Snapshot Error on PAN-OS 10.1.8: Missing Session Counters in Batch Upgrade

Question

Snapshot Error on PAN-OS 10.1.8: Missing Session Counters in Batch Upgrade

Closed this issue 7 months ago · 0 comments

Issue Description

When performing a dry run batch upgrade using the pan-os-upgrade script with a filter targeting specific firewalls, an error occurred during the snapshot phase. The error was related to missing session statistics, specifically num-imsi and potentially tcp-cong-ctrl, which were not present in the response from a PAN-OS version 10.1.8 firewall.

Error Details

The script successfully established a connection to Panorama and identified the target firewall (tffw01). However, during the snapshot of network state information, the following validation errors were encountered:

❌ tffw01: Error running snapshots: 2 validation errors for SnapshotReport
session_stats.num-imsi
  Field required [type=missing, input_value={'tmo-5gcdelete': '15', '...'num-gtpu-pending': '0'}, input_type=dict]
session_stats.tcp-cong-ctrl
  Field required [type=missing, input_value={'tmo-5gcdelete': '15', '...'num-gtpu-pending': '0'}, input_type=dict]

This suggests that the session statistics expected by the script, particularly num-imsi and potentially tcp-cong-ctrl, were not available in the PAN-OS 10.1.8 firewall response.

Investigation

Upon reviewing the firewall's available counters, it was noted that the counters for "Hardware UDP session offloading" and "Number of active IMSI sessions" were indeed missing, which corresponds to the num-imsi counter error. The tcp-cong-ctrl error is suspected to be related, possibly due to the absence of the num-imsi counter.

Pydantic Model Configuration

The Pydantic model used for parsing session statistics (SessionStats) has all fields marked as Optional, which should theoretically allow for missing data without causing validation errors. However, the observed behavior suggests an issue with handling optional fields for missing session counters.

Steps to Reproduce

Execute the pan-os-upgrade batch command targeting a Panorama appliance with a filter for a specific firewall running PAN-OS 10.1.8.
Provide necessary authentication details and choose a dry run.
Observe the error during the snapshot phase.

Expected Behavior

The script should handle missing session counters gracefully, especially when they are marked as optional in the Pydantic model. The absence of specific counters should not prevent the snapshot process from completing.

Suggested Resolution

Investigate the handling of optional fields in the Pydantic model and ensure that missing session statistics do not result in validation errors. Consider implementing additional checks or fallback mechanisms for environments with older PAN-OS versions where certain counters may not be available.