Python script to automate the upgrade process of PAN-OS firewalls.
PAN-OS Automation Project
Streamlining Palo Alto Networks Firewall Upgrades with Python Automation
About The Project
This project is a comprehensive Python-based solution for automating PAN-OS upgrades. It's designed to provide network administrators and security professionals with an efficient tool to manage upgrades, configurations, and system checks of Palo Alto Networks appliances.
Project Link: https://github.com/cdot65/pan-os-upgrade
Documentation: https://cdot65.github.io/pan-os-upgrade/
Key Features
- Three Unique Upgrade Workflows Supported:
  - `firewall`: targets and upgrades an individual firewall
  - `panorama`: targets and upgrades an individual Panorama appliance
  - `batch`: targets a Panorama appliance and upgrades firewalls in batch
- Automation of Routine Tasks: Reduces manual errors and saves time by automating upgrades, configurations, and system checks.
- Support for Direct and Proxy Connections: Connect directly to firewalls or through a Panorama appliance, with support for targeting specific devices using filters.
- Pre/Post Diff: Network snapshots are taken before and after the upgrade process, providing a PDF report of changes within the network environment after the upgrade completes.
- Active/Passive High Availability (HA) Workflow: Fully supports upgrading devices in active/passive HA configurations, ensuring both members are properly upgraded and synchronized.
- Multi-threading for Efficiency: Utilizes multi-threading to parallelize upgrades, especially beneficial when upgrading multiple devices through Panorama, enhancing performance and reducing overall upgrade time.
- Customizable and Extensible: Execution of the script can be tailored to fit diverse network environments and requirements, offering flexibility for various deployment scenarios.
- Comprehensive PAN-OS Interactions: Facilitates extensive interactions with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.
Note: While this script is optimized for standalone and active/passive HA environments, it has not been tested against active/active or clustered firewalls.
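As an added illustration of the active/passive HA workflow (example code written for this page, not pan-os-upgrade's own implementation), the block below parses PAN-OS version strings, including the `-hN` hotfix suffix, and reproduces the ordering decision the tool applies to an HA pair: upgrade the passive member first, defer an active member whose peer still runs the same version to a revisit list, and upgrade the active member only once its peer is ahead, suspending HA so the peer takes over. The `HaMember` fields and the action names are assumptions made for the example; the real tool reads HA state and versions from the device API through pan-os-python.

```python
"""PAN-OS version comparison and active/passive HA upgrade ordering.

Added example, not code from pan-os-upgrade. Version strings follow the
PAN-OS pattern major.minor.maintenance with an optional -hN hotfix suffix,
e.g. 10.1.3 and 10.1.3-h2. The HaMember shape is assumed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '10.1.3' or '10.1.3-h2' into a comparable tuple.

    A missing hotfix counts as 0, so 10.1.3 < 10.1.3-h2 < 10.1.4, and the
    numeric comparison keeps 10.1.3-h2 below 10.1.10 (a string comparison would not).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def compare_versions(local: str, peer: str) -> str:
    """Return 'older', 'equal' or 'newer' for local relative to peer."""
    a, b = parse_version(local), parse_version(peer)
    if a < b:
        return "older"
    if a > b:
        return "newer"
    return "equal"


@dataclass(frozen=True)
class HaMember:
    """One member of an active/passive pair (fields assumed for the example)."""
    hostname: str
    local_state: str      # 'active' or 'passive', as reported by the HA status
    local_version: str
    peer_version: str


def plan_ha_member(member: HaMember, target: str) -> str:
    """Decide what to do with one HA member for a given target version.

    Returns 'skip' (already at or above target), 'upgrade' (safe to upgrade now)
    or 'revisit' (active member whose peer still runs the same version; defer
    until the passive member has been upgraded so failover lands on the new code).
    """
    if compare_versions(member.local_version, target) != "older":
        return "skip"
    if member.local_state == "passive":
        return "upgrade"
    if member.local_state == "active":
        rel = compare_versions(member.local_version, member.peer_version)
        if rel == "equal":
            return "revisit"
        if rel == "older":
            return "upgrade"   # peer is already ahead: suspend HA, let it take over, then upgrade
        raise RuntimeError(f"{member.hostname}: active member is ahead of its peer; needs operator attention")
    raise ValueError(f"{member.hostname}: unexpected HA state {member.local_state!r}")


def plan_pair(members: List[HaMember], target: str) -> List[Tuple[str, str]]:
    """Two passes over a pair: first pass upgrades passive members and defers active ones,
    second pass revisits deferred members assuming their peer now runs the target."""
    order: List[Tuple[str, str]] = []
    revisit: List[HaMember] = []
    for m in members:
        action = plan_ha_member(m, target)
        if action == "upgrade":
            order.append((m.hostname, "upgrade"))
        elif action == "revisit":
            revisit.append(m)
    for m in revisit:
        peer_done = HaMember(m.hostname, m.local_state, m.local_version, target)
        if plan_ha_member(peer_done, target) == "upgrade":
            order.append((m.hostname, "suspend-ha-then-upgrade"))
    return order


if __name__ == "__main__":
    pair = [
        HaMember("Woodlands-fw1", "active", "10.1.3", "10.1.3"),
        HaMember("Woodlands-fw2", "passive", "10.1.3", "10.1.3"),
    ]
    for host, action in plan_pair(pair, "10.1.3-h2"):
        print(f"{host}: {action}")
```

The second pass deliberately re-checks the deferred member instead of trusting the first-pass decision: if the passive member's upgrade failed, its peer version stays behind and the active member is not touched.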
Example Execution
```text
pan-os-upgrade batch
Panorama hostname or IP: panorama.cdot.io
Panorama username: officehours
Panorama password:
Firewall target version (ex: 10.1.2): 10.1.3-h2
Dry Run? [Y/n]: n
===========================================================================
Welcome to the PAN-OS upgrade tool
You have selected to perform a batch upgrade of firewalls through Panorama.
No settings.yaml file was found, the script's default values will be used.
Create a settings.yaml file with 'pan-os-upgrade settings' command.
No inventory.yaml file was found, getting firewalls connected to Panorama.
Create an inventory.yaml file with 'pan-os-upgrade inventory' command.
===========================================================================
panorama.cdot.io: Connection to Panorama established. Firewall connections will be proxied!
panorama.cdot.io: Retrieving a list of all firewalls connected to Panorama...
panorama.cdot.io: Retrieving detailed information of each firewall...
+---+---------------+-----------------+-------+-----------------+------------+-------------+
| # | Hostname      | IP Address      | Model | Serial          | SW Version | App Version |
+===+===============+=================+=======+=================+============+=============+
| 1 | Woodlands-fw1 | 192.168.255.43  | PA-VM | 007954000123451 | 10.1.3     | 8729-8157   |
| 2 | Woodlands-fw2 | 192.168.255.44  | PA-VM | 007954000123452 | 10.1.3     | 8729-8157   |
| 3 | houston       | 192.168.255.211 | PA-VM | 007954000123453 | 10.1.3     | 8797-8498   |
+---+---------------+-----------------+-------+-----------------+------------+-------------+
You can select devices by entering their numbers, ranges, or separated by commas.
Examples: '1', '2-4', '1,3,5-7'.
Type 'done' on a new line when finished.
Enter your selection(s): 1,2
Woodlands-fw1 selected.
Woodlands-fw2 selected.
Enter your selection(s): done
panorama.cdot.io: Upgrading 2 devices to version 10.1.3-h2...
panorama.cdot.io: Please confirm the selected firewalls:
- Woodlands-fw1 (192.168.255.43)
- Woodlands-fw2 (192.168.255.44)
panorama.cdot.io: Dry run mode is disabled, upgrade workflow will be executed.
Do you want to proceed with the upgrade? [y/N]: y
Proceeding with the upgrade...
Proceeding with the upgrade...
panorama.cdot.io: Using 10 threads.
Woodlands-fw1: 007954000123451 192.168.255.43
Woodlands-fw2: 007954000123452 192.168.255.44
Woodlands-fw1: HA mode: active
Woodlands-fw2: HA mode: passive
Woodlands-fw1: Local state: active, Local version: 10.1.3, Peer version: 10.1.3
Woodlands-fw1: Version comparison: equal
Woodlands-fw1: Detected active target device in HA pair running the same version as its peer. Added target device to revisit list.
Woodlands-fw2: Local state: passive, Local version: 10.1.3, Peer version: 10.1.3
Woodlands-fw2: Version comparison: equal
Woodlands-fw2: Target device is passive
Woodlands-fw2: Current version: 10.1.3
Woodlands-fw2: Target version: 10.1.3-h2
Woodlands-fw2: Upgrade required from 10.1.3 to 10.1.3-h2
Woodlands-fw2: Refreshing list of available software versions
Woodlands-fw2: version 10.1.3-h2 is available for download
Woodlands-fw2: Base image for 10.1.3-h2 is already downloaded
Woodlands-fw2: Performing test to see if 10.1.3-h2 is already downloaded.
Woodlands-fw2: version 10.1.3-h2 already on target device.
Woodlands-fw2: 10.1.3-h2 has been downloaded and sync'd to HA peer.
Woodlands-fw2: Performing snapshot of network state information.
Woodlands-fw2: Attempting to capture network state snapshot (Attempt 1 of 3).
Woodlands-fw2: Network snapshot created successfully on attempt 1.
Woodlands-fw2: Network state snapshot collected and saved to assurance/snapshots/Woodlands-fw2/pre/2024-02-13_14-18-09.json
Woodlands-fw2: Performing readiness checks of target firewall.
Woodlands-fw2: Performing readiness checks to determine if firewall is ready for upgrade.
Woodlands-fw2: Passed Readiness Check: Check if active support is available
Woodlands-fw2: Skipped Readiness Check: Check if a given ARP entry is available in the ARP table
Woodlands-fw2: Passed Readiness Check: Check if there are pending changes on device
Woodlands-fw2: Skipped Readiness Check: Check if the certificates' keys meet minimum size requirements
Woodlands-fw2: Skipped Readiness Check: Running Latest Content Version
Woodlands-fw2: Passed Readiness Check: Check if any Dynamic Update job is scheduled to run within the specified time window
Woodlands-fw2: Passed Readiness Check: No Expired Licenses
Woodlands-fw2: Skipped Readiness Check: Check if a there is enough space on the `/opt/panrepo` volume for downloading an PanOS image.
Woodlands-fw2: Passed Readiness Check: Checks HA pair status from the perspective of the current device
Woodlands-fw2: Skipped Readiness Check: Check if a given IPsec tunnel is in active state
Woodlands-fw2: Skipped Readiness Check: Check for any job with status different than FIN
Woodlands-fw2: Skipped Readiness Check: Check if NTP is synchronized
Woodlands-fw2: Passed Readiness Check: Check if the clock is synchronized between dataplane and management plane
Woodlands-fw2: Passed Readiness Check: Check connectivity with the Panorama appliance
Woodlands-fw2: Skipped Readiness Check: Check if a critical session is present in the sessions table
Woodlands-fw2: Readiness Checks completed
Woodlands-fw2: Checking if HA peer is in sync.
Woodlands-fw2: HA peer sync test has been completed.
Woodlands-fw2: Performing backup of configuration to local filesystem.
Woodlands-fw2: Not a dry run, continue with upgrade.
Woodlands-fw2: Performing upgrade to version 10.1.3-h2.
Woodlands-fw2: The install will take several minutes, check for status details within the GUI.
Woodlands-fw2: Attempting upgrade to version 10.1.3-h2 (Attempt 1 of 3).
Device 007954000123452 installing version: 10.1.3-h2
Woodlands-fw2: Upgrade completed successfully
Woodlands-fw2: Rebooting the target device.
Woodlands-fw2: Command succeeded with no output
Woodlands-fw2: Retry attempt 1 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 2 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 3 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 4 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 5 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 6 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 7 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 8 due to error: 007954000123452 not connected
Woodlands-fw2: Retry attempt 9 due to error: 007954000123452 not connected
Woodlands-fw2: Current device version: 10.1.3-h2
Woodlands-fw2: Device rebooted to the target version successfully.
Woodlands-fw2: Performing backup of configuration to local filesystem.
Woodlands-fw2: Waiting for the device to become ready for the post upgrade snapshot.
panorama.cdot.io: Revisiting firewalls that were active in an HA pair and had the same version as their peers.
Woodlands-fw1: 007954000123451 192.168.255.43
Woodlands-fw1: HA mode: active
Woodlands-fw1: Local state: active, Local version: 10.1.3, Peer version: 10.1.3-h2
Waiting for HA synchronization to complete on Woodlands-fw1. Attempt 1/3
HA synchronization complete on Woodlands-fw1. Proceeding with upgrade.
Woodlands-fw1: Version comparison: older
Woodlands-fw1: Target device is on an older version
Woodlands-fw1: Suspending HA state of active
Woodlands-fw1: Error received when suspending active target device HA state: argument of type 'NoneType' is not iterable
Woodlands-fw1: Current version: 10.1.3
Woodlands-fw1: Target version: 10.1.3-h2
Woodlands-fw1: Upgrade required from 10.1.3 to 10.1.3-h2
Woodlands-fw1: Refreshing list of available software versions
Woodlands-fw1: version 10.1.3-h2 is available for download
Woodlands-fw1: Base image for 10.1.3-h2 is already downloaded
Woodlands-fw1: Performing test to see if 10.1.3-h2 is already downloaded.
Woodlands-fw1: version 10.1.3-h2 already on target device.
Woodlands-fw1: 10.1.3-h2 has been downloaded and sync'd to HA peer.
Woodlands-fw1: Performing snapshot of network state information.
Woodlands-fw1: Attempting to capture network state snapshot (Attempt 1 of 3).
Woodlands-fw1: Network snapshot created successfully on attempt 1.
Woodlands-fw1: Network state snapshot collected and saved to assurance/snapshots/Woodlands-fw1/pre/2024-02-13_14-37-49.json
Woodlands-fw1: Performing readiness checks of target firewall.
Woodlands-fw1: Performing readiness checks to determine if firewall is ready for upgrade.
Woodlands-fw1: Passed Readiness Check: Check if active support is available
Woodlands-fw1: Skipped Readiness Check: Check if a given ARP entry is available in the ARP table
Woodlands-fw1: Passed Readiness Check: Check if there are pending changes on device
Woodlands-fw1: Skipped Readiness Check: Check if the certificates' keys meet minimum size requirements
Woodlands-fw1: Skipped Readiness Check: Running Latest Content Version
Woodlands-fw1: Passed Readiness Check: Check if any Dynamic Update job is scheduled to run within the specified time window
Woodlands-fw1: Passed Readiness Check: No Expired Licenses
Woodlands-fw1: Skipped Readiness Check: Check if a there is enough space on the `/opt/panrepo` volume for downloading an PanOS image.
Woodlands-fw1: Skipped Readiness Check: Checks HA pair status from the perspective of the current device
Woodlands-fw1: Skipped Readiness Check: Check if a given IPsec tunnel is in active state
Woodlands-fw1: Skipped Readiness Check: Check for any job with status different than FIN
Woodlands-fw1: Skipped Readiness Check: Check if NTP is synchronized
Woodlands-fw1: Passed Readiness Check: Check if the clock is synchronized between dataplane and management plane
Woodlands-fw1: Passed Readiness Check: Check connectivity with the Panorama appliance
Woodlands-fw1: Skipped Readiness Check: Check if a critical session is present in the sessions table
Woodlands-fw1: Readiness Checks completed
Woodlands-fw1: Checking if HA peer is in sync.
Woodlands-fw1: HA peer sync test has been completed.
Woodlands-fw1: Performing backup of configuration to local filesystem.
Woodlands-fw1: Not a dry run, continue with upgrade.
Woodlands-fw1: Performing upgrade to version 10.1.3-h2.
Woodlands-fw1: The install will take several minutes, check for status details within the GUI.
Woodlands-fw1: Attempting upgrade to version 10.1.3-h2 (Attempt 1 of 3).
Device 007954000123451 installing version: 10.1.3-h2
Woodlands-fw1: Upgrade completed successfully
Woodlands-fw1: Rebooting the target device.
Woodlands-fw1: Command succeeded with no output
Woodlands-fw1: Retry attempt 1 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 2 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 3 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 4 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 5 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 6 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 7 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 8 due to error: 007954000123451 not connected
Woodlands-fw1: Retry attempt 9 due to error: 007954000123451 not connected
Woodlands-fw1: Current device version: 10.1.3-h2
Woodlands-fw1: Device rebooted to the target version successfully.
Woodlands-fw1: Performing backup of configuration to local filesystem.
Woodlands-fw1: Waiting for the device to become ready for the post upgrade snapshot.
panorama.cdot.io: Completed revisiting firewalls
```
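The pre-upgrade snapshots in the run above are written as JSON under `assurance/snapshots/<hostname>/pre/`, with the post-upgrade snapshot collected once the rebooted device is ready. The block below is an added example, not the project's own report code, of diffing a pre and a post snapshot to surface routes and ARP entries that were present before the reboot and are missing or altered afterwards. The top-level keys (`routes`, `arp_table`, `content_version`, `session_stats`) and the per-entry layout are assumptions made for this example, and both snapshots are constructed; the real snapshot format is defined by panos-upgrade-assurance.

```python
"""Diff of pre/post upgrade network-state snapshots.

Added example, not pan-os-upgrade's report generator. The snapshot shape
(top-level areas holding entries keyed by a stable identifier) is assumed
for this example; the two snapshots below are constructed sample data.
"""
import json
from typing import Any, Dict, List

# Constructed pre-upgrade snapshot.
PRE_SNAPSHOT = json.dumps({
    "content_version": {"version": "8729-8157"},
    "routes": {
        "default_0.0.0.0/0_ethernet1/1": {"destination": "0.0.0.0/0", "nexthop": "192.168.255.1", "flags": "A S"},
        "default_10.10.0.0/24_ethernet1/2": {"destination": "10.10.0.0/24", "nexthop": "0.0.0.0", "flags": "A C"},
        "default_10.20.0.0/24_tunnel.1": {"destination": "10.20.0.0/24", "nexthop": "10.20.0.1", "flags": "A S"},
    },
    "arp_table": {
        "ethernet1/1_192.168.255.1": {"mac": "00:50:56:aa:bb:01", "status": "c"},
        "ethernet1/2_10.10.0.5": {"mac": "00:50:56:aa:bb:02", "status": "c"},
    },
    "session_stats": {"num-active": "1843", "num-tcp": "1500"},
})

# Constructed post-upgrade snapshot: the tunnel route is gone, one ARP entry
# has not been re-learned yet, and the session table is still refilling.
POST_SNAPSHOT = json.dumps({
    "content_version": {"version": "8729-8157"},
    "routes": {
        "default_0.0.0.0/0_ethernet1/1": {"destination": "0.0.0.0/0", "nexthop": "192.168.255.1", "flags": "A S"},
        "default_10.10.0.0/24_ethernet1/2": {"destination": "10.10.0.0/24", "nexthop": "0.0.0.0", "flags": "A C"},
    },
    "arp_table": {
        "ethernet1/1_192.168.255.1": {"mac": "00:50:56:aa:bb:01", "status": "c"},
    },
    "session_stats": {"num-active": "12", "num-tcp": "9"},
})

# Areas whose entries are compared one by one (assumed key names).
KEYED_AREAS = ("routes", "arp_table")


def diff_keyed(pre: Dict[str, Any], post: Dict[str, Any]) -> Dict[str, List[str]]:
    """Compare two dicts of entries keyed by identifier: added, removed, changed."""
    pre_keys, post_keys = set(pre), set(post)
    return {
        "added": sorted(post_keys - pre_keys),
        "removed": sorted(pre_keys - post_keys),
        "changed": sorted(k for k in pre_keys & post_keys if pre[k] != post[k]),
    }


def diff_snapshots(pre_json: str, post_json: str) -> Dict[str, Any]:
    """Build a change report from two snapshot JSON documents."""
    pre, post = json.loads(pre_json), json.loads(post_json)
    report: Dict[str, Any] = {
        area: diff_keyed(pre.get(area, {}), post.get(area, {})) for area in KEYED_AREAS
    }
    report["content_version"] = {
        "pre": pre.get("content_version", {}).get("version"),
        "post": post.get("content_version", {}).get("version"),
    }
    pre_active = int(pre.get("session_stats", {}).get("num-active", 0))
    post_active = int(post.get("session_stats", {}).get("num-active", 0))
    # Reported for context only: a sharp drop right after a reboot is expected
    # while the session table rebuilds, so it is not treated as a regression.
    report["session_stats"] = {"pre_active": pre_active, "post_active": post_active,
                               "delta": post_active - pre_active}
    return report


def has_regressions(report: Dict[str, Any]) -> bool:
    """True when a pre-upgrade route or ARP entry is missing or altered afterwards.
    Additions are listed but not flagged, since they are usually benign."""
    return any(report[area]["removed"] or report[area]["changed"] for area in KEYED_AREAS)


def format_report(report: Dict[str, Any]) -> str:
    """Render the report as plain text, one finding per line."""
    lines = []
    for area in KEYED_AREAS:
        for kind in ("removed", "changed", "added"):
            for key in report[area][kind]:
                lines.append(f"{area}: {kind} {key}")
    cv = report["content_version"]
    lines.append(f"content_version: {cv['pre']} -> {cv['post']}")
    ss = report["session_stats"]
    lines.append(f"session_stats: active {ss['pre_active']} -> {ss['post_active']} ({ss['delta']:+d})")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = diff_snapshots(PRE_SNAPSHOT, POST_SNAPSHOT)
    print(format_report(rep))
    print("REGRESSIONS FOUND" if has_regressions(rep) else "no regressions")
```

Keying entries by a stable identifier (here, virtual router plus destination plus interface for routes, interface plus IP for ARP) is what makes the diff meaningful: comparing the raw lists positionally would report every reordering as a change.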
Usage
There are two primary methods to utilize the `pan-os-upgrade` tool: through a Python virtual environment or via a Docker container.
Please refer to the dedicated documentation website to understand how to use this tool.
Documentation Site: https://cdot65.github.io/pan-os-upgrade/
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request or open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
See Contributing Guidelines for detailed instructions.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Contact
Email Address - cremsburg.dev at gmail.com
Acknowledgments
This project is built upon the shoulders of two powerful Python libraries: pan-os-python and panos-upgrade-assurance. Both of these libraries are developed and maintained by Palo Alto Networks, providing an incredible amount of capabilities when automating PAN-OS and Panorama with Python.
Hashes for pan_os_upgrade-1.2.0-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | d7ca5809ba709497e0fdcea7592b7677a2b28e433566188c723f06cd104f76b2 |
| MD5 | 29b2efbcbf759cd181702a26497a999f |
| BLAKE2b-256 | cb0f02c8e4b342c373effaafe8bb013d948f2a64f3dc96731b489e6054d231f5 |