This article shows you how to upgrade Palo Alto HA firewalls without downtime. The procedure is based on an active/passive HA configuration and upgrades one HA peer at a time.
Step 1: Save a backup of the current configuration file
• Select Device>Setup>Operations and click Export named configuration snapshot.
• Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
• Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 2: Download and install 10.1.6-h6 (sync with peer)
• Go to Device>Software and click Download on version 10.1.6-h6.
Step 3: Ensure that each firewall in the HA pair is running the latest content release version
• Select Device>Dynamic Updates and check the Applications or Applications and Threats section to determine which update is Currently Installed. If you are not sure, click Check Now.
Step 4: Upgrade Software version on an HA Firewall Pair
For active/active firewalls, it doesn’t matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-primary peer first). For active/passive firewalls, you must suspend (fail over) and upgrade the active (primary) peer first. After you upgrade the primary peer, you must unsuspend the primary peer to return it to a functional state (passive). Next, you must suspend the passive (secondary) peer to make the primary peer active again. After the primary peer is active and the secondary peer is suspended, you can continue the upgrade. To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
1. Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
1) Select Device>High Availability and edit the Election Settings under General.
2) If enabled, disable (clear) the Preemptive setting and click OK.
3) Commit the change.
2. Suspend the primary HA peer to force a failover.
1) Select Device>High Availability>Operational Commands and Suspend local device for high availability.
2) Click OK on the popup.
3) In the bottom-right corner, verify that the state is Suspended.
4) The resulting failover should cause the secondary HA peer to transition to active state.
3. Install PAN-OS 10.1.6-h6 on the suspended HA peer.
1) On the primary HA peer, select Device>Software and click Check Now for the latest updates.
2) Locate and Download PAN-OS 10.1.6-h6 if you did not do it before.
3) After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
4) After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device>Setup>Operations and Reboot Device.
5) After the device finishes rebooting (it may take a while), view the High Availability widget on the Dashboard and verify that the device you just upgraded is in sync with the peer.
* The status shows Passive on the unit that just restarted, and the peer shows Active.
4. Restore HA functionality to the primary HA peer.
1) Select Device>High Availability>Operational Commands and Make local device functional for high availability.
2) In the bottom-right corner, verify that the state is Passive.
3) Wait for the HA peer running configuration to synchronize. In the Dashboard, monitor the Running Config status in the High Availability widget.
5. On the secondary HA peer, suspend the HA peer.
1) Select Device>High Availability>Operational Commands and Suspend local device for high availability.
2) In the bottom-right corner on the current unit, verify that the state is Suspended.
3) The resulting failover should cause the primary HA peer (the unit that was upgraded successfully) to transition to the Active state.
6. Install PAN-OS 10.1.6-h6 on the secondary HA peer.
1) On the second peer, select Device>Software and click Check Now for the latest updates.
2) Locate and Download PAN-OS 10.1.6-h6 if it doesn’t sync from the first unit.
3) After you download the image, Install it.
4) After the installation completes successfully, reboot using one of the following methods:
• If you are prompted to reboot, click Yes.
• If you are not prompted to reboot, select Device>Setup>Operations and Reboot Device.
7. Restore HA functionality to the secondary HA peer.
1) Select Device>High Availability>Operational Commands and Make local device functional for high availability.
2) In the bottom-right corner, verify that the state is Passive.
3) Wait for the HA peer running configuration to synchronize. In the Dashboard, monitor the Running Config status in the High Availability widget.
(Screenshots: active unit and passive unit.)
8. Re-enable preemption on the HA peer where it was disabled in the previous step.
1) Select Device>High Availability and edit the Election Settings under General.
2) Enable (check) the Preemptive setting and click OK.
3) Commit the change.
9. Verify that both peers are passing traffic as expected.
• In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.
• Run the following CLI commands to confirm that the upgrade succeeded:
1) (Active peers only) To verify that active peers are passing traffic, run the show session all command.
2) To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
3) In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
10. Test internet access and VPN.
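The conditions that steps 1 through 9 ask you to verify by eye can be written down as go/no-go checks to run before each action. The following Python is an added example, not part of the original article or of any Palo Alto tooling; the `gate` and `ha2_sync_ok` helpers and the dictionary field names are hypothetical, and the sample observations are constructed.

```python
# Added example: go/no-go gates for the rolling HA upgrade steps above.
# Field names (state, version, preemptive, config_sync) are hypothetical.
TARGET = "10.1.6-h6"  # version named in this article

def gate(action, local, peer):
    """Return reasons not to run `action` on the local unit ([] means go)."""
    why = []
    if action == "suspend":  # steps 2 and 5: force a failover
        if local["preemptive"] and peer["preemptive"]:
            why.append("preemption still enabled on both peers")
        if local["state"] != "active":
            why.append("local unit is not active")
        if peer["state"] != "passive":
            why.append("peer is not passive, nothing to fail over to")
        if local["config_sync"] != "synchronized":
            why.append("running config not synchronized")
    elif action == "install":  # steps 3 and 6: upgrade the suspended unit
        if local["state"] != "suspended":
            why.append("local unit is not suspended")
        if peer["state"] != "active":
            why.append("peer did not take over as active")
    elif action == "make_functional":  # steps 4 and 7: after the reboot
        if local["version"] != TARGET:
            why.append("local unit is not on " + TARGET)
        if peer["state"] != "active":
            why.append("peer is not active")
    elif action == "enable_preemption":  # step 8: pair fully upgraded
        if {local["version"], peer["version"]} != {TARGET}:
            why.append("both peers must run " + TARGET)
        if {local["state"], peer["state"]} != {"active", "passive"}:
            why.append("pair is not active/passive")
        if local["config_sync"] != "synchronized":
            why.append("running config not synchronized")
    else:
        raise ValueError("unknown action: " + action)
    return why

def ha2_sync_ok(role, before, after):
    """Step 9: compare two HA2 counter samples ({'tx': n, 'rx': n})."""
    tx, rx = after["tx"] - before["tx"], after["rx"] - before["rx"]
    return tx > 0 if role == "active" else (rx > 0 and tx == 0)

# Constructed observations taken on the secondary just before step 5.
SECONDARY = {"state": "active", "version": "OLD", "preemptive": False,
             "config_sync": "not synchronized"}
PRIMARY = {"state": "passive", "version": TARGET, "preemptive": True,
           "config_sync": "not synchronized"}
if __name__ == "__main__":
    print(gate("suspend", SECONDARY, PRIMARY))
```

With the constructed sample, the gate blocks the second suspend because the running configuration has not finished synchronizing, which is the wait described in step 4.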