An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
Is your feature request related to a problem? Please describe.
When upgrading PAN-OS on firewalls using the pan-os-upgrade utility, it is crucial to have a backup of the device state information before proceeding with the upgrade. The device state information includes critical data such as the running configuration, device group and template settings pushed from Panorama, and additional details if the firewall is a GlobalProtect portal (e.g., certificate information, satellite list, and authentication information). Having a backup of this state information allows for quick recovery and restoration in case of any issues during the upgrade process or if a firewall needs to be replaced. Currently, the utility does not provide a built-in mechanism to download and export the device state file as a bundle.
Describe the solution you'd like
Enhance the pan-os-upgrade utility to include the ability to download and export the device state file as a bundle before initiating the upgrade process. The utility should:
Provide a command or option to trigger the device state file download and export.
Use the PAN-OS SDK to execute the equivalent of the export device state command on the firewall to generate the state bundle.
Retrieve the generated state bundle file from the firewall using the appropriate SDK methods for file retrieval.
Save the downloaded state bundle file to a specified location on the local machine or a remote server.
Provide options to customize the state bundle export, such as specifying additional information to include or excluding sensitive data.
Implement error handling and retry mechanisms to handle scenarios where the state bundle export may fail due to network issues, API errors, or insufficient permissions.
Generate a report or display the status of the state bundle export process, including the location where the bundle file is saved.
Optionally, include the ability to automatically download and export the state bundle before the upgrade process as a precautionary measure.
Provide clear documentation and examples on how to use the device state file download and export feature, including any prerequisites or configuration steps.
Describe alternatives you've considered
An alternative approach could be to manually log in to the firewall's web interface or CLI and perform the state bundle export manually. However, this would require additional effort from the users and may not be as convenient or automated as having the functionality built into the pan-os-upgrade utility itself.
Additional context
Here are a few additional points to consider:
Ensure that the utility handles the SDK authentication and communication securely, using appropriate authentication mechanisms and encryption.
Consider implementing compression or encryption of the state bundle file to reduce file size and protect sensitive information during transit.
Provide options to set retention policies or automatically delete older state bundle files to optimize storage usage.
Explore the possibility of integrating with backup and recovery solutions or cloud storage services to automatically store and manage the exported state bundle files.
Update the project's documentation to include information about this new feature, explaining its benefits and how it can assist in disaster recovery and device replacement scenarios.
By implementing this feature, the pan-os-upgrade utility will provide a convenient and automated way to download and export the device state file as a bundle before the upgrade process. This will ensure that a backup of the critical device state information is available, enabling quick recovery and restoration in case of any issues or the need to replace a firewall. It adds an extra layer of protection and resilience to the upgrade workflow.
Is your feature request related to a problem? Please describe. When upgrading PAN-OS on firewalls using the
pan-os-upgrade
utility, it is crucial to have a backup of the device state information before proceeding with the upgrade. The device state information includes critical data such as the running configuration, device group and template settings pushed from Panorama, and additional details if the firewall is a GlobalProtect portal (e.g., certificate information, satellite list, and authentication information). Having a backup of this state information allows for quick recovery and restoration in case of any issues during the upgrade process or if a firewall needs to be replaced. Currently, the utility does not provide a built-in mechanism to download and export the device state file as a bundle.Describe the solution you'd like Enhance the
pan-os-upgrade
utility to include the ability to download and export the device state file as a bundle before initiating the upgrade process. The utility should:export device state
command on the firewall to generate the state bundle.Describe alternatives you've considered An alternative approach could be to manually log in to the firewall's web interface or CLI and perform the state bundle export manually. However, this would require additional effort from the users and may not be as convenient or automated as having the functionality built into the
pan-os-upgrade
utility itself.Additional context Here are a few additional points to consider:
By implementing this feature, the
pan-os-upgrade
utility will provide a convenient and automated way to download and export the device state file as a bundle before the upgrade process. This will ensure that a backup of the critical device state information is available, enabling quick recovery and restoration in case of any issues or the need to replace a firewall. It adds an extra layer of protection and resilience to the upgrade workflow.