Upgrade an HA Firewall Pair to PAN-OS 8.0

Review the PAN-OS 8.0 Release Notes and then use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time: For active/active firewalls, it doesn’t matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-secondary peer first). For active/passive firewalls, you must upgrade the passive peer first, suspend the active peer (fail over), update the active peer, and then return that peer to a functional state (fail back). To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
Ensure the firewalls are connected to a reliable power source. A loss of power during an upgrade can make firewalls unusable.
  1. Save a backup of the current configuration file.
    Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.
    Perform these steps on each firewall in the pair:
    1. Select
      Device
      Setup
      Operations
      and click
      Export named configuration snapshot
      .
      fw-export-named-config-snapshot.png
    2. Select the XML file that contains your running configuration (for example,
      running-config.xml
      ) and click
      OK
      to export the configuration file.
      export-running-config.png
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. Ensure that each firewall in the HA pair is running the latest content release version.
    Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 8.0 release. Make sure to follow the Best Practices for Application and Threat ContentUpdates.
    1. Select
      Device
      Dynamic Updates
      and check which
      Applications
      or
      Applications and Threats
      to determine which update is Currently Installed.
      fw-content-updates.png
    2. If the firewalls are not running the minimum required content release version or a later version required for PAN-OS 8.0,
      Check Now
      to retrieve a list of available updates.
    3. Locate and
      Download
      the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from
      Download
      to
      Install
      for that content release version.
    4. Install
      the update. You must install the update on both peers.
  3. Disable preemption on the first peer in each pair. You need only disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
    1. Select
      Device
      High Availability
      and edit the
      Election Settings
      .
    2. If enabled, disable (clear) the
      Preemptive
      setting and click
      OK
      .
      preemptive.png
    3. Commit
      the change.
  4. You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 8.0.
    Review the known issues and changes to default behavior in the PAN-OS 8.0 Release Notesand upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
  5. Install PAN-OS 8.0 on the first peer.
    It doesn’t really matter which peer you upgrade first. However, if you want to minimize downtime in an active/passive configuration, upgrade the passive peer first.
    If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
    1. On the first peer, select
      Device
      Software
      and click
      Check Now
      for the latest updates.
    2. Locate and
      Download
      PAN-OS 8.0.0.
      If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually
      Upload
      it to your firewall.
    3. After you download the image (or, for a manual upgrade, after you upload the image),
      Install
      the image.
      As a best practice, when upgrading to a PAN-OS 8.0 release, install the PAN-OS 8.0.0 base image and reboot the firewall before you download and install a PAN-OS 8.0 maintenance release.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click
        Yes
        .
      • If you are not prompted to reboot, select
        Device
        Setup
        Operations
        and
        Reboot Device
        .
    5. After the device finishes rebooting, view the High Availability widget on the
      Dashboard
      and verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.
      passive-active-state.png
  6. Install PAN-OS 8.0 on the second peer.
    1. (Active/passive configurations only)
      Suspend the active peer so that HA fails over to the peer you just upgraded.
      1. On the active peer, select
        Device
        High Availability
        Operational Commands
        and click
        Suspend local device
        .
        suspend-local-device.png
      2. View the High Availability widget on the
        Dashboard
        and verify that the state changes to
        Passive
        .
      3. On the other peer, verify that it is active and is passing traffic (
        Monitor
        Session Browser
        ).
    2. On the second peer, select
      Device
      Software
      and click
      Check Now
      for the latest updates.
    3. Locate and
      Download
      PAN-OS 8.0.0.
    4. After you download the image,
      Install
      it.
    5. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click
        Yes
        .
      • If you are not prompted to reboot, select
        Device
        Setup
        Operations
        and
        Reboot Device
        .
    6. (Active/passive configurations only)
      From the CLI of the peer you just upgraded, run the following command to make the firewall functional again:
      request high-availability state functional
  7. Verify that both peers are passing traffic as expected.
    In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
    Run the following CLI commands to confirm that the upgrade succeeded:
    • (
      Active peers only
      ) To verify that active peers are passing traffic, run the
      show session all
      command.
    • To verify session synchronization, run the
      show high-availability interface ha2
      command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
      • In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
        If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
      • In an active/active configuration, you will see packets received and packets transmitted on both peers.
  8. If you disabled preemption prior to the upgrade, re-enable it now.
    1. Select
      Device
      High Availability
      and edit the
      Election Settings
      .
    2. Select
      Preemptive
      and click
      OK
      .
    3. Commit
      the change.

Related Documentation