An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
[x] Ensure you are submitting your pull request to a branch dedicated to a specific topic/feature/bugfix. Avoid using the master branch for pull requests.
[x] Target your pull request to the main development branch in this repository.
[x] Ensure your commit messages follow the project's preferred format.
[x] Check that your code additions do not fail any linting checks or unit tests.
Pull Request Description
This pull request introduces support for active/active HA upgrades to the pan-os-upgrade tool. The enhanced feature recognizes and handles different HA status types, including active-primary, active-secondary, and Tentative, and accounts for the HA3 interface unique to active/active HA configurations. It implements the proper active/active HA upgrade workflow, ensuring a smooth and automated upgrade process.
What does this pull request accomplish?
Feature addition
Are there any breaking changes included?
[ ] Yes
[x] No
Changes made in this pull request
- Added flatten_xml_to_dict to imports from pan_os_upgrade.components.utilities.
- Modified the handle_firewall_ha function to:
  - Compare HA synchronization state instead of peer and local versions.
  - Handle active-primary and active-secondary states along with active and passive states.
  - Suspend the HA state of the passive or active-secondary device during the upgrade process.
  - Parse the XML response message using flatten_xml_to_dict to check the success of HA state suspension.
- Updated conditional statements to include active-primary and active-secondary states along with active and passive states.
- Moved the check_ha_compatibility before the suspension of the HA peer firewalls to prevent situations where an incompatible version was detected after the first firewall in a pair was suspended.
Resolves issue
Resolves #108
Motivation behind this feature
Currently, the pan-os-upgrade tool only supports HA upgrades for active/passive configurations. This limitation prevents users from efficiently upgrading their PAN-OS devices in active/active HA setups, requiring manual intervention and increasing the risk of errors.
The addition of active/active HA upgrade support greatly enhances the usability and versatility of the pan-os-upgrade tool. This feature benefits organizations running PAN-OS devices in active/active HA configurations, allowing them to automate their upgrade process and reduce the risk of human error. By encompassing both active/passive and active/active HA upgrades, pan-os-upgrade becomes a comprehensive solution for upgrading PAN-OS devices in various HA setups.
Is there anything the reviewers should know?
Please review the changes carefully, especially the modifications to the handle_firewall_ha function, to ensure proper handling of active/active HA configurations and the HA3 interface during the upgrade process. Thorough testing with various active/active HA setups is recommended to validate the functionality and compatibility of the new feature.
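The gate ordering listed under "Changes made in this pull request" (synchronization and compatibility checked before any peer is suspended, then the suspend reply parsed to confirm it) can be sketched as follows. This is an added example, not code from the pull request or the project: `plan_ha_step`, `flatten` and the XML replies are hypothetical, and deferring the primary and aborting on unlisted states such as tentative are assumptions of the sketch.

```python
import xml.etree.ElementTree as ET

PRIMARY = {"active", "active-primary"}
SECONDARY = {"passive", "active-secondary"}

# Constructed sample replies, not captured from a device.
SUSPEND_OK = ('<response status="success">'
              '<result>constructed: state suspended</result></response>')
SUSPEND_FAIL = ('<response status="error">'
                '<msg><line>constructed: suspend refused</line></msg></response>')


def flatten(xml_text):
    """Hypothetical stand-in for the project's flatten_xml_to_dict."""
    root = ET.fromstring(xml_text)
    flat = dict(root.attrib)  # carries the status attribute of <response>
    for child in root.iter():
        if child is not root and child.text and child.text.strip():
            flat[child.tag] = child.text.strip()
    return flat


def plan_ha_step(local_state, peers_synced, versions_compatible, suspend):
    """Return (action, reason); suspend() runs only after every gate passes."""
    state = local_state.strip().lower()
    if not peers_synced:
        return "abort", "HA peers are not synchronized"
    if not versions_compatible:
        # Checked before suspension, so no peer is left suspended on failure.
        return "abort", "target version incompatible with HA peer"
    if state in PRIMARY:
        # Assumption of this sketch: the primary waits for its peer.
        return "defer", "upgrade the passive/active-secondary peer first"
    if state not in SECONDARY:
        # Assumption of this sketch: any other state (e.g. tentative) stops.
        return "abort", f"unhandled HA state: {state}"
    reply = flatten(suspend())
    if reply.get("status") != "success":
        detail = reply.get("line", "no detail")
        return "abort", "HA suspend not confirmed: " + detail
    return "upgrade", f"{state} peer suspended"
```

Passing the suspend operation in as a callable makes the ordering testable: a run that fails the compatibility gate can be shown never to have touched the HA state.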