Upgrade the PAN-OS Software Version (HA Pair)

Follow these steps to upgrade the PAN-OS version of VM-Series firewalls in an HA pair.
Use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations.
To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time: For active/active firewalls, it doesn’t matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-secondary peer first). For active/passive firewalls, you must upgrade the passive peer first, suspend the active peer (fail over), update the active peer, and then return that peer to a functional state (fail back). To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
To avoid impacting traffic, plan to upgrade within the outage window. Ensure the firewalls are connected to a reliable power source. A loss of power during an upgrade can make firewalls unusable.
  1. Verify that enough hardware resources are available to the VM-Series firewall.
    Refer to the VM-Series System Requirements to see the resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process; the process for assigning additional hardware resources differs on each hypervisor.
    If the VM-Series firewall does not have the required resources for the model, it defaults to the capacity associated with the VM-50.
  2. From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall license and that the license is activated.
    On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.
  3. Save a backup of the current configuration file.
    Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade.
    Perform these steps on each firewall in the pair:
    1. Select Device > Setup > Operations and click Export named configuration snapshot.
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
    3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  4. If you have enabled User-ID, after you upgrade, the firewall clears the current IP address-to-username and group mappings so that they can be repopulated with the attributes from the User-ID sources. To estimate the time required for your environment to repopulate the mappings, run the following CLI commands on the firewall.
    • For IP address-to-username mappings:
      • show user user-id-agent state all
      • show user server-monitor state all
    • For group mappings:
      • show user group-mapping statistics
  5. Ensure that each firewall in the HA pair is running the latest content release version.
    Refer to the release notes for the minimum content release version you must install for a PAN-OS 9.1 release. Make sure to follow the Best Practices for Application and Threat Updates.
    1. Select Device > Dynamic Updates and check the Applications or Applications and Threats entry to determine which update is Currently Installed.
    2. If the firewalls are not running the minimum required content release version, or a later version required for the software version you are installing, click Check Now to retrieve a list of available updates.
    3. Locate and Download the desired content release version.
      After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
    4. Install the update. You must install the update on both peers.
  6. Upgrade the VM-Series plugin.
    1. Before upgrading, check the latest Release Notes for details on whether a new VM-Series plugin affects your environment.
      For example, suppose a new VM-Series plugin version only includes AWS features. To take advantage of the new features, you must update the plugin on your VM-Series firewall instances on AWS.
      Do not install an upgrade that does not apply to your environment.
    2. Log in to the VM-Series firewall and check the dashboard to view the plugin version.
    3. Select Device > Plugins to view the plugin version. Use Check Now to check for updates.
    4. Select the version of the plugin and click Install in the Action column to install the plugin.
      When installing the plugin on VM-Series firewalls in an HA pair, install the plugin on the passive peer before the active peer. After installing the plugin on the passive peer, it will transition to a non-functional state. Installing the plugin on the active peer returns the passive peer to a functional state.
  7. Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
    1. Select Device > High Availability and edit the Election Settings.
    2. If enabled, disable (clear) the Preemptive setting and click OK.
    3. Commit the change.
  8. Install the PAN-OS release on the first peer. If you are upgrading to an XFR release, install the version that corresponds to the XFR release.
    To minimize downtime in an active/passive configuration, upgrade the passive peer first. For an active/active configuration, upgrade the secondary peer first. As a best practice, if you are using an active/active configuration, we recommend upgrading both peers during the same maintenance window.
    If you want to test that HA is functioning properly before the upgrade, consider upgrading the active peer in an active/passive configuration first to ensure that failover occurs without incident.
    1. On the first peer, select Device > Software and click Check Now for the latest updates.
    2. Locate and Download the target PAN-OS version.
      If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.
    3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
    4. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click Yes.
      • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device.
    5. After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is still the passive or active-secondary peer in the HA configuration.
  9. Install the PAN-OS release on the second peer. If you are upgrading to an XFR release, install the version that corresponds to the XFR release.
    1. (Active/passive configurations only) Suspend the active peer so that HA fails over to the peer you just upgraded.
      1. On the active peer, select Device > High Availability > Operational Commands and click Suspend local device.
      2. View the High Availability widget on the Dashboard and verify that the state changes to Passive.
      3. On the other peer, verify that it is active and is passing traffic (Monitor > Session Browser).
    2. On the second peer, select Device > Software and click Check Now for the latest updates.
    3. Locate and Download the target PAN-OS version.
    4. After you download the image, Install it.
    5. After the installation completes successfully, reboot using one of the following methods:
      • If you are prompted to reboot, click Yes.
      • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device.
    6. (Active/passive configurations only) From the CLI of the peer you just upgraded, run the following command to make the firewall functional again:
      request high-availability state functional
  10. (PAN-OS XFR upgrade only) Upgrade the first peer and second peer to PAN-OS XFR by repeating Step 8 and Step 9.
  11. Verify that both peers are passing traffic as expected.
    In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
    Run the following CLI commands to confirm that the upgrade succeeded:
    • (Active peers only) To verify that active peers are passing traffic, run the show session all command.
    • To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
      • In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
        If you enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bi-directional, which means that both peers transmit HA2 keep-alive packets.
      • In an active/active configuration, you will see packets received and packets transmitted on both peers.
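The HA2 counter check in Step 11 is easy to get wrong when the expected pattern depends on HA mode and keep-alive. The following is an added example, not code from the Palo Alto Networks documentation: it compares two samples of the HA2 Hardware Interface CPU-table counters against the rules stated above and reports anything that deviates. The counter samples are constructed; how they are collected from the `show high-availability interface ha2` output is left to the caller.

```python
# Added example (not from the PAN-OS documentation). Checks two samples of the
# HA2 "Hardware Interface" CPU-table counters against the per-mode pattern in
# Step 11. Samples are constructed; parsing the CLI output is the caller's job.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ha2Sample:
    tx: int  # packets transmitted on the HA2 hardware interface
    rx: int  # packets received on the HA2 hardware interface


def expected_ha2_activity(mode: str, role: str, keepalive: bool) -> tuple[set, set]:
    """Return (counters that must increase, counters that must stay flat)."""
    if mode == "active/active":
        return {"tx", "rx"}, set()          # both peers sync sessions both ways
    if mode != "active/passive":
        raise ValueError(f"unknown HA mode: {mode!r}")
    if role == "active":
        return {"tx"}, set()                # active peer pushes session state
    if role == "passive":
        if keepalive:                       # keep-alive is bi-directional
            return {"tx", "rx"}, set()
        return {"rx"}, {"tx"}               # passive peer only receives
    raise ValueError(f"unknown role: {role!r}")


def check_ha2_counters(before: Ha2Sample, after: Ha2Sample, mode: str,
                       role: str, keepalive: bool = False) -> list[str]:
    """Compare two samples taken some seconds apart; an empty list means OK."""
    findings = []
    deltas = {"tx": after.tx - before.tx, "rx": after.rx - before.rx}
    for name, delta in deltas.items():
        if delta < 0:   # counters only go backwards after a reboot or swapped samples
            findings.append(f"{role}: HA2 {name} counter went backwards ({delta})")
    if findings:
        return findings
    must_grow, must_not_grow = expected_ha2_activity(mode, role, keepalive)
    for name in sorted(must_grow):
        if deltas[name] == 0:
            findings.append(f"{role}: HA2 {name} counter not increasing")
    for name in sorted(must_not_grow):
        if deltas[name] > 0:
            findings.append(f"{role}: unexpected HA2 {name} traffic with keep-alive disabled")
    return findings
```

Run it once per peer with the peer's own role and the pair's keep-alive setting; a non-empty result means session synchronization on that peer does not match the pattern the upgrade check expects.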
  12. If you disabled preemption prior to the upgrade, re-enable it now.
    1. Select Device > High Availability and edit the Election Settings.
    2. Select Preemptive and click OK.
    3. Commit the change.
