Upgrade an HA Firewall Pair to PAN-OS 9.1
Table of Contents
Upgrade an HA Firewall Pair to PAN-OS 9.1
Follow these steps to upgrade an HA firewall pair to
PAN-OS 9.1.
Review the PAN-OS 9.1 Release Notes and then
use the following procedure to upgrade a pair of firewalls in a
high availability (HA) configuration. This procedure applies to
both active/passive and active/active configurations.
To avoid
downtime when upgrading firewalls that are in a high availability
(HA) configuration, update one HA peer at a time: For active/active
firewalls, it doesn’t matter which peer you upgrade first (though
for simplicity, this procedure shows you how to upgrade the active-secondary
peer first). For active/passive firewalls, you must upgrade the
passive peer first, suspend the active peer (fail over), update
the active peer, and then return that peer to a functional state
(fail back). To prevent failover during the upgrade of the HA peers,
you must make sure preemption is disabled before proceeding with
the upgrade. You only need to disable preemption on one peer in
the pair.
To avoid impacting traffic,
plan to upgrade within the outage window. Ensure the firewalls are
connected to a reliable power source. A loss of power during an
upgrade can make firewalls unusable.
- Save a backup of the current configuration file.Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.Perform these steps on each firewall in the pair:
- Selectand clickDeviceSetupOperationsExport named configuration snapshot.
- Select the XML file that contains your running configuration (for example,running-config.xml) and clickOKto export the configuration file.
- Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
- If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
- For IP address-to-username mappings:
- show user user-id-agent state all
- show user server-monitor state all
- For group mappings:show user group-mapping statistics
- Ensure that each firewall in the HA pair is running the latest content release version.Refer to the release notes for the minimum content release version you must install for a PAN-OS 9.1 release. Make sure to follow the Best Practices for Application and Threat Updates.
- Selectand check whichDeviceDynamic UpdatesApplicationsorApplications and Threatsto determine which update is Currently Installed.
- If the firewalls are not running the minimum required content release version or a later version required for PAN-OS 9.1,Check Nowto retrieve a list of available updates.
- Locate andDownloadthe desired content release version.After you successfully download a content update file, the link in the Action column changes fromDownloadtoInstallfor that content release version.
- Installthe update. You must install the update on both peers.
- Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
- Selectand edit theDeviceHigh AvailabilityElection Settings.
- If enabled, disable (clear) thePreemptivesetting and clickOK.
- Committhe change.
- You cannot skip installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 9.1.0.Review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
- Install PAN-OS 9.1 on the first peer.To minimize downtime in an active/passive configuration, upgrade the passive peer first. For an active/active configuration, upgrade the secondary peer first. As a best practice, if you are using an active/active configuration, we recommend upgrading both peers during the same maintenance window.If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
- On the first peer, selectand clickDeviceSoftwareCheck Nowfor the latest updates.
- Locate andDownloadPAN-OS 9.1.0.If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manuallyUploadit to your firewall.
- After you download the image (or, for a manual upgrade, after you upload the image),Installthe image.
- After the installation completes successfully, reboot using one of the following methods:
- If you are prompted to reboot, clickYes.
- If you are not prompted to reboot, selectandDeviceSetupOperationsReboot Device.
- After the device finishes rebooting, view the High Availability widget on theDashboardand verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.
- Install PAN-OS 9.1 on the second peer.
- (Active/passive configurations only)Suspend the active peer so that HA fails over to the peer you just upgraded.
- On the active peer, selectand clickDeviceHigh AvailabilityOperational CommandsSuspend local device.
- View the High Availability widget on theDashboardand verify that the state changes toPassive.
- On the other peer, verify that it is active and is passing traffic ().MonitorSession Browser
- On the second peer, selectand clickDeviceSoftwareCheck Nowfor the latest updates.
- Locate andDownloadPAN-OS 9.1.0.
- After you download the image,Installit.
- After the installation completes successfully, reboot using one of the following methods:
- If you are prompted to reboot, clickYes.
- If you are not prompted to reboot, selectandDeviceSetupOperationsReboot Device.
- (Active/passive configurations only)From the CLI of the peer you just upgraded, run the following command to make the firewall functional again:request high-availability state functionalIf your HA firewalls have local policy rules configured, upon upgrade to PAN-OS 9.1, each peer independently assigns UUIDs for each rule. Because of this, the peers will show as out of sync until you sync the configuration ().DashboardWidgetsSystemHigh AvailabilitySync to peer
- Verify that both peers are passing traffic as expected.In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.Run the following CLI commands to confirm that the upgrade succeeded:
- (Active peers only) To verify that active peers are passing traffic, run theshow session allcommand.
- To verify session synchronization, run theshow high-availability interface ha2command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
- In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
- In an active/active configuration, you will see packets received and packets transmitted on both peers.
- If you disabled preemption prior to the upgrade, re-enable it now.
- Selectand edit theDeviceHigh AvailabilityElection Settings.
- SelectPreemptiveand clickOK.
- Committhe change.