cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Support HA Upgrades for Firewalls and Panorama Using firewall Subcommand #105

Closed cdot65 closed 4 months ago

cdot65 commented 5 months ago

Is your feature request related to a problem? Please describe.
Yes. The pan-os-upgrade tool's reliance on the batch subcommand for HA upgrades imposes limitations. It cannot directly upgrade standalone HA firewalls (those not managed by Panorama), nor can it handle HA upgrades for Panorama appliances themselves.

Describe the solution you'd like
Extend the pan-os-upgrade tool to support HA upgrades using the firewall and panorama subcommands. This would allow direct upgrades of both standalone firewall HA pairs and Panorama HA pairs.

Describe alternatives you've considered
Currently, the only way to upgrade HA pairs without the proposed change is by either:

Manual Process: Performing the upgrade manually, which can be time-consuming, complex, and error-prone.
Panorama Reliance (for firewalls): Upgrading firewalls through Panorama, which isn't always feasible or desirable.

Additional context
This enhancement would improve pan-os-upgrade in several significant ways:

smos commented 5 months ago

When I target a member of the HA pair with the firewall command, I get the following message. Firewall 3220 is running 10.1.12.

pan-os-upgrade firewall
Firewall hostname or IP: mgmt-firewall-a.domain.nl
Firewall username: adminuser
Firewall password:
Target version: 10.2.8
Dry Run? [Y/n]:

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /home/user/panosupgrade/lib/python3.11/site-packages/pan_os_upgrade/main.py:245 in firewall    │
│                                                                                                  │
│   242 │   )                                                                                      │
│   243 │                                                                                          │
│   244 │   # Perform upgrade                                                                      │
│ ❱ 245 │   upgrade_firewall(                                                                      │
│   246 │   │   dry_run=dry_run,                                                                   │
│   247 │   │   firewall=device,                                                                   │
│   248 │   │   settings_file=SETTINGS_FILE,                                                       │
│                                                                                                  │
│ ╭─────────────────────────────────────────── locals ───────────────────────────────────────────╮ │
│ │         banner = '\x1b[1;33m===============================================================… │ │
│ │         device = <Firewall '123456123456' None at 0x7f8af1e81b50>                            │ │
│ │        dry_run = True                                                                        │ │
│ │       hostname = 'mgmt-firewall-a.domain.nl'                                                     │ │

<snip>

TypeError: 'NoneType' object does not support the context manager protocol

cdot65 commented 5 months ago

Yes, this is to be expected for now, although the error could be a bit more descriptive.

For HA firewalls, there is a check first to determine if the firewall is in a "revisit" list, which is dedicated for storing firewalls that are the "active" peer AND running the same PAN-OS version as the "passive" peer. We place firewalls in this list to revisit after the "passive" and standalone firewalls have completed their upgrades and are in a stable phase.

Since the firewall subcommand doesn't generate this "revisit" list, because it was built to target an individual firewall, the execution will fail here:

│ /Users/cdot/development/public/pan-os-upgrade/pan_os_upgrade/components/ha.py:247 in             │
│ handle_firewall_ha                                                                               │
│                                                                                                  │
│   244 │   )                                                                                      │
│   245 │                                                                                          │
│   246 │   # Check if the firewall is in the revisit list                                         │
│ ❱ 247 │   with target_devices_to_revisit_lock:                                                   │
│   248 │   │   is_device_to_revisit = target_device in target_devices_to_revisit                  │
│   249 │                                                                                          │