Upgrade Panorama in an HA Configuration
Table of Contents
10.1
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Downgrade from Panorama 10.1
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade Panorama in an HA Configuration
To ensure a seamless failover when you update
the Panorama software in a high availability (HA) configuration,
the active and passive Panorama peers must be running the same Panorama
release with the same Applications database version. The following
example describes how to upgrade an HA pair (active peer is Primary_A
and passive peer is Secondary_B).
Before updating Panorama,
refer to the Release Notes for the
minimum content release version required for PAN-OS 10.1.
- Upgrade the Panorama software on the Secondary_B
(passive) peer.Perform one of the following tasks on the Secondary_B peer:After the upgrade, this Panorama transitions to a non-functional state because the peers are no longer running the same software release.
- (Panorama Interconnect plugin only) Synchronize the Panorama Node with the
Panorama Controller.Before you begin upgrading a Panorama Node, you must synchronize the Panorama Controller and Panorama Node configuration. This is required to successfully push the common Panorama Controller configuration to your Panorama Node after successful upgrade.
- (Best Practices) If you are leveraging Cortex
Data Lake (CDL), install the Panorama device certificate on
each Panorama HA peer. Panorama automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.1.If you do not install the device certificate prior to upgrade to PAN-OS 10.1, Panorama continues to use the existing logging service certificates for authentication.
- Suspend the Primary_A peer to force a failover.On the Primary_A peer:
- In the Operational Commands section (PanoramaHigh Availability), Suspend local Panorama.
- Verify that state is suspended (displayed
on bottom-right corner of the web interface).The resulting failover should cause the Secondary_B peer to transition to active state.
- Upgrade the Panorama software on the Primary_A (currently
passive) peer.Perform one of the following tasks on the Primary_A peer:After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state.If you disabled preemption, manually Restore the Primary Panorama to the Active State.
- Verify that both peers are now running any newly installed
content release versions and the newly installed Panorama release.On the Dashboard of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
- (Local Log Collectors in a Collector Group only) Upgrade the remaining Log Collectors in the Collector Group.