Upgrading software on firewalls can be daunting.
It’s even scarier when they’re in high availability (HA) mode. Palo Alto Networks firewalls can be configured as an HA pair, but network administrators are afraid of the pair breaking and causing some sort of split-brain scenario.
Or maybe one of them doesn’t come back up properly. Some are afraid of losing connectivity.
If HA is configured properly on your Palo Alto Networks firewalls, the configuration is synchronized, and the cabling is correct, then you should be good to go.
Here’s the approach 👉 Upgrade the passive firewall first. Disable HA Preemptive mode. Then fail over the Active firewall. Turn HA Preemptive mode back on.
Start with the Passive Firewall
Log into the passive firewall. This is where you should start the upgrade first. Since the passive firewall isn’t doing much, this will minimize the amount of downtime.
Head over to Device > High Availability > General and click on the gear icon under the Election Settings. Uncheck the Preemptive check box and click OK. Then commit the changes 👍
Download and Install Software
Next, you’ll want to download the software file you want to upgrade to. I’m currently on version 9.1.4 and I want to upgrade to 9.1.11-h3.
Go to Device > Software.
You might not see any software versions, or not the full list. Click on Check Now to update the list.
Click on Download under the Action column for 9.1.11-h3 or your desired version. You can choose to sync the download to the HA peer if you like.
Once the file is downloaded, click on Install. You’ll get a progress bar and once it is completed you will be prompted to reboot the firewall.
In my experience, the reboot will take roughly 10-15 minutes to complete and the HA status widget will show the firewall as Passive but with a mismatch of PAN-OS version.
Move to the Active Firewall
Now that the passive firewall is upgraded to our desired version, it’s time to upgrade the active Palo Alto Networks firewall.
Prior to downloading the software, let’s move the active role to the peer firewall running the latest version.
You can do this in the GUI by navigating to Device > High Availability > Operational Commands and clicking on Suspend local device.
You’ll be prompted to confirm that you want to suspend HA state. Clicking OK will suspend HA and the active role should move to the peer firewall.
Now that HA is suspended, let’s download the desired software version as we did previously, install it, and reboot the firewall. Wait 10-15 minutes for the Palo Alto Networks firewall to fully boot up and rejoin HA.
You’ll notice that the firewall did not become Active; in other words, it did not preempt the peer firewall, because Preemptive is still disabled.
Log into the peer firewall and navigate to Device > High Availability > General. Click on the gear icon for Election Settings and check the box for Preemptive.
Click OK and commit the changes.
Wait about a minute (or the length of your Monitor Fail Hold Time) for the Active role to migrate to the firewall with the higher Device Priority.
Validate both firewalls are running your desired software version by looking at Software Version in the General Information widget.
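The steps above are a sequence of decisions driven by the HA state of the box you are logged into: is the running config synchronized, is this peer passive or active, is Preemptive on, and which peers are already on the target version. The script below is an added example (not code from this post or from Palo Alto Networks) that turns that procedure into a decision table. It parses a constructed XML document modelled loosely on the output of `show high-availability state`; the element names (`local-info`, `peer-info`, `build-rel`, `running-sync`, `preemptive`) are assumptions rather than the documented schema. The CLI commands it quotes (`request high-availability state suspend`, `request system software download version`, `request system software install version`, `request restart system`) are the command-line equivalents of the GUI clicks in the procedure.

```python
"""Next-step helper for upgrading a PAN-OS HA pair.

Added example, not Palo Alto Networks code. The XML element names below are
assumptions modelled on `show high-availability state`; the decision table
follows the procedure in the post: sync check -> passive first with
Preemptive off -> suspend the active peer -> re-enable Preemptive -> verify.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample output: passive peer on 9.1.4 with Preemptive still on.
SAMPLE_HA_STATE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <running-sync>synchronized</running-sync>
    <local-info>
      <state>passive</state>
      <build-rel>9.1.4</build-rel>
      <priority>110</priority>
      <preemptive>yes</preemptive>
    </local-info>
    <peer-info>
      <state>active</state>
      <build-rel>9.1.4</build-rel>
      <priority>100</priority>
    </peer-info>
  </group>
</result></response>"""


@dataclass(frozen=True)
class PeerView:
    state: str        # "active", "passive" or "suspended"
    version: str      # PAN-OS version string, e.g. "9.1.4"
    priority: int     # HA device priority used in the election
    preemptive: bool  # Election Settings > Preemptive checkbox


def _peer_from(node: ET.Element) -> PeerView:
    """Build a PeerView from a <local-info> or <peer-info> element (assumed names)."""
    return PeerView(
        state=node.findtext("state", "").strip().lower(),
        version=node.findtext("build-rel", "").strip(),
        priority=int(node.findtext("priority", "0")),
        preemptive=node.findtext("preemptive", "no").strip().lower() == "yes",
    )


def parse_ha_state(xml_text: str):
    """Return (local, peer, running_sync) from the HA state document."""
    root = ET.fromstring(xml_text)
    if root.findtext("./result/enabled", "").strip() != "yes":
        raise ValueError("HA is not enabled on this device")
    group = root.find("./result/group")
    local = _peer_from(group.find("local-info"))
    peer = _peer_from(group.find("peer-info"))
    running_sync = group.findtext("running-sync", "").strip().lower()
    return local, peer, running_sync


def next_step(local: PeerView, peer: PeerView, running_sync: str, target: str):
    """Map the observed HA state onto the next step of the upgrade. Returns (code, instruction)."""
    if running_sync != "synchronized":
        return ("STOP_NOT_SYNCED", "running config is not synchronized; fix HA sync before touching software")
    local_done = local.version == target
    peer_done = peer.version == target
    if local_done and peer_done:
        if local.preemptive:
            return ("DONE", f"both peers on {target}; confirm Software Version in the General Information widget")
        return ("ENABLE_PREEMPT", "re-check Preemptive under Election Settings and commit; "
                                  "the active role moves after the Monitor Fail Hold Time")
    install_cmds = (f"request system software download version {target}; "
                    f"request system software install version {target}; request restart system")
    if local.state in ("passive", "suspended") and not local_done:
        if local.preemptive:
            return ("DISABLE_PREEMPT", "uncheck Preemptive under Election Settings and commit before installing")
        return ("INSTALL", install_cmds)
    if local.state == "active":
        if not peer_done:
            return ("GO_TO_PEER", "upgrade the passive peer first; log in there and run this check again")
        return ("SUSPEND_AND_INSTALL", "request high-availability state suspend; then " + install_cmds)
    return ("UNKNOWN", f"unexpected state local={local.state} peer={peer.state}; inspect manually")


if __name__ == "__main__":
    local, peer, sync = parse_ha_state(SAMPLE_HA_STATE)
    code, what = next_step(local, peer, sync, "9.1.11-h3")
    print(f"{code}: {what}")
```

Run it against the sample and it tells you the first real step of the post: disable Preemptive on the passive peer before installing anything. Re-running it after each reboot walks you through suspend, install, re-enable Preemptive and the final version check, and refuses to proceed if the running config is out of sync, which is the precondition the post sets up front.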
One step you should also take: back up the configuration.