cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Enhance Upgrade Script to Support Major/Minor Version Upgrades for PAN-OS Firewalls #17

Closed cdot65 closed 9 months ago

cdot65 commented 9 months ago

Background

The current Python script for upgrading PAN-OS firewalls efficiently handles upgrades for hotfix and maintenance releases. However, it's limited in scope and does not support upgrading between minor or major releases of PAN-OS.

Issue

When attempting to upgrade to a different minor or major release, the script halts if the base image for the target version is not present on the device. This limitation hinders users who need to perform such upgrades, especially in scenarios requiring a transition across multiple version levels.

Proposed Enhancement

The enhancement aims to expand the script's capability to include the upgrade process for minor and major PAN-OS releases. This would involve:

Identifying and Handling Base Images: Implementing a method to identify, download (if not present), and utilize the correct base images required for major/minor version upgrades.

Workflow Adjustments for HA Setups: Addressing the challenges posed by active/passive High Availability (HA) setups, where both firewalls in an HA pair cannot have drastic version differences during the upgrade process. This would require a careful synchronization and staging strategy to ensure both units in the HA pair are upgraded consistently and without causing service disruptions.

Challenges and Considerations:

HA Synchronization: Developing a mechanism to ensure that both units in an HA pair are upgraded in a manner that maintains their compatibility and avoids service disruption.

Rollback Procedures: Establishing reliable rollback procedures in case of upgrade failures, especially critical in HA environments.

Testing Across Versions: Extensive testing will be required to ensure the script's reliability across different upgrade paths and PAN-OS versions.

User Guidance: Updating documentation and user guidelines to cover the new upgrade scenarios and best practices.

Request for Contributions

We are seeking contributions from the community to address these challenges. Input, suggestions, and code contributions are highly welcomed, especially from those with experience in PAN-OS upgrades and HA environments.
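The base-image step described in the issue can be sketched as follows. This is an added example, not code from the issue or from the pan-os-upgrade project. It assumes the base image of a release train is its `X.Y.0` release, and the function names and sample versions are hypothetical.

```python
import re
from typing import NamedTuple

class PanosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    hotfix: int  # 0 when the version string has no "-hN" suffix

# Matches "10.1.3" and "10.1.3-h2"; other suffixes are rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> PanosVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))

def upgrade_kind(current: str, target: str) -> str:
    """Classify the jump as 'major', 'minor', 'maintenance' or 'hotfix'."""
    c, t = parse_version(current), parse_version(target)
    if t <= c:
        raise ValueError(f"{target} is not newer than {current}")
    if t.major != c.major:
        return "major"
    if t.minor != c.minor:
        return "minor"
    if t.maintenance != c.maintenance:
        return "maintenance"
    return "hotfix"

def images_to_download(current: str, target: str, on_device: set) -> list:
    """Images still missing on the device, base image first.

    Assumption: a major/minor upgrade needs the target train's X.Y.0 base
    image on the device before the target release can be installed.
    Multi-hop upgrade paths are out of scope for this sketch.
    """
    t = parse_version(target)
    needed = []
    if upgrade_kind(current, target) in ("major", "minor"):
        base = f"{t.major}.{t.minor}.0"
        if base != target:
            needed.append(base)
    needed.append(target)
    return [v for v in needed if v not in on_device]

if __name__ == "__main__":
    # Constructed sample: device on 10.1.3 with only that image present.
    print(images_to_download("10.1.3", "10.2.4", {"10.1.3"}))
```

Running the same plan against both members of an HA pair shows whether each unit has the base image staged before either one is upgraded.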