03-04-2026 05:45 AM
When upgrading PAN-OS on an Active/Passive pair, does anyone pause for 1 or more days after upgrading the first firewall (and before upgrading the second firewall)?
The idea here is we will have a bit more time to test for issues. If there is a failure post upgrade, we will have the option to suspend the upgraded firewall and make the firewall that did not yet get upgraded, active.
03-04-2026 06:17 AM
Hi @jambulo ,
I would recommend upgrading your FW02 to your target version first. Once it comes back up, you could manually fail over and make FW02 active to validate everything is working as expected. If you run into any issues, you can always fail back to FW01, which is still running the previous PAN-OS version.
Since you plan on validating for a bit longer, just be mindful of pushing configuration changes during that time. With mismatched PAN-OS versions, I wouldn’t rely on configuration sync between the two firewalls. If you do need to make changes, it’s best to document them so you can manually apply them to the other firewall IF needed.
I would also recommend creating a testing plan rather than keeping the upgraded unit active for an arbitrary amount of time. For example, test egress connectivity, inter-zone traffic, GlobalProtect, DMZ traffic, app traffic, verify routing, S2S tunnels, etc. If you coordinate the right stakeholders and walk through these tests together, you can usually validate everything much faster and reduce the amount of time the HA pair is running on mismatched versions.
03-04-2026 02:25 PM
I personally would not recommend having mismatched PAN-OS versions for any sort of extended period. In the event that you encounter an issue, you can easily swap partitions on your passive unit and then force it to take over the active role. I just don't see a need when reverting an update takes a minimal amount of time in an HA environment with minimal disruption, or no disruption, as you fail over traffic.
As @JayGolf mentioned, you're just kind of asking for something to be forgotten or configuration drift to occur. I've seen far too many people who have failed to remember to upgrade the passive unit, encounter issues after a failover because they neglected to sync the configuration, or mistakenly sync the "old" configuration between units.
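The two replies above both come down to the same check: while the pair runs mixed versions, know which unit is on which build, do not trust config sync, and do not lose track of the un-upgraded peer. The script below is an added example for this thread, not Palo Alto Networks code. It parses a constructed sample of HA state output and flags those conditions; the XML layout (result/group, local-info/peer-info, state, build-rel, running-sync) is an assumption modelled on what `show high-availability state` returns through the XML API, and the version strings are made-up sample values.

```python
"""Flag the risks of running an Active/Passive pair on mismatched PAN-OS builds.

Added example; not vendor code. The XML field names below are assumptions
modelled on `show high-availability state` output, not a documented schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: FW01 (local) upgraded and active, FW02 (peer) still on the
# older build, and the running config not yet in sync across the pair.
SAMPLE_HA_STATE = """<response status="success"><result><group>
  <local-info>
    <state>active</state>
    <build-rel>11.1.4</build-rel>
    <running-sync>not synchronized</running-sync>
  </local-info>
  <peer-info>
    <state>passive</state>
    <build-rel>11.1.2</build-rel>
  </peer-info>
</group></result></response>"""


def parse_ha_state(xml_text):
    """Extract local/peer role, build and config-sync status from HA state XML."""
    root = ET.fromstring(xml_text)
    group = root.find("./result/group")
    if group is None:
        raise ValueError("no <group> element in HA state output")

    def text(path):
        node = group.find(path)
        return node.text.strip() if node is not None and node.text else None

    return {
        "local_state": text("local-info/state"),
        "local_build": text("local-info/build-rel"),
        "peer_state": text("peer-info/state"),
        "peer_build": text("peer-info/build-rel"),
        "running_sync": text("local-info/running-sync"),
    }


def _build_tuple(build):
    """Turn '11.1.4' (or '11.1.4-h2') into (11, 1, 4) so builds can be ordered."""
    parts = []
    for piece in build.split("."):
        head = piece.split("-")[0]  # drop a hotfix suffix such as "-h2"
        parts.append(int(head) if head.isdigit() else 0)
    return tuple(parts)


def assess_pair(info):
    """Return (code, message) findings a practitioner should act on.

    Mirrors the thread's advice: with mismatched builds do not rely on config
    sync, record every change for manual replay, and remember that the
    passive unit on the older release is the fallback path.
    """
    findings = []
    local, peer = info["local_build"], info["peer_build"]
    if local and peer and local != peer:
        findings.append((
            "version-mismatch",
            f"local {local} ({info['local_state']}) vs peer {peer} "
            f"({info['peer_state']}): do not rely on config sync; document "
            "every change so it can be applied to the other unit manually",
        ))
        if info["peer_state"] == "passive" and _build_tuple(peer) < _build_tuple(local):
            findings.append((
                "rollback-path",
                f"passive peer still runs {peer}; failing over to it restores "
                "the previous release, so do not upgrade it until testing is done",
            ))
    if info["running_sync"] and info["running_sync"] != "synchronized":
        findings.append((
            "config-not-synced",
            f"running config reported '{info['running_sync']}': changes made "
            "on one unit are not on the other",
        ))
    return findings


def finding_codes(xml_text):
    """Convenience wrapper: just the finding codes for a given HA state document."""
    return [code for code, _ in assess_pair(parse_ha_state(xml_text))]


if __name__ == "__main__":
    for code, msg in assess_pair(parse_ha_state(SAMPLE_HA_STATE)):
        print(f"[{code}] {msg}")
```

Run it against the real output of the HA state command (after adjusting the element names to what your firewall actually returns) each day the pair stays mixed; an empty finding list is the signal that the second unit has been upgraded and the config is back in sync.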
03-06-2026 05:33 AM
Thanks for the response.
We're choosing to upgrade FW01 (designated "active" firewall) first so we are certain that we are upgrading a firewall that is in a known healthy state.
Good call on the config changes, definitely something to keep in mind.
We do have a test plan to run through right after the upgrade, but in our experience, issues/bugs do not show themselves until 1+ days after the upgrade.