

 

My intention is to upgrade only my active firewall first and test everything.

 

And maybe one day later upgrade the second one (if everything works fine)

 

Is this doable or are there HA issues because of different software versions?

 

 

Because what do I have to do if I have to undo the software upgrade?

Community Team Member

Hi @MPI-AE,

 

Yes, you can upgrade just one unit.

 

If you have session synchronization enabled, this will continue to function during the upgrade process as long as you are upgrading from one feature release to the next consecutive feature release, PAN-OS 7.0.x to PAN-OS 7.1 in this case.

 

 

If you encounter an issue and decide to revert back you can execute order 66 !!

Just kidding ... '> debug swm revert' will reboot your FW and revert back to the last successfully installed software.

 

Cheers !

-Kim.

 

 


L3 Networker

@kiwi

 

Hi Kim!

 

So would that be an appropriate procedure:

 

I disable preemption on both firewalls.

 

I update my active firewall to 7.1.7 and do a reboot.

 

My passive 7.0.7 firewall becomes the active one.

 

My 7.1.7 firewall is again up, but is still passive.

 

So I just do a reboot on my 7.0.7 firewall so that my 7.1.7 becomes again the active one.

 

 

PS: Or is there a command to manually make one firewall active?

The command via SSH to initiate a failover is 'request high-availability state suspend'; running it from the active firewall will bring your passive unit to active status. During the upgrade I would recommend updating whatever unit is active, fully upgrading to 7.1.7, then manually do the failover from your active unit making the newly updated 7.1.7 the active firewall.

 

I would never try to process an upgrade on the active unit while it's still processing traffic if you have an active-passive HA setup. Just upgrade your passive unit that isn't handling any traffic, so if for some reason the update bombs out, traffic is never interrupted and you can guarantee that the updated unit has returned to normal operations before kicking traffic to it.
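
The upgrade order discussed in this thread (download the base image, install the target release, upgrade the passive unit first, then fail over), as an added example that is not part of any post above. The `FEATURE_RELEASES` list and the role labels are assumptions of this sketch, and the `request system software`, `request restart system`, `show high-availability state` and `state functional` commands are not quoted in the thread, so check them against the CLI reference for your release.

```python
import re

# Assumption: ordered PAN-OS feature releases; the thread itself names only 7.0 and 7.1.
FEATURE_RELEASES = ["6.1", "7.0", "7.1", "8.0"]
ROLLBACK = "debug swm revert"  # from the thread: reboots into the last good install


def parse(version):
    """Split 'x.y.z' into (feature release 'x.y', maintenance number z)."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)", version)
    if not m or m.group(1) not in FEATURE_RELEASES:
        raise ValueError(f"unsupported version string: {version!r}")
    return m.group(1), int(m.group(2))


def session_sync_preserved(current, target):
    """True when the jump stays in one feature release or moves to the next one."""
    hop = FEATURE_RELEASES.index(parse(target)[0]) - FEATURE_RELEASES.index(parse(current)[0])
    return hop in (0, 1)


def software_steps(current, target):
    """CLI steps for one firewall: base image is downloaded only, target is installed."""
    (cur_rel, cur_maint), (tgt_rel, tgt_maint) = parse(current), parse(target)
    if not session_sync_preserved(current, target):
        raise ValueError("only the same or the next feature release is planned here")
    if cur_rel == tgt_rel and tgt_maint <= cur_maint:
        raise ValueError("target is not newer than current")
    steps = []
    if cur_rel != tgt_rel and tgt_maint != 0:
        steps.append(f"request system software download version {tgt_rel}.0")
    steps += [
        f"request system software download version {target}",
        f"request system software install version {target}",
        "request restart system",
    ]
    return steps


def ha_plan(current, target):
    """Order for an active/passive pair: passive first, verify, then fail over."""
    unit = software_steps(current, target)
    plan = [("passive", cmd) for cmd in unit]
    plan.append(("passive", "show high-availability state"))  # confirm it rejoined HA
    plan.append(("active", "request high-availability state suspend"))  # fail over
    plan += [("suspended", cmd) for cmd in unit]
    plan.append(("suspended", "request high-availability state functional"))
    return plan
```
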
