An efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
Currently, the pan-os-upgrade script upgrades firewalls without considering the preempt setting in High Availability (HA) configurations. This can lead to situations where an upgraded firewall with preempt enabled might take over as the active unit from a non-upgraded peer, potentially causing issues in the network.
Proposed Enhancement
It is proposed to enhance the script to check for the preempt setting in the HA configuration of a firewall pair before proceeding with the upgrade. If preempt is enabled, the script should inform the operator and prompt for confirmation to continue with the upgrade process.
Goals
Safety: Ensure that the upgrade process does not inadvertently cause an unexpected failover in HA configurations.
Awareness: Increase operator awareness of HA configurations that might impact the network during the upgrade process.
Control: Provide operators with the ability to make informed decisions before proceeding with upgrades in complex HA environments.
Non-Goals
Configuration Changes: The script will not modify any HA or firewall configurations, including the preempt setting. The responsibility for any configuration changes remains with the operator.
Implementation Notes
The script should query the firewall's HA configuration to determine if preempt is enabled.
If preempt is enabled, the script should display a clear message to the operator, indicating the potential implications.
The operator should be prompted to confirm if they wish to proceed with the upgrade, with a clear option to cancel or continue.
Use Cases
Upgrading HA Firewalls: Operators upgrading firewalls in an HA pair need to be aware of the preempt setting to prevent unexpected failovers.
Maintenance Windows: During planned maintenance, operators need to ensure that upgrades do not lead to unintended service disruptions.
Questions for Discussion
What is the best method to query the preempt setting from the firewall's HA configuration?
How should the script handle scenarios where it cannot determine the preempt setting due to connectivity issues or other errors?
Additional Context
This enhancement request stems from operational feedback where an unexpected failover occurred during an upgrade due to the preempt setting. Addressing this will improve the reliability and predictability of the upgrade process in HA environments.
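One way to implement the check from the Implementation Notes, as an added example (not the pan-os-upgrade project's own code). The XML element names are an assumption about the shape of the firewall's HA state reply, the sample replies are constructed, and asking for confirmation when the setting cannot be determined is only one possible answer to the second discussion question.

```python
import xml.etree.ElementTree as ET
from enum import Enum
from typing import Callable, Optional

class Preempt(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    UNKNOWN = "unknown"

# Constructed sample replies. Element names (enabled, local-info, preemptive)
# are assumed, not taken from the issue text.
SAMPLE_PREEMPT_ON = (
    '<response status="success"><result><enabled>yes</enabled><group>'
    "<local-info><state>passive</state><preemptive>yes</preemptive>"
    "</local-info></group></result></response>"
)
SAMPLE_PREEMPT_OFF = SAMPLE_PREEMPT_ON.replace("<preemptive>yes", "<preemptive>no")
SAMPLE_TRUNCATED = '<response status="success"><result><enabled>yes'

def preempt_state(reply: Optional[str]) -> Preempt:
    """Classify an HA state reply; missing or malformed data is UNKNOWN."""
    if not reply:
        return Preempt.UNKNOWN  # no reply at all, e.g. connectivity failure
    try:
        root = ET.fromstring(reply)
    except ET.ParseError:
        return Preempt.UNKNOWN  # truncated or corrupted reply
    if root.get("status") != "success":
        return Preempt.UNKNOWN
    if root.findtext("./result/enabled", "").strip().lower() == "no":
        return Preempt.DISABLED  # HA is off, so preempt cannot trigger a failover
    value = (root.findtext("./result/group/local-info/preemptive") or "").strip().lower()
    return {"yes": Preempt.ENABLED, "no": Preempt.DISABLED}.get(value, Preempt.UNKNOWN)

def may_upgrade(state: Preempt, confirm: Callable[[str], bool]) -> bool:
    """Proceed without asking only when preempt is known to be off."""
    if state is Preempt.DISABLED:
        return True
    if state is Preempt.ENABLED:
        msg = ("HA preempt is enabled: after the upgrade this firewall may take "
               "over as the active unit from its peer. Continue?")
    else:
        msg = "Could not determine the HA preempt setting. Continue anyway?"
    return confirm(msg)  # read-only check: no HA configuration is changed

if __name__ == "__main__":
    ask = lambda msg: input(f"{msg} [y/N] ").strip().lower() == "y"
    print("proceed:", may_upgrade(preempt_state(SAMPLE_PREEMPT_ON), ask))
```

Passing the prompt in as `confirm` keeps the decision logic testable and lets a non-interactive run supply a callback that always declines.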