Paloalto FW HA(Active/Passive) OS Upgrade Procedure 10.1.X -> 11.1.X


Hello

I have a question about upgrading the Palo Alto firewall OS.

From the 11.1.X version, we've seen that you can upgrade right away without a 10.2.X or 11.0.X install.


Example: OS upgrade (10.1.13-h1 -> 11.1.5)
I ran the test on my standalone firewall (10.1.13-h1) and verified that the upgrade succeeded by installing 11.1.5 after downloading 11.1.0 and 11.1.5.


My question is whether it applies to HA (Active/Passive).

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

When you look at the HA Upgrade Guide document above, it says:

> For example, you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1. You must upgrade both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1 release. When HA peers are two or more feature releases apart, the firewall with the older release installed enters a suspended state with the message Peer version too old.

So I set up HA active/passive internally and conducted the test, and the process is as follows.


Prerequisites: PAN-OS 11.1.0, 11.1.5 download

1. Primary(Active) : 10.1.13-h1, Secondary(Passive) : 10.1.13-h1

[failover-User requested]
2. Primary(Suspend) : 10.1.13-h1, Secondary(Active) : 10.1.13-h1

[Primary 11.1.5 install and reboot]
3. Primary(Passive) : 11.1.5, Secondary(Active) : 10.1.13-h1

[failback-User requested]
4. Primary(Active) : 11.1.5, Secondary(Suspend) : 10.1.13-h1

[Secondary 11.1.5 install and reboot]
5. Primary(Active) : 11.1.5, Secondary(Passive) : 11.1.5

According to the above, I think the secondary device should enter the suspended state in number 3, "Primary(Passive): 11.1.5, Secondary(Active): 10.1.13-h1".

However, even though the HA peers were more than one release apart, the firewall with the old release was not put in a suspended state and functioned normally.

So I continued with procedure No. 4, and the two devices were upgraded to the 11.1.5 OS normally.


Has the functionality been improved to prevent the old release from entering the suspended state in No. 3?

 

 
