cdot65 / pan-os-upgrade

An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
https://cdot65.github.io/pan-os-upgrade/
Apache License 2.0

Relax HA Configuration Sync Checks for Panorama Upgrades #83

Closed cdot65 closed 6 months ago

cdot65 commented 6 months ago

Summary

This pull request addresses an issue where Panorama upgrades in an HA configuration are unnecessarily blocked due to strict configuration sync checks. By changing the strict_sync_check parameter from True to False, we allow upgrades to proceed in the face of non-critical sync discrepancies, enhancing the upgrade process's resilience and user experience.

Changes

Modified the default value of the strict_sync_check parameter from True to False within the upgrade logic. Introduced a user-configurable option to enable strict sync checks when necessary, providing flexibility to users based on their specific requirements.

Rationale

The strict sync checks in place for Panorama HA configurations can prevent upgrades from proceeding even in cases where sync discrepancies are not critical to the upgrade process. This behavior leads to unnecessary interruptions and complications in maintaining Panorama's currency. By making the sync checks more lenient, we aim to improve the reliability and smoothness of the upgrade process while still providing users the option to enforce strict checks if they deem it necessary for their environment.

Testing

Conducted upgrades on Panorama instances in HA configurations with both critical and non-critical sync discrepancies to validate that non-critical issues no longer block the upgrade. Verified that setting strict_sync_check to True restores the original strict behavior, allowing users to enforce sync checks when needed.

Backward Compatibility

This change is backward compatible, as it modifies a default behavior to be more permissive while still offering the previous behavior as an option. Users relying on strict sync checks can re-enable this behavior through configuration.