Upgrade HA firewall pairs from Panorama by using an orchestrated, automated upgrade
workflow.
With the
High Availability (HA) Firewall Pair Upgrade
Orchestration feature, you can simplify and automate the process of
upgrading HA firewall pairs. When you use this feature, Panorama orchestrates the
entire upgrade process for you, eliminating most of the manual steps that you need
to execute on each device. The feature intelligently manages the upgrade sequence by
following a careful and automated sequence:
Upgrades the passive (or active-secondary) peer first.
Automatically reboots the passive peer.
After the first passive peer is back online and the HA status is
synchronized, the system initiates HA failover and upgrades the other
peer.
The system automatically performs pre-checks to validate that your
environment is ready for the upgrade. It verifies that both firewalls are connected
to Panorama, confirms configuration synchronization, and validates that the HA links
are operational. If these checks pass, the upgrade process begins automatically.
After upgrade, the system automatically performs the necessary reboots without your
intervention. In the event of an upgrade failure, you must perform a manual upgrade
on the failed firewall.
This feature supports upgrading up to 200 HA pairs in a single workflow
job. The feature supports both upgrade and downgrade operations, giving you
flexibility in managing your firewall software versions. By automating and
orchestrating what was previously a manual process, this feature reduces operational
overhead and minimizes the potential for human error during firewall upgrades.
For this feature to be available, Panorama must be running 12.1.2 or a
later release, and the HA firewalls must be running PAN-OS 10.2.0 or a later
release.
