the VM-Series firewall allows you to increase the capacity on the
firewall. Capacity is defined in terms of the number of sessions, rules,
security zones, address objects, IPSec VPN tunnels, and SSL VPN
tunnels that the VM-Series firewall is optimized to handle. When
you apply a new capacity license on the VM-Series firewall, the
model number and the associated capacities are implemented on the
Verify the VM-Series System Requirements for your
firewall model before you upgrade. If your firewall has less than 5.5GB memory,
the capacity (number of sessions, rules, security zones, address objects, etc)
on the firewall will be limited to that of the VM-50 Lite.
This process is similar to
that of upgrading a pair of hardware-based firewalls that are in
an HA configuration. During the capacity upgrade process, session synchronization
continues, if you have it enabled. To avoid downtime when upgrading
firewalls that are in a high availability (HA) configuration, update
one HA peer at a time.
Do not make
configuration change to the firewalls during the upgrade process.
During the upgrade process, configuration sync is automatically
disabled when a capacity mismatch is detected and is then re-enabled when
both HA peers have matching capacity licenses.
If the firewalls
in the HA pair have different major software versions (such as 9.1
and 9.0) and different capacities, both devices will enter the Suspended
HA state. Therefore, it is recommended that you make sure both firewalls
are running the same version of PAN-OS before upgrading capacity.
Upgrade the capacity license on the passive firewall.
new VM-Series model displays on the dashboard after some processes
restart on this passive peer. This upgraded peer is now is a non-functional state because of the capacity
mismatch with its active peer.
If you have enabled session synchronization,
verify that sessions are synchronized across HA peers before you
continue to the next step. To verify session synchronization, run
show high-availability interface ha2
and make sure that the Hardware Interface counters on the CPU table
are increasing as follows:
In an active/passive configuration,
only the active peer show packets transmitted and the passive device
will only show packets received.
If you have enabled HA2 keep-alive,
the hardware interface counters on the passive peer will show both
transmit and receive packets. This occurs because HA2 keep-alive
is bidirectional which means that both peers transmit HA2 keep-alive packets.
In an active/active configuration, you will see packets received
and packets transmitted on both peers.
Upgrade the capacity license on the active firewall.
new VM-Series model displays on the dashboard after the critical
processes restart. The passive firewall becomes active, and this
peer (previously active firewall) moves from the initial state to
becoming the passive peer in the HA pair.