Upgrade Palo Alto Firewall HA Pair (Active/Passive)

Upgrade Palo Alto Firewall HA Pair (Active/Passive)

Palo Alto has some great documentation about how to do basically everything. Sometimes it’s a bit buried. This is my short and long cheat sheets for upgrading a Palo Alto Networks firewall in an Active/Passive High Availability Pair.

Quick Cheat Sheet

Long Cheat Sheet

Upgrade path and sanity checks

For my example FW01 is the Primary firewall and currently Active firewall and FW02 is the Secondary firewall and currently Passive firewall and they are both running PAN-OS 10.1 version 10.1.6-h6 which is the current preferred release for that version. We will be upgrading them to PAN-OS 10.2 version 10.2.2-h2 which is the current preferred release for that version.

Checking Content Updates

  • Click on Device
  • Click on Dynamic Updates
  • Click Check Now
  • Install the newest Content Updates if there are any

HA Election Settings

If the HA Election Setting is set to Preemptive we need to disable that for the upgrade. In my example FW01 is the Primary and Active firewall so we will change that setting on that firewall. (We only need to change the setting on one of the Firewalls.)

  • On the Primary firewall click on Device
  • Click on High Availability
  • Uncheck Preemptive (if it isn’t selected you don’t need to do anything)
  • Commit the changes

Running Config Backup

On each firewall we need to take a running config backup.

  • Click on Device
  • Click on Setup
  • Click on Operations
  • Click on Export named configuration snapshot
  • Select running-config.xml
  • Repeat the steps on the other firewall

Generate Tech Support File

On each firewall we to generate a tech support file.

  • Click on Device
  • Click on Support
  • Click on Generate Tech Support File
  • Click Yes
  • Wait for the file to generate. It can take a bit.
  • Download the Tech Support File
  • Repeat the steps on the other firewall

Download PAN-OS Software

  • Click on Device
  • Click on Software

Because we are going from PAN-OS 10.1.6-h6 to 10.2.2-h2 we need to download two PAN-OS versions 10.2.0 and 10.2.2-h2

  • Download the version you need.
  • Select Sync to HA Peer
  • Wait for the software to download and sync to HA peer. (This can take a bit.)
  • Click Close
  • Repeat the steps to download the preferred release. In our example we will download PAN-OS version 10.2.2-h2

Suspending HA on the Active Firewall

In our example we have an Active/Passive configuration. FW01 is the Primary firewall and the Active firewall and FW02 is the Secondary firewall and the Passive firewall. We are going to suspend HA on the Primary firewall (FW01) which will cause the Secondary firewall (FW02) to take over. We will then install PAN-OS version10.2.2-h2 on the Primary firewall (FW01) which will now be the Passive firewall as the Secondary firewall (FW02) is now the Active firewall due to the HA suspension.

  • Click on Device
  • Click on High Availability
  • Click on Operational Commands
  • Click on Suspend local device for high availability
  • Click OK

We should now be failed over. FW01 the Primary firewall should now be the Passive firewall and FW02 the Secondary firewall should be the Active firewall.

  • On the Primary firewall (FW01) click on Dashboard
  • Confirm that the local status says Suspended
  • On the Secondary firewall (FW02) confirm that the local status says Active
  • Confirm that traffic is still working to confirm that your failover works

Doing the install on the Passive Firewall

Now that the Primary firewall (FW01) has been suspended it is now the Passive firewall, we can begin doing the install.

  • On the Passive firewall click on Device
  • Click on Software
  • Click Install for PAN-OS version 10.2.2-h2
  • Click OK
  • Wait for the install to complete
  • Click Yes to reboot the firewall
  • Wait for the firewall to come back up. (This can take awhile depending on your firewall.)
  • Once the Passive firewall is back online login to it
  • Confirm that the Primary firewall (FW01) is Passive and not suspended

Secondary Firewall Time

Now that the Primary firewall (FW01) is all upgraded we need to upgrade the Secondary firewall (FW02).

Suspending the HA on the Secondary firewall (FW02) will make the Primary firewall (FW01) the Active firewall again.

  • Confirm that the Primary firewall (FW01) is now the Active firewall
  • Confirm that traffic is still working to confirm that the failover worked.
  • Now that the Secondary firewall (FW02) is the Passive firewall again follow the same steps that we did in the section Doing the install on the Passive Firewall as we will now be doing them on the Secondary firewall (FW02).
  • Once the Secondary firewall (FW02) is online again make sure High Availability is all green again.

Final Step

  • If you had to change your HA Election Settings you can now change them back.

That’s all it takes to upgrade a Palo Alto Networks Firewall with an Active/Passive High Availability configuration.

Here is the official documentation from Palo Alto Networks how to do everything described above. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair

Leave a comment

Your email address will not be published.