pan-os-upgrade 0.1.1

Python script to automate the upgrade process of PAN-OS firewalls.

PAN-OS Automation Project

Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
Explore the docs »

View Demo Report Bug Request Feature

Table of Contents

1. About The Project
2. Getting Started
3. Usage
4. Output
5. Logging
6. Contributing
7. License
8. Contact
9. Acknowledgments

About The Project

This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.

Key Features:

• Automates routine tasks, reducing manual errors and saving time.
• Customizable scripts to fit various network environments and requirements.
• Extensive interaction with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.

Note: this script is targeted towards standalone and active-passive HA environments, no testing has been performed against active-active or clustered firewalls.

Example Screenshot

(back to top)

Getting Started

This guide will help you set up the pan_os_upgrade library in your environment, especially focusing on users who are new to Python and virtual environments.

Prerequisites

• Python 3.8 or newer.
• Access to a Palo Alto Networks firewall.
• An active internet connection to download the package from PyPI.

Installation

The pan_os_upgrade library is available on PyPI and can be installed within a Python virtual environment. A virtual environment is a self-contained directory that contains a Python installation for a particular version of Python, plus a number of additional packages.

Using python3 -m venv (Recommended for Beginners)

1. Create a Virtual Environment:

   python3 -m venv panos_env
   

   This command creates a new directory panos_env which contains a copy of the Python interpreter, the standard library, and various supporting files.

2. Activate the Virtual Environment:

   On Windows:

   panos_env\Scripts\activate
   

   On macOS and Linux:

   source panos_env/bin/activate
   

   After activation, your command line will indicate that you are now in the virtual environment.

3. Install pan_os_upgrade:

   Within the activated environment, use pip to install the package:

   pip install pan_os_upgrade
   

Using Poetry (Advanced Users)

Poetry is a tool for dependency management and packaging in Python. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.

1. Install Poetry:

   Follow the official instructions to install Poetry on your system.

2. Create a New Project using Poetry:

   poetry new panos_project
   cd panos_project
   

3. Add pan_os_upgrade as a Dependency:

   poetry add pan_os_upgrade
   

   This command will create a virtual environment and install the pan_os_upgrade package along with its dependencies.

4. Activate the Poetry Shell:

   To activate the virtual environment created by Poetry, use:

   poetry shell
   

Setting Up Your Environment

After setting up the virtual environment and installing the package, you can configure your environment to use the library. This can be done using command-line arguments or an .env file.

Option 1: Using an .env File

Update the .env file in your project directory and fill it with your firewall's details:

# PAN-OS credentials - use either API key or username/password combination
PAN_USERNAME=admin
PAN_PASSWORD=paloalto123
API_KEY=

# Hostname or IP address of the firewall
HOSTNAME=firewall1.example.com

# Target PAN-OS version for the upgrade
TARGET_VERSION=11.0.2-h3

# Logging level (e.g., debug, info, warning, error, critical)
LOG_LEVEL=debug

# Set to true for a dry run
DRY_RUN=false

Option 2: Using Command-Line Arguments

Alternatively, you can pass these details as command-line arguments when running the script:

pan-os-upgrade --hostname 192.168.1.1 --username admin --password secret --version 10.1.0

For a dry run:

pan-os-upgrade --hostname 192.168.1.1 --username admin --password secret --version 10.1.0 --dry-run

(back to top)

Usage

The script can be run from the command line with various options. It requires at least the hostname (or IP address) and the target PAN-OS version for the firewall. Authentication can be done via API key or username and password.

CLI Arguments Description

• --api-key: API Key for authentication
• --dry-run: Perform a dry run of all tests and downloads without performing the actual upgrade.
• --hostname: Hostname or IP address of the PAN-OS firewall.
• --log-level: Set the logging output level (e.g., debug, info, warning).
• --password: Password for authentication.
• --username: Username for authentication.
• --version: Target PAN-OS version to upgrade to.

(back to top)

Refer to the documentation for more details on usage.

(back to top)

Output

The script generates several files containing the state of the firewall and readiness checks. These files are stored in the assurance directory with the following structure:

• snapshots: Contains the pre and post-upgrade network state snapshots in JSON format.
• readiness_checks: Contains the results of readiness checks in JSON format.
• configurations: Contains the backup of the firewall's configuration in XML format.

Logging

Log messages are printed to the console and saved to a rotating log file located in the logs directory. The log level can be set via the --log-level argument.

Troubleshooting

Encountered an issue? Here are some common problems and solutions:

• Problem: Script fails to connect to the PAN-OS device.

  • Solution: Check if the hostname and credentials are correct. Ensure network connectivity to the PAN-OS device.

• Problem: Script hangs during execution.

  • Solution: Check the firewall and network settings. Ensure the PAN-OS device is responding correctly.

For more troubleshooting tips, visit our FAQ section.

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

See Contributing Guidelines for detailed instructions.

(back to top)

License

This project is licensed under the MIT License - see the LICENSE file for details.

(back to top)

Contact

Email Address - cremsburg.dev at gmail.com

Project Link: https://github.com/cdot65/pan-os-upgrade

(back to top)

Acknowledgments

• Palo Alto Networks
• Python.org

(back to top)