cdot65/pan-os-upgrade

Enhance Support for HA Panorama Upgrades in pan-os-upgrade Tool

Closed this issue · 0 comments

The current pan-os-upgrade CLI tool lacks dedicated support for upgrading High Availability (HA) Panorama instances, due to differences in the HA response structure compared to firewalls. Specifically, the existing handle_ha_logic function fails to accommodate Panorama's unique response to the "show high-availability state" command, which lacks a "group" concept present in firewall responses.

Current Limitation:

The handle_ha_logic function is not compatible with Panorama's HA state response structure, causing the upgrade process for HA Panorama setups to fail.

Example HA Panorama Response:

<response status="success">
    <result>
        <enabled>yes</enabled>
        <local-info>
            <version>1</version>
            <state>primary-active</state>
            <state-duration>74869</state-duration>
            <last-error-reason>Path down</last-error-reason>
            <last-error-state>primary-non-functional</last-error-state>
            <mgmt-ip>192.168.255.191/24</mgmt-ip>
            <mgmt-ipv6></mgmt-ipv6>
            <preemptive>yes</preemptive>
            <promotion-hold>2000</promotion-hold>
            <hello-interval>8000</hello-interval>
            <heartbeat-interval>2000</heartbeat-interval>
            <preempt-hold>1</preempt-hold>
            <monitor-fail-holdup>0</monitor-fail-holdup>
            <addon-master-holdup>7000</addon-master-holdup>
            <encrypt-imported>no</encrypt-imported>
            <mgmt-macaddr>82:2c:5b:03:6b:c1</mgmt-macaddr>
            <encrypt-enable>no</encrypt-enable>
            <link-mon-intv>3000</link-mon-intv>
            <priority>primary</priority>
            <build-rel>10.2.7-h3</build-rel>
            <url-version>Not Installed</url-version>
            <app-version>8804-8537</app-version>
            <iot-version>113-471</iot-version>
            <av-version>4719-5237</av-version>
            <VMS>Match</VMS>
            <build-compat>Match</build-compat>
            <url-compat>Match</url-compat>
            <app-compat>Match</app-compat>
            <iot-compat>Match</iot-compat>
            <av-compat>Match</av-compat>
        </local-info>
        <peer-info>
            <conn-ha1>
                <conn-status>up</conn-status>
                <conn-primary>yes</conn-primary>
                <conn-desc>heartbeat status</conn-desc>
            </conn-ha1>
            <conn-status>up</conn-status>
            <version>1</version>
            <state>secondary-passive</state>
            <state-duration>74319</state-duration>
            <last-error-reason>User requested</last-error-reason>
            <last-error-state>secondary-suspended</last-error-state>
            <preemptive>yes</preemptive>
            <mgmt-ip>192.168.255.192</mgmt-ip>
            <mgmt-macaddr>82:2c:5b:03:6b:c2</mgmt-macaddr>
            <priority>secondary</priority>
            <build-rel>10.2.7-h3</build-rel>
            <url-version>Not Installed</url-version>
            <app-version>8804-8537</app-version>
            <iot-version>113-471</iot-version>
            <av-version>4719-5237</av-version>
            <VMS>3.0.5</VMS>
        </peer-info>
        <path-monitoring>
            <enabled>yes</enabled>
            <failure-condition>any</failure-condition>
            <groups>
                <entry>
                    <name>panorama2</name>
                    <failure-condition>any</failure-condition>
                    <enabled>yes</enabled>
                    <ping-interval>5000</ping-interval>
                    <ping-count>3</ping-count>
                    <destination-groups>
                        <entry>
                            <name>panorama2</name>
                            <enabled>yes</enabled>
                            <failure-condition>any</failure-condition>
                            <dest-ip>
                                <entry>
                                    <addr>192.168.255.192</addr>
                                    <status>up</status>
                                </entry>
                            </dest-ip>
                        </entry>
                    </destination-groups>
                </entry>
            </groups>
        </path-monitoring>
        <running-sync>synchronized</running-sync>
        <running-sync-enabled>yes</running-sync-enabled>
    </result>
</response>

Required Enhancement

Develop a new function specifically designed for HA Panorama upgrades, acknowledging the absence of "group" structures in Panorama's HA state responses. This function should effectively manage the upgrade process, ensuring compatibility with Panorama's HA architecture and facilitating a seamless upgrade experience.

This enhancement is crucial for customers needing to safely and efficiently upgrade large numbers of HA Panorama instances in short time frames. Addressing this will significantly improve the tool's utility and reliability for complex Panorama environments.
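
The difference in response shape described in this issue can be handled by one parser that accepts both layouts. The sketch below is an added example, not code from pan-os-upgrade: `parse_ha_state` is a hypothetical name, the Panorama sample is trimmed from the response above, and the firewall sample is constructed on the assumption that its `local-info` and `peer-info` sit under a `<group>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the Panorama response shown in the issue.
PANORAMA_HA = """<response status="success"><result>
  <enabled>yes</enabled>
  <local-info><state>primary-active</state><build-rel>10.2.7-h3</build-rel></local-info>
  <peer-info><state>secondary-passive</state><build-rel>10.2.7-h3</build-rel></peer-info>
</result></response>"""

# Constructed firewall-style sample; the <group> wrapper is the assumed layout.
FIREWALL_HA = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info><state>active</state><build-rel>10.2.7-h3</build-rel></local-info>
    <peer-info><state>passive</state><build-rel>10.2.7</build-rel></peer-info>
  </group>
</result></response>"""


def parse_ha_state(xml_text):
    """Return local/peer HA state from either response layout (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    result = root.find("result")
    if result is None or result.findtext("enabled") != "yes":
        return {"enabled": False}
    # Firewall layout nests the info under <group>; Panorama puts it under <result>.
    group = result.find("group")
    base = group if group is not None else result
    local, peer = base.find("local-info"), base.find("peer-info")
    if local is None or peer is None:
        # Fail closed: never start an upgrade on a pair whose state is unknown.
        raise ValueError("HA enabled but local-info/peer-info missing")
    return {
        "enabled": True,
        "layout": "firewall" if group is not None else "panorama",
        "local_state": local.findtext("state"),
        "peer_state": peer.findtext("state"),
        "versions_match": local.findtext("build-rel") == peer.findtext("build-rel"),
    }
```

Raising on a missing `local-info` or `peer-info`, rather than treating the device as standalone, keeps an unrecognised response from being upgraded as if it had no peer.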