Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Upgrading HA setup in large steps

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Upgrading HA setup in large steps

L1 Bithead

Hi,

I'm going to upgrade a PANOS 5.0.14 to version 7.1.

As I understand, the correct sequence is:
Update PAN-OS 5.0.14 to 7.1.x:
Download 6.0.0
Download + install latest 6.0.x release (reboot)
Download 6.1.0
Download+Install latest 6.1.x release (reboot)
Download 7.0.1
Download + install latest 7.0.x release (reboot)
Download 7.1.0
Download + Install latest 7.1.x release (reboot)

It's pretty straightforward to do this on a single device, but when you do this in an HA setup, is it a good idea to update 1 device to 7.1 while the other trails behind on version 5? Won't that create issues?
Or do I need to get primary and secondary to the same major version so there isn't a large difference between them?

F.e.: Get both from version 5 to 6 before carrying on to version 7,...

Thanks for your help

Tim Schepers

9 REPLIES 9

L6 Presenter

Hi, 

 

To be on the safe site, just do in stages. HA passive first>reboot>suspend Active>upgrade>Reboot. Advice to disable "preemption" while doing an upgrade.

 

Thx

Thanks for your reply. Exactly what I was thinking. 'Just to be safe'. Since HA can be very sensitive to version differences.
But there has to be some sort of official Palo Alto recommendation for situation like this, right?

So my upgrade path would now become something like this:
download 6.0 on both devices
Suspend Primary and upgrade to 6.0.X
Suspend secondary and upgrade to 6.0.X
Suspend Primary and upgrade to 6.1.X
Suspend Secondary....

Hello everyone,

 

  I'm resuming this old thread instead of opening a new one.

 

After reading the best practices, knowledge base and hearing from some support engineers, I think the recommended way to upgrade a HA pair (active/passive) should be as follows. I will use the same terminology used in this document

 

Terminology

Active firewall

The firewall in an HA cluster that's passing traffic

Passive firewall

The firewall in an HA cluster that's not passing traffic

Primary firewall

The firewall in an HA cluster that's usually the active firewall

Secondary firewall

The firewall in an HA cluster that's usually the passive firewall

 

In the example I will upgrade a HA pair from 7.0.6 to 7.1.23

 

  1. disable preemption on both firewalls;
  2. suspend the primary (currently active) firewall; this will cause a failover, but there will be no traffic disruption and you can confirm that the secondary firewall is working as expected;
  3. download and install PAN-OS 7.0.19 on the primary firewall and reboot it. After rebooting, the primary firewall returns in the passive state and HA sync is working even though the firewalls are running a different PAN-OS version;
  4. suspend the secondary (currently active) firewall; this will cause another failover without traffic disruption;
  5. download and install PAN-OS 7.0.19 on the secondary firewall and reboot it. After rebooting, both firewalls are running PAN-OS 7.0.19;
  6. download PAN-OS 7.1 base image on the secondary (currently passive) firewall; do not install it. Download and install PAN-OS 7.1.23 on the secondary firewall and then reboot it. After rebooting, the secondary firewall is in the passive state and HA sync is working even though the PAN-OS versions mismatch (the secondary firewall is only one major version ahead of the primary one);
  7. suspend the primary (currently active) firewall; this will cause a failover without traffic disruption;
  8. download PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;
  9. restore the preemption settings (if needed) and wait until the primary firewall takes over the secondary one.

I know there are some extra-steps, and some support engineers say that we can upgrade from 7.0.6 straight to 7.1.23, but this document states that if you are running PAN-OS version older than 7.0.9 you should install the 7.0.9 or later release first. As per best practice, I always install the latest maintenance release before jumping to the next feature release.

 

What do you think about it?

 

Regards

Linus does not push the flush toilet button. He simply says: make clean!

@grenzi: yeah, that way looks good.

I would not recommend preemption in general, because you can get problems in case you have a link-flapping situation.

Please note, that a failover will cause minimal disruption (no up to 3 ping losses) depending on your environment.

That shouldn't be a problem at all, but if you are using highly sensitive network applications like a bad configured SAP, you may have session losses - as I said: shouldn't be a problem with most environment, but you cannot preclude that.

Best Regards
Chacko

Thanks @Chacko42

I never had an issue with the environments I usually manage. My biggest concerns are about multiple VPN tunnels terminating on the firewalls, but the support engineers ensure that VPN traffic will be preserved during the upgrade.

Linus does not push the flush toilet button. He simply says: make clean!

@grenzi: Right, the SAs are included in the session synced

Best Regards
Chacko


@grenzi wrote:
  1. download PAN-OS 7.1 base image on the primary (currently suspended) firewall; do not install it. Download and install PAN-OS 7.1.23 on the primary firewall and reboot. After rebooting, both firewalls are running PAN-OS 7.1.23;

 

It seems that on PA-3000 series you have to install the base image too (without reboot) prior to install the 7.1.23 version.

Linus does not push the flush toilet button. He simply says: make clean!

There is no need to suspend the "active" firewall.  Installing on the "passive" firewall first reduces the number of failover events.  Yes, you can install the latest image of the code train as long at the base x.x.0 image is downloaded to the firewall first.  It's best to run the latest recommended version of your code train before jumping.

 

Here is my recommendation for the fewest failover events (ditch preemption and don't fixate on a "primary" firewall) 

*5.0 so old you might want to verify versions jumps

*Always read HA version compatibility notes before large version hops

*Make sure to update threat prevention/wildfire/etc before upgrades (read the release notes)

 

1. Download 6.0.0 and latest 6.0.x to both devices (deviceA deviceB)

2. Install latest 6.0.x on PASSIVE deviceB

3. Failover to PASSIVE deviceB

4. Install latest 6.0.x on PASSIVE deviceA

5. Download 7.0.0 and latest 7.0.x to both devices (deviceA deviceB)

6. Install latest 7.0.x on PASSIVE deviceA

7. Failover to PASSIVE deviceA

8. Install latest 7.0.x on PASSIVE deviceB

9. Download 7.1.0 and latest 7.0.x to both devices (deviceA deviceB)

10. Install latest 7.1.x on PASSIVE deviceB

11. Failover to PASSIVE deviceB

12. Install latest 7.1.x on PASSIVE deviceA

... wash, rinse, repeat for 8.0/8.1/9.0

  • 8797 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!