10-28-2024 10:00 PM
Hello
I have a question about upgrading the Palo Alto firewall OS.
From the 11.1.X version, we've seen that you can upgrade right away without a 10.2.X or 11.0.X install.
e.g. OS upgrade (10.1.13-h1 -> 11.1.5)
I ran the test on my standalone firewall (10.1.13-h1) and verified that the upgrade succeeded by installing 11.1.5 after downloading 11.1.0 and 11.1.5.
My question is whether it applies to HA (Active/Passive).
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...
The HA upgrade guide linked above says:
> For example, you are upgrading HA peers from PAN-OS 10.2 to PAN-OS 11.1. You must upgrade both HA peers to PAN-OS 11.0 before you can continue upgrading to the target PAN-OS 11.1 release. When HA peers are two or more feature releases apart, the firewall with the older release installed enters a suspended state with the message Peer version too old.
So I set up HA active/passive internally and conducted the test, and the process is as follows.
Prerequisites: PAN-OS 11.1.0, 11.1.5 download
1. Primary(Active) : 10.1.13-h1, Secondary(Passive) : 10.1.13-h1
[failover-User requested]
2. Primary(Suspend) : 10.1.13-h1, Secondary(Active) : 10.1.13-h1
[Primary 11.1.5 install and reboot]
3. Primary(Passive) : 11.1.5, Secondary(Active) : 10.1.13-h1
[failback-User requested]
4. Primary(Active) : 11.1.5, Secondary(Suspend) : 10.1.13-h1
[Secondary 11.1.5 install and reboot]
5. Primary(Active) : 11.1.5, Secondary(Passive) : 11.1.5
According to the above, I think the secondary device should enter the suspended state in step 3, "Primary(Passive) : 11.1.5, Secondary(Active) : 10.1.13-h1".
However, even though the HA peers were more than one release apart, the firewall with the old release was not put in a suspended state and functioned normally.
So I continued with step 4, and the two devices were upgraded to 11.1.5 normally.
Is there an improvement in the functionality that prevents the old release from entering the suspended state in step 3?