Upgrade Palo Firewalls (CLI)

Upgrade a standalone firewall:
1. On the Primary firewall, suspend the Primary firewall to make the Secondary firewall active.
CLI
> request high-availability state suspend
GUI
Device > High Availability > Operations > click Suspend local device.
NOTE: This will cause an HA failover. We recommend doing this first to verify the HA functionality is working before initiating the upgrade. Production traffic is now going through the Secondary firewall which is now active.

2. Ask your business owners to verify that all applications are working on the network. If there is a problem, skip to the troubleshooting section and fix it before proceeding with the upgrade.

3. Upgrade the Primary firewall. You can do this either by downloading and installing the software directly on the firewall itself or via the Panorama Device Deployment > Software option.
To display a list of available PAN-OS software, use the following command:
> request system software info
If the desired software version is not listed, the list of available PAN-OS versions can be retrieved with the following command:
> request system software check
If the desired software version has not been marked as downloaded, download it first:
> request system software download version 7.1.14
Use the following command to install the downloaded software:
> request system software install version 7.1.14
After installation, reboot the device using the below command:
> request restart system

4. Download and install 7.1.14, then reboot to complete the install.

5. On the Primary firewall, verify that the auto commit completes successfully (FIN OK) by running the following command before proceeding to the next step:
> show jobs all
Run the following command to make Primary firewall functional again:
> request high-availability state functional

6. This concludes upgrade on the Primary firewall.

Upgrade HA firewalls (Same Maintenance release):
1. Download the software and let it sync between the two.

It is recommended to upgrade the Primary firewall first and then upgrade the Secondary firewall. This is done for 2 reasons:

1.) Ensure that HA failover is working properly and
2.) Ensure that the passive firewall is working properly and passing traffic fine.

Disable preemption if enabled. Disable preemption in the High Availability settings to avoid unexpected failovers. The configuration change that disables preemption must be committed on both peers. Likewise, once the upgrade is completed, re-enabling it must be committed on both peers.
To disable: Go to Device > High Availability > General > Election Settings <hit edit> and uncheck Preemptive.
Then, perform a commit.

NOTE: This procedure relies on the administrator having arranged access to the devices at all times, either by being local or by having OOB connectivity to the management network, which is best practice when upgrading the firewall. Where neither is possible, it is a good idea to change the procedure slightly to ensure you don't lose connectivity, at the cost of having a less rigid upgrade path.

Leaving preemption enabled requires you to keep this setting in mind during the whole process, as it could unexpectedly switch over the active membership while upgrading.

Primary firewall Upgrade procedure:
1. On the Primary firewall, suspend the Primary firewall to make the Secondary firewall active.
CLI
> request high-availability state suspend
GUI
Device > High Availability > Operations > click Suspend local device.
NOTE: This will cause an HA failover. We recommend doing this first to verify the HA functionality is working before initiating the upgrade. Production traffic is now going through the Secondary firewall which is now active.

2. Ask your business owners to verify that all applications are working on the network. If there is a problem, skip to the troubleshooting section and fix it before proceeding with the upgrade.

3. Upgrade the Primary firewall. You can do this either by downloading and installing the software directly on the firewall itself or via the Panorama Device Deployment > Software option.
To display a list of available PAN-OS software, use the following command:
> request system software info
If the desired software version is not listed, the list of available PAN-OS versions can be retrieved with the following command:
> request system software check
If the desired software version has not been marked as downloaded, download it first:
> request system software download version 7.1.14
Use the following command to install the downloaded software:
> request system software install version 7.1.14
After installation, reboot the device using the below command:
> request restart system

4. Download and install 7.1.14, then reboot to complete the install.

5. On the Primary firewall, verify that the auto commit completes successfully (FIN OK) by running the following command before proceeding to the next step:
> show jobs all
Run the following command to make Primary firewall functional again:
> request high-availability state functional

6. This concludes upgrade on the Primary firewall.

Secondary firewall upgrade procedure:
1. Suspend the Secondary firewall to make the Primary firewall active.
From the Secondary firewall, suspend the High Availability function:
CLI:
> request high-availability state suspend
GUI:
Device > High Availability > Operations > click Suspend local device.

Note: This will cause an HA failover. Production traffic is now going through the Primary firewall with the new software installed.

2. Ask your business owners to verify that all applications are working on the network. If there is a problem, skip to the troubleshooting section and fix it before proceeding with the upgrade.

3. Upgrade the Secondary firewall. You can do this either by downloading and installing the software directly on the firewall itself or via the Panorama Device Deployment > Software option.

4. Download and install 8.0.5, then reboot to complete the install.

5. Verify that the auto commit completes successfully (FIN OK) by running the following command before proceeding to the next step:
> show jobs all
Run the following command to make Secondary firewall functional again:
> request high-availability state functional

6. This concludes upgrade on the Secondary firewall
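
An added example, not part of the original post: a Python check that reads a saved capture of `show jobs all` and reports whether the auto commit job has reached FIN OK, the gate in step 5 of each procedure above. The sample captures are constructed, and the column layout and the function names parse_jobs and autocommit_state are assumptions.

```python
import re

# Constructed captures of `show jobs all`. The column layout is an assumption
# and differs between PAN-OS releases, so the parser keys on tokens, not offsets.
HEADER = "Enqueued             Dequeued  ID  Type     Status Result Completed\n"
SAMPLE_OK = HEADER + (
    "2018/01/10 09:14:02  09:14:02   2  Commit   FIN    OK     09:15:40\n"
    "2018/01/10 09:05:11  09:05:11   1  AutoCom  FIN    OK     09:07:58\n")
SAMPLE_RUNNING = HEADER + (
    "2018/01/10 09:05:11  09:05:11   1  AutoCom  ACT    PEND   45%\n")
SAMPLE_FAILED = HEADER + (
    "2018/01/10 09:05:11  09:05:11   1  AutoCom  FIN    FAIL   09:07:58\n")

ROW = re.compile(r"^\d{4}/\d{2}/\d{2}\s")   # data rows start with a date
STATUSES = {"FIN", "ACT", "PEND"}


def parse_jobs(text):
    """Return one dict per job row: id, type, status, result."""
    jobs = []
    for line in text.splitlines():
        if not ROW.match(line):
            continue                      # header, separator or blank line
        tok = line.split()
        # Find the Status column; Type is the token before it, Result after.
        idx = next((i for i in range(5, len(tok) - 1) if tok[i] in STATUSES), None)
        if idx is None or not tok[3].isdigit():
            continue
        jobs.append({"id": int(tok[3]), "type": tok[idx - 1],
                     "status": tok[idx], "result": tok[idx + 1]})
    return jobs


def autocommit_state(text):
    """Return 'ok' only when the newest auto commit job shows FIN and OK."""
    auto = [j for j in parse_jobs(text) if j["type"].lower().startswith("autocom")]
    if not auto:
        return "missing"                  # job not enqueued yet: keep waiting
    job = max(auto, key=lambda j: j["id"])
    if job["status"] != "FIN":
        return "running"
    return "ok" if job["result"] == "OK" else "failed"


if __name__ == "__main__":
    for name, capture in [("ok", SAMPLE_OK), ("running", SAMPLE_RUNNING),
                          ("failed", SAMPLE_FAILED), ("empty", HEADER)]:
        print(name, "->", autocommit_state(capture))
```

Only an 'ok' result should be followed by `request high-availability state functional`; 'running' and 'missing' mean wait and re-check, and 'failed' means stop and investigate.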
