Palo Alto Firewall HA PAN-OS Upgrade

I followed the steps HERE to perform an upgrade from 6.0.4 to 6.0.6 successfully.  To summarize, the steps are:

  1. On the active fw (fw1), log into the CLI and enter: request high-availability state suspend.  This will force a failover to the secondary firewall (fw2).  I lost 2 pings during the failover.
  2. Install the new PAN-OS on fw1, and reboot when requested.
  3. Once rebooted, log into the CLI and enter: show jobs all to verify auto commit has completed (it should show FIN OK).  Then log into the web GUI and verify the HA state of fw1 is Passive.
  4. Now, log into fw2 (which is currently the active fw), and force failover back to fw1 with: request high-availability state suspend. I lost 0 pings during the fail-back.
  5. Install the new PAN-OS on fw2, and reboot when requested.
  6. From the web GUI of fw1, monitor the HA state and verify fw2 comes back up in Passive mode.
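
The step 3 check can be scripted as a gate that must pass before fw2 is suspended in step 4. This is an added example, not part of the original post or any Palo Alto tooling: the sample outputs are constructed, their column layout is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample of `show jobs all` output; the column layout is an assumption.
SAMPLE_JOBS = """\
Enqueued              ID   Type      Status  Result  Completed
--------------------------------------------------------------
2014/10/01 09:12:03    1   AutoCom   FIN     OK      09:14:40
"""

# Constructed sample of `show high-availability state` output (layout assumed).
SAMPLE_HA = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    State: passive
  Peer Information:
    State: active
"""

def autocommit_done(jobs_text):
    """True only if the auto-commit job row reports Status FIN and Result OK."""
    for line in jobs_text.splitlines():
        fields = line.split()
        if any(f.lower().startswith("autocom") for f in fields):
            return "FIN" in fields and "OK" in fields
    return False  # no auto-commit row seen yet: treat as not ready

def ha_states(ha_text):
    """Return (local_state, peer_state) parsed from the HA state text."""
    states, section = {}, None
    for line in ha_text.splitlines():
        s = line.strip()
        if s.startswith("Local Information"):
            section = "local"
        elif s.startswith("Peer Information"):
            section = "peer"
        m = re.match(r"State:\s*(\S+)", s)
        if m and section and section not in states:
            states[section] = m.group(1).lower()
    return states.get("local"), states.get("peer")

def safe_to_fail_back(jobs_text, ha_text):
    """Step 3 gate, evaluated on fw1 before suspending fw2 in step 4."""
    local, peer = ha_states(ha_text)
    return autocommit_done(jobs_text) and local == "passive" and peer == "active"
```

Feed it the text captured from fw1 after the reboot; any result other than True means fw2 should stay active.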

Palo Alto Firewall HA CLI Commands

>show high-availability all
>show high-availability state
>show high-availability link-monitoring
>show high-availability path-monitoring

Configuring High Availability: https://live.paloaltonetworks.com/docs/DOC-2926

After enabling HA, the interfaces on the firewall will switch from using the interface MAC address to a virtual MAC address.  In my case, the Palo Alto updated the MAC address to connected devices, except for the loopback interfaces. I had to clear the ARP table of my internet edge routers to update the MAC of the loopbacks (I’m terminating GlobalProtect to the loopback interfaces).

More information regarding the MAC address change can be found here: https://live.paloaltonetworks.com/docs/DOC-4144

Updating Dell R710 Firmware

I was deploying ESXi on some Dell R710 servers we had, so I wanted to update the firmware to the latest and greatest.  I came across some issues updating, which is why I’m posting this.

First, I updated the iDRAC, using information from here:

http://en.community.dell.com/techcenter/systems-management/w/wiki/3206.updating-drac-firmware

Second, I couldn’t download updates using the USC/Lifecycle Controller because of the error “The updates you are trying to apply are not Dell-authorized updates”.  I was able to resolve this by updating the USC (Unified Server Configurator).  This can be easily upgraded by downloading the package and uploading it to the iDRAC update utility.  The package can be downloaded here:

http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverID=G3G5F&fileId=3093677794-SV&urlProductCode=False#

After USC is updated, you can access USC by hitting F10 on startup and navigating to Platform Update.  This will allow you to upgrade firmware on all the available devices.  Step-by-step instructions here:

http://kb.eclipseinc.com/kb/dell-firmware-update/