Rowell Dionicio


Upgrade an HA Firewall Pair – Palo Alto Networks

December 15, 2021 By Rowell

Upgrading software on firewalls can be daunting.

It’s even scarier when they’re in high availability (HA) mode. Palo Alto Networks firewalls can be configured as an HA pair, but network administrators are afraid of the pair breaking and causing some sort of split-brain scenario.

Or maybe one of them doesn’t come back up properly. Some are afraid of losing connectivity.

If HA is configured properly on your Palo Alto Networks firewalls, you have configuration synchronized, and cabling is configured properly, then you should be good to go.



Overview

Here’s the approach 👉 Upgrade the passive firewall first. Disable HA Preemptive mode. Then fail over the Active firewall. Turn on HA Preemptive mode.

Start with the Passive Firewall

Log into the passive firewall. This is where you should start the upgrade. Since the passive firewall isn’t doing much, this will minimize the amount of downtime.

Disable Preemptive

Head over to Device > High Availability > General and click on the gear icon under the Election Settings. Uncheck the Preemptive check box and click OK. Then commit the changes 👍

Download and Install Software

Next, you’ll want to download the software file you want to upgrade to. I’m currently on version 9.1.4 and I want to upgrade to 9.1.11-h3.

Go to Device > Software.

You might not see any software versions, or you might see only a partial list. Click on Check Now to update the list.

Click on Download under the Action column for 9.1.11-h3 or your desired version. You can choose to sync to the HA if you like.

Once the file is downloaded, click on Install. You’ll get a progress bar and once it is completed you will be prompted to reboot the firewall.

In my experience, the reboot will take roughly 10-15 minutes to complete and the HA status widget will show the firewall as Passive but with a mismatch of PAN-OS version.

Move to the Active Firewall

Now that the passive firewall is upgraded to our desired version, it’s time to upgrade the active Palo Alto Networks firewall.

Prior to downloading the software, let’s move the active role to the peer firewall running the latest version.

You can do this in the GUI by navigating to Device > High Availability > Operational Commands and clicking on Suspend local device.

You’ll be prompted to confirm that you want to suspend HA state. Clicking OK will suspend HA and the active role should move to the peer firewall.

Now that HA is suspended, let’s download the desired software version as we did previously, install it, and reboot the firewall. Wait 10-15 minutes for the Palo Alto Networks firewall to fully boot up and rejoin HA.

Enable Preemptive

You’ll notice that the firewall did not become Active or, in other words, did not preempt the peer firewall.

Log into the peer firewall and navigate to Device > High Availability > General. Click on the gear icon for Election Settings and check the box for Preemptive.

Click OK and commit the changes.

Wait about a minute, or the length of your Monitor Fail Hold Time, for the Active role to migrate to the firewall with the higher Device Priority.

Validate both firewalls are running your desired software version by looking at Software Version in the General Information widget.
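The ordering above can be checked before each step. The following is an added example, not code from the original post: it reads one firewall's HA state (the output of `show high-availability state`, retrieved as XML) and returns the next step of this procedure. The function name, the constructed sample reply and the XML element names are assumptions; compare them against your own output.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply, as seen from the passive unit before any upgrade.
# The element names are an assumption about the HA state output; adjust as needed.
SAMPLE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <running-sync>synchronized</running-sync>
    <local-info><state>passive</state><preemptive>yes</preemptive>
      <build-rel>9.1.4</build-rel></local-info>
    <peer-info><state>active</state><build-rel>9.1.4</build-rel></peer-info>
  </group>
</result></response>"""


def next_step(xml_text, target):
    """Map one unit's view of the HA pair to the next step of the procedure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success" or root.findtext("result/enabled") != "yes":
        return "stop: HA is not enabled or the query failed"
    group = root.find("result/group")
    state = group.findtext("local-info/state")
    peer_state = group.findtext("peer-info/state")
    local_done = group.findtext("local-info/build-rel") == target
    peer_done = group.findtext("peer-info/build-rel") == target

    if local_done and peer_done:
        return "finish: re-enable preemptive and confirm both versions"
    if local_done:
        return "continue on the peer"
    if not peer_done:
        # Nothing upgraded yet: the pair must be healthy before touching it.
        if group.findtext("running-sync") != "synchronized":
            return "stop: configuration is not synchronized"
        if {state, peer_state} != {"active", "passive"}:
            return "stop: expected one active and one passive unit"
        if state == "active":
            return "start on the passive peer instead"
        if group.findtext("local-info/preemptive") == "yes":
            return "disable preemptive and commit"
        return "upgrade this unit"
    # Peer already runs the target version; this unit is the remaining one.
    if state == "active":
        return "suspend this unit so the upgraded peer becomes active"
    return "upgrade this unit"


if __name__ == "__main__":
    print(next_step(SAMPLE, "9.1.11-h3"))
```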
