cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Avoid user lockout situations when using an external authentication service #124

Open cdot65 opened 4 months ago

cdot65 commented 4 months ago

Is your feature request related to a problem? Please describe.

After upgrading a PAN-OS firewall using the pan-os-upgrade utility, the user credentials may take some time to become available if an external authentication service is used. This delay can cause the utility to repeatedly attempt to log in, resulting in the user's account being locked out after a certain number of failed attempts. The current approach of relying solely on user credentials for post-upgrade verification can lead to unnecessary lockouts and inconvenience for users.

Describe the solution you'd like

Enhance the pan-os-upgrade utility to offer an alternative approach for checking the status of an upgraded firewall by leveraging the HA (High Availability) status information from the peer firewall, if available. The utility should:

  1. Detect if the upgraded firewall is part of an HA pair.
  2. If an HA peer is detected, retrieve the HA status information from the peer firewall after the upgrade process is completed.
  3. Analyze the HA status to determine if the upgraded firewall has successfully rejoined the HA cluster and is functioning properly.
  4. If the HA status indicates a successful upgrade, consider the upgrade process as completed and avoid relying on user credentials for further verification.
  5. If no HA peer is detected or if the HA status check fails, fall back to the existing approach of using user credentials for post-upgrade verification.

Describe alternatives you've considered

An alternative approach could be to introduce a configurable delay or retry mechanism when using user credentials for post-upgrade verification. This would allow the utility to wait for a specified period or number of attempts before considering the upgrade process as failed. However, this approach might still lead to account lockouts if the external authentication service takes longer than expected to become available.

Additional context

Here are a few additional points to consider:

By implementing this feature, the pan-os-upgrade utility will provide a more reliable and efficient way to verify the status of upgraded firewalls, minimizing the chances of user account lockouts and improving the overall upgrade experience.
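The decision flow laid out in steps 1 to 5 above, written out as a worked example. This is added illustration, not code from the pan-os-upgrade project. It assumes a simplified XML layout in the shape of the PAN-OS `show high-availability state` reply (the `enabled`, `group/peer-info/state`, `build-rel` and `conn-status` nodes), feeds it a constructed sample document, and stands in for the real login probe with a caller-supplied callable, so the only thing it demonstrates is the ordering: trust the peer's view of the upgraded unit first, and only then spend a bounded number of credential attempts.

```python
"""Post-upgrade verification that prefers the HA peer's view over user logins.

Added example, not pan-os-upgrade's own code. The XML layout mirrors the shape of
`show high-availability state` on PAN-OS but is an assumption here; the sample
document below is constructed for the demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: what the *peer* (not the upgraded box) reports about its partner.
SAMPLE_PEER_HA_XML = """<response status="success"><result><enabled>yes</enabled>
<group>
  <local-info><state>active</state><build-rel>10.2.9</build-rel></local-info>
  <peer-info><state>passive</state><build-rel>10.2.9</build-rel><conn-status>up</conn-status></peer-info>
  <running-sync>synchronized</running-sync>
</group></result></response>"""

HEALTHY_PEER_STATES = {"active", "passive", "active-primary", "active-secondary"}


@dataclass
class PeerView:
    """The upgraded unit as seen from its HA peer (assumed field set)."""
    peer_state: str
    peer_version: str
    conn_status: str
    running_sync: str


def parse_peer_view(xml_text: str) -> Optional[PeerView]:
    """Step 1/2: extract the peer's view; None means 'no usable HA information'."""
    root = ET.fromstring(xml_text)
    if root.findtext("result/enabled") != "yes":
        return None  # HA not enabled on the peer: caller must fall back
    group = root.find("result/group")
    if group is None:
        return None
    return PeerView(
        peer_state=group.findtext("peer-info/state", ""),
        peer_version=group.findtext("peer-info/build-rel", ""),
        conn_status=group.findtext("peer-info/conn-status", ""),
        running_sync=group.findtext("running-sync", ""),
    )


def peer_confirms_upgrade(view: PeerView, target_version: str) -> bool:
    """Step 3: the upgraded unit rejoined, is on the target build, and the link is up."""
    return (view.peer_state in HEALTHY_PEER_STATES
            and view.peer_version == target_version
            and view.conn_status == "up")


@dataclass
class Verdict:
    method: str          # "ha-peer", "credentials" or "unverified"
    ok: bool
    login_attempts: int  # how many credential attempts were actually spent


def verify_upgrade(peer_ha_xml: Optional[str], target_version: str,
                   credential_probe: Callable[[], bool],
                   max_login_attempts: int = 3) -> Verdict:
    """Steps 4/5: HA view first; credentials only as a bounded fallback.

    max_login_attempts must be chosen by the caller to sit below the external
    authentication service's lockout threshold; this function only bounds the loop.
    """
    if peer_ha_xml is not None:
        try:
            view = parse_peer_view(peer_ha_xml)
        except ET.ParseError:
            view = None
        if view is not None and peer_confirms_upgrade(view, target_version):
            return Verdict("ha-peer", True, 0)   # no credentials used at all
    attempts = 0
    while attempts < max_login_attempts:
        attempts += 1
        try:
            if credential_probe():
                return Verdict("credentials", True, attempts)
        except ConnectionError:
            pass  # device still coming up; counts as an attempt, loop stays bounded
    return Verdict("unverified", False, attempts)


if __name__ == "__main__":
    # Hypothetical probe that would raise if any login were attempted.
    def never_login() -> bool:
        raise RuntimeError("credentials should not be needed when the peer confirms")
    print(verify_upgrade(SAMPLE_PEER_HA_XML, "10.2.9", never_login))
    print(verify_upgrade(None, "10.2.9", lambda: False, max_login_attempts=2))
```

The `credential_probe` callable is where the real login check would go; keeping it injectable is what lets the HA path be exercised without any credential traffic at all, and the `Verdict.login_attempts` counter makes it easy to assert in tests that the happy path never touched the authentication service.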