Embedded Files
Maintenance Preperation
Maintenance Preperation
Confirm there are no pending changes to be committed.
Take a named configuration snapshot from both devices.
Export the named snapshots to your local workstation for backup.
Validate SSH access is available to both firewalls.
Review release notes and check for known issues with the target PAN-OS version.
If jumping multiple versions, determine if an intermediate upgrade is required.
Taking a device backup
Taking a device backup
Backups should be taken and exported prior to the upgrade.
Navigate to Device > Setup > Operations
Click Save Named Configuration Snapshot
3. Click Export Named Configuration Snapshot and download to your workstation
Minimizing Downtime
Minimizing Downtime
The upgrade process should be staged across both firewalls to limit impact:
Start with the passive (backup) node
After verifying the upgrade, fail over to the upgraded node
Then upgrade the second (previously active) node
Note: While downtime is minimized, some packets may be dropped during failover. Plan to perform the upgrade during a maintenance window.
Disable Preemtive failover
Disable Preemtive failover
Preemptive failover should be disabled to avoid unnecessary role changes during the upgrade process.
Navigate to Device > High Availability > General > Election Settings
Uncheck Preemptive on both firewalls
Commit the changes on each firewall
Upgrade Passive firewall
Upgrade Passive firewall
Navigate to Device > Software
Click Check Now to refresh available software versions
Download the desired PAN-OS version
If already downloaded, re-download to avoid potential issues
After download completes, click Install
Do not reboot immediately unless ready
Once installed, schedule or manually reboot the passive device to complete the upgrade
After reboot, confirm:
Device is running the new PAN-OS version
HA shows version mismatch (expected)
Configuration sync is still successful
Upgrade Active firewall
Upgrade Active firewall
On the active firewall, navigate to Device > High Availability > Operational Commands
Click Suspend local device
This forces a failover to the already-upgraded node
GlobalProtect and existing sessions should remain active during failover
On the now-passive firewall:
Navigate to Device > Software
Download and install the same PAN-OS version
Reboot the firewall when ready
Validation check
Validation check
After both firewalls are upgraded:
Confirm HA status is synchronized
Validate the following services:
DHCP service
Internet access and security services (URL filtering, WildFire, etc.)
VPN tunnel re-establishment
Remote access VPN functionality (GlobalProtect – both staff and admin)
Outbound and inbound traffic
Dynamic routing neighbors (BGP, OSPF, RIP) reestablish correctly
Enable Preemptive
Enable Preemptive
Navigate to Device > High Availability > General > Election Settings
Re-check the Preemptive box on both firewalls
Commit the changes
Page updated
Google Sites
Report abuse