An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
We have identified an issue in the batch upgrade script where the firewalls selected and confirmed for an upgrade are not being accurately targeted in a High Availability (HA) configuration. Specifically, one of the selected firewalls (katy-fw1) was not included in the upgrade process, and instead, a firewall not selected for upgrade (katy-fw2) was targeted.
Steps to Reproduce
Run the batch upgrade command with the -u, -p, -h, and -v options to initiate a batch upgrade through Panorama.
Select and confirm a list of firewalls for the upgrade, including firewalls in an HA configuration.
Observe the logs to verify which firewalls are targeted for the upgrade.
Expected Behavior
All and only the firewalls confirmed by the user in the selection process should be targeted and included in the upgrade process.
Actual Behavior
The confirmed firewall katy-fw1 was not targeted for the upgrade.
The non-confirmed firewall katy-fw2, which was not part of the user's selection, was targeted for the upgrade.
Logs/Output
Relevant logs show the user's confirmation of the selected firewalls, including katy-fw1, but the subsequent upgrade process logs indicate that katy-fw2 is being targeted instead of katy-fw1.
Possible Cause/Suspected Area
The issue may lie in the handling of firewall objects in HA configurations within the script. It's possible that the script is incorrectly mapping or identifying the HA pair, leading to one member of the HA pair being incorrectly excluded from the upgrade process.
Suggested Fix/Workaround
A thorough review and possibly a redesign of the logic handling HA configurations and firewall selection for upgrades are needed. Ensuring that the script accurately maps user-selected firewalls to their corresponding objects, especially in HA configurations, is crucial.
Impact
This issue can lead to unintended firewalls being upgraded, which may disrupt network operations and cause confusion. It undermines the reliability of the upgrade process in environments with HA configurations.
Additional Context
This issue was discovered during routine upgrade operations in a controlled environment. It is critical to address this issue to ensure the reliability and accuracy of the batch upgrade process, particularly for users managing firewalls in HA configurations through Panorama.
Summary
We have identified an issue in the batch upgrade script where the firewalls selected and confirmed for an upgrade are not being accurately targeted in a High Availability (HA) configuration. Specifically, one of the selected firewalls (katy-fw1) was not included in the upgrade process, and instead, a firewall not selected for upgrade (katy-fw2) was targeted.
Steps to Reproduce
Run the batch upgrade command with the -u, -p, -h, and -v options to initiate a batch upgrade through Panorama. Select and confirm a list of firewalls for the upgrade, including firewalls in an HA configuration. Observe the logs to verify which firewalls are targeted for the upgrade.
Expected Behavior
All and only the firewalls confirmed by the user in the selection process should be targeted and included in the upgrade process.
Actual Behavior
The confirmed firewall katy-fw1 was not targeted for the upgrade. The non-confirmed firewall katy-fw2, which was not part of the user's selection, was targeted for the upgrade.
Logs/Output
Relevant logs show the user's confirmation of the selected firewalls, including katy-fw1, but the subsequent upgrade process logs indicate that katy-fw2 is being targeted instead of katy-fw1.
Possible Cause/Suspected Area
The issue may lie in the handling of firewall objects in HA configurations within the script. It's possible that the script is incorrectly mapping or identifying the HA pair, leading to one member of the HA pair being incorrectly excluded from the upgrade process.
Suggested Fix/Workaround
A thorough review and possibly a redesign of the logic handling HA configurations and firewall selection for upgrades are needed. Ensuring that the script accurately maps user-selected firewalls to their corresponding objects, especially in HA configurations, is crucial.
Impact
This issue can lead to unintended firewalls being upgraded, which may disrupt network operations and cause confusion. It undermines the reliability of the upgrade process in environments with HA configurations.
Additional Context
This issue was discovered during routine upgrade operations in a controlled environment. It is critical to address this issue to ensure the reliability and accuracy of the batch upgrade process, particularly for users managing firewalls in HA configurations through Panorama.