This is my process for upgrading HA Palo Alto firewalls. Some steps will depend on your HA configuration; if you are not using preemption then you can’t disable it etc. So where possible refer to the official documentation. To start off you should take named snapshots of the config and export them off the firewall just to be safe. Below are the steps:

Primary

  • Disable preemption, commit
  • Fail over the firewall, CLI: request high-availability state suspend Note this will fail over the firewall
  • Check connectivity now the secondary is active
  • Install update and reboot
  • After device has rebooted log in and check the tasks for a successful autocommit, CLI: show jobs all
  • Enable HA, CLI: request high-availability state functional

Secondary

  • Fail the firewall over, CLI: request high-availability state suspend
  • Check connectivity now the primary is active
  • Install update and reboot
  • After device has rebooted log in and check the tasks for a successful autocommit, CLI: show jobs all
  • Enable HA, CLI: request high-availability state functional

Primary

  • Enable preemption, commit

You should check the notes for your specific version of PANOS especially when changing major version, see below:

PANOS 7.1 | PANOS 8.1 | PANOS 9.0 | PANOS 10.0 | PANOS 10.1