: Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin
Focus
Focus

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Table of Contents

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Upgrade path and step-by-step procedure for the SD-WAN plugin version that your Panorama HA pair is running.
Where Can I Use This?What Do I Need?
  • PAN-OS
  • SD-WAN
  • SD-WAN license
Follow the upgrade path based on the SD-WAN plugin version that your Panorama management server is running.
Panorama Running SD-WAN Plugin VersionFollow the Steps
1.0.x
2.1.x
2.2.6

Panorama HA Pair: Upgrade SD-WAN Plugin 1.0.4 to 2.2.6 Release

When your Panorama is installed with any of the SD-WAN plugin versions between 1.0.x to 2.2.x, and if you want to upgrade the SD-WAN plugin version, you must upgrade to SD-WAN plugin version 2.2.6 first (and not any intermediate version). Because the SD-WAN 2.2.6 version contains the new features, bug fixes, performance improvements, and enhancements.
It's recommended to always ensure that the Panorama software version is higher than the PAN-OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
Use the following workflow in the same order to upgrade your Panorama HA pair with SD-WAN 2.2.6 plugin version.
  1. Upgrade your Panorama management server version.
    1. From Panorama 9.1.x, download and install Panorama 10.0.7-h3 on both active and passive Panorama.
    2. From Panorama 10.0.7-h3, download and install the latest Panorama 10.1 release on both active and passive Panorama.
    3. After the Panorama is upgraded to the latest 10.1 release, check if the active Panorama remains as active and the passive Panorama remains as passive. If there is no change in the HA states, then the upgrade is successful. Otherwise, you need to perform a force switch over to maintain the state of the HA pairs that it was before the upgrade.
      To perform the force switchover, execute the following CLI commands in the same order from the current active HA peer.
      admin > request high-availbility state suspend
      admin > request high-availbility state functional
  2. Monitor the configd logs.
    (In administrator mode) Before upgrading the SD-WAN plugin to 2.2.6, start monitoring the configd log on both the Panorama HA pairs.
    admin> tail follow yes mp-log configd.log
    If you see the below error message on executing tail follow yes mp-log configd.log command, the Mongo DB of the active and passive Panorama has become out of sync.
    To resolve this issue:
    1. (In administrator mode) Drop the whole database pan_oplog on both the active and passive Panorama.
      admin > debug mongo drop database pan_oplog instance mdb 
    2. (In administrator mode) Restart configd on both the active and passive Panorama.
      admin > debug software restart process configd
    Once the configd is restarted, refresh the respective web interface and command line interface. After restart, you won't be seeing the mongo pan_oplog error on any of the commit processes.
    We recommend you to monitor the configd logs during the whole upgrade process.
  3. Download and install the SD-WAN plugin version 2.2.6 on both active and passive Panorama.
  4. (In administrator mode) Drop the SD-WAN collections on both active and passive Panorama.
    admin > debug mongo drop database pl_sd_wan instance mdb
    This step is required to make the SD-WAN Mongo DB collections in synchronization.
  5. (In configuration mode) Forcefully commit the changes from the active Panorama.
    After completing the SD-WAN plugin upgrade, you must perform a commit force through the CLI command (in the configuration mode) on the Palo Alto Networks device. If you perform commit all instead of commit force, then you will lose all the SD-WAN configurations on that device.
  6. Check the following after Panorama HA upgrade.
    1. Perform a selective push to branch devices first, followed by the hub devices from active Panorama.
    2. Select PanoramaManaged DevicesSummary and verify if the device group and templates are in synchronization on both active and passive Panorama under the devices summary page.
    3. Verify if the SD-WAN configurations such as, Tunnel, BGP, Key ID, and traffic are as expected.
      After successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache, IPSec tunnel cache, and subnet cache will be refreshed which will not affect the functionalities of SD-WAN.
  7. (Recommended) Upgrade the connected firewalls.
    Once the Panorama HA pair upgrade is successful, the connected hub and branch devices can be upgraded one-by-one starting with the branch firewalls followed by hub firewalls (the branch and hub firewalls can be standalone firewalls or HA pairs).
    We recommend you to check the SD-WAN configuration and functionality after upgrading each firewall.
    1. Introduce a minor change on all the templates by modifying or adding the comment for an interface on the template, followed by a Commit and Push to Devices. This is just a verification activity to ensure that the configuration is good and the upgrade is working.
    2. Check the SD-WAN configuration and functionalities.
    3. Upgrade the branch firewall one-by-one till all the branches are upgraded.
    4. Follow the below steps for branch firewalls first.
      1. Start upgrading a pair of branch HA or standalone devices from Panorama version 9.1.x to 10.0.7-h3, and then to the latest Panorama 10.1 release.
      2. Introduce a minor change in the comment of an interface from the particular firewall template from the active Panorama where the upgrade was performed, Commit, and Push to Devices. Once the Commit All is completed, check the SD-WAN configurations and functionalities. This is just a verification activity to ensure that the configuration is good and the upgrade is working after the firewall is upgraded.
    5. Follow the below steps for the hub firewalls. It's important that you complete the upgrade of the branch firewalls and then start the upgrade of the hub firewalls.
      1. Start upgrading a pair of hub HA or standalone devices from Panorama version 9.1.x to 10.0.7-h3, and then to the latest Panorama 10.1 release.
      2. Introduce a minor change in the comment of an interface from the particular firewall template from the active Panorama where the upgrade was performed, Commit, and Push to Devices. Once the Commit All is completed, check the SD-WAN configurations and functionalities.
        This is just a verification activity to ensure that the configuration is good and the upgrade is working after the firewall is upgraded.
    6. Select PanoramaManaged DevicesSummary and verify if the device group and templates are in synchronization on both active and passive Panorama under the devices summary page.
    7. After the upgrade is complete, note the changes after the upgrade.

Panorama HA Pair: Upgrade SD-WAN Plugin 2.1.x to 2.2.6 Release

When your Panorama is installed with SD-WAN plugin version 2.1.x, and if you want to upgrade the SD-WAN plugin version, you must upgrade to SD-WAN plugin version 2.2.6 first (and not any intermediate version). Because the SD-WAN 2.2.6 version contains the new features, bug fixes, performance improvements, and enhancements.
It's recommended to always ensure that the Panorama software version is higher than the PAN-OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
Use the following workflow in the same order to upgrade your Panorama HA pair with the SD-WAN 2.2.6 plugin version.
  1. Upgrade your Panorama management server version.
    1. Download and install the latest Panorama 10.1 release on both active and passive Panorama.
    2. After the Panorama is upgraded to the latest 10.1 release, check if the active Panorama remains as active and the passive Panorama remains as passive. If there is no change in the HA states, then the upgrade is successful. Otherwise, you need to perform a force switch over to maintain the state of the HA pairs that it was before the upgrade.
      To perform the force switchover, execute the following CLI commands in the same order from the current active HA peer.
      admin > request high-availbility state suspend
      admin > request high-availbility state functional
  2. Monitor the configd logs.
    (In administrator mode) Before upgrading the SD-WAN plugin to 2.2.6, start monitoring the configd log on both the Panorama HA pairs.
    admin> tail follow yes mp-log configd.log
    If you see the below error message on executing admin > tail follow yes mp-log configd.log command, the mongo DB of the active and passive Panorama has become out of sync.
    To resolve this issue:
    1. (In administrator mode) Drop the whole database pan_oplog on both the active and passive Panorama.
      admin > debug mongo drop database pan_oplog instance mdb 
    2. (In administrator mode) Restart configd on both the active and passive Panorama.
      admin > debug software restart process configd
    Once the configd is restarted, refresh the respective web interface and command line interface. After restart, you won't be seeing the mongo pan_oplog error on any of the commit processes.
    We recommend you to monitor the configd logs during the whole upgrade process.
  3. Download and install the SD-WAN plugin version 2.2.6 on both active and passive Panorama.
  4. (In administrator mode) Drop the SD-WAN collections on both active and passive Panorama.
    admin > debug mongo drop database pl_sd_wan instance mdb
    This step is required to make the SD-WAN Mongo DB collections in synchronization.
  5. (In configuration mode) Forcefully commit the changes from the active Panorama.
    After completing the SD-WAN plugin upgrade, you must perform a commit force through the CLI command (in the configuration mode) on the Palo Alto Networks device. If you perform commit all instead of commit force, then you will lose all the SD-WAN configurations on that device.
  6. Check the following after Panorama HA upgrade.
    1. Perform a selective push to branch devices first, followed by the hub devices from active Panorama.
    2. Select PanoramaManaged DevicesSummary and verify if the device group and templates are in synchronization on both active and passive Panorama under the devices summary page.
    3. Verify if the SD-WAN configurations such as, tunnel, BGP, Key ID, and traffic are as expected.
      After successful upgrade of the Panorama HA pair, the Key ID, PSK, IP cache, IPSec tunnel cache, and subnet cache will be refreshed which will not affect the functionalities of SD-WAN.
  7. (Recommended) Upgrade the connected firewalls.
    Once the Panorama HA pair upgrade is successful, the connected hub and branch devices can be upgraded one-by-one starting with the branch firewalls followed by hub firewalls (the branch and hub firewalls can be standalone firewalls or HA pairs).
    We recommend you to check the SD-WAN configuration and functionality after upgrading each firewall.
    1. Introduce a minor change on all the templates by modifying or adding the comment for an interface on the template, followed by a Commit and Push to Devices. This is just a verification activity to ensure that the configuration is good and the upgrade is working.
    2. Check the SD-WAN configuration and functionalities.
    3. Upgrade the branch firewall one-by-one till all the branches are upgraded.
    4. Follow the below steps for branch firewalls first.
      1. Start upgrading a pair of branch HA or standalone devices from Panorama version 9.1.x to 10.0.7-h3, and then to the latest Panorama 10.1 release.
      2. Introduce a minor change in the comment of an interface from the particular firewall template from the active Panorama where the upgrade was performed, Commit, and Push to Devices. Once the Commit All is completed, check the SD-WAN configurations and functionalities. This is just a verification activity to ensure that the configuration is good and the upgrade is working after the firewall is upgraded.
    5. Follow the below steps for the hub firewalls. It's important that you complete the upgrade of the branch firewalls and then start the upgrade of the hub firewalls.
      1. Start upgrading a pair of hub HA or standalone devices from Panorama version 9.1.x to 10.0.7-h3, and then to the latest Panorama 10.1 release.
      2. Introduce a minor change in the comment of an interface from the particular firewall template from the active Panorama where the upgrade was performed, Commit, and Push to Devices. Once the Commit All is completed, check the SD-WAN configurations and functionalities.
        This is just a verification activity to ensure that the configuration is good and the upgrade is working after the firewall is upgraded.
    6. Select PanoramaManaged DevicesSummary and verify if the device group and templates are in synchronization on both active and passive Panorama under the devices summary page.
    7. After the upgrade is complete, note the changes after the upgrade.

Panorama HA Pair: Upgrade SD-WAN Plugin 2.2.6 to 3.0.7 Release

It's recommended to always ensure that the Panorama software version is higher than the PAN-OS version. For example, if your Panorama version is 10.1.9, then your PAN-OS version can be any of the earlier PAN-OS 10.1.9 releases.
Read the important considerations for upgrading Panorama before you start the upgrade process.
  1. Download the SD-WAN plugin 3.0.7 and delete all the 3.0.x plugins downloaded on both the Panorama HA pairs except SD-WAN plugin version 3.0.7.
  2. Upgrade the Panorama software version from the latest 10.1 version to the latest 10.2 version. After a successful upgrade to the latest 10.2 version, the SD-WAN plugin 3.0.7 will be installed automatically.
    To verify if the SD-WAN plugin 3.0.7 version is installed on your Panorama, check the General Information in the Panorama Dashboard.
  3. Once the upgrade is complete, check if the SD-WAN configurations and its functionalities are as expected.
  4. Perform a commit force through the CLI command (in the configuration mode) on the Palo Alto Networks device. If you perform commit all instead of commit force, then you will lose all the SD-WAN configurations on that device.
  5. (Recommended) Upgrade the connected devices one-by-one starting with the branch pairs followed by hub pairs.
  6. Once the devices are upgraded, check for SD-WAN configurations and its functionalities.
  7. After the upgrade is complete, note the changes after the upgrade.