Below are the steps I used to perform an PAN-OS upgrade from 6.0.4 to 6.0.6 successfully.
- On the active fw (fw1), log into the cli and enter:
request high-availability state suspend. This will force a failover to the secondary firewall (fw2). I lost 2 pings during the failover.
- Install the new PAN-OS on fw1, and reboot when requested.
- Once rebooted, log into the CLI and enter:
show jobs allto verify auto commit has completed (it should show FIN OK). Then log into the web gui and verify the HA state of fw1 is Passive.
- Now, log into fw2 (which is currently the active fw), and force failover back to fw1 with:
request high-availability state suspend. I lost 0 pings during the fail-back.
- Install the new PAN-OS on fw2, and reboot when requested.
- From the web gui of fw1, monitor the HA state and verify fw2 comes back up in Passive mode.