Palo Alto HA Firewall Upgrade Guide

Overview

Upgrading a High Availability (HA) pair of Palo Alto Networks firewalls requires careful planning to ensure minimal disruption. The following guide outlines the recommended steps for upgrading an HA pair, whether in active/passive or active/active configuration.

Upgrade Steps

Review Release Notes and Upgrade Path: Consult the PAN-OS Upgrade Guide to determine the appropriate upgrade path. If upgrading across multiple major versions (e.g., from 8.1 to 10.1), upgrade sequentially through each major version to maintain HA compatibility.
Backup Configurations: Export and securely store the current configurations from both firewalls.
Disable Preemption: On the primary firewall, navigate to Device > High Availability > Election Settings and disable the "Preemptive" option. Commit the changes.
Upgrade the Passive Firewall:
- Suspend the passive firewall by selecting Device > High Availability > Operational Commands and clicking "Suspend local device for high availability."
- Upgrade the PAN-OS software on the suspended firewall.
- Reboot the firewall after the upgrade completes.
- Once rebooted, restore HA functionality by selecting "Make local device functional for high availability."
Upgrade the Active Firewall:
- Suspend the active firewall to trigger a failover to the upgraded passive firewall.
- Repeat the upgrade process on the now-passive firewall.
- After rebooting, restore HA functionality.
Re-enable Preemption: On the primary firewall, re-enable the "Preemptive" option in the Election Settings and commit the changes.
Verify HA Status: Ensure both firewalls are synchronized and operating in their respective HA states. Use the show high-availability state CLI command to confirm HA status.

Mermaid Sequence Diagram

sequenceDiagram participant Admin participant FW1 as Firewall 1 participant FW2 as Firewall 2 Admin->>FW2: Suspend FW2 (Passive) Admin->>FW2: Upgrade PAN-OS Admin->>FW2: Reboot and restore HA Admin->>FW1: Suspend FW1 (Active) Admin->>FW1: Upgrade PAN-OS Admin->>FW1: Reboot and restore HA Admin->>FW1: Re-enable Preemption Admin->>FW1: Verify HA Status

Sample PCNSE Exam Questions

Question 1: An administrator plans to upgrade an HA pair from PAN-OS 8.1.17 to 10.1. What is the recommended upgrade path to maintain HA synchronization?

A. Upgrade directly to PAN-OS 10.1
B. Upgrade both firewalls simultaneously
C. Upgrade sequentially through each major version (e.g., 8.1 → 9.0 → 10.0 → 10.1)
D. Upgrade the active firewall first, then the passive

Correct Answer: C

Explanation: When upgrading across multiple major versions, it's essential to upgrade sequentially through each major version to ensure HA compatibility and prevent synchronization issues. Source

Question 2: Which two conditions must be met when configuring a high availability (HA) pair? (Choose two.)

A. Both firewalls must have identical licenses.
B. Firewalls can have different hardware models.
C. Both firewalls must run the same PAN-OS version.
D. Firewalls can have different interface configurations.

Correct Answers: A, C

Explanation (continued): For a successful High Availability (HA) configuration, both firewalls must meet specific requirements:

Identical Licenses: Each firewall must have the same set of licenses. Discrepancies in licensing can prevent configuration synchronization and seamless failover. Source
Same PAN-OS Version: Both firewalls should run the same PAN-OS version to ensure compatibility and proper synchronization. Source
Same Model and Interface Types: The firewalls must be of the same model and have the same type of interfaces configured for HA. Source
HA1 and HA2 IP Address Configuration: Proper configuration of HA1 (control link) and HA2 (data link) IP addresses is essential. The HA1 IP addresses must be on the same subnet if directly connected or connected to the same switch. Source

Upgrade Guide for Palo Alto HA Firewall Pair

Overview

Upgrade Steps

Mermaid Sequence Diagram

Sample PCNSE Exam Questions

Additional Resources