How to Upgrade a Palo Alto Firewall

Palo Alto firewall upgrade procedure from any version. We live in a time where keeping your devices up to date is essential for network security. In this article, we will demonstrate how to upgrade a Palo Alto firewall (an HA pair managed from Panorama) to the latest version.

Pre-Upgrade activities

STEP 1 – Save a backup of the current configuration file (take a backup of the configuration from both HA peers)

Perform these steps on each firewall in the pair:

  1. Select Device > Setup > Operations and click Save named configuration snapshot (optional), or go to step 2.
  2. Select Device > Setup > Operations and click Export named configuration snapshot.
  3. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
  4. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
  5. Select Device > Setup > Operations > Export Device State (for devices that are managed from Panorama).

STEP 2 – Verify HA Settings

  1. Verify priorities are set properly: Device > High Availability > Election Settings > Device Priority

(Make sure the active device has the lower priority value)

  2. Verify Preemptive is disabled: Device > High Availability > Election Settings > Preemptive is unchecked

(This ensures there is no sudden role change during the upgrade)

STEP 3 – Make sure each device is running Content Release version 401 or later.

  1. Select Device > Dynamic Updates.
  2. Check the Applications and Threats or Applications section to determine what update is currently running.
  3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  4. Locate the desired update and click Download.
  5. After the download completes, click Install.

STEP 4 – Verify all are in sync (Apps & Threats, URL DB and running configs are in sync)

This can be done from the firewall dashboard GUI > High Availability widget.
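As an added example (not part of the article), the pre-upgrade gates of Steps 2 to 4 expressed as a script: it parses a constructed response shaped like the firewall's XML API output for "show high-availability state" (the element names are an assumption) and reports which gates fail.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the XML API response to "show high-availability state";
# the element names are an assumption, verify them against a real response.
SAMPLE_HA_STATE = """<response status="success"><result><group>
  <local-info>
    <state>active</state>
    <priority>100</priority>
    <preemptive>no</preemptive>
    <app-version>587-3333</app-version>
    <running-sync>synchronized</running-sync>
  </local-info>
  <peer-info>
    <priority>110</priority>
    <app-version>587-3333</app-version>
  </peer-info>
</group></result></response>"""

MIN_CONTENT_RELEASE = 401  # Step 3 of the pre-upgrade checks

def text(root, path, default=""):
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else default

def content_release(app_version):
    # app-version looks like "587-3333"; the content release is the part before the dash
    return int(app_version.split("-")[0])

def preupgrade_checks(ha_xml):
    # Returns gate name -> pass/fail for the HA pair described by ha_xml
    root = ET.fromstring(ha_xml)
    local, peer = "./result/group/local-info/", "./result/group/peer-info/"
    active_prio = int(text(root, local + "priority", "0"))
    passive_prio = int(text(root, peer + "priority", "0"))
    if text(root, local + "state") != "active":  # local unit is the passive one
        active_prio, passive_prio = passive_prio, active_prio
    local_app, peer_app = text(root, local + "app-version", "0-0"), text(root, peer + "app-version", "0-0")
    return {
        "active_has_lower_priority": active_prio < passive_prio,
        "preemptive_disabled": text(root, local + "preemptive") == "no",
        "content_401_or_later": min(content_release(local_app), content_release(peer_app)) >= MIN_CONTENT_RELEASE,
        "content_in_sync": local_app == peer_app,
        "running_config_in_sync": text(root, local + "running-sync") == "synchronized",
    }

def ready_to_upgrade(ha_xml):
    checks = preupgrade_checks(ha_xml)
    return all(checks.values()), sorted(k for k, v in checks.items() if not v)
```

Fetch a real response with the XML API operational call (type=op) on each peer and pass it to ready_to_upgrade; a non-empty failure list means stop before starting the upgrade steps.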

FW UPGRADE STEPS FROM PANORAMA

STEP 1 – Upgrade FW B (Standby/Passive) & Reboot – Upgrade to 7.0.19 (usually Node B, but please check which node is passive)

Log in to Panorama, then go to the secondary (B) firewall that will be upgraded and do the following:

  1. Go to Device > Software.
  2. Click Check Now to check for the latest updates.
  3. Locate the base and target versions you want to upgrade to (7.0.1 and 7.0.19), then click Download for both.
  4. After the downloads complete, click Install on 7.0.19.
  5. After the install completes, reboot using one of the following methods:
  • If you are prompted to reboot, click Yes.
  • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device in the Device Operations section. After the reboot, the device will not be functional until the active (or active-primary) device is suspended.
  6. Switch back to Panorama to check the firewall reboot status by going to Panorama > Managed Devices and looking for your firewall's status (whether it is connected and what version it's on).

STEP 2 – Make FW B active & A passive (Suspend FW A)

Fail traffic over from FW A to FW B and check traffic on B: suspend the primary firewall (usually Node A). The secondary firewall will take over and become active, so check traffic on the upgraded firewall; the primary firewall is now passive and ready for upgrade.

  1. Log in to FW A from Panorama and select Device > High Availability > Operational Commands.
  2. Click Suspend local device.
  3. Select the Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
  4. Verify that the firewall that took over as active or active-primary (the secondary firewall) is passing traffic by selecting Monitor > Session Browser.
  5. Revert the suspended firewall back to functional: Device > High Availability > Operational Commands > Make device functional (the button will now read Suspend local device).

STEP 3 – Upgrade FW A (Standby) & Reboot – Upgrade to 7.X.XX

  1. Go to Device > Software.
  2. Click Check Now to check for the latest updates.
  3. Locate the base and target versions you want to upgrade to (7.0.1 and 7.0.19), then click Download for both.
  4. After the downloads complete, click Install on 7.0.19.
  5. After the install completes, reboot using one of the following methods:
  • If you are prompted to reboot, click Yes.
  • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device in the Device Operations section. After the reboot, the device will not be functional until the active (or active-primary) device is suspended.
  6. Switch back to Panorama to check the firewall reboot status by going to Panorama > Managed Devices and looking for your firewall's status (whether it is connected and what version it's on).

STEP 4 – Make FW A active & B passive – (Suspend FW B)

Fail traffic over from FW B to FW A (suspend FW B) and check traffic on FW A.

  1. Log in to FW B from Panorama and select Device > High Availability > Operational Commands.
  2. Click Suspend local device.
  3. Select the Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
  4. Log in to FW A and verify that the firewall that took over as active or active-primary is passing traffic by selecting Monitor > Session Browser.
  5. Revert the suspended firewall back to functional: Device > High Availability > Operational Commands > Make device functional (the button will now read Suspend local device).

STEP 5 – Upgrade FW B (Standby) & Reboot – Upgrade to 7.1.14

  1. Go to Device > Software.
  2. Click Check Now to check for the latest updates.
  3. Locate the base and target versions you want to upgrade to (7.1.0 and 7.1.14), then click Download for both.
  4. After the downloads complete, click Install on 7.1.14.
  5. After the install completes, reboot using one of the following methods:
  • If you are prompted to reboot, click Yes.
  • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device in the Device Operations section. After the reboot, the device will not be functional until the active (or active-primary) device is suspended.
  6. Switch back to Panorama to check the firewall reboot status by going to Panorama > Managed Devices and looking for your firewall's status (whether it is connected and what version it's on).

STEP 6 – Make FW B active & A passive (Suspend FW A)

Fail traffic over from FW A to FW B and check traffic on B (suspend FW A).

  1. Log in to FW A from Panorama and select Device > High Availability > Operational Commands.
  2. Click Suspend local device.
  3. Select the Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
  4. Verify that the firewall that took over as active or active-primary (the secondary firewall) is passing traffic by selecting Monitor > Session Browser.

STEP 7 – Upgrade FW A (Standby) & Reboot – Upgrade to 7.1.14

  1. Go to Device > Software.
  2. Click Check Now to check for the latest updates.
  3. Locate the base and target versions you want to upgrade to (7.1.0 and 7.1.14), then click Download for both.
  4. After the downloads complete, click Install on 7.1.14.
  5. After the install completes, reboot using one of the following methods:
  • If you are prompted to reboot, click Yes.
  • If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device in the Device Operations section. After the reboot, the device will not be functional until the active (or active-primary) device is suspended.
  6. Switch back to Panorama to check the firewall reboot status by going to Panorama > Managed Devices and looking for your firewall's status (whether it is connected and what version it's on).
  7. If you configured the firewall to temporarily allow non-SYN TCP traffic so that it could rebuild its session table, revert that setting by running the following from the CLI (the "configure" command is lowercase and enters configuration mode):

configure
set deviceconfig setting session tcp-reject-non-syn yes
commit

STEP 8 – Make FW A active & B passive – (Suspend FW B)

Fail traffic over from FW B to FW A (suspend FW B) and check traffic on FW A.

  1. Log in to FW B from Panorama and select Device > High Availability > Operational Commands.
  2. Click Suspend local device.
  3. Select the Dashboard and verify that the state of the passive device changes to active in the High Availability widget.
  4. Log in to FW A and verify that the firewall that took over as active or active-primary is passing traffic by selecting Monitor > Session Browser.
  5. Revert the suspended firewall back to functional: Device > High Availability > Operational Commands > Make device functional (the button will now read Suspend local device).

Post-Upgrade activities

STEP 1 – Verify that the devices are passing traffic as expected.

  1. (Active device(s) only) To verify that the upgrade succeeded and that active devices are passing traffic, run show session all from the CLI; show session info also gives a summary of the session table.
  2. Go to the Monitor tab and check for live traffic under Session Browser.
  3. Check the HA status and confirm that everything is synced.
Comment from Arun (5 years ago): Thanks for the article, it was really helpful.