cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0
39 stars, 7 forks

Implement safeguards to prevent upgrades that may cause HA pair incompatibility #109

Closed cdot65 closed 4 months ago

cdot65 commented 5 months ago

Is your feature request related to a problem? Please describe.
When upgrading PAN-OS firewalls in an HA pair, selecting a version that is two or more minor releases ahead of the current version can lead to compatibility issues. If one firewall is upgraded to a version that is significantly ahead of its peer, it may not be able to rejoin the HA pair after the upgrade, putting itself in a suspended state. When the upgrade process begins on the other firewall, it issues an HA state switchover. If the peer is in a suspended state, neither firewall will be able to forward traffic, as they both operate in a suspended state.

Describe the solution you'd like
To mitigate this issue, we propose implementing a safeguard in the pan-os-upgrade tool that gracefully exits the execution of an upgrade if the following conditions are met:

  1. The user has selected an upgrade version that is two or more minor releases apart from the current release.
  2. The selected firewalls are in an HA state.

The pan-os-upgrade tool should:

  1. Check the current PAN-OS version of the firewalls and compare it with the user-selected upgrade version.
  2. Determine if the firewalls are in an HA state.
  3. If both conditions are met, display a warning message to the user, explaining the potential consequences of proceeding with the upgrade.
  4. Gracefully exit the upgrade process to prevent any unintended downtime or compatibility issues.

Describe alternatives you've considered
An alternative approach could be to allow the upgrade to proceed but display a prominent warning message to the user, highlighting the potential risks associated with upgrading firewalls that are two or more minor releases apart. However, this approach may not be sufficient to prevent users from inadvertently causing compatibility issues and downtime.

Additional context
Implementing this safeguard feature will help prevent users from accidentally causing HA pair incompatibility issues when using the pan-os-upgrade tool. By gracefully exiting the upgrade process when the specified conditions are met, the tool will ensure that users are aware of the potential consequences and can make informed decisions about their upgrade path. This feature enhancement will contribute to a more robust and user-friendly upgrade experience, minimizing the risk of unintended downtime and compatibility problems.
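The following is an added illustration of the safeguard requested above, not code from the pan-os-upgrade project: it parses both PAN-OS version strings, measures how many minor (feature) releases apart they are, and refuses the upgrade when the device is in an HA pair and the gap is two or more. The ordered release-train list, the function names and the `ha_enabled` flag (which a real implementation would read from the firewall's HA state) are assumptions for this example.

```python
import re
import sys

# PAN-OS version strings look like major.minor.maintenance[-hN], e.g. "10.1.9-h3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Assumed ordered list of PAN-OS feature releases. Counting positions in this list
# (rather than subtracting numbers) makes 10.2 -> 11.0 a single minor-release step.
RELEASE_TRAINS = ["9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1", "11.2"]


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def minor_releases_apart(current, target):
    """Distance between the two versions' feature trains, in either direction."""
    cur_train = f"{current[0]}.{current[1]}"
    tgt_train = f"{target[0]}.{target[1]}"
    return abs(RELEASE_TRAINS.index(tgt_train) - RELEASE_TRAINS.index(cur_train))


def ha_upgrade_safeguard(current_version, target_version, ha_enabled, max_gap=1):
    """Return (allowed, message). The upgrade is refused only when the firewall is
    in an HA pair AND the target is more than max_gap minor releases away."""
    current = parse_version(current_version)
    target = parse_version(target_version)
    gap = minor_releases_apart(current, target)
    if ha_enabled and gap > max_gap:
        return False, (
            f"Refusing upgrade {current_version} -> {target_version}: the versions are "
            f"{gap} minor releases apart and the firewall is in an HA pair. A peer on a "
            f"version this far ahead may not rejoin the pair and can be left suspended; "
            f"step through intermediate releases instead."
        )
    return True, f"Upgrade {current_version} -> {target_version} permitted (gap {gap})."


if __name__ == "__main__":
    # Constructed inputs standing in for values read from a device.
    allowed, message = ha_upgrade_safeguard("10.1.9-h3", "11.0.2", ha_enabled=True)
    print(message)
    sys.exit(0 if allowed else 1)  # graceful exit instead of starting the upgrade
```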