Install Updates for Panorama in an HA Configuration

To ensure a seamless failover when you update the Panorama software in a high availability (HA) configuration, the active and passive Panorama peers must be running the same Panorama release with the same Applications database version. The following example describes how to upgrade an HA pair (active peer is Primary_A and passive peer is Secondary_B).
Before updating Panorama, refer to the Release Notes. for the minimum content release version required for PAN-OS 8.1.
  1. Upgrade the Panorama software on the Secondary_B (passive) peer.
    Perform one of the following tasks on the Secondary_B peer:
    After the upgrade, this Panorama transitions to a non-functional state because the peers are no longer running the same software release.
  2. Suspend the Primary_A peer to force a failover.
    On the Primary_A peer:
    1. In the Operational Commands section (PanoramaHigh Availability), Suspend local Panorama.
    2. Verify that state is suspended (displayed on bottom-right corner of the web interface).
      The resulting failover should cause the Secondary_B peer to transition to active state.
  3. Upgrade the Panorama software on the Primary_A (currently passive) peer.
    Perform one of the following tasks on the Primary_A peer:
    After you reboot, the Primary_A peer is initially still in the passive state. Then, if preemption is enabled (default), the Primary_A peer automatically transitions to the active state and the Secondary_B peer reverts to the passive state.
    If you disabled preemption, manually Restore the Primary Panorama to the Active State.
  4. Verify that both peers are now running any newly installed content release versions and the newly installed Panorama release.
    On the Dashboard of each Panorama peer, check the Panorama Software Version and Application Version and confirm that they are the same on both peers and that the running configuration is synchronized.
  5. (Required if you upgraded from a 7.1 or earlier release)Migrate Panorama Logs to the New Log Format.
    When you upgrade to a Panorama 8.0 or later release, Panorama Log Collectors use a new log storage format. Because Panorama can no longer generate reports or ACC data from logs in the pre-8.0-release log format, you must migrate the existing logs as soon as you upgrade Panorama and its Log Collectors from a PAN-OS 7.1 or earlier release to a PAN-OS 8.0 or later release. Log migration is a one-time task; after you migrate the logs on the Log Collector as part an upgrade to a PAN-OS 8.0 or later release, you do not need to migrate them again.

Related Documentation