Saturday, March 19, 2016

Panorama and PAN OS upgrade process


How to Upgrade PAN-OS

Note: Before upgrading PAN-OS, confirm which version is the latest stable release.

 

1- Panorama OS upgrade:

Go to Panorama tab > Software > Check Now:

Note: Download the base version first (suppose you want to upgrade to 6.1.9: first download 6.0.0, then click Check Now, then download 6.1.9 and install it).


 

 

- Click Download for the latest stable version, 6.1.9 or 7.0.4.

- After the download, click Install on Panorama first.

 

2- Now on the PAN devices that are added to Panorama:

Go to Panorama tab > Device Deployment > Software > Check Now:

 



 

- Click Download for the latest stable version, 6.1.9 or 7.0.4.

- After the download, click Install on Panorama first.


My personal suggestion is to deploy software on the PAN devices one by one instead of on all of them at once.

Base Version Note: The base version (first release of a major version, such as 4.1.0, 5.0.0, 6.0.0 or 6.1.0) must be downloaded onto the device first for the version that is being upgraded to. Once the base version is downloaded and the 'ACTION' appears as 'Install', the latest release on the same branch can be downloaded and installed.

For Example

If upgrading a Palo Alto Networks device from PAN-OS 5.0.5 to 6.1.6:

Note: A direct upgrade from 5.0.x to 6.1.x is not possible. It has to be a stepped upgrade from 5.0.x to 6.0.x to 6.1.x.

  1. Download and install only the 6.0.0 base version. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect.
  2. Download only the 6.1.0 base version. The action PAN-OS 5.0.0 changes from "download" to "install." Do not install now.
  3. Download and install 6.1.2. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect.
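
The base-version rule and the stepped path above, as an added example that is not part of the original post: a small planner that lists the download, install and reboot actions between any two versions, which goes beyond the single 5.0.5 to 6.1.6 case. The release order in `RELEASE_TRAINS` and the names `plan_upgrade` and `parse` are assumptions made for illustration.

```python
# Added example, not vendor code. Plans a stepped PAN-OS upgrade:
# one feature release at a time, base version downloaded before the target.

# ASSUMPTION: firewall feature-release order, built from the versions this
# page names (4.1.0, 5.0.0, 6.0.0, 6.1.0, 7.0.x). Adjust for your platform.
RELEASE_TRAINS = [(4, 1), (5, 0), (6, 0), (6, 1), (7, 0)]


def parse(version):
    """Split 'X.Y.Z' into integers; hotfix suffixes raise ValueError."""
    major, minor, maint = (int(part) for part in version.split("."))
    return major, minor, maint


def plan_upgrade(current, target, downloaded=()):
    """Return ordered (action, version) steps from current to target.

    downloaded: versions already present on the device (skips re-download).
    """
    cur, tgt = parse(current), parse(target)
    if cur[:2] not in RELEASE_TRAINS or tgt[:2] not in RELEASE_TRAINS:
        raise ValueError("release train not in RELEASE_TRAINS")
    if tgt <= cur:
        raise ValueError("target must be newer than the running version")
    start = RELEASE_TRAINS.index(cur[:2])
    end = RELEASE_TRAINS.index(tgt[:2])
    have = set(downloaded)
    steps = []

    def fetch(version):
        if version not in have:
            steps.append(("download", version))
            have.add(version)

    # Every feature release that would be skipped gets its base version
    # installed and rebooted into first (5.0.x -> 6.0.0 -> 6.1.x).
    for major, minor in RELEASE_TRAINS[start + 1:end]:
        base = f"{major}.{minor}.0"
        fetch(base)
        steps += [("install", base), ("reboot", base)]

    # Target train: the base image must be on the device, but is not
    # installed unless it is itself the target.
    fetch(f"{tgt[0]}.{tgt[1]}.0")
    fetch(target)
    steps += [("install", target), ("reboot", target)]
    return steps
```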

Release Notes: To view a description of the changes in each release, including known issues, version features, and resolved issues, click "Release Notes" next to the release.

Deleting old versions

Older versions of the PAN-OS software can be deleted as long as you are no longer running that version. If running 6.0.6, then it is OK to delete all 5.1.x (Panorama) or 5.0.x (Firewall) software versions, even the base versions.

How to Upgrade a High Availability (HA) Pair



The following instructions for upgrading an HA pair are recommended because:

- It verifies HA functionality before starting the upgrade.

- It ensures the upgrade is successfully applied to the first device before starting the upgrade on the second.

- At any point in the procedure, if any issue arises, the upgrade can be seamlessly reverted without any expected downtime.

- When finished, the final active/passive device state will be the same as it was before the upgrade with the fewest number of failovers possible (2).

Steps

Before beginning, we recommend disabling preempt to avoid the possibility of unwanted failovers. The configuration change that disables preempt must be committed on both peers. Likewise, once the upgrade is completed, re-enabling it must be committed on both peers.

To disable preempt, go to Device > High Availability > Election Settings and uncheck Preemptive. Then, perform a commit.


First suspend the active unit from the CLI. Run the command:

> request high-availability state suspend

or
From the GUI, go to Device > High Availability > Operations > Suspend local device.



Note: This will cause an HA failover. It is recommended to do this first to verify the HA functionality is working before initiating the upgrade.

- Verify network stability on the new active device with the previously active device suspended.

- Install the new PAN-OS on the suspended device, then reboot the device to complete the install as below:

How to Upgrade PAN-OS

Note: Before upgrading PAN-OS, confirm which version is the latest stable release.

1- PAN-OS upgrade:

Go to Panorama tab > Software > Check Now:

- Click Download for the latest stable version, 6.1.9, and install it on the local PAN.

- Reboot the PAN for the new version to take effect.


When the upgraded device is rebooted, the CLI prompt should show passive (or non-operational, if on a different major release, i.e. 5.0.15 to 6.X.X) and the PAN-OS version should reflect the new version.

On the current passive device, verify that the auto commit completes successfully (FIN OK) by running the following command before proceeding to the next step:

> show jobs all

Note: If the current passive device is in a non-functional state, run the following command to make it functional again:

> request high-availability state functional

Suspend the second device (current active device).

Upgrade the second device, then reboot it. When the second device reboots, the first device, already upgraded, takes over as active.

As HA functionality was verified (step 1) and the config was successfully pushed to the dataplane on the new PAN-OS (step 5), the failover should be seamless.

When the second unit reboots, it will come up as the passive unit. To complete the upgrade, validate that the auto commit completes on this device (as done in step 5) by running the following command:

> show jobs all

The original active device before the upgrade will be the active device now.

Note: To upgrade an Active-Active HA pair, follow the same steps as for the Active-Passive pair. All the steps and terms used for Active and Passive devices can be correlated to Active-Primary and Active-Secondary, respectively.
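
The two `show jobs all` checks in the procedure above, as an added example that is not part of the original post: a parser that classifies the auto commit job so a runbook script can refuse to suspend the peer until it reads FIN OK. The sample output is constructed and its column layout is an assumption; the function names are hypothetical.

```python
# Added example, not vendor code. The sample text is CONSTRUCTED and the
# column layout of `show jobs all` is an assumption; check it on your release.
HEADER = "Enqueued  ID  Type  Status  Result  Completed\n" + "-" * 46 + "\n"


def sample(status, result, completed):
    """Build a constructed two-job listing with the given AutoCom row."""
    return (HEADER
            + "2016/03/19 10:20:41  2  Commit  FIN  OK  10:21:30\n"
            + f"2016/03/19 10:02:11  1  AutoCom  {status}  {result}  {completed}\n")


SAMPLE_OK = sample("FIN", "OK", "10:04:35")
SAMPLE_RUNNING = sample("ACT", "PEND", "45%")
SAMPLE_FAILED = sample("FIN", "FAIL", "10:04:35")


def autocommit_state(output):
    """Classify the newest AutoCom job: 'ok', 'running', 'failed', 'missing'."""
    newest_id, state = -1, "missing"
    for line in output.splitlines():
        fields = line.split()
        if "AutoCom" not in fields:
            continue
        pos = fields.index("AutoCom")
        # Expected order around the type column: <ID> AutoCom <Status> <Result>
        if pos == 0 or len(fields) < pos + 3 or not fields[pos - 1].isdigit():
            continue
        job_id = int(fields[pos - 1])
        if job_id <= newest_id:
            continue  # an older auto commit; keep the newest verdict
        status, result = fields[pos + 1], fields[pos + 2]
        if status != "FIN":
            state = "running"   # still active: wait and re-run the command
        elif result == "OK":
            state = "ok"
        else:
            state = "failed"    # finished but not OK: stop the upgrade here
        newest_id = job_id
    return state


def safe_to_suspend_peer(output):
    """Proceed to the second device only once the auto commit shows FIN OK."""
    return autocommit_state(output) == "ok"
```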

How to Downgrade

If an issue occurs on the new version and a downgrade is necessary:

To revert to the previous PAN-OS screen, run the following CLI command:

> debug swm revert

This causes the firewall to boot from the partition in use prior to the upgrade. Nothing will be uninstalled and no configuration change will be made.