Palo Alto HA Firmware Upgrade Guide (GUI + Advanced Strategies)
Palo Alto HA Firmware Upgrade (GUI-Focused)
Phase 0: Preconditions
Navigate to:
Dashboard
Check:
- Both firewalls visible
- No critical alerts
Then:
Device > High Availability > General
Verify:
- State = Active / Passive
- Config Sync = Synchronized
- Peer = Connected
If not healthy, stop. Fix HA first.
Phase 1: Back up both firewalls
On each firewall:
Device > Setup > Operations
Perform:
- Save named configuration snapshot
- Export named configuration snapshot
- Export device state
Phase 2: Validate Upgrade Path (CRITICAL)
Navigate to:
Device > Software
Click:
Check Now
Example: Large Major Version Upgrade
Current version:
PAN-OS 9.1.15
Target version:
PAN-OS 11.1.13-h3
Wrong approach
9.1 → 11.1 (NOT allowed)
Correct upgrade sequence
9.1.15
↓
10.0.0 → 10.0.x
↓
10.1.0 → 10.1.x
↓
10.2.0 → 10.2.x
↓
11.0.0 → 11.0.x
↓
11.1.0 → 11.1.13-h3
How to execute this in GUI
For each step:
Device > Software
- Click Check Now
- Download base version (e.g. 10.0.0)
- Install
- Reboot
- Repeat
Important behavior
- Intermediate versions must be installed to unlock next versions
- Every major upgrade requires reboot
- Always go base (.0) → stable (.x)
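The path rule above as an added example (not from the original guide or from Palo Alto Networks): a small Python planner that expands a current/target pair into the ordered list of versions to install. The `TRAINS` list is taken from the sequence shown in this guide, and the `stable` parameter is a hypothetical hook for the intermediate maintenance releases you choose; trains without an entry keep the `.x` placeholder.

```python
import re

# Feature-release order copied from the sequence in this guide (assumption:
# no other release trains are in scope).
TRAINS = ["9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'major.minor.maint[-hN]' into (train, maintenance, hotfix)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def plan(current, target, stable=None):
    """Return the versions to install, in order, to get from current to target.

    stable (hypothetical parameter) maps an intermediate train to the
    maintenance release the operator picked; other trains keep '<train>.x'.
    """
    stable = stable or {}
    cur_train, cur_maint, cur_hf = parse(current)
    tgt_train, tgt_maint, tgt_hf = parse(target)
    for train in (cur_train, tgt_train):
        if train not in TRAINS:
            raise ValueError(f"release train {train} is not in TRAINS")
    start, end = TRAINS.index(cur_train), TRAINS.index(tgt_train)
    if (end, tgt_maint, tgt_hf) <= (start, cur_maint, cur_hf):
        raise ValueError("target is not newer than current")
    if start == end:  # same train: maintenance or hotfix bump only
        return [target]
    steps = []
    for train in TRAINS[start + 1:end + 1]:
        if train in stable and parse(stable[train])[0] != train:
            raise ValueError(f"{stable[train]} is not a {train} release")
        final = target if train == tgt_train else stable.get(train, f"{train}.x")
        steps.append(f"{train}.0")  # base image first
        if final != f"{train}.0":
            steps.append(final)     # then the stable release on that train
    return steps


if __name__ == "__main__":
    for version in plan("9.1.15", "11.1.13-h3"):
        print("Check Now -> Download -> Install -> Reboot:", version)
```

Run the same plan against both HA peers so the passive and the second firewall follow an identical chain.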
HA-specific execution
Passive firewall:
Perform full upgrade chain
Failover
Second firewall:
Repeat same chain
Time expectation
1-2 hours per firewall
Phase 3: Update dynamic content
Navigate to:
Device > Dynamic Updates
Update:
- Applications and Threats
- Antivirus
- WildFire
- URL Filtering
Phase 4: Disable preemption
Device > High Availability > Election Settings
- Uncheck Preemptive
- Commit
Phase 5: Upgrade PASSIVE firewall
Identify passive:
Dashboard > High Availability Widget
Then:
Device > Software
Steps:
- Check Now
- Download
- Install
- Reboot
Phase 6: Validate passive firewall
Device > High Availability
- State = Passive
- Sync = Synchronized
Phase 7: Force failover
Device > High Availability > Operational Commands
Click:
Suspend local device
Phase 8: Validate failover
Check:
Monitor > Traffic
Network > IPSec Tunnels
If broken, stop.
Phase 9: Upgrade second firewall
Repeat upgrade steps.
Phase 10: Restore HA
Device > High Availability > Operational Commands
Click:
Make local device functional
Phase 11: Re-enable preemption (optional)
Device > High Availability > Election Settings
Phase 12: Final validation
Check:
- HA status
- Traffic logs
- VPN tunnels
- Routing
- System logs
CLI Alternative (Condensed)
show high-availability state
request system software check
request system software download version <version>
request system software install version <version>
request restart system
request high-availability state suspend
# upgrade second firewall
request high-availability state functional
show system info
show vpn ipsec-sa
=========================
ADD-ON ADVANCED GUIDES
=========================
ADD-ON 1: Near Zero-Downtime Strategy
Requirements
Device > High Availability > General
- Session Sync = Enabled
- HA2 link up
Validate
show high-availability state
show session info
Mandatory failover test
Device > High Availability > Operational Commands
Suspend local device
VPN considerations
Network > IPSec Tunnels
- Enable monitoring
- Enable DPD
Reality
| Traffic | Impact |
|---|---|
| Web | Minimal |
| DB/RDP | Reset possible |
| IPsec | Reconnect |
| SSL VPN | Disconnect |
ADD-ON 2: Panorama Upgrade
Using Palo Alto Panorama
Steps
Panorama > Device Deployment > Dynamic Updates
Panorama > Managed Devices (check sync)
Panorama > Device Deployment > Software
- Upgrade passive first
- Manual failover
- Upgrade second
Warning
Panorama does not enforce safe HA sequencing.
ADD-ON 3: Rollback Procedure
Fast recovery
Suspend upgraded firewall
Revert firmware
Device > Software → Install previous version
Restore config
Device > Setup > Operations
Load named configuration snapshot
CLI rollback
request system software install version <previous-version>
request restart system
Reality
Avoid:
.x.0 releases
Use:
h2 / h3 or later
Final Assessment
If you didn't:
- Validate HA
- Test failover
- Plan upgrade path
- Prepare rollback
Then this is not a controlled upgrade.
It's a scheduled outage waiting to happen.