01-31-2018 08:29 AM
Hey PA Gurus! I have a question I haven't really seen on the KBs and documentation on HA upgrades, and wanted to get some insight.
I currently have a pair of PA-3050s we're looking to upgrade, and I've reviewed the docs on the recommended procedures here:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgra...
and here:
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
In this case, we are upgrading from 7.0.11 to 8.0.5. We did a successful upgrade on this on a stand-alone firewall last week without any issues.
My question is, when you upgrade a system in an HA Pair where you need to do it in stages, how can you specify which firewall you want to upgrade? I understand the instructions, but they don't seem to specify this item. For example:
PA-1 (current primary)
PA-2 (current backup)
disable pre-empt
suspend local device (either with CLI or GUI steps)
My question comes in at this point - As the firewall will now fail over to the backup device, and each FW does not have its own individual IP to log into (as compared to VRRP style failover setups, or other A/P designs where each device has its own IP), how can you clearly specify that you want to upgrade, reboot, upgrade again, reboot, just PA-1?
I am likely just missing something right in front of my face on this, but I'd rather ask and find out I'm blind, than charge ahead and hope it just 'works'.
Any assistance would be greatly appreciated!
01-31-2018 09:28 AM
You would only see the one IP address since you are only looking at the active firewall's configuration. If you were to console into the other device there should be another management IP address present that is different from the one you just looked at.
01-31-2018 08:46 AM
Is there a reason that you don't have individual IPs assigned to the management interface on the firewalls? That would really be the proper way of doing things without having to console into both devices.
01-31-2018 09:15 AM
Hey there -
I'm new to the environment where these are (also been a bit since I managed PAN FWs). If they do have individual IPs, where would they be set so I can confirm?
and in the off chance that they don't have, would I just need to upgrade them each individually and fail them over on reboot, and hope things work? 🙂 (trying to be a bit more cautious than that)
01-31-2018 09:19 AM
It would be under Device > Setup and then under the 'Interfaces' tab you should have a listing for 'Management'. If they don't have individual IP addresses then the only device that you could work on without plugging into the console cable would be the active device. I would recommend simply configuring the management interfaces with unique IPs before you perform the update.
01-31-2018 09:25 AM
Looking at the section for Device > Setup, the Management interface only has one IP address listed. Checking through the CLI under the 'deviceconfig' tree, that's also showing only one management IP. The only other IPs (aside from gateway, DNS servers, NTP) are the HA IPs (which use 1.1.1.1 and 1.1.1.2 for the peering IPs), nothing to distinguish the FWs from each other.
01-31-2018 09:36 AM
So, it looks like the answer is I'll need to go on-site and console into both and get the deviceconfig sections to get the IPs?
01-31-2018 09:50 AM
Also, as I'm on 7.0.11 on this HA Pair, there's not an interfaces tab under Device > Setup 🙂
01-31-2018 09:57 AM
So big thank you, I actually figured it out - because I couldn't see a 2nd IP, I wasn't sure one was configured, but after trying the next sequential IP after the primary, I was able to get logged into the secondary FW's management IP - I was just confused since it didn't reference that at ALL anywhere in the setup/config.
Thanks for the help, much appreciated!
01-31-2018 12:22 PM - edited 01-31-2018 12:23 PM
@JohPalmer FYI if you plan on being able to synchronize between the two firewalls you will need to move them both to 7.1.x before upgrading them to 8.0.x. They will not synchronize 2 revisions down, only 1. We asked support about this and that is what they told us.
Your path should be 7.0.11 -> 7.1.0 -> 8.0.0 -> 8.0.5 (we were recommended by our SEs to go to 8.0.7, Panorama has not had a problem with this but we have not moved our firewalls yet.).
Brian
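The one-feature-release-apart sync rule and the staged path Brian describes, as an added example (not code from the thread or from Palo Alto Networks): a small Python planner that lists the images to install and checks after each step that the peer still on the older release can synchronize with the one just upgraded. The ordered list of feature releases, and the rule that each feature release's base image is installed before a later maintenance release, are assumptions of this example.

```python
from __future__ import annotations

# Ordered feature releases the planner walks; assumed for this example,
# extend it to match the release train you actually run.
FEATURE_RELEASES = ["7.0", "7.1", "8.0"]

def parse_version(v: str) -> tuple[int, int, int]:
    """'8.0.5' -> (8, 0, 5); '8.0' -> (8, 0, 0)."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, maint = parts[:3]
    return major, minor, maint

def feature_index(v: str) -> int:
    """Position of a version's feature release (major.minor) in the train."""
    major, minor, _ = parse_version(v)
    key = f"{major}.{minor}"
    if key not in FEATURE_RELEASES:
        raise ValueError(f"unknown feature release {key}")
    return FEATURE_RELEASES.index(key)

def peers_can_sync(active: str, passive: str) -> bool:
    """True when the two HA peers are at most one feature release apart."""
    return abs(feature_index(active) - feature_index(passive)) <= 1

def upgrade_path(current: str, target: str) -> list[str]:
    """Images to install in order: the base image of every intermediate
    feature release, then the target maintenance release, so
    7.0.11 -> 8.0.5 yields ['7.1.0', '8.0.0', '8.0.5']."""
    start, end = feature_index(current), feature_index(target)
    if end < start:
        raise ValueError("downgrade paths are not planned here")
    path = [f"{FEATURE_RELEASES[i]}.0" for i in range(start + 1, end + 1)]
    if parse_version(target)[2] != 0 or end == start:
        path.append(target)
    return path

def staged_pair_plan(current: str, target: str) -> list[tuple[str, str]]:
    """Walk the pair one image at a time; each tuple is (version of the
    peer just upgraded, version of the peer still waiting its turn)."""
    plan = []
    other = current
    for image in upgrade_path(current, target):
        if not peers_can_sync(image, other):
            raise ValueError(f"{other} cannot sync with {image}; add a step")
        plan.append((image, other))
        other = image
    return plan
```

`staged_pair_plan("7.0.11", "8.0.5")` walks the thread's case and raises if any step would leave the two peers more than one feature release apart.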
01-31-2018 12:43 PM
Good information to have actually. I may need to update our plan to move up versions to 7.1, test, then move up to 8.0 and test, then jump to the final.
01-31-2018 12:58 PM
Supposedly with the active on 7.1.x and the passive on 8.0.x you can tell them to fail over and the passive will pick up without any problems.