cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Implement support for user-defined "show" and "request" commands #129

Open cdot65 opened 4 months ago

cdot65 commented 4 months ago

Is your feature request related to a problem? Please describe.

When upgrading PAN-OS on firewalls using the pan-os-upgrade utility, users may have specific requirements or custom checks they want to perform before and after the upgrade. These checks often involve running "show" and "request" commands to capture outputs from the devices. Currently, the utility has a predefined set of commands and models the response output using Pydantic models. However, this approach does not provide the flexibility for users to pass their own ad-hoc commands and capture the outputs for their specific needs.

Describe the solution you'd like

Enhance the pan-os-upgrade utility to support the ability for users to pass their own "show" and "request" commands and capture the outputs from the devices before and after an upgrade. The utility should:

  1. Modify the existing settings command or introduce a new configuration option to allow users to specify a list of custom "show" and "request" commands they want to execute.
  2. Parse the user-provided commands and validate their syntax to ensure they are valid PAN-OS commands.
  3. Before initiating the upgrade process, execute the user-defined "show" and "request" commands on the firewall and capture the outputs.
  4. Store the captured outputs in a structured format (e.g., JSON or XML) along with metadata such as the command, timestamp, and device information.
  5. Proceed with the normal upgrade process.
  6. After the upgrade is completed and the firewall is back online, execute the same set of user-defined commands again and capture the outputs.
  7. Store the post-upgrade outputs in a similar structured format as the pre-upgrade outputs.
  8. Provide a mechanism for users to easily retrieve and compare the pre-upgrade and post-upgrade outputs, either through a command-line interface or by generating a report.

Describe alternatives you've considered

An alternative approach could be to allow users to provide a script or a set of commands in a separate file, which the utility would execute before and after the upgrade. However, this might require additional file handling and security considerations, and it may not integrate seamlessly with the existing configuration and settings management of the utility.

Additional context

Here are a few additional points to consider:

By implementing this feature, the pan-os-upgrade utility will offer greater flexibility and customization options for users, allowing them to perform specific checks and capture relevant outputs before and after an upgrade. This will enable users to tailor the upgrade process to their unique requirements and gain deeper insights into the behavior and state of their firewalls during the upgrade cycle.
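
Steps 2, 4 and 8 of the request above, as an added example that is not part of the issue or of the pan-os-upgrade code base: user-supplied commands are checked against a verb and character allowlist, captured with metadata, and diffed pre versus post. The names `validate_commands`, `capture`, `compare` and the `run_command` callable are hypothetical, and the device outputs are constructed samples.

```python
import difflib
import json
import re
from datetime import datetime, timezone

# Assumption: only these leading verbs are accepted. This is a verb and
# character allowlist, not a full PAN-OS syntax check.
ALLOWED_VERBS = ("show", "request")
SAFE_COMMAND = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._/-]*")

def validate_commands(commands):
    """Return whitespace-normalized commands; raise ValueError outside the allowlist."""
    checked = []
    for raw in commands:
        cmd = " ".join(raw.split())
        if not SAFE_COMMAND.fullmatch(cmd) or cmd.split(" ")[0] not in ALLOWED_VERBS:
            raise ValueError(f"rejected command: {raw!r}")
        checked.append(cmd)
    return checked

def capture(run_command, commands, hostname, phase):
    """Run each validated command through run_command (hypothetical) and add metadata."""
    now = datetime.now(timezone.utc).isoformat()
    return [{"hostname": hostname, "phase": phase, "command": cmd, "timestamp": now,
             "output": run_command(cmd)} for cmd in validate_commands(commands)]

def compare(pre, post):
    """Map each command whose output changed to a unified diff of pre vs post."""
    after = {rec["command"]: rec["output"] for rec in post}
    report = {}
    for rec in pre:
        new = after.get(rec["command"], "")
        if new != rec["output"]:
            report[rec["command"]] = list(difflib.unified_diff(
                rec["output"].splitlines(), new.splitlines(),
                "pre-upgrade", "post-upgrade", lineterm=""))
    return report

# Constructed sample outputs standing in for a device before and after an upgrade.
PRE = {"show system info": "sw-version: 10.1.3\nmodel: PA-VM",
       "show interface management": "state: up"}
POST = {"show system info": "sw-version: 10.2.4\nmodel: PA-VM",
        "show interface management": "state: up"}

if __name__ == "__main__":
    cmds = list(PRE)
    pre = capture(PRE.get, cmds, "fw-example", "pre")
    post = capture(POST.get, cmds, "fw-example", "post")
    print(json.dumps(compare(pre, post), indent=2))
```

Commands containing `;`, `|` or other characters outside the allowlist are rejected before anything is sent to a device.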