Upgrade the VM-Series PAN-OS Software (HA Pair)
Table of Contents
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 10.2
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade the VM-Series PAN-OS Software (HA Pair)
How do I upgrade the PAN-OS version of VM-Series firewalls
in an HA pair.
Use
the following procedure to upgrade a pair of firewalls in a high
availability (HA) configuration. This procedure applies to both
active/passive and active/active configurations.
To avoid
downtime when upgrading firewalls that are in a high availability
(HA) configuration, update one HA peer at a time: For active/active
firewalls, it doesn’t matter which peer you upgrade first (though
for simplicity, this procedure shows you how to upgrade the active-secondary
peer first). For active/passive firewalls, you must upgrade the
passive peer first, suspend the active peer (fail over), update
the active peer, and then return that peer to a functional state
(fail back). To prevent failover during the upgrade of the HA peers,
you must make sure preemption is disabled before proceeding with
the upgrade. You only need to disable preemption on one peer in
the pair.
To avoid impacting traffic,
plan to upgrade within the outage window. Ensure the firewalls are
connected to a reliable power source. A loss of power during an
upgrade can make firewalls unusable.
- Verify that enough hardware resources are available to the VM-Series firewall.Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.From the web interface, navigate to DeviceLicenses and make sure you have the correct VM-Series firewall license and that the license is activated.On the VM-Series firewall standalone version, navigate to DeviceSupport and make sure that you have activated the support license.Save a backup of the current configuration file.Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.Perform these steps on each firewall in the pair:
- Select DeviceSetupOperations and click Export named configuration snapshot.Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
- For IP address-to-username mappings:
- show user user-id-agent state all
- show user server-monitor state all
- For group mappings: show user group-mapping statistics
Ensure that each firewall in the HA pair is running the latest content release version.Refer to the release notes for the minimum content release version you must install for a PAN-OS 10.2 release. Make sure to follow the Best Practices for Application and Threat Updates.- Select DeviceDynamic Updates and check which Applications or Applications and Threats to determine which update is Currently Installed.If the firewalls are not running the minimum required content release version or a later version required for the software version you are installing, Check Now to retrieve a list of available updates.Locate and Download the desired content release version.After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.Install the update. You must install the update on both peers.Upgrade the VM-Series plugin.
- Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.Do not install an upgrade that does not apply to your environment.Log in to the VM-Series firewall and check the dashboard to view the plugin version.Select DevicePlugins to view the plugin version. Use Check Now to check for updates.Select the version of the plugin and click Install in the Action column to install the plugin.When installing the plugin on VM-Series firewalls in an HA pair, install the higher version VM-Series plugin on the active peer before the passive peer. After installing the plugin on the active peer it transitions the passive peer to a non-functional state. Installing the plugin on the passive peer returns the passive peer to a functional state.Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
- Select DeviceHigh Availability and edit the Election Settings.If enabled, disable (clear) the Preemptive setting and click OK.Commit the change.Install the PAN-OS release on the first peer.To minimize downtime in an active/passive configuration, upgrade the passive peer first. For an active/active configuration, upgrade the secondary peer first. As a best practice, if you are using an active/active configuration, we recommend upgrading both peers during the same maintenance window.If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
- On the first peer, select DeviceSoftware and click Check Now for the latest updates.(PAN-OS 10.2.10 and later 10.2 releases) By default, the preferred releases and the corresponding base releases are displayed. To view the preferred releases only, disable (clear) the Base Releases checkbox. Similarly, to view the base releases only, disable (clear) the Preferred Releases checkbox.Locate and Download the target PAN-OS version.If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.After you download the image (or, for a manual upgrade, after you upload the image), Install the image.After the installation completes successfully, reboot using one of the following methods:
- If you are prompted to reboot, click Yes.
- If you are not prompted to reboot, select DeviceSetupOperations and Reboot Device.
After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.Install the PAN-OS release on the second peer.- (Active/passive configurations only) Suspend the active peer so that HA fails over to the peer you just upgraded.
- On the active peer, select DeviceHigh AvailabilityOperational Commands and click Suspend local device.
- View the High Availability widget on the Dashboard and verify that the state changes to Passive.
- On the other peer, verify that it is active and is passing traffic (MonitorSession Browser).
On the second peer, select DeviceSoftware and click Check Now for the latest updates.Locate and Download the target PAN-OS version.After you download the image, Install it.After the installation completes successfully, reboot using one of the following methods:- If you are prompted to reboot, click Yes.
- If you are not prompted to reboot, select DeviceSetupOperations and Reboot Device.
(Active/passive configurations only) From the CLI of the peer you just upgraded, run the following command to make the firewall functional again:request high-availability state functionalVerify that both peers are passing traffic as expected.In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.Run the following CLI commands to confirm that the upgrade succeeded:- (Active peers only) To verify that active peers are passing traffic, run the show session all command.
- To verify session synchronization, run the show high-availability interface ha2 command
and make sure that the Hardware Interface counters on the CPU table
are increasing as follows:
- In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
- In an active/active configuration, you will see packets received and packets transmitted on both peers.
If you disabled preemption prior to the upgrade, re-enable it now.- Select DeviceHigh Availability and edit the Election Settings.Select Preemptive and click OK.Commit the change.