Palo Alto - eekbot/public GitHub Wiki

Software Upgrade Overview

Source: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair#id062f1ad5-adb3-4d25-b4a4-529bde5dc96a

1) Log in directly to both firewalls as admin.

2) Make sure Dynamic Updates are recent on both firewalls.

3) Turn Off Preemption per firewall.

4) Download the base code and sync it to the HA peer. If the downloads regularly fail instantly, try clicking Check Now before trying to download again.

5) Download the target code and sync it to the HA peer.

6) Make sure firewalls look all green on the HA widget.

7) Take pre-upgrade backups, and export them somewhere safe.

9) Suspend A-side, confirm failover.

10) Validate B-side is working.

11) Install A-side target code (skip the base code) while it's suspended.

12) Reboot A-side after code installs.

13) A-side should come back out of suspended state.  Make sure peering is back up.  Don't worry about out-of-sync running config.

14) Suspend B-side to make A-side active.

15) Install B-side target code (skip the base code) while it's suspended.

16) Reboot B-side after code installs.

17) Verify Panorama sees the firewall on the new code, and maybe test a push.  Do other validations.

18) Re-enable Preemption if it was on earlier.

Downloading the Global Protect Client

Log in to support.paloaltonetworks.com

On the left-hand side, the second option from the bottom is Updates. Click it and pick Software Updates.

In the Please Select drop-down at the top, start typing GL and you'll see all the GlobalProtect options.

Resetting a BGP Peer

# THIS IS SIMILAR TO A SOFT RESET ON CISCO:
admin@BLAH-INT-A(active)> test routing bgp virtual-router DMZ refresh peer BLAH-DMZ-PEER

Send BGP refresh request to peer BLAH-DMZ-PEER for virtual-router DMZ.

# THIS IS A HARD RESET THAT WILL TAKE DOWN THE PEERING:
admin@BLAH-INT-A(active)> test routing bgp virtual-router DMZ restart peer BLAH-DMZ-PEER

waiting for shutdown BGP peer BLAH-DMZ-PEER...
waiting for bring up BGP peer BLAH-DMZ-PEER...
Restart BGP session with peer BLAH-DMZ-PEER for virtual-router DMZ performed.

View BGP Peer

admin@BLAH-NS-INT-A(active)> show routing protocol bgp peer peer-name BLAH-DMZ virtual-router DMZ

  ==========
  Peer:                          BLAH-DMZ (id 5)
  virtual router:                DMZ
  Peer router id:                10.11.12.34
  Remote AS:                     65535
  Peer group:                    BLAH-DMZ-GROUP (id 6)
  Peer status:                   Established, for 87 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 1
  Remote Address:                10.9.8.34:35529
  Local Address:                 10.9.8.33:179
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        15
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        0, out        0
  Total messages:                in        5, out        5
  Last update age:               6
  Last error:                    
  Flap counts:                   2, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      no
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: IPv4 Unicast
  Capability:                    Route Refresh(yes)
  Capability:                    Graceful Restart(64)  value: 807800010180
  Capability:                    Route Refresh (Cisco)(yes)
  ----------
  Prefix counter for:            bgpAfiIpv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Policy Rej 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
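A peer dump like the one above carries the two lines a defender should check first: "Password set" (is the session authenticated with TCP MD5?) and "Prefix limit" (is the peer capped?). The Python below is an added example, not PAN-OS or eekbot code; it parses the plain-text peer output into a dict and flags those settings, plus session state and flaps. The sample input is constructed by trimming the output shown above.

```python
"""Audit a PAN-OS 'show routing protocol bgp peer' text dump for
security-relevant settings. Added example; the SAMPLE block is a
constructed excerpt of the output shown on this page."""
import re

SAMPLE = """\
  ==========
  Peer:                          BLAH-DMZ (id 5)
  virtual router:                DMZ
  Peer router id:                10.11.12.34
  Remote AS:                     65535
  Peer status:                   Established, for 87 seconds
  Password set:                  no
  Multi-hop TTL:                 1
  Remote Address:                10.9.8.34:35529
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Last error:                    
  Flap counts:                   2, established 1 times
"""

# 'key:   value' with a lazy key so values containing ':' (addresses) survive.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")


def parse_peer(text):
    """Return {key: value} for the 'key: value' lines of one peer block.
    Separator lines (==== / ----) have no colon and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def audit_peer(fields):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    if fields.get("Password set", "").lower() != "yes":
        findings.append("no TCP MD5 password: BGP session is unauthenticated")
    limit = fields.get("Prefix limit", "")
    if not limit.isdigit() or int(limit) == 0:
        findings.append("no prefix limit: a misbehaving peer can flood the RIB")
    if not fields.get("Peer status", "").startswith("Established"):
        findings.append("session not Established")
    m = re.match(r"(\d+),\s*established\s+(\d+)", fields.get("Flap counts", ""))
    if m and int(m.group(1)) > 0:
        findings.append(f"session flapped {m.group(1)} times; check for instability")
    return findings
```

Run it against a saved `show routing protocol bgp peer` dump from each firewall after the upgrade; the peer above would be flagged for the missing password and the two flaps.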

Disable Weak Ciphers on Palo Alto

https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suites-for-ssl-tls-and-ssh/td-p/388126

# DONE ON PANORAMA
set template blah-template config vsys vsys1 ssl-tls-service-profile blah-ssl-prof protocol-settings auth-algo-sha1 no

# DIRECTLY ON FIREWALL
set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no