Python script to automate the upgrade process of PAN-OS firewalls.
Project description
PAN-OS Automation Project
Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
Explore the docs »
View Demo
Report Bug
Request Feature
Table of Contents
About The Project
This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.
Key Features:
- Automates routine tasks, reducing manual errors and saving time.
- Customizable scripts to fit various network environments and requirements.
- Extensive interaction with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.
Note: this script is targeted towards standalone and
active-passive
HA environments, no testing has been performed againstactive-active
or clustered firewalls.
Example Screenshot
Getting Started
This guide will help you set up the pan_os_upgrade library in your environment, especially focusing on users who are new to Python and virtual environments.
Prerequisites
- Python 3.8 or newer.
- Access to a Palo Alto Networks firewall.
- An active internet connection to download the package from PyPI.
Installation
The pan_os_upgrade library is available on PyPI and can be installed within a Python virtual environment. A virtual environment is a self-contained directory that contains a Python installation for a particular version of Python, plus a number of additional packages.
Using python3 -m venv
(Recommended for Beginners)
-
Create a Virtual Environment:
python3 -m venv panos_env
This command creates a new directory panos_env which contains a copy of the Python interpreter, the standard library, and various supporting files.
-
Activate the Virtual Environment:
On Windows:
panos_env\Scripts\activate
On macOS and Linux:
source panos_env/bin/activate
After activation, your command line will indicate that you are now in the virtual environment.
-
Install pan_os_upgrade:
Within the activated environment, use pip to install the package:
pip install pan_os_upgrade
Using Poetry (Advanced Users)
Poetry is a tool for dependency management and packaging in Python. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.
-
Install Poetry:
Follow the official instructions to install Poetry on your system.
-
Create a New Project using Poetry:
poetry new panos_project cd panos_project
-
Add pan_os_upgrade as a Dependency:
poetry add pan_os_upgrade
This command will create a virtual environment and install the pan_os_upgrade package along with its dependencies.
-
Activate the Poetry Shell:
To activate the virtual environment created by Poetry, use:
poetry shell
Setting Up Your Environment
After setting up the virtual environment and installing the package, you can configure your environment to use the library. This can be done using command-line arguments or an .env file.
Option 1: Using an .env File
Update the .env
file in your project directory and fill it with your firewall's details:
# PAN-OS credentials - use either API key or username/password combination
PAN_USERNAME=admin
PAN_PASSWORD=paloalto123
API_KEY=
# Hostname or IP address of the firewall
HOSTNAME=firewall1.example.com
# Target PAN-OS version for the upgrade
TARGET_VERSION=11.0.2-h3
# Logging level (e.g., debug, info, warning, error, critical)
LOG_LEVEL=debug
# Set to true for a dry run
DRY_RUN=false
Option 2: Using Command-Line Arguments
Alternatively, you can pass these details as command-line arguments when running the script:
pan-os-upgrade --hostname 192.168.1.1 --username admin --password secret --version 10.1.0
For a dry run:
pan-os-upgrade --hostname 192.168.1.1 --username admin --password secret --version 10.1.0 --dry-run
Usage
The script can be run from the command line with various options. It requires at least the hostname (or IP address) and the target PAN-OS version for the firewall. Authentication can be done via API key or username and password.
CLI Arguments Description
--api-key
: API Key for authentication--dry-run
: Perform a dry run of all tests and downloads without performing the actual upgrade.--hostname
: Hostname or IP address of the PAN-OS firewall.--log-level
: Set the logging output level (e.g., debug, info, warning).--password
: Password for authentication.--username
: Username for authentication.--version
: Target PAN-OS version to upgrade to.
Refer to the documentation for more details on usage.
Output
The script generates several files containing the state of the firewall and readiness checks. These files are stored in the assurance
directory with the following structure:
snapshots
: Contains the pre and post-upgrade network state snapshots in JSON format.readiness_checks
: Contains the results of readiness checks in JSON format.configurations
: Contains the backup of the firewall's configuration in XML format.
Logging
Log messages are printed to the console and saved to a rotating log file located in the logs
directory. The log level can be set via the --log-level
argument.
Troubleshooting
Encountered an issue? Here are some common problems and solutions:
-
Problem: Script fails to connect to the PAN-OS device.
- Solution: Check if the hostname and credentials are correct. Ensure network connectivity to the PAN-OS device.
-
Problem: Script hangs during execution.
- Solution: Check the firewall and network settings. Ensure the PAN-OS device is responding correctly.
For more troubleshooting tips, visit our FAQ section.
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature
) - Commit your Changes (
git commit -m 'Add some AmazingFeature'
) - Push to the Branch (
git push origin feature/AmazingFeature
) - Open a Pull Request
See Contributing Guidelines for detailed instructions.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Contact
Email Address - cremsburg.dev at gmail.com
Project Link: https://github.com/cdot65/pan-os-upgrade
Acknowledgments
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for pan_os_upgrade-0.1.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2d64f72ed5c8d0c3d76d6a648c8493c3ce4dce16f053a897285e0629aa6beacf |
|
MD5 | 3b4ef775ad7b7f37955c486c6f50c35c |
|
BLAKE2b-256 | 1d8d80cebcad2aca3d072f7b278cc887b859999aacd5b2c9ff7652cb19f6afe3 |