Hi I assume that active sessions means admin sessions to the Panorama, it would be a requirement to have all admins complete their changes and then log off the Panorama before continuing with the upgrade, the HA pair should Sync automatically as a result of the commit.
While performing Panorama upgrade you starting with secondary node first but when upgrading firewall you starting with primary node, is there any reason please ?.
Hi When upgrading firewalls there has to be the sessions that are running through that firewall to consider, so in that case I would failover the firewalls to check that there is no issues with traffic while we still have a working known good firewall, this is not the case with Panorama, Panorama is not in the traffic path and therefore we do not have the same considerations as with firewalls, so in this case I would (and have) confirmed that the Panoramas are in sync, check that the firewalls that are connected to one are also showing connected to the other in the HA pair, there is some telemetry between the firewalls and Panorama and so there is some need to make sure that we miss as little information as possible during the upgrade, but for me the most important thing is that the Panorama's are in sync and have the same configuration on both. I have said on other videos that really the process followed is up to the engineer completing the task, for instance simply upgrading the Primary firewall then the secondary would work in theory, but it would be risky, it is the risk tolerance of the engineer and the business that often determines the upgrade procedures, or content updates etc. Hope this helps.
can we sync to peer from active before installing OS on it, so it won;t drops any active sessions?
Hi
I assume that active sessions means admin sessions to the Panorama, it would be a requirement to have all admins complete their changes and then log off the Panorama before continuing with the upgrade, the HA pair should Sync automatically as a result of the commit.
While performing Panorama upgrade you starting with secondary node first but when upgrading firewall you starting with primary node, is there any reason please ?.
Hi
When upgrading firewalls there has to be the sessions that are running through that firewall to consider, so in that case I would failover the firewalls to check that there is no issues with traffic while we still have a working known good firewall, this is not the case with Panorama, Panorama is not in the traffic path and therefore we do not have the same considerations as with firewalls, so in this case I would (and have) confirmed that the Panoramas are in sync, check that the firewalls that are connected to one are also showing connected to the other in the HA pair, there is some telemetry between the firewalls and Panorama and so there is some need to make sure that we miss as little information as possible during the upgrade, but for me the most important thing is that the Panorama's are in sync and have the same configuration on both.
I have said on other videos that really the process followed is up to the engineer completing the task, for instance simply upgrading the Primary firewall then the secondary would work in theory, but it would be risky, it is the risk tolerance of the engineer and the business that often determines the upgrade procedures, or content updates etc.
Hope this helps.