Upgrade Panorama in an HA Configuration
To ensure a seamless failover when you update
the Panorama software in a high availability (HA) configuration,
the active and passive Panorama peers must be running the same Panorama
release with the same Applications database version. The following
example describes how to upgrade an HA pair (active peer is Primary_A
and passive peer is Secondary_B).
If you are upgrading Panorama
and managed devices in FIPS-CC mode to PAN-OS 11.0 from PAN-OS 10.2
or earlier release, you must take the additional steps of resetting
the secure connection status of the devices in FIPS-CC mode if added
to Panorama management while running a PAN-OS 10.2 release. See Upgrade Panorama and Managed Devices in FIPS-CC Mode for more details
on upgrading Panorama and FIPS-CC devices in FIPS-CC mode.
Before
updating Panorama, refer to the Release Notes for the minimum
content release version required for PAN-OS 11.0.
- Upgrade the Panorama software on the Secondary_B (passive) peer.Perform one of the following tasks on the Secondary_B peer:After the upgrade, this Panorama transitions to a non-functional state because the peers are no longer running the same software release.
- (Best Practices) If you are leveraging Cortex Data Lake (CDL), install the Panorama device certificate on each Panorama HA peer.Panorama automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 11.0.If you do not install the device certificate prior to upgrade to PAN-OS 11.0, Panorama continues to use the existing logging service certificates for authentication.
- Suspend the Primary_A peer to force a failover.On the Primary_A peer:
- In theOperational Commandssection (),PanoramaHigh AvailabilitySuspend local Panorama.
- Verify that state issuspended(displayed on bottom-right corner of the web interface).The resulting failover should cause the Secondary_B peer to transition toactivestate.
- Upgrade the Panorama software on the Primary_A (currently passive) peer.Perform one of the following tasks on the Primary_A peer:After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state.If you disabled preemption, manually Restore the Primary Panorama to the Active State.
- Verify that both peers are now running any newly installed content release versions and the newly installed Panorama release.On theDashboardof each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
- (Local Log Collectors in a Collector Group only) Upgrade the remaining Log Collectors in the Collector Group.
- (Panorama and managed devices in FIPS-CC mode) Upgrade Panorama and Managed Devices in FIPS-CC Mode.Upgrading Panorama and managed devices in FIPS-CC mode requires you to reset the secure connection status of the devices in FIPS-CC mode if added to Panorama management while running a PAN-OS 11.0 release. You need to re-onboard the following managed devices to Panorama management:
- Managed devices in FIPS-CC mode added to Panorama using the device registration authentication key.
- Managed devices in the normal operational mode added to Panorama using the device registration authentication key
- (PAN-OS 10.2 and later releases) Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.0. Stip this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your certificates.It is required that all certificates meet the following minimum requirements:
- RSA 2048 bits or greater, or ECDSA 256 bits or greater
- Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates. - (Recommended for Panorama mode) Increase the memory of the Panorama virtual appliance to 64GB.After you successfully upgrade the Panorama virtual appliance in Panorama mode to PAN-OS 11.0, Palo Alto Networks recommends increasing the memory of the Panorama virtual appliance to 64GB to meet the increased system requirements to avoid any logging, management, and operational performance issues related to an under-provisioned Panorama virtual appliance.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.