Upgrade Panorama in an HA Configuration

Upgrade the Panorama software on the Secondary_B (passive) peer.
Perform one of the following tasks on the Secondary_B peer:
Upgrade Panorama with an Internet Connection
Upgrade Panorama Without an Internet Connection
After the upgrade, this Panorama transitions to a non-functional state because the peers are no longer running the same software release.
(
Best Practices
) If you are leveraging Cortex Data Lake (CDL), install the Panorama device certificate on each Panorama HA peer.
Panorama automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 11.0.
If you do not install the device certificate prior to upgrade to PAN-OS 11.0, Panorama continues to use the existing logging service certificates for authentication.
Suspend the Primary_A peer to force a failover.
On the Primary_A peer:
In the
Operational Commands
section (
Panorama
High Availability
),
Suspend local Panorama
.
Verify that state is
suspended
(displayed on bottom-right corner of the web interface).
The resulting failover should cause the Secondary_B peer to transition to
active
state.
Upgrade the Panorama software on the Primary_A (currently passive) peer.
Perform one of the following tasks on the Primary_A peer:
Upgrade Panorama with an Internet Connection
Upgrade Panorama Without an Internet Connection
After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state.
If you disabled preemption, manually Restore the Primary Panorama to the Active State.
Verify that both peers are now running any newly installed content release versions and the newly installed Panorama release.
On the
Dashboard
of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
(
Local Log Collectors in a Collector Group only
) Upgrade the remaining Log Collectors in the Collector Group.
Upgrade Log Collectors When Panorama Is Internet-Connected
Upgrade Log Collectors When Panorama Is Not Internet-Connected
(
Panorama and managed devices in FIPS-CC mode
) Upgrade Panorama and Managed Devices in FIPS-CC Mode.
Upgrading Panorama and managed devices in FIPS-CC mode requires you to reset the secure connection status of the devices in FIPS-CC mode if added to Panorama management while running a PAN-OS 11.0 release. You need to re-onboard the following managed devices to Panorama management:
Managed devices in FIPS-CC mode added to Panorama using the device registration authentication key.
Managed devices in the normal operational mode added to Panorama using the device registration authentication key
You do not need to re-onboard managed devices added to Panorama management while the managed device was running a PAN-OS 10.0 or earlier release.
(
PAN-OS 10.2 and later releases
) Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.
This step is required if you upgrade from PAN-OS 10.1 or earlier release to PAN-OS 11.0. Stip this step if you upgrade from PAN-OS 10.2 and have already regenerated or re-imported your certificates.
It is required that all certificates meet the following minimum requirements:
RSA 2048 bits or greater, or ECDSA 256 bits or greater
Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
(
Recommended for Panorama mode
) Increase the memory of the Panorama virtual appliance to 64GB.
After you successfully upgrade the Panorama virtual appliance in Panorama mode to PAN-OS 11.0, Palo Alto Networks recommends increasing the memory of the Panorama virtual appliance to 64GB to meet the increased system requirements to avoid any logging, management, and operational performance issues related to an under-provisioned Panorama virtual appliance.