Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Upgrading PANs in Serial Question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Upgrading PANs in Serial Question

L3 Networker

I have two PAN 3220s operating as Virtual Wires behind a pair of ASA 5525s. Normally in upgrading a pair of PANs you upgrade the standby, then suspend the primary (secondary takes over), upgrade the primary. Repeat as necessary to get to your target version. But since these are behind another HA pair, I'm concerned I could end up with a situation where I stop traffic flowing to the Active ASA member. I'm trying to go from 8.1 to 9.1 (or maybe 10.0). Would it be possible upgrade one PAN 8.1 to 9.1 and then suspend and upgrade the primary peer while also making the secondary ASA the active member of its HA? Or do you always have to upgrade each member of the PAN pair to just the next step of code.

[ASA01]-in-if-----out-if[PAN01]-in-if----[Switch]

[ASA02]-in-if-----out-if[PAN02]-in-if----[Switch]

1 accepted solution

Accepted Solutions

Hi @palomed ,

Palo Alto will use the HA Group ID to identify which devices are part of the cluster. If one if the members in the group is with different OS version the one with highest OS version will automatically switch to Non-Functional state. Once you reboot the second member (the one with old version), if I am not mistaken, the one will automatically switch to active (since no other member in the group is present). In that moment you will need to switch your ASA cluster member (if there is no physical connection between PAN02 and ASA01). If your clusters are not cross connected you will definately have some interruption (while both cluster switch).

 

Reagarding the versions - Palo Alto recomments  to follow the full path 8.1 -> 9.0 -> 9.1 when upgrading.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/upgrade-to-pan-os-91/upgrade-the-fi...

As you can see it you need to download the base image and the latest maintenance release and install only the maintenance. However this means that you need to download 9.0, 9.0.latest, 9.1 and 9.1.latest. So it is possible that not your device is not able to hold all images at once. But if does, I believe you can actually install straight 9.1.latest (skipping 9.0), but you may have some unexpected issues, caused by configuration not properly migrated.

 

I would suggest you to follow the recommended path and either have longe rmaintenance windows that you can reboot firewalls several times, or split the upgrade and have it upgraded to 9.0 first and upgrade it to 9.1 after couple of day later.

View solution in original post

2 REPLIES 2

Hi @palomed ,

Palo Alto will use the HA Group ID to identify which devices are part of the cluster. If one if the members in the group is with different OS version the one with highest OS version will automatically switch to Non-Functional state. Once you reboot the second member (the one with old version), if I am not mistaken, the one will automatically switch to active (since no other member in the group is present). In that moment you will need to switch your ASA cluster member (if there is no physical connection between PAN02 and ASA01). If your clusters are not cross connected you will definately have some interruption (while both cluster switch).

 

Reagarding the versions - Palo Alto recomments  to follow the full path 8.1 -> 9.0 -> 9.1 when upgrading.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/upgrade-to-pan-os-91/upgrade-the-fi...

As you can see it you need to download the base image and the latest maintenance release and install only the maintenance. However this means that you need to download 9.0, 9.0.latest, 9.1 and 9.1.latest. So it is possible that not your device is not able to hold all images at once. But if does, I believe you can actually install straight 9.1.latest (skipping 9.0), but you may have some unexpected issues, caused by configuration not properly migrated.

 

I would suggest you to follow the recommended path and either have longe rmaintenance windows that you can reboot firewalls several times, or split the upgrade and have it upgraded to 9.0 first and upgrade it to 9.1 after couple of day later.

Outstanding. Thank you for the insight.

  • 1 accepted solution
  • 1931 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!