cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

pan-os-upgrade panorama Licensing Check/Software Download Check #110

Closed josergithub closed 4 months ago

josergithub commented 4 months ago

Is your feature request related to a problem? Please describe.

This is not necessarily a problem. The script should tell us when there is a software download issue due to expired licensing.

Describe the solution you'd like

When upgrading a single panorama appliance using the pan-os-upgrade panorama command, the script halts and it tells us if panorama is in HA mode and the software version of each panorama appliance. It should tell us if there is a licensing issue. It was a bit confusing not knowing why the script was exiting as if we were in dry run mode. I did try both dry run mode and upgrade mode and the result was identical.

Describe alternatives you've considered

At this point I will try to solve the panorama licensing issue and try again.

Additional context

Add any other context or screenshots about the feature request here:

(.venv) pan_os_upgrade % pan-os-upgrade panorama
Panorama hostname or IP: REMOVED
Panorama username: REMOVED
Panorama password:
Target Panorama version: 11.1.1
Dry Run? [Y/n]: y

Welcome to the PAN-OS upgrade tool

This script software is provided on an 'as-is' basis with no warranties, and no support provided.

The selected panorama subcommand will upgrade a single Panorama appliance.

Settings: Custom configuration loaded file detected and loaded at: /Downloads/pan-os-upgrade-main/pan_os_upgrade/settings.yaml

🚀 REMOVED : Connection to the appliance successful.
📝 REMOVED: None REMOVED
📝REMOVED HA mode: primary-passive
📝 REMOVED: Local state: primary-passive, Local version: 10.2.7-h1, Peer version: 10.2.7-h1
📝 REMOVED:Version comparison: equal

(.venv) pan_os_upgrade % pan-os-upgrade panorama
Panorama hostname or IP: REMOVED
Panorama username: REMOVED
Panorama password:
Target Panorama version: 11.0.3-h3
Dry Run? [Y/n]: n

Welcome to the PAN-OS upgrade tool

This script software is provided on an 'as-is' basis with no warranties, and no support provided.

The selected panorama subcommand will upgrade a single Panorama appliance.

Settings: Custom configuration loaded file detected and loaded at: /Downloads/pan-os-upgrade-main/pan_os_upgrade/settings.yaml

🚀 REMOVED Connection to the appliance successful.
📝 REMOVED: None REMOVED
📝 REMOVED: HA mode: primary-passive
📝 REMOVED: Local state: primary-passive, Local version: 10.2.7-h1, Peer version: 10.2.7-h1
📝 REMOVED: Version comparison: equal
(.venv) pan_os_upgrade %

josergithub commented 4 months ago

Is it possible to perform both the licensing check as well as the software check using the pan-os-upgrade panorama command?

cdot65 commented 4 months ago

Hello @josergithub!

You have discovered a limitation of the "Upgrade Assurance" package that we are using for snapshots and readiness checks: it does NOT support Panorama!

We can add these features ourselves by leveraging the same API calls that the dependency is using, but it should be noted that we likely won't be able to replicate the functionality entirely within our first pass. Don't expect, for example, snapshots to be captured and a PDF report generated before and after an upgrade, but we can bring the check for license issues and the software check into the project.

josergithub commented 4 months ago

Thank you! Does the panorama command have the ability to upgrade active/passive panoramas, or does it only upgrade standalone panoramas? It would be very useful if the panorama command on pan-os-upgrade could upgrade active passive panoramas.

cdot65 commented 4 months ago

Yes, we will be revisiting the workflow implemented for the firewall and panorama subcommands to support HA for these deployments. It will be tracked under #105.

cdot65 commented 4 months ago

To clarify, the tool can upgrade HA Panorama appliances but it can only do one of the pair at a time; there is an expectation that you target the correct appliance (passive) first, followed by the next (active) in a subsequent execution.

We will support upgrading both in a future release.

josergithub commented 4 months ago

I basically suspended the passive device in the HA pair and attempted the upgrade without success. The results during dry run mode and upgrade mode were identical.

cdot65 commented 4 months ago

To recap our conversation offline, the workflow is expecting that HA is active and healthy between the peers before running the script. We want to make sure that no upgrades are performed on HA pairs that are in an unhealthy state, and to instead gracefully exit and alert you when you have targeted an unhealthy HA pair.

Please do not suspend one of the other appliances.

A PR has been submitted to support license checks on Panorama appliances; it will gracefully exit if no license exists, or if the licenses are returned with expired = True.
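
The license gate described in the comment above, as an added example (not code from the pan-os-upgrade project or its PR): it parses an XML reply shaped like the PAN-OS `request license info` response and stops with an explicit reason when the query fails, no license exists, or any entry is marked expired. The response layout, the sample feature names and the function name `license_preflight` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies, shaped like the PAN-OS XML API response to the
# "request license info" operational command (assumed layout, not captured output).
SAMPLE_EXPIRED = """<response status="success"><result><licenses>
  <entry><feature>Device Management License</feature>
    <expires>January 01, 2024</expires><expired>yes</expired></entry>
  <entry><feature>Premium</feature>
    <expires>Never</expires><expired>no</expired></entry>
</licenses></result></response>"""
SAMPLE_NONE = '<response status="success"><result><licenses/></result></response>'
SAMPLE_ERROR = '<response status="error"><msg>Invalid credentials</msg></response>'


def license_preflight(xml_text):
    """Return (ok, reasons); ok is False when the upgrade should not proceed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"unparseable license response: {exc}"]
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or "no message"
        return False, ["license query failed: " + msg]
    entries = root.findall("./result/licenses/entry")
    if not entries:
        return False, ["no licenses installed"]
    reasons = []
    for entry in entries:
        feature = entry.findtext("feature", default="(unnamed)")
        # Fail closed: a missing <expired> element is treated as expired.
        expired = (entry.findtext("expired") or "yes").strip().lower()
        if expired != "no":
            reasons.append(
                f"{feature}: expired (expires={entry.findtext('expires')})"
            )
    return (not reasons), reasons


if __name__ == "__main__":
    samples = [("expired", SAMPLE_EXPIRED), ("none", SAMPLE_NONE),
               ("error", SAMPLE_ERROR)]
    for name, doc in samples:
        ok, reasons = license_preflight(doc)
        # Always say why the run stops, so the exit is never silent.
        print(name, "PROCEED" if ok else "STOP", reasons)
```
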

josergithub commented 4 months ago

Thank you.