Hey PA Gurus! I have a question I haven't really seen on the KBs and documentation on HA upgrades, and wanted to get some insight.
I currently have a pair of PA-3050s we're looking to upgrade, and I've reviewed the docs on the recommended procedures here:
In this case, we are upgrading from 7.0.11 to 8.0.5. We did a successful upgrade on this on a stand-alone firewall last week without any issues.
My question is, when you upgrade a system in an HA Pair where you need to do it in stages, how can you specify which firewall you want to upgrade? I understand the instructions, but they don't seem to specify this item. For example:
PA-1 (current primary)
PA-2 (current backup)
suspend local device (either with CLI or GUI steps)
My question comes in at this point - As the firewall will now fail over to the backup device, and each FW does not have its own individual IP to log into (as compared to VRRP-style failover setups, or other A/P designs where each device has its own IP), how can you clearly specify that you want to upgrade, reboot, upgrade again, reboot, just PA-1?
I am likely just missing something right in front of my face on this, but I'd rather ask and find out I'm blind, than charge ahead and hope it just 'works'.
Any assistance would be greatly appreciated!
Hey there -
I'm new to the environment where these are (also been a bit since I managed PAN FWs). If they do have individual IPs, where would they be set so I can confirm?
And on the off chance that they don't have them, would I just need to upgrade them each individually and fail them over on reboot, and hope things work? 🙂 (trying to be a bit more cautious than that)
It would be under Device > Setup and then under the 'Interfaces' tab you should have a listing for 'Management'. If they don't have individual IP addresses then the only device that you could work on without plugging into the console cable would be the active device. I would recommend simply configuring the management interfaces with unique IPs before you perform the update.
Looking at the section for Device > Setup, the Management interface only has one IP address listed. Checking through the CLI under the 'deviceconfig' tree, that's also showing only one management IP. The only other IPs (aside from gateway, DNS servers, NTP) are the HA IPs (which use 188.8.131.52 and 184.108.40.206 for the peering IPs), nothing to distinguish the FWs from each other.
So big thank you, I actually figured it out - because I couldn't see a 2nd IP, I wasn't sure one was configured, but after trying the next sequential IP after the primary, I was able to get logged into the secondary FW's management IP - I was just confused since it didn't reference that at ALL anywhere in the setup/config.
Thanks for the help, much appreciated!
@JohPalmer FYI if you plan on being able to synchronize between the two firewalls you will need to move them both to 7.1.x before upgrading them to 8.0.x. They will not synchronize 2 revisions down, only 1. We asked support about this and that is what they told us.
Your path should be 7.0.11 -> 7.1.0 -> 8.0.0 -> 8.0.5 (we were recommended by our SEs to go to 8.0.7; Panorama has not had a problem with this, but we have not moved our firewalls yet).