
Palo Alto PAN-OS upgrade HA cluster

Palo Alto PAN-OS Upgrade
Intro
You need to understand the following things before you start:
• You cannot skip installation of any feature release version in the path to your target PAN-OS release. Additionally, it is best practice to always download and install the latest maintenance release for each feature release and then reboot before you install the base image for the next feature release. This applies to each feature release through which you pass in the upgrade path.
• For any PAN-OS version prior to PAN-OS 8.0 (so PAN-OS 7.1 and lower) it is recommended to go to the latest maintenance release first, to prevent running into snags or issues during the upgrade.
• To maintain HA sync and activity, upgrade the HA pair in tandem, one feature release at a time. If you upgrade one device by two feature releases, the newly upgraded device will stay in suspended mode with the error "peer OS too old". So, when you start the first OS upgrade on the second HA device, you will lose network connectivity until that upgrade is completed, the first device is moved out of suspended mode into passive mode, and HA capabilities resume functioning.
• The ABCD firewall is configured in an Active/Passive HA cluster managed by Panorama (this is the most common configuration in use today). We are not covering Active/Active, non-HA scenarios or scenarios where there is no Panorama installed.
• In this example, we are upgrading a hypothetical customer ABCD from PAN-OS 7.0.16 to 8.0.12 (with 7.1 as an interim step).
Terminology
Active firewall
The firewall in an HA cluster that's passing traffic
Passive firewall
The firewall in an HA cluster that's not passing traffic
Primary firewall
The firewall in an HA cluster that's usually the active firewall
Secondary firewall
The firewall in an HA cluster that's usually the passive firewall
Feature release
Contains new features and bug fixes, typically ends with .0 (e.g. 8.0.0)
Maintenance release
Bug fixes only, typically ends with a non-zero number (e.g. 8.0.12)
The following things need to be checked before you start:
• Before the upgrade, make sure the firewall is running a version of Applications and Threats content (content version, shown under Device > Dynamic Updates) that meets the minimum requirement of the new PAN-OS (see the release notes: https://www.paloaltonetworks.com/documentation.html). We recommend always running the latest version of content to ensure the most accurate and effective protections are being applied.
SecureLink N.V. • Uilenbaan 80 • 2160 Wommelgem
+32 3 641 9595 • info@securelink.be
www.securelink.net
Before upgrading: Backup & Staging
• Back up the configuration and device state before the upgrade:
Device > Setup > Operations > Save Named Configuration Snapshot
Device > Setup > Operations > Export Named Configuration Snapshot
Device > Setup > Operations > Export Device State
• Stage/download the necessary PAN-OS images ahead of time. You will need both the base image and the latest maintenance release of each feature release on the path. A base image only needs to be installed; the reboot can wait until the maintenance release is installed (for 8.0 the procedure below recommends rebooting after the base image as well). In this case, we need to download the following versions:
7.0.18 (it is recommended to bring your current feature release to the latest recommended maintenance release before proceeding)
7.1.0 (base image) (NOTE: If you are on a maintenance release earlier than 7.0.6, you must install 7.0.6 before 7.1.0 will show up on your software download page)
7.1.14
8.0.0 for firewalls, 8.0.2 for Panorama (base image) (NOTE: the 8.0 base image and maintenance versions will not become visible in the download section until you have a version of 7.1 installed)
8.0.12
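The Intro rules (no feature release may be skipped; take each feature release to its latest maintenance release before the next base image) and the two staging NOTEs about which images are visible for download can be written down as a small planner. The following is an added example for this page, not SecureLink's or Palo Alto Networks' own tooling: the latest maintenance numbers come from the staging list above, while FEATURE_ORDER, MIN_MAINT_FOR_NEXT, and the generalised visibility rule in visible_from() are assumptions that would be checked against the support portal's software page in practice.

```python
"""Upgrade-path and staging planner for the feature-release rules on this page.

Added example; not SecureLink's or Palo Alto Networks' own tooling.  It encodes
the Intro rule that no feature release may be skipped and that each feature
release is taken to its latest maintenance release before the next base image,
plus the staging NOTEs about which images are visible for download.
"""

# Assumption: the feature releases this page passes through, in upgrade order.
FEATURE_ORDER = ["7.0", "7.1", "8.0"]

# Latest recommended maintenance number per feature release (from the staging list).
LATEST_MAINTENANCE = {"7.0": 18, "7.1": 14, "8.0": 12}

# Maintenance level that must be installed before the next feature release's
# images appear on the download page (from the 7.0.6 NOTE above; assumption
# that this is the only such prerequisite on the path).
MIN_MAINT_FOR_NEXT = {"7.0": 6}


def parse_version(version):
    """Split '7.0.16' into ('7.0', 16): feature release and maintenance number."""
    major, minor, maint = version.split(".")
    return f"{major}.{minor}", int(maint)


def plan_upgrade(current, target):
    """Ordered list of images to install to get from `current` to `target`.

    1. bring the current feature release to its latest maintenance release;
    2. for every later feature release up to the target, install the base image
       (x.y.0) and then that release's latest maintenance release, skipping none;
    3. the last image is the requested target itself.
    Raises ValueError for downgrades or feature releases not in FEATURE_ORDER.
    """
    cur_feat, cur_maint = parse_version(current)
    tgt_feat, tgt_maint = parse_version(target)
    if cur_feat not in FEATURE_ORDER or tgt_feat not in FEATURE_ORDER:
        raise ValueError("unknown feature release; extend FEATURE_ORDER")
    start, end = FEATURE_ORDER.index(cur_feat), FEATURE_ORDER.index(tgt_feat)
    if (start, cur_maint) > (end, tgt_maint):
        raise ValueError("downgrade paths are out of scope for this planner")
    if start == end:
        return [target] if cur_maint < tgt_maint else []

    images = []
    latest = LATEST_MAINTENANCE[cur_feat]
    if cur_maint < latest:
        images.append(f"{cur_feat}.{latest}")
    for feat in FEATURE_ORDER[start + 1:end + 1]:
        images.append(f"{feat}.0")  # base image of the next feature release, never skipped
        maint = tgt_maint if feat == tgt_feat else LATEST_MAINTENANCE[feat]
        images.append(f"{feat}.{maint}")
    return images


def visible_from(installed, image):
    """Whether `image` is offered for download while `installed` is installed.

    Model of the two staging NOTEs (assumption: generalised to any release):
    a feature release's images appear once the same or the previous feature
    release is installed, and crossing into the next feature release also
    requires the maintenance level listed in MIN_MAINT_FOR_NEXT.
    """
    inst_feat, inst_maint = parse_version(installed)
    img_feat, _ = parse_version(image)
    gap = FEATURE_ORDER.index(img_feat) - FEATURE_ORDER.index(inst_feat)
    if gap > 1:
        return False
    return gap < 1 or inst_maint >= MIN_MAINT_FOR_NEXT.get(inst_feat, 0)


def staging_plan(current, target):
    """Group plan_upgrade() output by the version that must be installed first.

    Returns [(installed_version, [images]), ...]: the first group is what can
    be staged now; each later group only becomes visible after its key image
    has been installed, so it cannot be downloaded ahead of time.
    """
    images = plan_upgrade(current, target)
    groups = [(current, [])]
    for image in images:
        key = groups[-1][0]
        if not visible_from(key, image):
            # Earliest planned image whose installation unlocks this download.
            key = next(p for p in images if visible_from(p, image))
            groups.append((key, []))
        groups[-1][1].append(image)
    return groups


if __name__ == "__main__":
    for installed, group in staging_plan("7.0.16", "8.0.12"):
        print(f"once {installed} is installed, download: {', '.join(group)}")
```

For the page's own case the planner yields 7.0.18, 7.1.0, 7.1.14, 8.0.0, 8.0.12, and staging_plan() shows that only the first three can be pulled from 7.0.16; the two 8.0 images have to wait until 7.1.0 is on the box, which is why "stage everything ahead of time" has a limit worth knowing before the change window starts.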
• Following the PAN-OS upgrade, you may need to upgrade associated software (such as the GlobalProtect agent or the User-ID agent). It's strongly recommended to install the latest available User-ID agent: 8.0.11.
• See the Associated Software Versions chart in the release notes.
• (Optional but recommended) Arrange for out-of-band access (console access) to the firewall if possible. This is to help recover from any unexpected situation where we lose connectivity to the firewall after the upgrade.
Firewall upgrade procedure (HA)
It is recommended to upgrade the Primary firewall first and then upgrade the Secondary firewall. This is
done for two reasons:
1.) Ensure that HA failover is functioning properly and
2.) Ensure that the passive firewall is functioning properly and is able to pass traffic without issues.
• Disable preemption if it is enabled. Disable preemption in the High Availability settings to avoid unexpected failovers. The configuration change that disables preemption must be committed on both peers. Likewise, once the upgrade is complete, re-enabling it must be committed on both peers.
To disable: go to Device > High Availability > General > Election Settings, click edit and uncheck Preemptive. Then perform a commit.
NOTE: This procedure relies on the administrator having arranged access to the devices at all times, either by being on site or by having out-of-band connectivity to the management network, which is best practice when upgrading the firewall. If neither is possible, adapt the procedure slightly so that you do not lose connectivity, at the cost of a less rigid upgrade path.
If preemption is left enabled, keep that in mind during the whole process, as it could unexpectedly switch the active role back while you are upgrading.
Primary firewall upgrade procedure
1. On the Primary firewall, suspend the Primary firewall to make the Secondary firewall active.
CLI:
> request high-availability state suspend
GUI:
Device > High Availability > Operations > click Suspend local device.
NOTE: This will cause an HA failover. We recommend doing this first to verify that HA functionality is working before initiating the upgrade. Production traffic is now going through the Secondary firewall, which is now active.
2. Ask your business owners to verify that all applications are working on the network. If there is a problem, skip to the troubleshooting section and fix it before proceeding with the upgrade.
3. Upgrade the Primary firewall. You can do this either by downloading and installing the software directly on the firewall itself or via Panorama > Device Deployment > Software.
4. Download, install and reboot 7.0.18.
5. Download and install 7.1.0 (base version).
6. Download and install 7.1.14, and reboot to complete the upgrade.
7. Save/export a tech support file and the device state, and save a named configuration snapshot (in case a downgrade is needed).
8. Download 8.0.0 (base version). (Recommended) Install the 8.0 base image and reboot before you install the target maintenance release.
9. Download and install 8.0.12, and reboot to complete the upgrade.
10. On the Primary firewall, verify that the auto-commit completed successfully (FIN OK) by running the following command before proceeding to the next step:
> show jobs all
Run the following command to make the Primary firewall functional again:
> request high-availability state functional
NOTE: At this point the Secondary is still on 7.0.16 while the Primary is on 8.0.12, two feature releases ahead. As described in the Intro, the Primary can then remain suspended with the error "peer OS too old" until the Secondary has reached 7.1, so expect a traffic interruption while the Secondary is upgraded. If that is not acceptable, take both peers through 7.1 first and only then both through 8.0.
11. This concludes the upgrade on the Primary firewall.
Secondary firewall upgrade procedure:
1. Suspend the Secondary firewall to make the Primary firewall active. From the Secondary firewall, suspend the High Availability function.
CLI:
> request high-availability state suspend
GUI:
Device > High Availability > Operations > click Suspend local device.
NOTE: This will cause an HA failover. Production traffic is now going through the Primary firewall with the new software installed. If the Primary was left suspended with "peer OS too old" (see the Intro), no firewall is passing traffic until the Secondary has been upgraded to 7.1 and HA resumes.
2. Ask your business owners to verify that all applications are working on the network. If there is a problem, skip to the troubleshooting section and fix it before proceeding with the upgrade.
3. Upgrade the Secondary firewall. You can do this either by downloading and installing the software directly on the firewall itself or via Panorama > Device Deployment > Software.
4. Download, install and reboot 7.0.18.
5. Download and install 7.1.0 (base version).
6. Download and install 7.1.14, and reboot to complete the install.
7. Save/export a tech support file and the device state, and save a named configuration snapshot (in case a downgrade is needed).
8. Download 8.0.0 (base version). (Recommended) Install the 8.0 base image and reboot before you install the target maintenance release.
9. Download and install 8.0.12, and reboot to complete the install.
10. Verify that the auto-commit completed successfully (FIN OK) by running the following command before proceeding to the next step:
> show jobs all
Run the following command to make the Secondary firewall functional again:
> request high-availability state functional
11. This concludes the upgrade on the Secondary firewall.
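Step 10 of both procedures asks for a manual read of `show jobs all` before `request high-availability state functional`, and the Intro and the preemption bullet add two more things worth confirming at that moment: the peer is within one feature release (otherwise "peer OS too old") and preemption is still off. The following is an added example, not part of the SecureLink procedure or of PAN-OS, that applies those checks to XML shaped like the PAN-OS XML API responses for `show jobs all` and `show high-availability state`. The sample documents are constructed; the element names relied on (job/type, job/status, job/result, group/local-info/state, peer-info/state, build-rel, local-info/preemptive) and the FEATURE_ORDER list are assumptions about the API output and must be confirmed against a real firewall before anyone automates on them.

```python
"""Pre-flight gate for `request high-availability state functional`.

Added example; not part of the SecureLink procedure or of PAN-OS.  It checks,
on XML shaped like the PAN-OS XML API responses, that the auto-commit finished
FIN OK, that the peer is active and within one feature release, and that
preemption is still disabled.  Element names are assumptions (see lead-in).
"""
import xml.etree.ElementTree as ET

# Assumption: feature releases in order, for the "at most one release apart" rule.
FEATURE_ORDER = ["7.0", "7.1", "8.0"]

# Constructed: `show jobs all` after the post-upgrade reboot, auto-commit finished.
JOBS_DONE = """<response status="success"><result>
<job><id>1</id><type>AutoCom</type><status>FIN</status><result>OK</result><progress>100</progress></job>
<job><id>2</id><type>Install</type><status>FIN</status><result>OK</result><progress>100</progress></job>
</result></response>"""

# Constructed: the same command while the auto-commit is still running.
JOBS_PENDING = """<response status="success"><result>
<job><id>1</id><type>AutoCom</type><status>ACT</status><result>PEND</result><progress>35</progress></job>
</result></response>"""

# Constructed: `show high-availability state` on the suspended, upgraded unit
# while the peer is active and one feature release behind.
HA_PEER_71 = """<response status="success"><result>
<enabled>yes</enabled>
<group>
<local-info><state>suspended</state><build-rel>8.0.12</build-rel><preemptive>no</preemptive></local-info>
<peer-info><state>active</state><build-rel>7.1.14</build-rel></peer-info>
</group>
</result></response>"""

# Constructed: the case the Intro warns about, the peer still on 7.0.
HA_PEER_70 = HA_PEER_71.replace("7.1.14", "7.0.16")


def feature_index(version):
    """Position of a version's feature release in FEATURE_ORDER ('8.0.12' -> 2)."""
    return FEATURE_ORDER.index(".".join(version.split(".")[:2]))


def autocommit_done(jobs_xml):
    """True only when an AutoCom job is listed with status FIN and result OK."""
    root = ET.fromstring(jobs_xml)
    for job in root.iterfind("./result/job"):
        if job.findtext("type") == "AutoCom":
            return job.findtext("status") == "FIN" and job.findtext("result") == "OK"
    return False  # no auto-commit job listed yet: do not proceed


def ha_state(ha_xml):
    """Extract the fields the gate needs from `show high-availability state`."""
    group = ET.fromstring(ha_xml).find("./result/group")
    return {
        "local_state": group.findtext("local-info/state"),
        "local_build": group.findtext("local-info/build-rel"),
        "preemptive": group.findtext("local-info/preemptive"),
        "peer_state": group.findtext("peer-info/state"),
        "peer_build": group.findtext("peer-info/build-rel"),
    }


def functional_gate(jobs_xml, ha_xml):
    """Return (ok, reasons); ok is True only when every precondition holds."""
    reasons = []
    if not autocommit_done(jobs_xml):
        reasons.append("auto-commit has not finished with FIN OK; re-run show jobs all")
    ha = ha_state(ha_xml)
    if ha["peer_state"] != "active":
        reasons.append(f"peer is {ha['peer_state']}, not active; traffic is unprotected")
    if ha["preemptive"] != "no":
        reasons.append("preemption is enabled; keep it off until both peers are upgraded")
    if feature_index(ha["local_build"]) - feature_index(ha["peer_build"]) > 1:
        reasons.append(f"peer on {ha['peer_build']} is more than one feature release "
                       f"behind {ha['local_build']}; expect 'peer OS too old'")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, ha_xml in (("peer on 7.1.14", HA_PEER_71), ("peer on 7.0.16", HA_PEER_70)):
        ok, reasons = functional_gate(JOBS_DONE, ha_xml)
        print(label, "->", "go" if ok else "hold: " + "; ".join(reasons))
```

With the peer on 7.1.14 the gate passes; with the peer still on 7.0.16 it holds, which is exactly the situation the page's procedure creates after the Primary reaches 8.0.12, so the output is a reminder to plan the Secondary's upgrade window rather than a surprise at the console.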
Pre-upgrade checklist (run through this on each firewall before its upgrade):
• (Optional but recommended) Arrange for out-of-band access (console access) to the firewall if possible. This is again to help recover from any unexpected situation where we are unable to log in to the firewall.
• Back up the config and device state files, just in case.
• Make sure no policy or configuration changes are being made by acquiring a config lock (click the padlock icon in the upper right-hand corner of the GUI).
• Make sure there are no pending commit jobs on the firewall.
(Optional but recommended) Post-upgrade verification
• Now that both the Primary and Secondary firewalls are running the new software, it's a good idea to test the failover functionality again.
• Run the following command on the Primary firewall to suspend it and fail traffic over to the Secondary firewall:
> request high-availability state suspend
• Ask your business owners to verify that all applications are working on the network through the Secondary firewall. If there is a problem, skip to the troubleshooting section.
• Run the following CLI command to make the Primary firewall functional again:
> request high-availability state functional
• Repeat the process to verify that traffic works fine through the Primary firewall (suspend the Secondary firewall, test functionality on the Primary firewall, then re-enable the Secondary firewall).
• This concludes the failover test.
• (Optional but recommended) Re-enable preemption if it was disabled for the upgrade. The configuration change that re-enables preemption must be committed on both peers.
• Go to Device > High Availability > Election Settings and check Preemptive. Then perform a commit on both peers.
• This completes the upgrade on the HA pair.