03-22-2023 08:23 AM
I have 2 firewalls in active/passive mode. Am I able to upgrade one of the PANs and leave the other in standby or passive mode for a few days while I ensure there are no issues before upgrading the second PAN? It is a jump bigger than 2 versions, so the PAN I do not upgrade should go into standby mode. Will I be able to then upgrade the device in standby mode and return to active/passive mode?
03-22-2023 09:09 AM
Ideally you would want to have the two on the same code version. However, I would say make sure they are on the same family at least, i.e. 10.1.x. If the new code is going to be changing one of the two, I would recommend upgrading both. Or, if your change management approves, run without HA or in a degraded state.
Check out this link for the recommended release version:
Also read the release notes, etc.
03-22-2023 09:27 AM
Thank you. I am just worried that if the upgrade breaks anything, I want an easy way to revert to a known working config. The easiest way I could think of is to upgrade 1 PAN, then the other after a day of use. Is there a better/smarter way to do this?
03-22-2023 09:28 AM
And thanks for the link; I do not have enough access into Palo Alto support to view the link though.
03-22-2023 10:28 AM
You might not have HA working correctly, but if your bosses are OK and have signed off in writing, then it shouldn't be a problem. Here is the recommended procedure to follow:
03-22-2023 12:38 PM
I think I will upgrade the pair tonight rather than doing one, waiting, and doing the other. If I have to revert to the version I am currently on for some reason, is the process difficult? It looks like if I take a snapshot between each installation on the way to 10.1, I should be able to work backwards to get back to the version I am currently on?
03-22-2023 03:06 PM
It's pretty much the same as the upgrade, except in reverse.
03-23-2023 01:59 AM
I'd like to inject a word of caution here, in favor of doing both peers during the same maintenance window.
If you upgrade a member to a +1 major release, the upgraded member will go into 'nonfunctional' state, which means it will take on a passive role and only assume the active role if the not-upgraded member goes down or is suspended. If you intend to 'test' this OS for a while, you'd need to manually suspend the not-upgraded peer.
If you upgrade one member +2 major versions, it will go into a forced suspend mode that you cannot recover from unless the other member is down, and then you can manually activate (unsuspend) it. So for this to run for more than a few minutes, you'd have to shut down or disconnect your other member.
Reverting one upgrade down can be easily achieved by running `debug swm revert` + `request restart system` from the CLI (because the previously installed OS is maintained on an inactive disk partition); going down further requires a software install.
Pro tip on the upgrades: unless you're working on old hardware, you can download the base image, download the maintenance version, and then directly install and boot into the latest maintenance release for a major version (e.g. 10.0.x directly to 10.1.9). Even for the 'in-between' version I'd recommend going to the latest maintenance release immediately, as you don't want to get snagged on a bug mid-upgrade.
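The HA-peer behaviour and revert rules described in the reply above, modelled as a small pre-flight planner. This is an added example written for this page, not code from the thread or from Palo Alto Networks; the ordering of PAN-OS feature releases in `FEATURE_RELEASES` and the hotfix-suffix handling are assumptions to adjust for your environment.

```python
# Added example (not from the thread): model the HA member states and the
# one-hop-at-a-time upgrade path described in the post above.

# Assumed ordering of PAN-OS feature ("major") releases; adjust as needed.
FEATURE_RELEASES = ["9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]


def parse(version):
    """Split '10.1.9' (or '10.1.9-h2') into feature release '10.1' and maintenance 9."""
    parts = version.split("-")[0].split(".")  # drop any '-hN' hotfix suffix (assumed format)
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected PAN-OS version string: {version!r}")
    return f"{parts[0]}.{parts[1]}", int(parts[2])


def feature_gap(current, target):
    """Feature-release hops from current to target (negative means a downgrade)."""
    cur, _ = parse(current)
    tgt, _ = parse(target)
    return FEATURE_RELEASES.index(tgt) - FEATURE_RELEASES.index(cur)


def expected_member_state(upgraded, peer):
    """State of the upgraded HA member while its peer stays on the old release."""
    gap = feature_gap(peer, upgraded)
    if gap == 0:
        return "functional"
    if gap == 1:
        # Passive role; only becomes active if the peer fails or is suspended.
        return "nonfunctional"
    # Forced suspend; cannot be unsuspended while the old-release peer is up.
    return "suspended"


def upgrade_path(current, target):
    """Feature releases to install in order, one hop at a time (base image plus
    the latest maintenance release of each hop, per the post's advice)."""
    cur, _ = parse(current)
    tgt, _ = parse(target)
    i, j = FEATURE_RELEASES.index(cur), FEATURE_RELEASES.index(tgt)
    if j <= i:
        raise ValueError("target is not a newer feature release than current")
    return FEATURE_RELEASES[i + 1 : j + 1]


def can_swm_revert(hops_installed):
    """`debug swm revert` only returns to the previously installed image, so it
    covers exactly one installed hop; anything further needs a software install."""
    return hops_installed == 1
```

Run `upgrade_path` before the window to see how many hops (and therefore how many reverts) a rollback would need, and `expected_member_state` to confirm what the pair will do if only one member is upgraded.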