We have PA-820 deployed in Active-Passive HA mode running PAN-OS 8.0. Today I received a notification that PAN-OS 8.0 will be End of Life on 31st Oct 2019. Hence I have to upgrade the PAN-OS of both firewalls. Preemption is enabled on both firewalls. Please share the procedure / best practices for upgrading the OS in HA (Active-Passive) with no traffic outage.
I manage an active/standby pair of PA-5220. Priority is 102 on standby and 101 on active, preemption and config sync enabled.
This is what I do:
- upgrade standby to new release
- let it run (as a standby) for a couple of hours
- set standby priority to 100, to switch roles with preemption
- let it run as active for some hours
- upgrade formerly active firewall to new release
- another couple of hours of monitoring...
- switch back priority to 102, to revert firewalls to original roles
I find this procedure to be "smoother" on clients than the standard/recommended one, which says to suspend the active to force failover. This might be due to my network topology, anyway, which combines OSPF and a lack of pre-negotiation mechanisms. We are working on that.
Of course you can cut it shorter on monitoring, esp. when the minor release is high and you can trust PAN-OS review a bit more (e.g. 8.1.9 to 8.1.10). I only "move" between preferred releases.