Python script to automate the upgrade process of PAN-OS firewalls.
PAN-OS Automation Project
Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
About The Project
This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.
Key Features:
- Automates routine tasks, reducing manual errors and saving time.
- Customizable scripts to fit various network environments and requirements.
- Extensive interaction with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.
Note: this script is targeted towards standalone and active-passive HA environments; no testing has been performed against active-active or clustered firewalls.
Getting Started
This guide will help you set up the pan-os-upgrade library in your environment, especially focusing on users who are new to Python and virtual environments.
Prerequisites
- Python 3.8 or newer.
- Access to a Palo Alto Networks firewall.
- An active internet connection to download the package from PyPI.
Installation
The pan-os-upgrade library is available on PyPI and can be installed within a Python virtual environment. A virtual environment is a self-contained directory that contains a Python installation for a particular version of Python, plus a number of additional packages.
Creating a Python Virtual Environment
The steps below highlight the process for creating, activating, and installing pan-os-upgrade into a Python virtual environment. If you're new to Python, it may be beneficial to understand why this is such an important step; here is a good writeup to prime yourself.
- Create a Virtual Environment:
  python3 -m venv panos_env
  This command creates a new directory panos_env which contains a copy of the Python interpreter, the standard library, and various supporting files.
- Activate the Virtual Environment:
  On Windows:
  panos_env\Scripts\activate
  On macOS and Linux:
  source panos_env/bin/activate
  After activation, your command line will indicate that you are now in the virtual environment.
- Install pan-os-upgrade: Within the activated environment, use pip to install the package:
  pip install pan-os-upgrade
Setting Up Your Environment
After setting up the virtual environment and installing the package, you can configure your environment to use the library. This can be done using command-line arguments or an .env file.
Option 1: Execute pan-os-upgrade without Command-Line Arguments
You can get started by issuing pan-os-upgrade from your current working directory; you will be guided to input the missing required arguments through an interactive shell.
$ pan-os-upgrade
IP address: 192.168.255.1
Username: admin
Password:
Target PAN-OS version: 11.1.1
INFO - ✅ Connection to firewall established
INFO - 📝 **021201123456** DataCenter 10.0.0.3
INFO - 📝 Firewall HA mode: disabled
INFO - 📝 Current PAN-OS version: 11.0.2
INFO - 📝 Target PAN-OS version: 11.1.1
INFO - ✅ Confirmed that moving from 11.0.2 to 11.1.1 is an upgrade
...continue until completed...
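Option 2: Execute pan-os-upgrade Using Command-Line Arguments
Alternatively, you can pass these details as command-line arguments when running the script. A password given with --password typically ends up in shell history and is visible in the process list while the command runs; leaving the argument out makes the tool prompt for it, as in Option 1.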
pan-os-upgrade --ip-address 192.168.1.1 --username admin --password secret --version 10.1.0
For a dry run:
pan-os-upgrade --ip-address 192.168.1.1 --username admin --password secret --version 10.1.0 --dry-run
Usage
The script can be run from the command line with various options.
You can view all arguments by passing the --help flag:
pan-os-upgrade --help
CLI Arguments Description
cli argument | shorthand | type | description |
---|---|---|---|
--dry-run | -d | n/a | Perform a dry run of all tests and downloads without performing the actual upgrade. |
--ip-address | -i | text | IP address of target firewall. |
--log-level | -l | text | Set the logging output level (e.g., debug, info, warning). |
--password | -p | text | Password for authentication. |
--username | -u | text | Username for authentication. |
--version | -v | text | Target PAN-OS version to upgrade to. |
Refer to the documentation for more details on usage.
Output
The script generates several files containing the state of the firewall and readiness checks. These files are stored in the assurance directory with the following structure:
- snapshots: Contains the pre and post-upgrade network state snapshots in JSON format.
- readiness_checks: Contains the results of readiness checks in JSON format.
- configurations: Contains the backup of the firewall's configuration in XML format.
Logging
Log messages are printed to the console and saved to a rotating log file located in the logs directory. The log level can be set via the --log-level argument.
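Firewall configuration backups are sensitive, so the assurance and logs directories described above deserve a permission check after a run. The script below is an added example, not part of the pan-os-upgrade project: it lists artifacts that group or other users can access and can restrict them to the owner. It assumes a POSIX filesystem and a working directory that contains both folders; the function names are illustrative.

```python
import stat
from pathlib import Path

# Directory names come from the README; everything else is an assumption.
ARTIFACT_DIRS = ("assurance", "logs")
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_artifacts(workdir):
    """Return sorted (relative_path, octal_mode) pairs for every artifact
    that grants any permission to group or other."""
    workdir = Path(workdir)
    findings = []
    for name in ARTIFACT_DIRS:
        root = workdir / name
        if not root.is_dir():
            continue  # nothing written there yet
        for path in [root, *root.rglob("*")]:
            if path.is_symlink():
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & LOOSE_BITS:
                findings.append((str(path.relative_to(workdir)), oct(mode)))
    return sorted(findings)


def harden_artifacts(workdir):
    """Restrict flagged artifacts to the owner: 0700 for directories,
    0600 for files. Returns the number of paths changed."""
    workdir = Path(workdir)
    changed = 0
    # Sorted order visits a directory before its contents; the owner keeps
    # access to the directory, so the children remain reachable.
    for rel, _mode in audit_artifacts(workdir):
        path = workdir / rel
        path.chmod(0o700 if path.is_dir() else 0o600)
        changed += 1
    return changed


if __name__ == "__main__":
    # Report only; call harden_artifacts(Path.cwd()) to tighten permissions.
    for rel, mode in audit_artifacts(Path.cwd()):
        print(f"{mode:>6}  {rel}")
```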
Troubleshooting
Encountered an issue? Here are some common problems and solutions:
- Problem: Script fails to connect to the PAN-OS device.
  - Solution: Check if the hostname and credentials are correct. Ensure network connectivity to the PAN-OS device.
- Problem: Script hangs during execution.
  - Solution: Check the firewall and network settings. Ensure the PAN-OS device is responding correctly.
For more troubleshooting tips, visit our FAQ section.
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
See Contributing Guidelines for detailed instructions.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Contact
Email Address - cremsburg.dev at gmail.com
Project Link: https://github.com/cdot65/pan-os-upgrade
Hashes for pan_os_upgrade-0.2.0-py3-none-any.whl