Upgrade the VM-Series Model in an HA Pair
11.0
How do I upgrade my VM-Series Model if I have an HA pair?
Upgrading the VM-Series firewall allows you to increase the capacity on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. When you apply a new capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall.
Verify the VM-Series System Requirements for your firewall model before you upgrade. If your firewall has less than 5.5 GB of memory, the capacity (number of sessions, rules, security zones, address objects, etc.) on the firewall will be limited to that of the VM-50 Lite.
This process is similar to that of upgrading a pair of hardware-based firewalls that are in an HA configuration. During the capacity upgrade process, session synchronization continues, if you have it enabled. To avoid downtime when upgrading firewalls that are in a high availability (HA) configuration, update one HA peer at a time.
Do not make configuration changes to the firewalls during the upgrade process. During the upgrade process, configuration sync is automatically disabled when a capacity mismatch is detected and is then re-enabled when both HA peers have matching capacity licenses.
If the firewalls in the HA pair have different major software versions (such as 9.1 and 9.0) and different capacities, both devices will enter the Suspended HA state. Therefore, it is recommended that you make sure both firewalls are running the same version of PAN-OS before upgrading capacity.
- Upgrade the capacity license on the passive firewall.
  Follow the procedure to Upgrade the VM-Series Model.
  The new VM-Series model displays on the dashboard after some processes restart on this passive peer. This upgraded peer is now in a non-functional state because of the capacity mismatch with its active peer.
  If you have enabled session synchronization, verify that sessions are synchronized across HA peers before you continue to the next step. To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:
  - In an active/passive configuration, only the active peer shows packets transmitted, and the passive device shows only packets received.
    If you have enabled HA2 keep-alive, the hardware interface counters on the passive peer will show both transmit and receive packets. This occurs because HA2 keep-alive is bidirectional, which means that both peers transmit HA2 keep-alive packets.
  - In an active/active configuration, you will see packets received and packets transmitted on both peers.
- Upgrade the capacity license on the active firewall.
  Follow the procedure to Upgrade the VM-Series Model.
  The new VM-Series model displays on the dashboard after the critical processes restart. The passive firewall becomes active, and this peer (previously the active firewall) moves from the initial state to becoming the passive peer in the HA pair.
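The session-synchronization check in the first step can be applied to two counter readings taken a few seconds apart on each peer. The following is an added example, not Palo Alto Networks code: the `Ha2Sample` model, the function names and the sample numbers are assumptions, and the counters are entered by hand from the command output rather than parsed from it.

```python
from dataclasses import dataclass

@dataclass
class Ha2Sample:
    """HA2 packet counters copied by hand from one peer (constructed model)."""
    tx: int  # packets transmitted
    rx: int  # packets received

def _delta(before, after):
    return Ha2Sample(after.tx - before.tx, after.rx - before.rx)

def sync_problems(mode, first, second, keepalive=False):
    """Compare two counter samples per peer against the rules on this page.

    mode      -- "active-passive" or "active-active"
    first     -- (before, after) from the active peer (either peer in A/A)
    second    -- (before, after) from the passive peer (other peer in A/A)
    keepalive -- True when HA2 keep-alive is enabled
    Returns a list of problems; an empty list means the counters look right.
    """
    a, p = _delta(*first), _delta(*second)
    if min(a.tx, a.rx, p.tx, p.rx) < 0:
        return ["a counter decreased (restart or reset): take new samples"]
    problems = []
    if mode == "active-active":
        for name, d in (("first peer", a), ("second peer", p)):
            if d.tx == 0:
                problems.append(f"{name}: no packets transmitted")
            if d.rx == 0:
                problems.append(f"{name}: no packets received")
    elif mode == "active-passive":
        if a.tx == 0:
            problems.append("active peer: no packets transmitted")
        if p.rx == 0:
            problems.append("passive peer: no packets received")
        if keepalive and p.tx == 0:
            problems.append("passive peer: keep-alive on but nothing transmitted")
        if not keepalive and p.tx > 0:
            problems.append("passive peer: transmitting with keep-alive off")
    else:
        raise ValueError(f"unknown HA mode: {mode!r}")
    return problems

# Constructed samples taken a few seconds apart on an active/passive pair.
ACTIVE = (Ha2Sample(tx=1200, rx=0), Ha2Sample(tx=1450, rx=0))
PASSIVE = (Ha2Sample(tx=0, rx=1190), Ha2Sample(tx=0, rx=1440))

if __name__ == "__main__":
    print(sync_problems("active-passive", ACTIVE, PASSIVE) or "HA2 counters OK")
```

An empty result means the counters moved as the step describes; any listed problem is a reason to stop before upgrading the active peer.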