Académique Documents
Professionnel Documents
Culture Documents
created by djipp on Oct 29, 2012 5:27 PM, last modified by djipp on Feb 7, 2014 9:21 AM
Instructions
Before beginning, we recommend disabling preempt to avoid possibility of unwanted failovers. Disabling
preempt configuration change must be commited on BOTH peers. Likewise, once completed, re-enabling
must be commited on both peers.
1. First suspend the active unit from the CLI run the command:
>requesthighavailabilitystatesuspend
or
From the GUI go to Device > High Availability > Operations > Suspend local device.
Note: This will cause an HA failover. It is recommended to do this first to verify the HA functionality is
working before initiating the upgrade.
2. Verify network stability on the new active device with the previously active device suspended.
3. Install the new PAN-OS on the suspended device, then reboot the device to complete the install.
4. When the upgraded device is rebooted, the CLI prompt should show passive(or non-operational, if on
a different major release ie 4.0 to 4.1) and the PAN-OS version should reflect the new version.
5. On current passive device, verify auto commit completes successfully (FIN OK) by running command:
showjobsallbefore proceeding to the next step.
6. Suspend second device (should be current active device).
7. Upgrade the second device, then reboot it. When second device reboots, the first device that was
already upgraded, takes over as active.
8. As HA functionality was verified (step 1) and the config was successfully pushed to the dataplane on
the new PAN-OS (step 5), the failover should be seamless.
9. When the second unit reboots it will come up as the passive unit. Validate the auto commit completes
on this device by running command: showjobsallon this device (as done in step 5) to complete
the upgrade. The original active device before the upgrade will be the active device now.
Note: For upgrading Active-Active HA pair, the same steps are followed in the exact manner for upgrading
https://live.paloaltonetworks.com/docs/DOC-4043 1/3
6/2/2014 How to Upgrade an High Availability (HA) Pair | Palo Alto Networks Live
the Active-Passive pair. All the steps/terms used for Active and Passive devices can be correlated to
Active-Primary and Active-Secondary, respectively.
How to Downgrade
If an issue occurs on the new version and a downgrade is necessary:
Run the command debugswmrevertto revert back to the previous PAN-OS version.
This causes the firewall to boot from the partition in use prior to the upgrade. Nothing will be uninstalled and
no configuration change will be made.
Note: In some instances, when upgrading from PAN-OS 3.1 to PAN-OS 4.0 the web-server certificate may
get deleted from the configuration, this will result in the web GUI becoming unavailable after boot.
See also
Unable to Access the GUI after Upgrade to 4.0.1
Web UI Issues After Downgrading from PAN-OS 4.0
owner: djipp
(22 ratings)
4 Comments
Just wanted to share this info. I upgraded from 3.x to 5.x and after performing step #6 from above both
devices ended up in suspended mode - none were active. Apparently, the unit that was upgraded to
5.x remaind in suspended mode because the other HA unit version was "too old." I tried request high-
availability state functional on the 5.x unit but that didn't work. I was forced to disable HA on the 5.x
unit for it to be functional again.
Lesson: Don't expect HA functionality to work after upgrading couple major releases.
Like (0)
The correct upgrade path from 3.1 to 5.0 is 3.1.x -> 4.0.x -> 4.1.x -> 5.0.x. Each step must be
completed on both devices in the cluster before proceeding. Upgrades directly from PANOS
3.x to 5.x should not be attempted in HA.
Like (1)
https://live.paloaltonetworks.com/docs/DOC-4043 2/3
6/2/2014 How to Upgrade an High Availability (HA) Pair | Palo Alto Networks Live
If you want to upgrade and retain all of your configs then PANOS will not allow you to
skip major releases.
Like (0)
Like (0)
1.866.320.4788
PrivacyPolicy LegalNotices SiteIndex Subscriptions
Copyright20072013PaloAltoNetworks
https://live.paloaltonetworks.com/docs/DOC-4043 3/3