Python script to automate the upgrade process of PAN-OS firewalls.
PAN-OS Automation Project
Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
About The Project
This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.
Project Link: https://github.com/cdot65/pan-os-upgrade
Documentation: https://cdot65.github.io/pan-os-upgrade/
Key Features
- Three Unique Upgrade Workflows Supported:
  - firewall: targets and upgrades an individual firewall
  - panorama: targets and upgrades an individual Panorama appliance
  - batch: targets a Panorama appliance and upgrades firewalls in batch
    - The script will support up to ten simultaneous upgrades
- Automation of Routine Tasks: Reduces manual errors and saves time by automating upgrades, configurations, and system checks.
- Support for Direct and Proxy Connections: Connect directly to firewalls or through a Panorama appliance, with support for targeting specific devices using filters.
- Active/Passive High Availability (HA) Workflow: Fully supports upgrading devices in active/passive HA configurations, ensuring both members are properly upgraded and synchronized.
- Multi-threading for Efficiency: Utilizes multi-threading to parallelize upgrades, especially beneficial when upgrading multiple devices through Panorama, enhancing performance and reducing overall upgrade time.
- Customizable and Extensible: Execution of the script can be tailored to fit diverse network environments and requirements, offering flexibility for various deployment scenarios.
- Comprehensive PAN-OS Interactions: Facilitates extensive interactions with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.
Note: While this script is optimized for standalone and active/passive HA environments, it has not been tested against active/active or clustered firewalls.
Example Execution
pan-os-upgrade batch
Panorama hostname or IP: panorama.cdot.io
Panorama username: cdot
Panorama password:
Firewall target version (ex: 10.1.2): 10.2.3
Filter string (ex: hostname=Woodlands*) []: hostname=Woodlands*
Dry Run? [y/N]:
===========================================================================
Welcome to the PAN-OS upgrade tool
You have selected to perform a batch upgrade of firewalls through Panorama.
No settings.yaml file was found. Default values will be used.
Create a settings.yaml file with 'pan-os-upgrade settings' command.
===========================================================================
✅ panorama.cdot.io: Connection to Panorama established. Firewall connections will be proxied!
Woodlands-fw2: 007954000123452 192.168.255.44
Woodlands-fw1: 007954000123451 192.168.255.43
Woodlands-fw2: HA mode: passive
Woodlands-fw1: HA mode: active
Woodlands-fw1: Detected active target device in HA pair running the same version as its peer. Added target device to revisit list.
Woodlands-fw2: Current version: 10.2.2-h2
Woodlands-fw2: Target version: 10.2.3
✅ Woodlands-fw2: Upgrade required from 10.2.2-h2 to 10.2.3
✅ Woodlands-fw2: version 10.2.3 is available for download
✅ Woodlands-fw2: Base image for 10.2.3 is already downloaded
Woodlands-fw2: Performing test to see if 10.2.3 is already downloaded...
✅ Woodlands-fw2: version 10.2.3 already on target device.
✅ Woodlands-fw2: 10.2.3 has been downloaded and sync'd to HA peer.
Woodlands-fw2: Performing snapshot of network state information...
✅ Woodlands-fw2: Network snapshot created successfully
Woodlands-fw2: Performing readiness checks to determine if firewall is ready for upgrade...
✅ Woodlands-fw2: Passed Readiness Check: Check if there are pending changes on device
✅ Woodlands-fw2: Passed Readiness Check: No Expired Licenses
✅ Woodlands-fw2: Passed Readiness Check: Checks HA pair status from the perspective of the current device
✅ Woodlands-fw2: Passed Readiness Check: Check if NTP is synchronized
✅ Woodlands-fw2: Passed Readiness Check: Check if the clock is synchronized between dataplane and management plane
✅ Woodlands-fw2: Passed Readiness Check: Check connectivity with the Panorama appliance
✅ Woodlands-fw2: Readiness Checks completed
Woodlands-fw2: Checking if HA peer is in sync...
✅ Woodlands-fw2: HA peer sync test has been completed.
Woodlands-fw2: Performing backup of configuration to local filesystem...
Woodlands-fw2: Not a dry run, continue with upgrade...
Woodlands-fw2: Performing upgrade to version 10.2.3...
Woodlands-fw2: Attempting upgrade to version 10.2.3 (Attempt 1 of 3)...
Device 007954000123452 installing version: 10.2.3
✅ Woodlands-fw2: Upgrade completed successfully
Woodlands-fw2: Rebooting the passive HA target device...
Woodlands-fw2: Command succeeded with no output
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: HA passive target device rebooted but not yet synchronized with its peer. Will try again in 60 seconds.
🟧 Woodlands-fw2: HA passive target device rebooted but not yet synchronized with its peer. Will try again in 60 seconds.
🟧 Woodlands-fw2: HA passive target device rebooted but not yet synchronized with its peer. Will try again in 60 seconds.
🟧 Woodlands-fw2: HA passive target device rebooted but not yet synchronized with its peer. Will try again in 60 seconds.
🟧 Woodlands-fw2: HA passive target device rebooted but did not complete a configuration sync with the active after 5 attempts.
panorama.cdot.io: Revisiting firewalls that were active in an HA pair and had the same version as their peers.
Woodlands-fw1: 007954000123451 192.168.255.43
Woodlands-fw1: HA mode: active
❌ Woodlands-fw1: Error suspending active target device HA state: argument of type 'NoneType' is not iterable
Woodlands-fw1: Current version: 10.2.2-h2
Woodlands-fw1: Target version: 10.2.3
✅ Woodlands-fw1: Upgrade required from 10.2.2-h2 to 10.2.3
✅ Woodlands-fw1: version 10.2.3 is available for download
✅ Woodlands-fw1: Base image for 10.2.3 is already downloaded
Woodlands-fw1: Performing test to see if 10.2.3 is already downloaded...
✅ Woodlands-fw1: version 10.2.3 already on target device.
✅ Woodlands-fw1: 10.2.3 has been downloaded and sync'd to HA peer.
Woodlands-fw1: Performing snapshot of network state information...
✅ Woodlands-fw1: Network snapshot created successfully
Woodlands-fw1: Performing readiness checks to determine if firewall is ready for upgrade...
✅ Woodlands-fw1: Passed Readiness Check: Check if there are pending changes on device
✅ Woodlands-fw1: Passed Readiness Check: No Expired Licenses
✅ Woodlands-fw1: Passed Readiness Check: Check if NTP is synchronized
✅ Woodlands-fw1: Passed Readiness Check: Check connectivity with the Panorama appliance
✅ Woodlands-fw1: Readiness Checks completed
Woodlands-fw1: Checking if HA peer is in sync...
🟧 Woodlands-fw1: HA peer state is not in sync. This will be noted, but the script will continue.
Woodlands-fw1: Performing backup of configuration to local filesystem...
Woodlands-fw1: Not a dry run, continue with upgrade...
Woodlands-fw1: Performing upgrade to version 10.2.3...
Woodlands-fw1: Attempting upgrade to version 10.2.3 (Attempt 1 of 3)...
Device 007954000123451 installing version: 10.2.3
✅ Woodlands-fw1: Upgrade completed successfully
Woodlands-fw1: Rebooting the passive HA target device...
Woodlands-fw1: Command succeeded with no output
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
🟧 Woodlands-fw1: Target device is rebooting...
✅ Woodlands-fw1: HA passive target device rebooted and synchronized with its peer in 631 seconds
✅ panorama.cdot.io: Completed revisiting firewalls
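The run above keeps going past warnings and errors, so a batch upgrade can finish with a firewall upgraded but its HA pair left out of sync. The following post-run audit is an added example, not part of the pan-os-upgrade project: `audit`, `needs_review` and the marker-to-severity mapping are assumptions based on the output shown, and every device is assumed to be an HA member as in this run.

```python
import re
from collections import defaultdict

# Lines taken from the example run above, plus two constructed "Example-fw3"
# lines for a clean device. The marker-to-severity mapping is an assumption.
SAMPLE_LOG = """\
✅ Woodlands-fw2: Upgrade completed successfully
🟧 Woodlands-fw2: Target device is rebooting...
🟧 Woodlands-fw2: HA passive target device rebooted but not yet synchronized with its peer. Will try again in 60 seconds.
🟧 Woodlands-fw2: HA passive target device rebooted but did not complete a configuration sync with the active after 5 attempts.
❌ Woodlands-fw1: Error suspending active target device HA state: argument of type 'NoneType' is not iterable
🟧 Woodlands-fw1: HA peer state is not in sync. This will be noted, but the script will continue.
✅ Woodlands-fw1: Upgrade completed successfully
✅ Woodlands-fw1: HA passive target device rebooted and synchronized with its peer in 631 seconds
✅ Example-fw3: Upgrade completed successfully
✅ Example-fw3: HA passive target device rebooted and synchronized with its peer in 600 seconds
"""

MARKS = {"\u274c": "error", "\U0001F7E7": "warn", "\u2705": "ok"}
TRANSIENT = ("Target device is rebooting", "Will try again in")  # wait/retry notices
LINE_RE = re.compile(r"^(?P<mark>\W*)(?P<host>[\w.-]+): (?P<msg>.+)$")

def audit(log_text):
    """Return {host: {"upgraded": bool, "ha_synced": bool, "findings": [(sev, msg)]}}."""
    report = defaultdict(lambda: {"upgraded": False, "ha_synced": False, "findings": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, banners, "Device ... installing" lines
        mark, host, msg = m.group("mark", "host", "msg")
        sev = next((name for ch, name in MARKS.items() if ch in mark), "info")
        entry = report[host]
        if sev == "ok" and msg.startswith("Upgrade completed successfully"):
            entry["upgraded"] = True
        if sev == "ok" and "synchronized with its peer" in msg:
            entry["ha_synced"] = True
        # Keep every error, and every warning that states a final condition.
        if sev == "error" or (sev == "warn" and not any(t in msg for t in TRANSIENT)):
            entry["findings"].append((sev, msg))
    return dict(report)

def needs_review(report):
    """Hosts with findings, or without both a completed upgrade and HA sync."""
    return sorted(h for h, e in report.items()
                  if e["findings"] or not (e["upgraded"] and e["ha_synced"]))

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print({h: report[h]["findings"] for h in needs_review(report)})
```

Both Woodlands firewalls are flagged even though each logged "Upgrade completed successfully": fw2 never completed its configuration sync, and fw1 logged an error while suspending its HA state.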
Usage
There are two primary methods to utilize the pan-os-upgrade tool: through a Python virtual environment or via a Docker container.
Please refer to the dedicated documentation website to understand how to use this tool.
Documentation Site: https://cdot65.github.io/pan-os-upgrade/
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
See Contributing Guidelines for detailed instructions.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Contact
Email Address - cremsburg.dev at gmail.com
Hashes for pan_os_upgrade-0.4.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | e01a4c9775c857ffa02287b18047b0c9d0474535aba037daf1f5ebf4f6583ac6
MD5 | 0328ef54e7fc35815d024c275b6a9e47
BLAKE2b-256 | 88dcca70446470d9f1fe6d3fdb1581a3749408c1f488d3df6d5a6965bb4699a5