HA cluster interoperability between PANOS version 5 and version 6

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA cluster interoperability between PANOS version 5 and version 6

L4 Transporter

Hello

the migation between a PANOS version 5 to PANOS version 6.

is it supported without service interruption.

we will have to migrate all the cluster firewall in on shot. to minimize the interruption time frame. or another solution exist?

regard's

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Sir,

You have to follow the DOC- to upgrade the HA pair from 5.0.x to 6.0.x version.

How to Upgrade an High Availability (HA) Pair

How to Upgrade PAN-OS and Panorama

Ideally there should not be any service interruption  but as a safer side you should take a maintenance window for the same.

But there are few new features has been introduced on PAN-OS version 6.0.0 onward for HA:

In v6.0, enhancements have been made to assure that existing sessions can be synchronized to a peer device, despite their being an OS mismatch/device running a newer major/minor version of code.

When you will upgrades one firewall in an HA pair from one major/minor version to the next, sessions are not synchronized. Without session synchronization, they are forced to compromise security by permitting non-syn-tcp. It can be difficult/impossible to determine how long this setting must be enabled when long-lived sessions exist. If you are not willing or able to sacrifice security, you are forced to take an outage which can have a monetary value attached due to missed SLA’s or even more severe, placing patient lives at risk in environments such as Hospitals where hiccups in uptime/accessibility to patient records, etc... is simply not an option. In v6.0, we have developed a session synchronization format and other runtime object synchronization mechanisms to ensure that an existing session can be synchronized to a peer device running a newer major/minor version of code.  This is supported in both Active/Passive as well as Active/Active HA Configurations.


Hope this helps.


Thanks

View solution in original post

3 REPLIES 3

L7 Applicator

Hello Sir,

You have to follow the DOC- to upgrade the HA pair from 5.0.x to 6.0.x version.

How to Upgrade an High Availability (HA) Pair

How to Upgrade PAN-OS and Panorama

Ideally there should not be any service interruption  but as a safer side you should take a maintenance window for the same.

But there are few new features has been introduced on PAN-OS version 6.0.0 onward for HA:

In v6.0, enhancements have been made to assure that existing sessions can be synchronized to a peer device, despite their being an OS mismatch/device running a newer major/minor version of code.

When you will upgrades one firewall in an HA pair from one major/minor version to the next, sessions are not synchronized. Without session synchronization, they are forced to compromise security by permitting non-syn-tcp. It can be difficult/impossible to determine how long this setting must be enabled when long-lived sessions exist. If you are not willing or able to sacrifice security, you are forced to take an outage which can have a monetary value attached due to missed SLA’s or even more severe, placing patient lives at risk in environments such as Hospitals where hiccups in uptime/accessibility to patient records, etc... is simply not an option. In v6.0, we have developed a session synchronization format and other runtime object synchronization mechanisms to ensure that an existing session can be synchronized to a peer device running a newer major/minor version of code.  This is supported in both Active/Passive as well as Active/Active HA Configurations.


Hope this helps.


Thanks

L7 Applicator

I have successfully upgraded HA pairs without service interruption.  But we do always schedule in a maintenance window for safety sake.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you for this information

  • 1 accepted solution
  • 2618 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!