Safe JunOS upgrade
There are many Juniper documents in the KB describing ways to upgrade Junipers. Most of them are "Expensive" (e.g. require downtime), some of them can be done in-line.
I'll explain my favourite upgrading methods below.
The Juniper Documentation will probably have a suitable upgrade method for you and also has in service (ISSU) upgrade options, however I find the easiest and least destructive way to do it on a clustered system is this:Login to the secondary device from the primary:
request routing-engine login other-routing-engine
Run the following command:
request system software add ftp://hostname/pathname unlink no-copy no-validate
(if you prefer another method you can try one of these)
request system software add http://hostname/pathname unlink no-copy no-validate
(available only for Canada and U.S. version)
request system software add scp://hostname/pathname unlink no-copy no-validate
When the download is finished the device will need a reboot. Kick it with
request system reboot
NOTE: None of these commands require you to be in configuration mode.
When the device loses its connection you will be kicked back to the console of the primary device
Keep issuing the command "request chassis cluster status" every 2 minutes until you see the device coming back up in secondary mode.
When the device comes back up type the following command to failover:
request chassis routing-engine master switch
Or
request chassis cluster failover reset redundancy-group 1 node 1
Repeat the above steps for the primary firewall, but first make sure your backup (which should now be your primary) is passing all connections
Don't forget to fail back to your primary Firewall once upgrade is complete on both devices