Upgrade an HA Firewall Pair to PAN-OS 8.0

Review the PAN-OS 8.0 Release Notes and then use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time: For active/active firewalls, it doesn’t matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-secondary peer first). For active/passive firewalls, you must upgrade the passive peer first, suspend the active peer (fail over), update the active peer, and then return that peer to a functional state (fail back). To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
Ensure the firewalls are connected to a reliable power source. A loss of power during an upgrade can make firewalls unusable.
  1. Save a backup of the current configuration file.
    Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.
    Perform these steps on each firewall in the pair:
    1. Select DeviceSetupOperations and click Export named configuration snapshot.
      fw-export-named-config-snapshot.png
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
      export-running-config.png
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  2. Ensure that each firewall in the HA pair is running the latest content release version.
    Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 8.0 release. Make sure to follow the Best Practices for Application and Threat ContentUpdates.
    1. Select DeviceDynamic Updates and check which Applications or Applications and Threats to determine which update is Currently Installed.
      fw-content-updates.png
    2. If the firewalls are not running the minimum required content release version or a later version required for PAN-OS 8.0, Check Now to retrieve a list of available updates.
    3. Locate and Download the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
    4. Install the update. You must install the update on both peers.
  3. Disable preemption on the first peer in each pair. You need only disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
    1. Select DeviceHigh Availability and edit the Election Settings.
    2. If enabled, disable (clear) the Preemptive setting and click OK.
      preemptive.png
    3. Commit the change.
  4. Determine the Upgrade Path to PAN-OS 8.0.
    You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 8.0.
    Review the known issues and changes to default behavior in the PAN-OS 8.0 Release Notesand upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
  5. Install PAN-OS 8.0 on the first peer.
    It doesn’t really matter which peer you upgrade first. However, if you want to minimize downtime in an active/passive configuration, upgrade the passive peer first.
    If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
    1. On the first peer, select DeviceSoftware and click Check Now for the latest updates.
    2. Locate and Download PAN-OS 8.0.0.
      If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.
    3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
      As a best practice, when upgrading to a PAN-OS 8.0 release, install the PAN-OS 8.0.0 base image and reboot the firewall before you download and install a PAN-OS 8.0 maintenance release.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click Yes.
      • If you are not prompted to reboot, select DeviceSetupOperations and Reboot Device.
    5. After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.
      passive-active-state.png
  6. Install PAN-OS 8.0 on the second peer.
    1. (Active/passive configurations only) Suspend the active peer so that HA fails over to the peer you just upgraded.
      1. On the active peer, select DeviceHigh AvailabilityOperational Commands and click Suspend local device.
        suspend-local-device.png
      2. View the High Availability widget on the Dashboard and verify that the state changes to Passive.
      3. On the other peer, verify that it is active and is passing traffic (MonitorSession Browser).
    2. On the second peer, select DeviceSoftware and click Check Now for the latest updates.
    3. Locate and Download PAN-OS 8.0.0.
    4. After you download the image, Install it.
    5. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click Yes.
      • If you are not prompted to reboot, select DeviceSetupOperations and Reboot Device.
    6. (Active/passive configurations only) From the CLI of the peer you just upgraded, run the following command to make the firewall functional again:
      request high-availability state functional
  7. Verify that both peers are passing traffic as expected.
    In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
    Run the following CLI commands to confirm that the upgrade succeeded:
    • (Active peers only) To verify that active peers are passing traffic, run the show session all command.
    • To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
      • In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
        If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
      • In an active/active configuration, you will see packets received and packets transmitted on both peers.
  8. If you disabled preemption prior to the upgrade, re-enable it now.
    1. Select DeviceHigh Availability and edit the Election Settings.
    2. Select Preemptive and click OK.
    3. Commit the change.

Related Documentation