I'm going to upgrade PAN-OS 5.0.14 to version 7.1.
As I understand, the correct sequence is:
Update PAN-OS 5.0.14 to 7.1.x:
Download + install latest 6.0.x release (reboot)
Download + install latest 6.1.x release (reboot)
Download + install latest 7.0.x release (reboot)
Download + install latest 7.1.x release (reboot)
It's pretty straightforward to do this on a single device, but when you do this in an HA setup, is it a good idea to update 1 device to 7.1 while the other trails behind on version 5? Won't that create issues?
Or do I need to get primary and secondary to the same major version so there isn't a large difference between them?
E.g.: get both from version 5 to 6 before carrying on to version 7, ...
Thanks for your help
To be on the safe side, just do it in stages: HA passive first > reboot > suspend active > upgrade > reboot. I advise disabling "preemption" while doing an upgrade.
Thanks for your reply. Exactly what I was thinking. 'Just to be safe'. Since HA can be very sensitive to version differences.
But there has to be some sort of official Palo Alto recommendation for situations like this, right?
So my upgrade path would now become something like this:
download 6.0 on both devices
Suspend Primary and upgrade to 6.0.X
Suspend secondary and upgrade to 6.0.X
Suspend Primary and upgrade to 6.1.X
I'm resuming this old thread instead of opening a new one.
After reading the best practices, the knowledge base and hearing from some support engineers, I think the recommended way to upgrade an HA pair (active/passive) should be as follows. I will use the same terminology used in this document:
The firewall in an HA cluster that's passing traffic
The firewall in an HA cluster that's not passing traffic
The firewall in an HA cluster that's usually the active firewall
The firewall in an HA cluster that's usually the passive firewall
In the example I will upgrade an HA pair from 7.0.6 to 7.1.23.
I know there are some extra steps, and some support engineers say that we can upgrade from 7.0.6 straight to 7.1.23, but this document states that if you are running a PAN-OS version older than 7.0.9 you should install the 7.0.9 or later release first. As per best practice, I always install the latest maintenance release before jumping to the next feature release.
What do you think about it?
@grenzi: yeah, that way looks good.
I would not recommend preemption in general, because you can get problems in case you have a link-flapping situation.
Please note that a failover will cause minimal disruption (up to 3 ping losses) depending on your environment.
That shouldn't be a problem at all, but if you are using highly sensitive network applications like a badly configured SAP, you may have session losses - as I said: shouldn't be a problem with most environments, but you cannot preclude that.
I never had an issue with the environments I usually manage. My biggest concerns are about multiple VPN tunnels terminating on the firewalls, but the support engineers assure me that VPN traffic will be preserved during the upgrade.
- download the PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;
It seems that on the PA-3000 series you have to install the base image too (without reboot) prior to installing the 7.1.23 version.
There is no need to suspend the "active" firewall. Installing on the "passive" firewall first reduces the number of failover events. Yes, you can install the latest image of the code train as long as the base x.x.0 image is downloaded to the firewall first. It's best to run the latest recommended version of your code train before jumping.
Here is my recommendation for the fewest failover events (ditch preemption and don't fixate on a "primary" firewall).
* 5.0 is so old you might want to verify version jumps
* Always read HA version compatibility notes before large version hops
* Make sure to update threat prevention/WildFire/etc. before upgrades (read the release notes)
1. Download 6.0.0 and latest 6.0.x to both devices (deviceA deviceB)
2. Install latest 6.0.x on PASSIVE deviceB
3. Failover to PASSIVE deviceB
4. Install latest 6.0.x on PASSIVE deviceA
5. Download 7.0.0 and latest 7.0.x to both devices (deviceA deviceB)
6. Install latest 7.0.x on PASSIVE deviceA
7. Failover to PASSIVE deviceA
8. Install latest 7.0.x on PASSIVE deviceB
9. Download 7.1.0 and latest 7.0.x to both devices (deviceA deviceB)
10. Install latest 7.1.x on PASSIVE deviceB
11. Failover to PASSIVE deviceB
12. Install latest 7.1.x on PASSIVE deviceA
... wash, rinse, repeat for 8.0/8.1/9.0
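To make the alternating passive-install / failover sequence above checkable before touching a pair, here is an added example (my own script, not the thread's or Palo Alto's tooling) that plans the path for a given running version and target feature release. It assumes preemption is disabled so each failover sticks, and the maintenance versions in LATEST_MAINT are constructed sample values apart from 5.0.14, 7.0.9 and 7.1.23, which the thread mentions; it also applies the "finish the current train first" rule (7.0.6 to 7.0.9 before 7.1) generally.

```python
# Added example, not the thread's own tooling: plan the "fewest failovers" HA
# upgrade path. For each feature release on the way to the target it downloads
# the base image plus the latest maintenance release to both peers, installs on
# the passive peer, fails over, then installs on the other (now passive) peer.
# LATEST_MAINT holds constructed sample versions except 5.0.14, 7.0.9, 7.1.23.
FEATURE_TRAIN = ["5.0", "6.0", "6.1", "7.0", "7.1"]
LATEST_MAINT = {"5.0": "5.0.14", "6.0": "6.0.15", "6.1": "6.1.22",
                "7.0": "7.0.9", "7.1": "7.1.23"}  # sample values, see above


def vtuple(version):
    """'7.0.9' -> (7, 0, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def feature_of(version):
    """'7.0.6' -> '7.0' (the feature release / code train)."""
    return ".".join(version.split(".")[:2])


def plan_ha_upgrade(running, target_feature, latest=LATEST_MAINT,
                    active="fwA", passive="fwB"):
    """Return the ordered step list. Peers are tracked by current HA role, not
    as primary/secondary; preemption is assumed disabled so a failover holds."""
    cur = feature_of(running)
    if cur not in FEATURE_TRAIN or target_feature not in FEATURE_TRAIN:
        raise ValueError("unknown feature release")
    start, end = FEATURE_TRAIN.index(cur), FEATURE_TRAIN.index(target_feature)
    if end < start:
        raise ValueError("downgrades are not planned here")
    steps = []

    def roll(feature, image, need_base):
        nonlocal active, passive
        base = f"{feature}.0 base image (download only) and " if need_base else ""
        steps.append(f"Download {base}{image} to {active} and {passive}")
        steps.append(f"Install {image} on passive {passive} and reboot")
        steps.append(f"Fail over: {passive} becomes active, {active} passive")
        active, passive = passive, active
        steps.append(f"Install {image} on passive {passive} and reboot")

    # Finish the current train first (the thread's 7.0.6 -> 7.0.9 rule, applied
    # generally): only jump to the next train from its latest maintenance release.
    if vtuple(running) < vtuple(latest[cur]):
        roll(cur, latest[cur], need_base=False)
    for feature in FEATURE_TRAIN[start + 1:end + 1]:
        roll(feature, latest[feature], need_base=True)
    return steps
```

Running plan_ha_upgrade("5.0.14", "7.1") yields the 16 steps of the list above (four trains, four steps each), with the active role ending back on fwA.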