07-20-2016 03:07 AM
Hi,
I'm going to upgrade a PANOS 5.0.14 to version 7.1.
As I understand, the correct sequence is:
Update PAN-OS 5.0.14 to 7.1.x:
Download 6.0.0
Download + install latest 6.0.x release (reboot)
Download 6.1.0
Download+Install latest 6.1.x release (reboot)
Download 7.0.1
Download + install latest 7.0.x release (reboot)
Download 7.1.0
Download + Install latest 7.1.x release (reboot)
It's pretty straightforward to do this on a single device, but when you do this in an HA setup, is it a good idea to update 1 device to 7.1 while the other trails behind on version 5? Won't that create issues?
Or do I need to get primary and secondary to the same major version so there isn't a large difference between them?
F.e.: Get both from version 5 to 6 before carrying on to version 7,...
Thanks for your help
Tim Schepers
07-20-2016 04:26 AM - edited 07-20-2016 04:26 AM
Hi,
To be on the safe site, just do in stages. HA passive first>reboot>suspend Active>upgrade>Reboot. Advice to disable "preemption" while doing an upgrade.
Thx
07-20-2016 04:41 AM
Thanks for your reply. Exactly what I was thinking. 'Just to be safe'. Since HA can be very sensitive to version differences.
But there has to be some sort of official Palo Alto recommendation for situation like this, right?
So my upgrade path would now become something like this:
download 6.0 on both devices
Suspend Primary and upgrade to 6.0.X
Suspend secondary and upgrade to 6.0.X
Suspend Primary and upgrade to 6.1.X
Suspend Secondary....
07-20-2016 05:17 AM
Hi,
Please see below:
Thx
05-13-2019 03:21 AM - edited 05-13-2019 03:25 AM
Hello everyone,
I'm resuming this old thread instead of opening a new one.
After reading the best practices, knowledge base and hearing from some support engineers, I think the recommended way to upgrade a HA pair (active/passive) should be as follows. I will use the same terminology used in this document:
Terminology
Active firewall | The firewall in an HA cluster that's passing traffic |
Passive firewall | The firewall in an HA cluster that's not passing traffic |
Primary firewall | The firewall in an HA cluster that's usually the active firewall |
Secondary firewall | The firewall in an HA cluster that's usually the passive firewall |
In the example I will upgrade a HA pair from 7.0.6 to 7.1.23
I know there are some extra-steps, and some support engineers say that we can upgrade from 7.0.6 straight to 7.1.23, but this document states that if you are running PAN-OS version older than 7.0.9 you should install the 7.0.9 or later release first. As per best practice, I always install the latest maintenance release before jumping to the next feature release.
What do you think about it?
Regards
05-13-2019 03:55 AM
@grenzi: yeah, that way looks good.
I would not recommend preemption in general, because you can get problems in case you have a link-flapping situation.
Please note, that a failover will cause minimal disruption (no up to 3 ping losses) depending on your environment.
That shouldn't be a problem at all, but if you are using highly sensitive network applications like a bad configured SAP, you may have session losses - as I said: shouldn't be a problem with most environment, but you cannot preclude that.
05-13-2019 04:11 AM
Thanks @Chacko42
I never had an issue with the environments I usually manage. My biggest concerns are about multiple VPN tunnels terminating on the firewalls, but the support engineers ensure that VPN traffic will be preserved during the upgrade.
05-13-2019 04:32 AM
@grenzi: Right, the SAs are included in the session synced
05-29-2019 06:45 AM
@grenzi wrote:
- download PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;
It seems that on PA-3000 series you have to install the base image too (without reboot) prior to install the 7.1.23 version.
06-03-2019 08:04 AM - edited 06-03-2019 08:05 AM
There is no need to suspend the "active" firewall. Installing on the "passive" firewall first reduces the number of failover events. Yes, you can install the latest image of the code train as long at the base x.x.0 image is downloaded to the firewall first. It's best to run the latest recommended version of your code train before jumping.
Here is my recommendation for the fewest failover events (ditch preemption and don't fixate on a "primary" firewall)
*5.0 so old you might want to verify versions jumps
*Always read HA version compatibility notes before large version hops
*Make sure to update threat prevention/wildfire/etc before upgrades (read the release notes)
1. Download 6.0.0 and latest 6.0.x to both devices (deviceA deviceB)
2. Install latest 6.0.x on PASSIVE deviceB
3. Failover to PASSIVE deviceB
4. Install latest 6.0.x on PASSIVE deviceA
5. Download 7.0.0 and latest 7.0.x to both devices (deviceA deviceB)
6. Install latest 7.0.x on PASSIVE deviceA
7. Failover to PASSIVE deviceA
8. Install latest 7.0.x on PASSIVE deviceB
9. Download 7.1.0 and latest 7.0.x to both devices (deviceA deviceB)
10. Install latest 7.1.x on PASSIVE deviceB
11. Failover to PASSIVE deviceB
12. Install latest 7.1.x on PASSIVE deviceA
... wash, rinse, repeat for 8.0/8.1/9.0
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
