Upgrade an HA Firewall Pair to PAN-OS 7.1
Review the PAN-OS 7.1 Release Notes and then use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations.
When upgrading peers in an HA configuration, you must upgrade each firewall separately. Consequently, there is a period of time when PAN-OS versions differ on the individual firewalls in the HA pair. If you have session synchronization enabled, it will continue to function during the upgrade process as long as you are upgrading from one feature release to the next consecutive feature release, PAN-OS 7.0.x to PAN-OS 7.1 in this case. If you are upgrading the pair from an older feature release of PAN-OS, session syncing between the firewalls will not work and, if a failover occurs before both firewalls are running the same version of PAN-OS, session forwarding could be impacted. In this case, if session continuity is required, you must temporarily permit non-syn-tcp while the session table is rebuilt, as described in the following procedure.
Ensure the devices are connected to a reliable power source. A loss of power during an upgrade can make the devices unusable.
When you upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, you should upgrade both peers within a short period of time. You should also clear the ARP cache (clear arp) on both peers before you upgrade.
Upgrade PAN-OS
Step 1. Save a backup of the current configuration file. Although the firewall automatically creates a backup of the configuration, it is a best practice to create and externally store a backup before you upgrade. Perform these steps on each firewall in the pair:
  a. Select Device > Setup > Operations and Export named configuration snapshot.
  b. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
  c. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 2. Make sure each device is running content release version 564 or later.
  a. Select Device > Dynamic Updates.
  b. Check the Applications and Threats or Applications section to determine which update is currently running.
  c. If the firewall is not running the minimum required update, Check Now to retrieve a list of available updates.
  d. Locate and Download the content release version you intend to install. After the download completes, Install the update.
Step 3. Determine the upgrade path. You cannot skip installation of any major releases in the path to your desired PAN-OS version. Therefore, if you intend to upgrade to a version that is more than one major release away, you must download, install, and reboot the firewall for each intermediate major PAN-OS release along the upgrade path. For example, if you want to upgrade from PAN-OS 6.0.13 to PAN-OS 7.1.1, you must:
  - Download and install PAN-OS 6.1.0 and reboot.
  - Download and install PAN-OS 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release, not 7.0.0).
  - Download PAN-OS 7.1.0 (you do not need to install it).
  - Download and install PAN-OS 7.1.1 and reboot.
  Select Device > Software. Check which version has a check mark in the Currently Installed column and proceed as follows:
  - If PAN-OS 7.0.1 or a later release is currently installed, continue to Step 4.
  - If a version of PAN-OS prior to 7.0.1 is currently installed, you must follow the upgrade path to 7.0.1 before you can upgrade to 7.1. Refer to the Release Notes for your currently installed PAN-OS version for upgrade instructions.
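The upgrade-path rules above (no skipped feature release, a base image per release, 7.0.1 rather than 7.0.0 as the 7.0 base, the target release's base image downloaded but not installed) can be encoded as a small planner. This is an added example, not Palo Alto Networks code; the BASE_IMAGE and FEATURE_ORDER tables are assumptions built from the releases the page names, and the session-sync check applies the rule from the introduction (sync survives only between consecutive feature releases).

```python
from typing import List

# Base image per feature release, as stated on the page: 7.0's base image
# is 7.0.1 (not 7.0.0); 6.1 and 7.1 use x.y.0. Assumed table, not a product API.
BASE_IMAGE = {"6.1": "6.1.0", "7.0": "7.0.1", "7.1": "7.1.0"}
# Consecutive feature releases covered by this page's upgrade path.
FEATURE_ORDER = ["6.0", "6.1", "7.0", "7.1"]


def feature_of(version: str) -> str:
    """'7.0.13' -> '7.0' (the feature release a maintenance release belongs to)."""
    major, minor, _ = version.split(".")
    return f"{major}.{minor}"


def upgrade_path(current: str, target: str) -> List[str]:
    """Ordered list of download/install/reboot actions from current to target."""
    cur_idx = FEATURE_ORDER.index(feature_of(current))
    tgt_idx = FEATURE_ORDER.index(feature_of(target))
    if tgt_idx < cur_idx:
        raise ValueError("downgrade paths are not covered by this procedure")
    steps = []
    # Every intermediate feature release: install its base image, then reboot.
    for feat in FEATURE_ORDER[cur_idx + 1:tgt_idx]:
        steps.append(f"Download and install PAN-OS {BASE_IMAGE[feat]} and reboot")
    # Target feature release: its base image only needs to be downloaded,
    # unless the base image is itself the target version.
    if tgt_idx > cur_idx:
        base = BASE_IMAGE[FEATURE_ORDER[tgt_idx]]
        if base != target:
            steps.append(f"Download PAN-OS {base} (no install needed)")
    if target != current:
        steps.append(f"Download and install PAN-OS {target} and reboot")
    return steps


def can_start_71_upgrade(current: str) -> bool:
    """Step 3's check: 7.0.1 or later must be installed before going to 7.1."""
    return tuple(int(p) for p in current.split(".")) >= (7, 0, 1)


def session_sync_preserved(current: str, target: str) -> bool:
    """Session sync keeps working across the staggered HA upgrade only when the
    peers move between consecutive feature releases (7.0.x -> 7.1 here)."""
    return FEATURE_ORDER.index(feature_of(target)) - FEATURE_ORDER.index(feature_of(current)) <= 1
```

For a pair still on 6.1.x, session_sync_preserved returns False, which is the case where the temporary non-syn-tcp setting in the later steps becomes relevant.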
Step 4. Install PAN-OS 7.1 on the passive device (active/passive) or on the active-secondary device (active/active). If your firewall does not have Internet access from the management port, you can download the software update from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.
  a. Check Now for the latest updates.
  b. Locate and Download the version to which you intend to upgrade.
  c. After the download completes, Install the update.
  d. After the installation completes successfully, reboot using one of the following methods:
     - If you are prompted to reboot, click Yes.
     - If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device (Device Operations section).
  After the reboot, the device will not be functional until the active/active-primary device is suspended.
Step 5. Suspend the active/active-primary firewall.
  a. On the active (active/passive) or active-primary (active/active) peer, select Device > High Availability > Operational Commands and Suspend local device.
  b. Select Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
  c. Verify that the firewall that took over as active (or active-primary) is passing traffic (Monitor > Session Browser).
  d. (Optional) If you have session synchronization enabled and you are currently running a PAN-OS version prior to 6.1.0, run the set session tcp-reject-non-syn no operational command. This rebuilds the session table so that sessions that started prior to the upgrade will continue.
Step 6. Install PAN-OS 7.1 on the other peer in the pair. If your firewall does not have Internet access from the management port, you can download the software update from the Palo Alto Networks Support Portal and then manually Upload it to your firewall.
  a. Check Now for the latest updates.
  b. Locate and Download the version to which you intend to upgrade.
  c. After the download completes, Install the update.
  d. After the installation completes successfully, reboot using one of the following methods:
     - If you are prompted to reboot, click Yes.
     - If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device in the Device Operations section.
  After the reboot, the device will not be functional until the active/active-primary device is suspended.
  e. (Optional) If you configured the firewall to temporarily allow non-syn-tcp traffic in the previous step so that it could rebuild the session table, revert by running the set session tcp-reject-non-syn yes command.
  If the preemptive option is configured, the current passive peer will revert to active when state synchronization is complete.
Step 7. Verify that the firewalls are passing traffic as expected. In an active/passive deployment, only the active peer should be passing traffic; in an active/active deployment, both peers should be passing traffic. Run the following CLI commands to confirm that the upgrade succeeded:
  - (Active peer(s) only) To verify that active peers are passing traffic, run the show session all command.
  - To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
    - In an active/passive configuration, only the active peer shows packets transmitted, and the passive device shows only packets received. If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets, because HA2 keep-alive is bidirectional: both peers transmit HA2 keep-alive packets.
    - In an active/active configuration, you will see packets received and packets transmitted on both peers.
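The HA2 counter expectations in the verification step, including the keep-alive exception for the passive peer, are easy to misread under time pressure, so here they are as a check over two counter readings. This is an added example, not Palo Alto Networks code; the readings are constructed dicts of the per-peer transmitted/received packet counters you would note from show high-availability interface ha2, not parsed CLI output, and the peer names are made up.

```python
from typing import Dict, List

# peer name -> {"tx": packets transmitted, "rx": packets received}
Snapshot = Dict[str, Dict[str, int]]


def ha2_sync_findings(before: Snapshot, after: Snapshot, mode: str,
                      active_peer: str, ha2_keepalive: bool) -> List[str]:
    """Compare two HA2 counter readings against the page's expectations.

    mode is 'active/passive' or 'active/active'; active_peer names the peer
    that is active (or active-primary). Returns a list of problems; an empty
    list means the counters moved as the verification step expects.
    """
    findings = []
    for peer in before:
        tx_up = after[peer]["tx"] > before[peer]["tx"]
        rx_up = after[peer]["rx"] > before[peer]["rx"]
        if mode == "active/active":
            # Both peers sync sessions to each other: tx and rx rise on both.
            if not (tx_up and rx_up):
                findings.append(f"{peer}: expected tx and rx to increase")
        elif peer == active_peer:
            # The active peer pushes session state: transmit must increase.
            if not tx_up:
                findings.append(f"{peer}: active peer is not transmitting")
        else:
            # The passive peer only receives, unless HA2 keep-alive is enabled,
            # in which case it also transmits keep-alive packets.
            if not rx_up:
                findings.append(f"{peer}: passive peer is not receiving")
            if ha2_keepalive and not tx_up:
                findings.append(f"{peer}: keep-alive enabled but no tx")
            if not ha2_keepalive and tx_up:
                findings.append(f"{peer}: passive peer transmitting without keep-alive")
    return findings


# Constructed sample readings (not real firewall output): fw-a is active,
# fw-b is passive, HA2 keep-alive disabled, readings taken a minute apart.
BEFORE = {"fw-a": {"tx": 1000, "rx": 0}, "fw-b": {"tx": 0, "rx": 990}}
AFTER = {"fw-a": {"tx": 1500, "rx": 0}, "fw-b": {"tx": 0, "rx": 1480}}

if __name__ == "__main__":
    print(ha2_sync_findings(BEFORE, AFTER, "active/passive", "fw-a", False))
```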