Upgrade an NGFW Cluster Firewall
Table of Contents
Upgrade an NGFW Cluster Firewall
Perform a rolling upgrade of an NGFW cluster firewall to a PAN-OS version later than
PAN-OS 11.1.7.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Perform this task to do a rolling upgrade of two PA-7500 Series firewalls in an NGFW
cluster to a PAN-OS release later than PAN-OS 11.1.7. You can upgrade to the next
release or skip releases. Before you begin, both firewalls in the cluster must be
online. Clustering plugin 2.0 is recommended so that you have node visibility during
the upgrade.
- Identify the leader node for the cluster and verify that the PA-7500 Series firewall is online. On the PA-7500 Series firewall, select . Notice that this firewall has Node ID 1 and is the Leader. The Local Node State is online.
![]()
In the General Information section, note the Serial # of the firewall.Access Panorama and select . In the Clusters field, select PA-Series. Scroll down until you find that serial number of the firewall in the Cluster Name column; select the checkbox to the left of the serial number. Click Suspend Node at the bottom of the screen.The Suspend Node window appears; the Delay indicates how many seconds it will take the firewall to change from online to suspended state (120 seconds in this case). During that time the firewall will transfer its sessions to the other firewall and traffic will fail over to the other firewall. Click OK to suspend the node.![]()
To confirm the node suspension happened, select Tasks at the bottom of the screen. In the Task Manager window, you can see a Troubleshooting task with a recent Start Time and a Status that indicates Completed.![]()
On the firewall, while the 120-second delay occurs, observe that the Firewall Cluster for Node ID 1 indicates the Local Node State is degraded (the state between online and suspended). Click the refresh arrows to refresh the screen; the Local Node state changes to suspended and the firewall is no longer the Leader.Access the second PA-7500 Series firewall, select . Notice that this firewall has Node ID 2 and is now the Leader. Its Local Node State is online.On the first firewall that you suspended, you can now download the PAN-OS release to which you are upgrading. Select and Check Now. Locate and Download the PAN-OS version you want.The download can take a little longer than downloading to a smaller firewall because the PA-7500 Series firewall downloads to an MPC and SFC and they must sync.Install the image. Click Yes to install.After the installation completes successfully, when you are prompted to reboot, click Yes.Verify that the first firewall is back online. Select . Notice that the firewall is not the Leader, but the Local Node State is online.![]()
Repeat the entire procedure on the second firewall to suspend it, at which point the Firewall Cluster for Node 2 will indicate suspended.![]()
Then download the same PAN-OS release you choose for Node 1, install the release on Node 2, reboot, and verify that Node 2 is back online.![]()
When you are finished upgrading both firewalls, you will see that Node ID 1 is the Leader again and both firewalls are online. On each firewall's Dashboard, the General Information section indicates the new Software Version to which you upgraded. Both before and after the upgrades, Node ID 1 and Node ID 2 indicate they are online and Node ID 1 is the Leader.![]()
![]()
(Optional) Access Panorama, select , and find the two serial numbers of the firewalls you upgraded, indicating that their Node Status is Online.
