Upgrade Assurance CLI Tool
Project description
Upgrade Assurance CLI Tool
This project is a simple CLI wrapper around the PAN-OS Upgrade Assurance library.
Installation
It is recommended to install this project with pipx.
Installing with pipx will automatically make the main script, assurance-cli available at the command line.
pipx install upgrade-assurance-cli
You can also install directly from this repository if you want to get changes as we develop them, but before they are formally released.
# Install from the main branch
pipx install git+https://github.com/PaloAltoNetworks/upgrade-assurance-cli.git
# Install from <branch_name>, useful for testing.
pipx install git+https://github.com/PaloAltoNetworks/upgrade-assurance-cli.git@<branch_name>
Quickstart
Run a readiness check ("pre-checks") against a given device.
assurance-cli readiness myfirewall.com
Read the last readiness report for a specific device
assurance-cli report --device myfirewall.com
Take a capacity report
assurance-cli capacity myfirewall.com
Take an operational snapshot
assurance-cli snapshot myfirewall.com
Compare two snapshots
assurance-cli compare-snapshots <first-snapshot-path> <second-snapshot-path>
Backup the configuration running-configuration
assurance-cli backup myfirewall.com
Backup the configuration device-state
assurance-cli backup myfirewall.com --export-type device-state
Configuration
Report storage
By default, assurance-cli uses the following directory structure to store all
reports and artifacts:
.
├── ./
│ ├── snapshots/
│ │ ├── snapshot_<device-str>_<timestamp>.json
│ ├── store/
│ │ ├── capacity_<device-str>_<timestamp>.json
│ │ ├── readiness_<device-str>_<timestamp>.json
│ │ ├── snapshotr_<device-str>_<timestamp>.json
│ ├── backups/
│ │ ├── backup_<device-str>_<timestamp>.json
Running Against Multiple Devices
This tool allows you to run against multiple devices at once using multiprocessing.
Multiple devices can be passed to the comand line as arguments to the readiness and snapshot commands.
assurance-cli readiness myfirstfirewall.com mysecondfirewall.com
Or, they can be passed via a text file containing one device per line.
myfirstfirewall.com
mysecondfirewall.com
assurance-cli readiness <path_to_devices_file>
Connecting Via Panorama
Connections can be proxied via Panorama for simplicity. To do so, use the following format for the device string;
<panorama_hostname>:<firewall_serial_number>
assurance-cli readiness my_panorama.com:1234567891011
Environment Variables
| envvar | description |
|---|---|
| UA_USERNAME | Username to use for authentication - prompts if not given |
| UA_PASSWORD | Username to use for authentication - prompts if not given |
Customizing the Test Suite
All commands support passing the --config-path flag to pass in a config file. This CLI ships with the most commonly
used tests but it is expected that most users will need to customize it.
The config file is in YAML format and specifies the tests used by the upgrade assurance library.
Complete example
pre_checks:
- "active_support"
- "candidate_config"
- "expired_licenses"
- "jobs"
- "ntp_sync"
- "panorama"
# tests below have optional configuration
- certificates_requirements:
ecdsa:
hash_method: "sha512"
rsa:
key_size: 1024
hash_method: "sha1"
- content_version:
version: "8634-7678"
- dp_cpu_utilization:
threshold: 50
minutes: 2
- dynamic_updates:
test_window: 120
- expired_licenses:
skip_licenses:
- "Threat Prevention"
- free_disk_space:
image_version: "10.1.6-h6"
- ha:
skip_config_sync: true
- mp_cpu_utilization:
threshold: 40
- planes_clock_sync:
diff_threshold: 30
# tests below require additional configuration
- arp_entry_exist:
ip: "10.0.1.1"
- ip_sec_tunnel_status:
tunnel_name: "ipsec_tun"
- session_exist:
source: "134.238.135.137"
destination: "10.1.0.4"
dest_port: "80"
snapshot_comparison_config:
- ip_sec_tunnels:
properties:
- "state"
- arp_table:
properties:
- "!ttl"
count_change_threshold: 10
- nics:
count_change_threshold: 10
- license:
properties:
- "!serial"
- routes:
properties:
- "!flags"
count_change_threshold: 10
- fib_routes:
properties:
- "!flags"
count_change_threshold: 10
- are_routes:
properties:
- "!uptime"
- "!internalNextHopNum"
count_change_threshold: 10
- are_fib_routes:
properties:
- "!flags"
count_change_threshold: 10
- bgp_peers:
properties:
- "status"
- content_version
- session_stats:
thresholds:
- num-max: 10
- num-tcp: 10
- mtu
snapshot_config:
- routes
- nics
- are_fib_routes
- arp_table
- license
- fib_routes
- are_routes
- are_fib_routes
- bgp_peers
- content_version
- session_stats
- mtu
- ip_sec_tunnels
For a full list of checks and al their configuration options view the Upgrade Assurance Documentation site.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file upgrade_assurance_cli-1.1.0.tar.gz.
File metadata
- Download URL: upgrade_assurance_cli-1.1.0.tar.gz
- Upload date:
- Size: 15.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d6822e3444cacd68ed08a3e53d8ef6cf9d05c1301c438e2ef86d52ca499ffd8f
|
|
| MD5 |
89ebbdb7ef4f5d11096ab3961c079364
|
|
| BLAKE2b-256 |
42a6f2451438637a440dd6d6cac972547cacf05b8373d5149e50edbb3843dbd7
|
Provenance
The following attestation bundles were made for upgrade_assurance_cli-1.1.0.tar.gz:
Publisher:
release.yaml on PaloAltoNetworks/upgrade-assurance-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
upgrade_assurance_cli-1.1.0.tar.gz -
Subject digest:
d6822e3444cacd68ed08a3e53d8ef6cf9d05c1301c438e2ef86d52ca499ffd8f - Sigstore transparency entry: 1204155715
- Sigstore integration time:
-
Permalink:
PaloAltoNetworks/upgrade-assurance-cli@49346736e890e4474746fa7945c509a31148b8b0 -
Branch / Tag:
refs/heads/master - Owner: https://github.com/PaloAltoNetworks
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yaml@49346736e890e4474746fa7945c509a31148b8b0 -
Trigger Event:
push
-
Statement type:
File details
Details for the file upgrade_assurance_cli-1.1.0-py3-none-any.whl.
File metadata
- Download URL: upgrade_assurance_cli-1.1.0-py3-none-any.whl
- Upload date:
- Size: 17.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5f51af848c4ed11b1b81bc457ecc831fa03596a6ae9bf3b44231dc0858b592f2
|
|
| MD5 |
49e2b82a449c1b536456690e6f378587
|
|
| BLAKE2b-256 |
facab67d682d5123ca1d4dbc2d37fdef0457dcea6e04e3f68a3d31ba243ce5dc
|
Provenance
The following attestation bundles were made for upgrade_assurance_cli-1.1.0-py3-none-any.whl:
Publisher:
release.yaml on PaloAltoNetworks/upgrade-assurance-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
upgrade_assurance_cli-1.1.0-py3-none-any.whl -
Subject digest:
5f51af848c4ed11b1b81bc457ecc831fa03596a6ae9bf3b44231dc0858b592f2 - Sigstore transparency entry: 1204155764
- Sigstore integration time:
-
Permalink:
PaloAltoNetworks/upgrade-assurance-cli@49346736e890e4474746fa7945c509a31148b8b0 -
Branch / Tag:
refs/heads/master - Owner: https://github.com/PaloAltoNetworks
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yaml@49346736e890e4474746fa7945c509a31148b8b0 -
Trigger Event:
push
-
Statement type:
