02-21-2014 01:36 AM
Hello
Is the migration from PAN-OS version 5 to PAN-OS version 6 supported without service interruption?
Will we have to migrate all the cluster firewalls in one shot to minimize the interruption time frame, or does another solution exist?
Regards
02-21-2014 01:57 AM
Hello Sir,
You have to follow the DOC- to upgrade the HA pair from 5.0.x to 6.0.x version.
How to Upgrade an High Availability (HA) Pair
How to Upgrade PAN-OS and Panorama
Ideally there should not be any service interruption, but to be on the safe side you should take a maintenance window for the same.
But a few new features have been introduced in PAN-OS version 6.0.0 onward for HA:
In v6.0, enhancements have been made to ensure that existing sessions can be synchronized to a peer device, despite there being an OS mismatch/device running a newer major/minor version of code.
When you upgrade one firewall in an HA pair from one major/minor version to the next, sessions are not synchronized. Without session synchronization, they are forced to compromise security by permitting non-syn-tcp. It can be difficult/impossible to determine how long this setting must be enabled when long-lived sessions exist. If you are not willing or able to sacrifice security, you are forced to take an outage, which can have a monetary value attached due to missed SLAs or, even more severe, place patient lives at risk in environments such as hospitals, where hiccups in uptime/accessibility to patient records, etc. are simply not an option. In v6.0, we have developed a session synchronization format and other runtime object synchronization mechanisms to ensure that an existing session can be synchronized to a peer device running a newer major/minor version of code. This is supported in both Active/Passive and Active/Active HA configurations.
Hope this helps.
Thanks
02-21-2014 05:46 AM
I have successfully upgraded HA pairs without service interruption. But we always schedule a maintenance window for safety's sake.
02-21-2014 08:11 AM
Thank you for this information