Skip to main content

Upgrade Assurance CLI Tool

Project description

upgrade-assurance-cli — Test and Backup your PAN-OS Environment

PyPi Package Tests Supported Python versions Supported Python versions

Overview: What is upgrade-assurance-cli?

upgrade-assurance-cli is a tool for interacting with the library of tests written and maintained by Palo Alto Networks Professional Services, known as Upgrade Assurance.

This library, when implemented by the upgrade-assurance-cli tool, provide a way for users to:

  • Validate their PAN-OS environment is in an ok state before making any changes
  • Take configuration backups in preparation for changes
  • Compare their environment before and after those changes

Originally this tool was written explicitly for testing software upgrades, hence the name, but the methodology can be applied to any PAN-OS changes.

Installation

It is recommended to install this project with pipx.

Installing with pipx will automatically make the main script, assurance-cli available at the command line.

pipx install upgrade-assurance-cli

You can also install directly from this repository if you want to get changes as we develop them, but before they are formally released.

# Install from the main branch
pipx install git+https://github.com/PaloAltoNetworks/upgrade-assurance-cli.git 
# Install from <branch_name>, useful for testing.
pipx install git+https://github.com/PaloAltoNetworks/upgrade-assurance-cli.git@<branch_name> 

Quickstart

Run a readiness check ("pre-checks") against a given device.

assurance-cli readiness myfirewall.com

Read the last readiness report for a specific device

assurance-cli report --device myfirewall.com

Take a capacity report

assurance-cli capacity myfirewall.com

Take an operational snapshot

assurance-cli snapshot myfirewall.com

Compare two snapshots

assurance-cli compare-snapshots <first-snapshot-path> <second-snapshot-path>

Backup the configuration running-configuration

assurance-cli backup myfirewall.com

Backup the configuration device-state

assurance-cli backup myfirewall.com --export-type device-state

Create and export a tech-support file. Note: Does not support Panorama-proxied API connections

assurance-cli backup myfirewall.com --export-type tech-support

Configuration

Report storage

By default, assurance-cli uses the following directory structure to store all reports and artifacts:

.
├── ./
│   ├── snapshots/
│   │   ├── snapshot_<device-str>_<timestamp>.json
│   ├── store/
│   │   ├── capacity_<device-str>_<timestamp>.json
│   │   ├── readiness_<device-str>_<timestamp>.json
│   │   ├── snapshotr_<device-str>_<timestamp>.json
│   ├── backups/
│   │   ├── backup_<device-str>_<timestamp>.json

Running Against Multiple Devices

This tool allows you to run against multiple devices at once using multiprocessing.

Multiple devices can be passed to the command line as arguments to the readiness and snapshot commands.

assurance-cli readiness myfirstfirewall.com mysecondfirewall.com 

Or, they can be passed via a text file containing one device per line.

myfirstfirewall.com
mysecondfirewall.com
assurance-cli readiness <path_to_devices_file>

Connecting Via Panorama

Connections can be proxied via Panorama for simplicity. To do so, use the following format for the device string; <panorama_hostname>:<firewall_serial_number>

assurance-cli readiness my_panorama.com:1234567891011

Environment Variables

envvar description
UA_USERNAME Username to use for authentication - prompts if not given
UA_PASSWORD Username to use for authentication - prompts if not given

Customizing the Test Suite

All commands support passing the --config-path flag to pass in a config file. This CLI ships with the most commonly used tests but it is expected that most users will need to customize it.

The config file is in YAML format and specifies the tests used by the upgrade assurance library.

Complete example

pre_checks:
  - "active_support"
  - "candidate_config"
  - "expired_licenses"
  - "jobs"
  - "ntp_sync"
  - "panorama"
  # tests below have optional configuration
  - certificates_requirements:
      ecdsa:
        hash_method: "sha512"
      rsa:
        key_size: 1024
        hash_method: "sha1"
  - content_version:
      version: "8634-7678"
  - dp_cpu_utilization:
      threshold: 50
      minutes: 2
  - dynamic_updates:
      test_window: 120
  - expired_licenses:
      skip_licenses:
        - "Threat Prevention"
  - free_disk_space:
      image_version: "10.1.6-h6"
  - ha:
      skip_config_sync: true
  - mp_cpu_utilization:
      threshold: 40
  - planes_clock_sync:
      diff_threshold: 30
  # tests below require additional configuration
  - arp_entry_exist:
      ip: "10.0.1.1"
  - ip_sec_tunnel_status:
      tunnel_name: "ipsec_tun"
  - session_exist:
      source: "134.238.135.137"
      destination: "10.1.0.4"
      dest_port: "80"
snapshot_comparison_config:
  - ip_sec_tunnels:
      properties:
        - "state"
  - arp_table:
      properties:
        - "!ttl"
      count_change_threshold: 10
  - nics:
      count_change_threshold: 10
  - license:
      properties:
        - "!serial"
  - routes:
      properties:
        - "!flags"
      count_change_threshold: 10
  - fib_routes:
      properties:
        - "!flags"
      count_change_threshold: 10
  - are_routes:
      properties:
        - "!uptime"
        - "!internalNextHopNum"
      count_change_threshold: 10
  - are_fib_routes:
      properties:
        - "!flags"
      count_change_threshold: 10
  - bgp_peers:
      properties:
        - "status"
  - content_version
  - session_stats:
      thresholds:
        - num-max: 10
        - num-tcp: 10
  - mtu
snapshot_config:
 - routes
 - nics
 - are_fib_routes
 - arp_table
 - license
 - fib_routes
 - are_routes
 - are_fib_routes
 - bgp_peers
 - content_version
 - session_stats
 - mtu
 - ip_sec_tunnels

For a full list of checks and al their configuration options view the Upgrade Assurance Documentation site.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

upgrade_assurance_cli-1.2.0.tar.gz (17.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

upgrade_assurance_cli-1.2.0-py3-none-any.whl (19.2 kB view details)

Uploaded Python 3

File details

Details for the file upgrade_assurance_cli-1.2.0.tar.gz.

File metadata

  • Download URL: upgrade_assurance_cli-1.2.0.tar.gz
  • Upload date:
  • Size: 17.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for upgrade_assurance_cli-1.2.0.tar.gz
Algorithm Hash digest
SHA256 06272ecada1146b0eb4e9cd4f50be390236407d557aa216ceb9174c01916ebbb
MD5 8677ed18091f65fb4a879de3e4455289
BLAKE2b-256 91975dd0cf6712a4ea8f28931ffe7fe018e8aec03d3730ac25c9ad4aea982943

See more details on using hashes here.

Provenance

The following attestation bundles were made for upgrade_assurance_cli-1.2.0.tar.gz:

Publisher: release.yaml on PaloAltoNetworks/upgrade-assurance-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file upgrade_assurance_cli-1.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for upgrade_assurance_cli-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5a5f297c556f6c3f43b567e8ae21aa5fe015f086b927453fa0284da2c93abb17
MD5 562aeffd79e4e3b3d2a50050bd84727f
BLAKE2b-256 3a8032bf29248f8e9971302bbd9036ad34c8494ee9d2f9d57ca3741f0634f27c

See more details on using hashes here.

Provenance

The following attestation bundles were made for upgrade_assurance_cli-1.2.0-py3-none-any.whl:

Publisher: release.yaml on PaloAltoNetworks/upgrade-assurance-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page