Upgrade the VM-Series Model in an HA Pair
How do I upgrade my VM-Series Model if I have an HA pair?
Upgrading the VM-Series firewall allows you to increase the capacity on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. When you apply a new capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall.
Verify the VM-Series System Requirements for your firewall model before you upgrade. If your firewall has less than 5.5GB of memory, the capacity (number of sessions, rules, security zones, address objects, etc.) on the firewall will be limited to that of the VM-50 Lite.
This process is similar to that of upgrading a pair of hardware-based firewalls that are in an HA configuration. During the capacity upgrade process, session synchronization continues, if you have it enabled. To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time.
Do not make configuration changes to the firewalls during the upgrade process. During the upgrade process, configuration sync is automatically disabled when a capacity mismatch is detected and is then re-enabled when both HA peers have matching capacity licenses.
If the firewalls in the HA pair have different major software versions (such as 9.1 and 9.0) and different capacities, both devices will enter the Suspended HA state. Therefore, it is recommended that you make sure both firewalls are running the same version of PAN-OS before upgrading capacity.
- Upgrade the capacity license on the passive firewall.
  The new VM-Series model displays on the dashboard after some processes restart on this passive peer. This upgraded peer is now in a non-functional state because of the capacity mismatch with its active peer.
  If you have enabled session synchronization, verify that sessions are synchronized across HA peers before you continue to the next step. To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
  - In an active/passive configuration, only the active peer shows packets transmitted and the passive peer shows only packets received. If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
  - In an active/active configuration, you will see packets received and packets transmitted on both peers.
- Upgrade the capacity license on the active firewall.
  The new VM-Series model displays on the dashboard after the critical processes restart. The passive firewall becomes active, and this peer (previously active firewall) moves from the initial state to becoming the passive peer in the HA pair.
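The counter check from the first step can be scripted once the HA2 Hardware Interface counters have been read off each peer twice, a few seconds apart. This is an added example, not Palo Alto Networks code: the Ha2Sample type, the function names and the sample numbers are assumptions, and the values are entered by hand rather than parsed from CLI output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ha2Sample:
    """HA2 Hardware Interface counters read off one peer at one moment."""
    tx: int  # packets transmitted
    rx: int  # packets received


def expected_counters(mode, role, keepalive):
    """Counters that should be increasing on this peer, per the rules above."""
    if mode == "active/active":
        return {"tx", "rx"}          # both directions on both peers
    if mode != "active/passive":
        raise ValueError(f"unknown HA mode: {mode!r}")
    if role == "active":
        return {"tx"}                # keep-alive effect is only described for the passive peer
    if role == "passive":
        # HA2 keep-alive is bidirectional, so the passive peer also transmits.
        return {"tx", "rx"} if keepalive else {"rx"}
    raise ValueError(f"unknown role for active/passive: {role!r}")


def check_peer(mode, role, keepalive, first, second):
    """Compare two samples from one peer; return a list of problems found."""
    problems = []
    for name in sorted(expected_counters(mode, role, keepalive)):
        old, new = getattr(first, name), getattr(second, name)
        if new < old:
            # A counter that drops was cleared between samples: the pair proves nothing.
            problems.append(f"{role} {name} went backwards ({old} -> {new}), sample again")
        elif new == old:
            problems.append(f"{role} {name} not increasing (stuck at {old})")
    return problems


def sync_verified(mode, keepalive, samples):
    """samples maps role -> (first, second). Returns (ok, problems)."""
    problems = []
    for role, (first, second) in samples.items():
        problems += check_peer(mode, role, keepalive, first, second)
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample values for an active/passive pair without HA2 keep-alive.
    pair = {"active": (Ha2Sample(100, 0), Ha2Sample(180, 0)),
            "passive": (Ha2Sample(0, 100), Ha2Sample(0, 180))}
    print(sync_verified("active/passive", False, pair))
```

Proceed to the active firewall only when the result is ok for both peers; a "went backwards" finding means the pair of samples should be taken again.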