PAN-OS Firewall Upgrade Procedure in HA Environment

From Notes_Wiki

Home > Enterprise security devices or applications > Paloalto firewall > PAN-OS Firewall Upgrade Procedure in HA Environment

PAN-OS Upgrade Guide

Save a backup of the current configuration file.

  • Select Device -> Setup -> Operations and click Export named configuration snapshot.
  • Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
  • Save the exported file. You can use this backup to restore the configuration if you have problems with the upgrade.

Select Device -> Support and Generate Tech Support File.

  • Click Yes when prompted to generate the tech support file.

Ensure that each firewall in the HA pair is running the latest content release version.

Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 10.2 release. Make sure to follow the Best Practices for Applications and Threats Content Updates.

  • Select Device -> Dynamic Updates and check the Applications or Applications and Threats entry to determine which content release version is Currently Installed.
  • If the firewalls are not running the minimum content release version (or a later version) required for PAN-OS 10.2, click Check Now to retrieve a list of available updates.
  • Locate and Download the desired content release version. After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
  • Install the update. You must install the update on both peers.
> request content upgrade check
> request content upgrade download latest
> request content upgrade install version latest

Determine the Upgrade Path to PAN-OS 10.2

Review the PAN-OS Upgrade Checklist, the known issues and changes to default behavior in the Release Notes, and the Upgrade/Downgrade Considerations for each release through which you pass as part of your upgrade path.


Disable preemption on the first peer in each pair.

You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.

  • Select Device -> High Availability and edit the Election Settings.
  • If enabled, disable (clear) the Preemptive setting and click OK.
  • Commit the change.
> configure
# set deviceconfig high-availability election-preemptive no
# commit
# exit

Suspend the primary HA peer to force a failover.

(Active/passive firewalls) For firewalls in an active/passive HA configuration, suspend and upgrade the active HA peer first. (Active/active firewalls) For firewalls in an active/active HA configuration, suspend and upgrade the active-primary HA peer first.

  • Select Device -> High Availability -> Operational Commands and Suspend local device for high availability.
  • On the CLI (operational mode):
> request high-availability state suspend
  • In the bottom-right corner, verify that the state is suspended. The resulting failover should cause the secondary HA peer to transition to active state.

Install PAN-OS 10.2 on the suspended HA peer.

  • On the primary HA peer, select Device -> Software and click Check Now for the latest updates.

Only the versions for the next available PAN-OS release are displayed. For example, if the PAN-OS 10.2 is installed on the firewall, then only PAN-OS 10.2 releases are displayed. (PAN-OS 10.2.10 and later 10.2 releases) By default, the preferred releases and the corresponding base releases are displayed. To view the preferred releases only, disable (clear) the Base Releases checkbox.

  • Locate and Download PAN-OS 10.2.0.

If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually Upload it to your firewall. If your firewall does have internet access and you encounter a file download error, click Check Now again to refresh the list of PAN-OS images.

  • After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
  • After the installation completes successfully, reboot: if you are prompted to reboot, click Yes; if you are not prompted, select Device -> Setup -> Operations and Reboot Device.
  • After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is in sync with the peer.
> request system software check
> request system software download version 10.2.0
> request system software install version 10.2.0
> request restart system

Restore HA functionality to the primary HA peer.

  • Select Device -> High Availability -> Operational Commands and Make local device functional for high availability.
  • In the bottom-right corner, verify that the state is Passive. For firewalls in an active/active configuration, verify that the state is Active.
  • Wait for the HA peer running configuration to synchronize.

In the Dashboard, monitor the Running Config status in the High Availability widget.

> request high-availability state functional

On the secondary HA peer, suspend the HA peer.

  • Select Device -> High Availability -> Operational Commands and Suspend local device for high availability.
  • On the CLI (operational mode):
> request high-availability state suspend
  • In the bottom-right corner, verify that the state is suspended.

The resulting failover should cause the primary HA peer to transition to Active state.


Install PAN-OS 10.2 on the secondary HA peer.

  • On the secondary peer, select Device -> Software and click Check Now for the latest updates.
  • Locate and Download PAN-OS 10.2.0.
  • After you download the image, Install it.
  • After the installation completes successfully, reboot: if you are prompted to reboot, click Yes; if you are not prompted, select Device -> Setup -> Operations and Reboot Device.

> request system software check
> request system software download version 10.2.0
> request system software install version 10.2.0
> request restart system

Restore HA functionality to the secondary HA peer.

  • Select Device -> High Availability -> Operational Commands and Make local device functional for high availability.
  • In the bottom-right corner, verify that the state is Passive. For firewalls in an active/active configuration, verify that the state is Active.
  • Wait for the HA peer running configuration to synchronize.

In the Dashboard, monitor the Running Config status in the High Availability widget.

> request high-availability state functional

Re-enable preemption on the HA peer where you disabled it at the start of the procedure.

  • Select Device -> High Availability and edit the Election Settings.
  • Enable (check) the Preemptive setting and click OK.
  • Commit the change.
> configure
# set deviceconfig high-availability election-preemptive yes
# commit
# exit

Verify that both peers are passing traffic as expected.

In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration. Run the following CLI commands to confirm that the upgrade succeeded:

(Active peers only) To verify that active peers are passing traffic, run the show session all command. To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows: In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.

> show session all
> show high-availability interface ha2
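The checks above are scattered over several steps: content version equal and at least the required minimum on both peers, preemption off on at least one peer, running configuration synchronized before the first suspend, the expected Active/Passive/Suspended state after each suspend or "state functional", and the upgraded peer reporting the target build. The script below pulls those gates together as code that reads the XML form of `show high-availability state` (the same command the API exposes via `type=op`). It is an added example, not part of this wiki page and not Palo Alto Networks' code; the element names (`running-sync`, `local-info/state`, `preemptive`, `build-rel`, `app-version`) are an assumption about the API schema, and the sample document is constructed here so that the script runs offline. The `min_content` value is a placeholder for the minimum content release taken from the 10.2 release notes.

```python
"""Upgrade gate for a PAN-OS HA pair, driven by `show high-availability state` XML.

Added example; not code from the wiki page or from Palo Alto Networks.
Assumption: the element names below mirror the XML the firewall's API returns
for <show><high-availability><state/></high-availability></show>. The sample
document is constructed here so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: pair before the upgrade, preemption already disabled and
# committed on the local peer, running configuration in sync.
SAMPLE_HA_STATE = """
<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <running-sync>synchronized</running-sync>
    <local-info>
      <state>active</state>
      <preemptive>no</preemptive>
      <build-rel>10.1.9</build-rel>
      <app-version>8700-7800</app-version>
    </local-info>
    <peer-info>
      <state>passive</state>
      <preemptive>yes</preemptive>
      <build-rel>10.1.9</build-rel>
      <app-version>8700-7800</app-version>
    </peer-info>
  </group>
</result></response>
"""

FIELDS = {  # key -> path relative to <group> (assumed schema)
    "mode": "mode",
    "running_sync": "running-sync",
    "local_state": "local-info/state",
    "peer_state": "peer-info/state",
    "local_preemptive": "local-info/preemptive",
    "peer_preemptive": "peer-info/preemptive",
    "local_build": "local-info/build-rel",
    "peer_build": "peer-info/build-rel",
    "local_content": "local-info/app-version",
    "peer_content": "peer-info/app-version",
}


def parse_ha_state(xml_text):
    """Extract the fields the upgrade procedure checks; missing ones become ''."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API response status: %s" % root.get("status"))
    group = root.find("./result/group")
    if group is None:
        raise ValueError("no <group> element: HA may be disabled on this firewall")
    out = {}
    for key, path in FIELDS.items():
        node = group.find(path)
        out[key] = (node.text or "").strip() if node is not None else ""
    return out


def version_tuple(version):
    """'10.2.0' -> (10, 2, 0); content '8700-7800' -> (8700, 7800).
    Hotfix suffixes such as '-h1' are dropped, so base releases are compared."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def preupgrade_findings(state, min_content):
    """Problems to clear before suspending the first peer. min_content is the
    minimum content release from the target release notes (placeholder here)."""
    problems = []
    # The page only requires preemption off on one peer; that is enough to
    # stop the higher-priority peer from taking back the active role mid-upgrade.
    if "no" not in (state["local_preemptive"], state["peer_preemptive"]):
        problems.append("preemption still enabled on both peers")
    if state["running_sync"] != "synchronized":
        problems.append("running config not synchronized: %r" % state["running_sync"])
    if state["local_content"] != state["peer_content"]:
        problems.append("content version differs between peers")
    for side in ("local", "peer"):
        have = state[side + "_content"]
        if not have or version_tuple(have) < version_tuple(min_content):
            problems.append("%s content %r is below required %s" % (side, have, min_content))
    return problems


def ha_state_findings(state, expect_local, expect_peer=None, target_build=None):
    """Verify the pair after a suspend (expect_local='suspended') or after
    'request high-availability state functional' (expect_local='passive'/'active')."""
    problems = []
    if state["local_state"] != expect_local:
        problems.append("local state %r, expected %r" % (state["local_state"], expect_local))
    if expect_peer and state["peer_state"] != expect_peer:
        problems.append("peer state %r, expected %r" % (state["peer_state"], expect_peer))
    if target_build and version_tuple(state["local_build"]) != version_tuple(target_build):
        problems.append("local build %r is not %s" % (state["local_build"], target_build))
    # A suspended peer does not sync; after restoring HA it must be synchronized again.
    if expect_local != "suspended" and state["running_sync"] != "synchronized":
        problems.append("running config not synchronized after restoring HA")
    return problems


if __name__ == "__main__":
    st = parse_ha_state(SAMPLE_HA_STATE)
    print("pre-upgrade:", preupgrade_findings(st, "8700-7800") or "ok")
```

Run `preupgrade_findings` against the first peer before the suspend, `ha_state_findings(state, "suspended", "active")` right after the suspend, and `ha_state_findings(state, "passive", target_build="10.2.0")` after "state functional" on each upgraded peer (expect "active" instead of "passive" for active/active pairs, as the page notes). An empty list is the go signal for the next step; anything else maps directly to one of the manual checks above.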

For reference, I am attaching the official Palo Alto documentation link here.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair#id062f1ad5-adb3-4d25-b4a4-529bde5dc96a 
