03-04-2026 05:45 AM
When upgrading PAN-OS on an Active/Passive pair, does anyone pause for 1 or more days after upgrading the first firewall (and before upgrading the second firewall)?
The idea here is we will have a bit more time to test for issues. If there is a failure post upgrade, we will have the option to suspend the upgraded firewall and make the firewall that did not yet get upgraded, active.
03-04-2026 06:17 AM
Hi @jambulo ,
I would recommend upgrading your FW02 to your target version first. Once it comes back up, you could manually fail over and make FW02 active to validate everything is working as expected. If you run into any issues, you can always fail back to FW01, which is still running the previous PAN-OS version.
Since you plan on validating for a bit longer, just be mindful of pushing configuration changes during that time. With mismatched PAN-OS versions, I wouldn’t rely on configuration sync between the two firewalls. If you do need to make changes, it’s best to document them so you can manually apply them to the other firewall IF needed.
I would also recommend creating a testing plan rather than keeping the upgraded unit active for an arbitrary amount of time. For example, test egress connectivity, inter-zone traffic, GlobalProtect, DMZ traffic, app traffic, verify routing, S2S tunnels, etc. If you coordinate the right stakeholders and walk through these tests together, you can usually validate everything much faster and reduce the amount of time the HA pair is running on mismatched versions.
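One way to make the test plan suggested in the reply above repeatable, shown as an added example that is not part of the original thread: record a baseline before the upgrade, take the same snapshot after failing over to FW02, and compare the two. The snapshot layout, the 25% drop threshold and all values are constructed for illustration; how the data is collected from the firewalls is left open.

```python
# Added example: compare a pre-upgrade baseline with a post-failover snapshot.
# The snapshot layout and every value below are constructed sample data.

BASELINE = {
    "routes": {"0.0.0.0/0", "10.10.0.0/16", "10.20.0.0/16", "172.16.5.0/24"},
    "s2s_tunnels": {"branch-a": "up", "branch-b": "up", "dc-backup": "up"},
    "globalprotect_users": 120,
    "session_count": 18000,
}

AFTER_FAILOVER = {
    "routes": {"0.0.0.0/0", "10.10.0.0/16", "172.16.5.0/24"},
    "s2s_tunnels": {"branch-a": "up", "branch-b": "down", "dc-backup": "up"},
    "globalprotect_users": 112,
    "session_count": 9500,
}


def compare_snapshots(before, after, max_drop=0.25):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Routes present before the upgrade must still be present afterwards.
    for prefix in sorted(before["routes"] - after["routes"]):
        findings.append(f"route missing: {prefix}")
    # Site-to-site tunnels that were up must still be up.
    for name, state in sorted(before["s2s_tunnels"].items()):
        now = after["s2s_tunnels"].get(name, "absent")
        if state == "up" and now != "up":
            findings.append(f"tunnel {name}: {state} -> {now}")
    # Counters may fluctuate; flag only a drop larger than max_drop.
    for counter in ("globalprotect_users", "session_count"):
        old, new = before[counter], after[counter]
        if old and (old - new) / old > max_drop:
            findings.append(f"{counter} dropped {old} -> {new}")
    return findings


def decide(findings):
    """Map the findings to the two outcomes discussed in the thread."""
    return "fail back to FW01" if findings else "continue with the upgrade"


if __name__ == "__main__":
    results = compare_snapshots(BASELINE, AFTER_FAILOVER)
    for line in results:
        print("FAIL", line)
    print(decide(results))
```
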

