Saturday, March 19, 2016

How to Upgrade a High Availability (HA) Pair



The following instructions for upgrading an HA pair are recommended because:

- It verifies HA functionality before starting the upgrade.

- It ensures the upgrade is successfully applied to the first device before starting the upgrade on the second.

- At any point in the procedure, if any issue arises, the upgrade can be seamlessly reverted without any expected downtime.

- When finished, the final active/passive device state will be the same as it was before the upgrade with the fewest number of failovers possible (2).

Steps

Before beginning, we recommend disabling preempt to avoid the possibility of unwanted failovers. The configuration change that disables preempt must be committed on both peers. Likewise, once the upgrade is completed, re-enabling preempt must be committed on both peers.

To disable preempt, go to Device > High Availability > Election Settings and uncheck Preemptive. Then, perform a commit.


First suspend the active unit from the CLI. Run the command:

> request high-availability state suspend

or
From the GUI, go to Device > High Availability > Operations > Suspend local device.



Note: This will cause an HA failover. It is recommended to do this first to verify the HA functionality is working before initiating the upgrade.

- Verify network stability on the new active device with the previously active device suspended.

- Install the new PAN-OS on the suspended device, then reboot the device to complete the install, as described below:

How to Upgrade PAN-OS

Note: Before upgrading PAN-OS, please validate the latest stable version.


1- PAN-OS upgrade:

Go to the Panorama tab > Software > Check Now.

- Click Download for the latest stable version 6.1.9 and install it on the local PAN.

- Reboot the PAN for the upgrade to take effect.


When the upgraded device is rebooted, the CLI prompt should show passive (or non-operational, if on a different major release, for example 5.0.15 to 6.X.X) and the PAN-OS version should reflect the new version.

On the current passive device, verify that the auto commit completes successfully (FIN OK) by running the following command before proceeding to the next step:

> show jobs all

Note: If the current passive device is in a non-functional state, run the following command to make it functional again:

> request high-availability state functional

Suspend the second device (current active device).

Upgrade the second device, then reboot it. When the second device reboots, the first device, already upgraded, takes over as active.

As HA functionality was verified (step 1) and the config was successfully pushed to the dataplane on the new PAN-OS (step 5), the failover should be seamless.

When the second unit reboots, it will come up as the passive unit. To complete the upgrade, validate that the auto commit completes on this device by running the following command on it (as done in step 5):

> show jobs all

The original active device before the upgrade will be the active device now.

Note: To upgrade an Active-Active HA pair, follow the same steps as for the Active-Passive pair. All the steps and terms used for Active and Passive devices can be correlated to Active-Primary and Active-Secondary, respectively.
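
The FIN OK check that the procedure above performs on each device can be scripted as a gate before the second device is suspended. This is an added example, not part of the original post or of Palo Alto's tooling; the column layout, the `AutoCom` type label, the `ACT`/`PEND`/`FAIL` values and the function names are assumptions, and the sample outputs are constructed.

```python
# Gate check for the "FIN OK" step; the sample outputs below are constructed.
AUTOCOMMIT_TYPE = "AutoCom"  # assumed Type label of the auto-commit job

HEADER = "Enqueued             Dequeued  ID  Type     Status Result Completed\n"
SAMPLE_DONE = HEADER + (
    "2016/03/19 10:05:40  10:05:40   2  Commit      FIN     OK 10:06:10\n"
    "2016/03/19 10:02:11  10:02:11   1  AutoCom     FIN     OK 10:04:35\n")
SAMPLE_RUNNING = HEADER + (
    "2016/03/19 10:02:11  10:02:11   1  AutoCom     ACT   PEND      45%\n")
SAMPLE_FAILED = HEADER + (
    "2016/03/19 10:02:11  10:02:11   1  AutoCom     FIN   FAIL 10:04:35\n")


def autocommit_state(show_jobs_output):
    """Return (status, result) of the highest-ID auto-commit job, or None."""
    latest = None
    for line in show_jobs_output.splitlines():
        fields = line.split()
        if AUTOCOMMIT_TYPE not in fields:
            continue  # header, separator, or a different job type
        i = fields.index(AUTOCOMMIT_TYPE)
        # A job row has a numeric ID just before Type and two fields after it.
        if i == 0 or not fields[i - 1].isdigit() or len(fields) < i + 3:
            continue
        job_id = int(fields[i - 1])
        if latest is None or job_id > latest[0]:
            latest = (job_id, fields[i + 1], fields[i + 2])
    return None if latest is None else (latest[1], latest[2])


def safe_to_proceed(show_jobs_output):
    """True only when the auto commit finished with result OK."""
    return autocommit_state(show_jobs_output) == ("FIN", "OK")


if __name__ == "__main__":
    for name, text in [("done", SAMPLE_DONE), ("running", SAMPLE_RUNNING),
                       ("failed", SAMPLE_FAILED), ("no job", HEADER)]:
        print(name, autocommit_state(text), safe_to_proceed(text))
```

A missing auto-commit row is treated the same as a running or failed one: the gate stays closed, so the active peer is not suspended while the upgraded peer cannot yet take traffic.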

How to Downgrade

If an issue occurs on the new version and a downgrade is necessary:

To revert to the previous PAN-OS version, run the following CLI command:

> debug swm revert

This causes the firewall to boot from the partition in use prior to the upgrade. Nothing will be uninstalled and no configuration change will be made.

1 comment:

  1. Thanks for your great information, the contents are quite interesting. Keep updating more information from your blog. I will be waiting for your next post.