Upgrade the VM-Series Model in an HA Pair

Upgrading the VM-Series firewall allows you to increase the capacity on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. When you apply a new capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall.
This process is similar to that of upgrading a pair of hardware-based firewalls that are in an HA configuration. During the capacity upgrade process, session synchronization continues, if you have it enabled. To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time.
Do not make configuration changes to the firewalls during the upgrade process. During the upgrade process, configuration sync is automatically disabled when a capacity mismatch is detected and is then re-enabled when both HA peers have matching capacity licenses.
If the firewalls in the HA pair have different major software versions (such as 7.1 and 8.0) and different capacities, both devices will enter the Suspended HA state. Therefore, it is recommended that you make sure both firewalls are running the same version of PAN-OS before upgrading capacity.
  1. Upgrade the capacity license on the passive firewall.
    Follow the procedure to Upgrade the VM-Series Model.
    The new VM-Series model displays on the dashboard after some processes restart on this passive peer. This upgraded peer is now in a non-functional state because of the capacity mismatch with its active peer.
    If you have enabled session synchronization, verify that sessions are synchronized across HA peers before you continue to the next step. To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
    • In an active/passive configuration, only the active peer shows packets transmitted, and the passive peer shows only packets received.
      If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
    • In an active/active configuration, you will see packets received and packets transmitted on both peers.
  2. Upgrade the capacity license on the active firewall.
    Follow the procedure to Upgrade the VM-Series Model.
    The new VM-Series model displays on the dashboard after the critical processes restart. The passive firewall becomes active, and this peer (previously active firewall) moves from the initial state to becoming the passive peer in the HA pair.
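
One way to apply the counter rules from step 1 before moving on to step 2, shown as an added example that is not Palo Alto Networks code. It assumes the transmit and receive packet counts are copied by hand from two runs of show high-availability interface ha2 on each peer; the class, function and field names are hypothetical, and the sample numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ha2Sample:
    """Hardware Interface packet counters copied from one run of the command."""
    tx_packets: int
    rx_packets: int

def ha2_sync_findings(mode, samples, ha2_keepalive=False):
    """Compare two counter samples per peer against the rules in step 1.

    samples maps a peer label to (earlier, later) Ha2Sample. For
    "active-passive" the labels must be "active" and "passive".
    Returns a list of problems; an empty list means the counters look right.
    """
    if len(samples) != 2:
        raise ValueError("expected samples for exactly two HA peers")
    if mode == "active-active":
        # Both peers must show packets transmitted and received.
        required = {peer: ("tx_packets", "rx_packets") for peer in samples}
    elif mode == "active-passive":
        if set(samples) != {"active", "passive"}:
            raise ValueError("label the peers 'active' and 'passive'")
        # Active transmits, passive receives; HA2 keep-alive is bidirectional,
        # so with it enabled the passive peer transmits as well.
        passive = ("tx_packets", "rx_packets") if ha2_keepalive else ("rx_packets",)
        required = {"active": ("tx_packets",), "passive": passive}
    else:
        raise ValueError(f"unknown HA mode: {mode!r}")

    findings = []
    for peer, fields in required.items():
        earlier, later = samples[peer]
        for field in fields:
            old, new = getattr(earlier, field), getattr(later, field)
            if new > old:
                continue
            # Assumption: a lower value means the counters restarted between samples.
            state = "flat" if new == old else "decreased, resample"
            findings.append(f"{peer}: {field} {state} ({old} -> {new})")
    return findings

# Constructed sample values, not output captured from a firewall.
SAMPLES = {
    "active": (Ha2Sample(1000, 0), Ha2Sample(1450, 0)),
    "passive": (Ha2Sample(0, 990), Ha2Sample(0, 1440)),
}
if __name__ == "__main__":
    print(ha2_sync_findings("active-passive", SAMPLES) or "HA2 counters increasing")
```

An empty result for both peers is the condition to meet before upgrading the capacity license on the active firewall.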
