cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Enhance Support for HA Panorama Upgrades in pan-os-upgrade Tool #70

Closed cdot65 closed 7 months ago

cdot65 commented 7 months ago

The current pan-os-upgrade CLI tool lacks dedicated support for upgrading High Availability (HA) Panorama instances, due to differences in the HA response structure compared to firewalls. Specifically, the existing handle_ha_logic function fails to accommodate Panorama's unique response to the "show high-availability state" command, which lacks a "group" concept present in firewall responses.

Current Limitation:

The handle_ha_logic function is not compatible with Panorama's HA state response structure, causing the upgrade process for HA Panorama setups to fail.

Example HA Panorama Response:

<response status="success">
    <result>
        <enabled>yes</enabled>
        <local-info>
            <version>1</version>
            <state>primary-active</state>
            <state-duration>74869</state-duration>
            <last-error-reason>Path down</last-error-reason>
            <last-error-state>primary-non-functional</last-error-state>
            <mgmt-ip>192.168.255.191/24</mgmt-ip>
            <mgmt-ipv6></mgmt-ipv6>
            <preemptive>yes</preemptive>
            <promotion-hold>2000</promotion-hold>
            <hello-interval>8000</hello-interval>
            <heartbeat-interval>2000</heartbeat-interval>
            <preempt-hold>1</preempt-hold>
            <monitor-fail-holdup>0</monitor-fail-holdup>
            <addon-master-holdup>7000</addon-master-holdup>
            <encrypt-imported>no</encrypt-imported>
            <mgmt-macaddr>82:2c:5b:03:6b:c1</mgmt-macaddr>
            <encrypt-enable>no</encrypt-enable>
            <link-mon-intv>3000</link-mon-intv>
            <priority>primary</priority>
            <build-rel>10.2.7-h3</build-rel>
            <url-version>Not Installed</url-version>
            <app-version>8804-8537</app-version>
            <iot-version>113-471</iot-version>
            <av-version>4719-5237</av-version>
            <VMS>Match</VMS>
            <build-compat>Match</build-compat>
            <url-compat>Match</url-compat>
            <app-compat>Match</app-compat>
            <iot-compat>Match</iot-compat>
            <av-compat>Match</av-compat>
        </local-info>
        <peer-info>
            <conn-ha1>
                <conn-status>up</conn-status>
                <conn-primary>yes</conn-primary>
                <conn-desc>heartbeat status</conn-desc>
            </conn-ha1>
            <conn-status>up</conn-status>
            <version>1</version>
            <state>secondary-passive</state>
            <state-duration>74319</state-duration>
            <last-error-reason>User requested</last-error-reason>
            <last-error-state>secondary-suspended</last-error-state>
            <preemptive>yes</preemptive>
            <mgmt-ip>192.168.255.192</mgmt-ip>
            <mgmt-macaddr>82:2c:5b:03:6b:c2</mgmt-macaddr>
            <priority>secondary</priority>
            <build-rel>10.2.7-h3</build-rel>
            <url-version>Not Installed</url-version>
            <app-version>8804-8537</app-version>
            <iot-version>113-471</iot-version>
            <av-version>4719-5237</av-version>
            <VMS>3.0.5</VMS>
        </peer-info>
        <path-monitoring>
            <enabled>yes</enabled>
            <failure-condition>any</failure-condition>
            <groups>
                <entry>
                    <name>panorama2</name>
                    <failure-condition>any</failure-condition>
                    <enabled>yes</enabled>
                    <ping-interval>5000</ping-interval>
                    <ping-count>3</ping-count>
                    <destination-groups>
                        <entry>
                            <name>panorama2</name>
                            <enabled>yes</enabled>
                            <failure-condition>any</failure-condition>
                            <dest-ip>
                                <entry>
                                    <addr>192.168.255.192</addr>
                                    <status>up</status>
                                </entry>
                            </dest-ip>
                        </entry>
                    </destination-groups>
                </entry>
            </groups>
        </path-monitoring>
        <running-sync>synchronized</running-sync>
        <running-sync-enabled>yes</running-sync-enabled>
    </result>
</response>

Required Enhancement

Develop a new function specifically designed for HA Panorama upgrades, acknowledging the absence of "group" structures in Panorama's HA state responses. This function should effectively manage the upgrade process, ensuring compatibility with Panorama's HA architecture and facilitating a seamless upgrade experience.

This enhancement is crucial for customers needing to safely and efficiently upgrade large numbers of HA Panorama instances in short time frames. Addressing this will significantly improve the tool's utility and reliability for complex Panorama environments.
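As an added illustration (this is not code from the pan-os-upgrade project, nor from the issue author), the Python below parses `show high-availability state` output in both shapes described above: firewall responses with the HA details nested under a `<group>` element, and Panorama responses with `<local-info>`, `<peer-info>` and `<running-sync>` directly under `<result>`. The Panorama sample is trimmed from the response quoted in the issue; the firewall sample is constructed here on the assumption that the firewall nests everything inside `<result><group>`. The function names `parse_ha_state`, `ha_role` and `ha_upgrade_readiness` are illustrative, not part of the tool.

```python
"""Parse PAN-OS 'show high-availability state' output for firewalls and Panorama."""
import xml.etree.ElementTree as ET

# Constructed sample input: a Panorama HA response trimmed from the issue above.
PANORAMA_HA_XML = """\
<response status="success">
  <result>
    <enabled>yes</enabled>
    <local-info>
      <state>primary-active</state>
      <build-rel>10.2.7-h3</build-rel>
    </local-info>
    <peer-info>
      <conn-status>up</conn-status>
      <state>secondary-passive</state>
      <build-rel>10.2.7-h3</build-rel>
    </peer-info>
    <running-sync>synchronized</running-sync>
  </result>
</response>
"""

# Constructed sample input: a firewall HA response. Assumption: firewalls wrap
# local-info/peer-info/running-sync in a <group> element, which Panorama lacks.
FIREWALL_HA_XML = """\
<response status="success">
  <result>
    <enabled>yes</enabled>
    <group>
      <mode>Active-Passive</mode>
      <local-info>
        <state>passive</state>
        <build-rel>10.2.7-h3</build-rel>
      </local-info>
      <peer-info>
        <conn-status>up</conn-status>
        <state>active</state>
        <build-rel>10.2.7-h3</build-rel>
      </peer-info>
      <running-sync>synchronized</running-sync>
    </group>
  </result>
</response>
"""


def parse_ha_state(xml_text: str) -> dict:
    """Return a platform-neutral HA summary from either response shape."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"API call failed: status={root.get('status')!r}")
    result = root.find("result")
    if result is None:
        raise ValueError("response has no <result> element")
    if (result.findtext("enabled") or "").strip() != "yes":
        return {"enabled": False}

    group = result.find("group")
    container = group if group is not None else result  # Panorama: no <group>
    local = container.find("local-info")
    peer = container.find("peer-info")
    if local is None or peer is None:
        raise ValueError("HA enabled but local-info/peer-info missing")

    def text(el, tag):
        return (el.findtext(tag) or "").strip()

    return {
        "enabled": True,
        "platform": "firewall" if group is not None else "panorama",
        "local_state": text(local, "state"),
        "local_version": text(local, "build-rel"),
        "peer_state": text(peer, "state"),
        "peer_version": text(peer, "build-rel"),
        "peer_conn": text(peer, "conn-status"),
        "running_sync": text(container, "running-sync"),
    }


def ha_role(state: str) -> str:
    """Map 'active', 'primary-active', 'secondary-passive', ... to active/passive/other.

    Panorama prefixes its states with primary-/secondary-; suspended and
    non-functional states fall through to 'other' on both platforms.
    """
    last = state.rsplit("-", 1)[-1]
    return last if last in ("active", "passive") else "other"


def ha_upgrade_readiness(summary: dict) -> tuple:
    """Gate an upgrade on the checks an operator would want before touching an HA pair."""
    if not summary.get("enabled"):
        return True, "HA not enabled, no peer to coordinate with"
    if summary["peer_conn"] != "up":
        return False, "HA1 link to peer is not up"
    if summary["running_sync"] != "synchronized":
        return False, f"running config not synchronized: {summary['running_sync']}"
    local, peer = ha_role(summary["local_state"]), ha_role(summary["peer_state"])
    if {local, peer} != {"active", "passive"}:
        return False, f"unexpected pair states {summary['local_state']}/{summary['peer_state']}"
    return True, f"local member is {local}; upgrade the passive member first"
```

Because `ha_upgrade_readiness` works on the parsed summary rather than on the raw XML, the same pass/fail logic applies to a Panorama pair in `primary-active`/`secondary-passive` and to a firewall pair in `active`/`passive`; only `parse_ha_state` knows about the missing `<group>`.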