Upgrade Panorama in an HA Configuration

To ensure a seamless failover when you update the Panorama software in a high availability (HA) configuration, the active and passive Panorama peers must be running the same Panorama release with the same Applications database version. The following example describes how to upgrade an HA pair (active peer is Primary_A and passive peer is Secondary_B).
Before updating Panorama, refer to the Release Notes for the minimum content release version required for PAN-OS 10.1.
  1. Upgrade the Panorama software on the Secondary_B (passive) peer.
    Perform one of the following tasks on the Secondary_B peer:
    After the upgrade, this Panorama transitions to a non-functional state because the peers are no longer running the same software release.
  2. (
    Best Practices
    ) If you are leveraging Cortex Data Lake (CDL), install the Panorama device certificate on each Panorama HA peer.
    Panorama automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.1.
    If you do not install the device certificate prior to upgrade to PAN-OS 10.1, Panorama continues to use the existing logging service certificates for authentication.
  3. Suspend the Primary_A peer to force a failover.
    On the Primary_A peer:
    1. In the
      Operational Commands
      section (
      High Availability
      Suspend local Panorama
    2. Verify that state is
      (displayed on bottom-right corner of the web interface).
      The resulting failover should cause the Secondary_B peer to transition to
  4. Upgrade the Panorama software on the Primary_A (currently passive) peer.
    Perform one of the following tasks on the Primary_A peer:
    After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state.
    If you disabled preemption, manually Restore the Primary Panorama to the Active State.
  5. Verify that both peers are now running any newly installed content release versions and the newly installed Panorama release.
    On the
    of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
  6. (
    Local Log Collectors in a Collector Group only
    ) Upgrade the remaining Log Collectors in the Collector Group.

Recommended For You