pan-os-upgrade 0.2.0

Python script to automate the upgrade process of PAN-OS firewalls.

PAN-OS Automation Project

Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
Explore the docs »

View Demo Report Bug Request Feature

Table of Contents

1. About The Project
2. Getting Started
3. Usage
4. Output
5. Logging
6. Contributing
7. License
8. Contact
9. Acknowledgments

About The Project

This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.

Key Features:

• Automates routine tasks, reducing manual errors and saving time.
• Customizable scripts to fit various network environments and requirements.
• Extensive interaction with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.

Note: this script is targeted towards standalone and active-passive HA environments, no testing has been performed against active-active or clustered firewalls.

Example Screenshot

(back to top)

Getting Started

This guide will help you set up the pan-os-upgrade library in your environment, especially focusing on users who are new to Python and virtual environments.

Prerequisites

• Python 3.8 or newer.
• Access to a Palo Alto Networks firewall.
• An active internet connection to download the package from PyPI.

Installation

The pan-os-upgrade library is available on PyPI and can be installed within a Python virtual environment. A virtual environment is a self-contained directory that contains a Python installation for a particular version of Python, plus a number of additional packages.

Creating a Python Virtual Environment

The steps below highlight the process for creating, activating, and installing pan-os-upgrade into a Python virtual environment. If you're new to Python, it may be beneficial to understand why this is such an important step, here is a good writeup to prime yourself.

1. Create a Virtual Environment:

   python3 -m venv panos_env
   

   This command creates a new directory panos_env which contains a copy of the Python interpreter, the standard library, and various supporting files.

2. Activate the Virtual Environment:

   On Windows:

   panos_env\Scripts\activate
   

   On macOS and Linux:

   source panos_env/bin/activate
   

   After activation, your command line will indicate that you are now in the virtual environment.

3. Install pan-os-upgrade:

   Within the activated environment, use pip to install the package:

   pip install pan-os-upgrade
   

Setting Up Your Environment

After setting up the virtual environment and installing the package, you can configure your environment to use the library. This can be done using command-line arguments or an .env file.

Option 1: Execute pan-os-upgrade without Command-Line Arguments

You can simply get started by issuing pan-os-upgrade from your current working directory, you will be guided to input the missing requirement arguments through an interactive shell.

$ pan-os-upgrade
IP address: 192.168.255.1
Username: admin
Password:
Target PAN-OS version: 11.1.1
INFO - ✅ Connection to firewall established
INFO - 📝 **021201123456** DataCenter 10.0.0.3
INFO - 📝 Firewall HA mode: disabled
INFO - 📝 Current PAN-OS version: 11.0.2
INFO - 📝 Target PAN-OS version: 11.1.1
INFO - ✅ Confirmed that moving from 11.0.2 to 11.1.1 is an upgrade
...continue until completed...

Option 2: Execute pan-os-upgrade Using Command-Line Arguments

Alternatively, you can pass these details as command-line arguments when running the script:

pan-os-upgrade --ip-address 192.168.1.1 --username admin --password secret --version 10.1.0

For a dry run:

pan-os-upgrade --ip-address 192.168.1.1 --username admin --password secret --version 10.1.0 --dry-run

(back to top)

Usage

The script can be run from the command line with various options.

You can view all arguments by passing the --help flag:

pan-os-upgrade --help

CLI Arguments Description

cli argument	shorthand	type	description
--dry-run	-d	n/a	Perform a dry run of all tests and downloads without performing the actual upgrade.
--ip-address	-i	text	IP address of target firewall.
--log-level	-l	text	Set the logging output level (e.g., debug, info, warning).
--password	-p	text	Password for authentication.
--username	-u	text	Username for authentication.
--version	-v	text	Target PAN-OS version to upgrade to.

(back to top)

Refer to the documentation for more details on usage.

(back to top)

Output

The script generates several files containing the state of the firewall and readiness checks. These files are stored in the assurance directory with the following structure:

• snapshots: Contains the pre and post-upgrade network state snapshots in JSON format.
• readiness_checks: Contains the results of readiness checks in JSON format.
• configurations: Contains the backup of the firewall's configuration in XML format.

Logging

Log messages are printed to the console and saved to a rotating log file located in the logs directory. The log level can be set via the --log-level argument.

Troubleshooting

Encountered an issue? Here are some common problems and solutions:

• Problem: Script fails to connect to the PAN-OS device.

  • Solution: Check if the hostname and credentials are correct. Ensure network connectivity to the PAN-OS device.

• Problem: Script hangs during execution.

  • Solution: Check the firewall and network settings. Ensure the PAN-OS device is responding correctly.

For more troubleshooting tips, visit our FAQ section.

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

See Contributing Guidelines for detailed instructions.

(back to top)

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

(back to top)

Contact

Email Address - cremsburg.dev at gmail.com

Project Link: https://github.com/cdot65/pan-os-upgrade

(back to top)

Acknowledgments

• Palo Alto Networks
• Python.org

(back to top)