Upgrade Palo Alto HA (High Availability) Firewall Pair

This is a summarized step-by-step procedure for upgrading an HA (High Availability) firewall pair to PAN-OS 10.2:

 

  1. Review the PAN-OS 10.2 Release Notes: Understand the procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations. To avoid downtime, update one HA peer at a time. Disable preemption before proceeding with the upgrade.

 

  1. Save a backup of the current configuration file: It is a best practice to create and externally store a backup before upgrading. This process involves exporting the configuration file and saving the exported file to a location external to the firewall.

 

  1. Generate a tech support file: Go to Device > Support and generate a tech support file.

 

  1. Ensure each firewall is running the latest content release version: Refer to the Release Notes for the minimum content release version required for a PAN-OS 10.2 release. If the firewalls are not running the required version or a later one, retrieve a list of available updates and install the update on both peers.

 

  1. Determine the Upgrade Path to PAN-OS 10.2: Review the PAN-OS Upgrade Checklist, the known issues, and changes to default behavior in the Release Notes and Upgrade/Downgrade Considerations for each release through which you pass as part of your upgrade path.

 

  1. Install the device certificate on each HA peer if you are leveraging Cortex Data Lake (CDL): The firewall will automatically switch to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 10.2.

 

  1. Disable preemption on the first peer in each pair: This needs to be done only on one firewall in the HA pair. Ensure that the commit is successful before you proceed with the upgrade.

 

  1. Suspend the primary HA peer to force a failover: The resulting failover should cause the secondary HA peer to transition to the active state.
    • For firewalls in an active/passive HA configuration, suspend and upgrade the active HA peer first.
    • For firewalls in an active/active HA configuration, suspend and upgrade the active-primary HA peer first.
    1. Select Device > High Availability > Operational Commands and Suspend local device for high availability.
    2. In the bottom-right corner, verify that the state is suspended. The resulting failover verifies that HA failover is functioning properly before you upgrade.
  1. Install PAN-OS 10.2 on the suspended HA peer: Download and install PAN-OS 10.2 on the suspended HA peer. After the installation completes successfully, reboot the device. After the device finishes rebooting, verify that the device you just upgraded is in sync with the peer.

 

  1. Restore HA functionality to the primary HA peer: Make the local device functional for high availability and verify the state. Wait for the HA peer running configuration to synchronize.

 

  1. Suspend the secondary HA peer: This should cause the primary HA peer to transition to the active state.

 

  1. Install PAN-OS 10.2 on the suspended HA peer: Repeat the process of downloading and installing PAN-OS 10.2 on the suspended HA peer. After the installation completes successfully, reboot the device.

 

  1. Restore HA functionality to the primary HA peer: Make the local device functional for high availability and verify the state.
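
The state checks in the steps above (preemption disabled, local peer suspended, peer active, running configuration synchronized) can be turned into an automated gate. The following is an added example, not Palo Alto Networks code: it parses a constructed XML reply modeled on the `show high-availability state` operational command, and the element names and function names are assumptions to confirm against a reply from your own firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply, modeled on `show high-availability state` XML output.
# Element names are assumptions; confirm them against a reply from your device.
SAMPLE = """<response status="success"><result><enabled>yes</enabled><group>
  <local-info><state>{local}</state><preemptive>{pre_local}</preemptive></local-info>
  <peer-info><state>{peer}</state><preemptive>{pre_peer}</preemptive></peer-info>
  <running-sync>{sync}</running-sync>
</group></result></response>"""

ACTIVE_STATES = {"active", "active-primary", "active-secondary"}
PATHS = {"local": "local-info/state", "peer": "peer-info/state",
         "pre_local": "local-info/preemptive", "pre_peer": "peer-info/preemptive",
         "sync": "running-sync"}

def ha_fields(xml_text):
    """Extract the HA fields the upgrade steps depend on, lower-cased."""
    root = ET.fromstring(xml_text)
    group = root.find("result/group")
    if root.get("status") != "success" or group is None:
        raise ValueError("HA state query failed or HA is not configured")
    return {k: (group.findtext(p) or "").strip().lower() for k, p in PATHS.items()}

def blockers_before_install(xml_text):
    """Reasons not to install yet on the peer that produced this reply."""
    f, problems = ha_fields(xml_text), []
    # Preemption only needs to be off on one peer to be ineffective.
    if "no" not in (f["pre_local"], f["pre_peer"]):
        problems.append("preemption is not disabled on either peer")
    if f["local"] != "suspended":
        problems.append(f"local peer is '{f['local']}', expected 'suspended'")
    if f["peer"] not in ACTIVE_STATES:
        problems.append(f"peer is '{f['peer']}', failover did not complete")
    return problems

def blockers_before_next_peer(xml_text):
    """Reasons not to suspend the other peer after this one was upgraded."""
    f, problems = ha_fields(xml_text), []
    if f["local"] == "suspended":
        problems.append("upgraded peer has not been made functional again")
    if f["sync"] != "synchronized":
        problems.append(f"running configuration sync is '{f['sync']}'")
    return problems

if __name__ == "__main__":
    reply = SAMPLE.format(local="suspended", peer="active",
                          pre_local="no", pre_peer="yes", sync="synchronized")
    print(blockers_before_install(reply) or "safe to install on this peer")
```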