Palo Alto Firewall HA PAN-OS Upgrade

Below are the steps I used to perform an PAN-OS upgrade from 6.0.4 to 6.0.6 successfully.

  1. On the active fw (fw1), log into the cli and enter: request high-availability state suspend.  This will force a failover to the secondary firewall (fw2).  I lost 2 pings during the failover.
  2. Install the new PAN-OS on fw1, and reboot when requested.
  3. Once rebooted, log into the CLI and enter: show jobs all to verify auto commit has completed (it should show FIN OK).  Then log into the web gui and verify the HA state of fw1 is Passive.
  4. Now, log into fw2 (which is currently the active fw), and force failover back to fw1 with: request high-availability state suspend. I lost 0 pings during the fail-back.
  5. Install the new PAN-OS on fw2, and reboot when requested.
  6. From the web gui of fw1, monitor the HA state and verify fw2 comes back up in Passive mode.