cdot65/pan-os-upgrade

Discrepancy in Targeted Firewalls for Batch Upgrade in HA Configuration

Closed this issue · 0 comments

Summary

We have identified an issue in the batch upgrade script where the firewalls selected and confirmed for an upgrade are not being accurately targeted in a High Availability (HA) configuration. Specifically, one of the selected firewalls (katy-fw1) was not included in the upgrade process, and instead, a firewall not selected for upgrade (katy-fw2) was targeted.

Steps to Reproduce

1. Run the batch upgrade command with the -u, -p, -h, and -v options to initiate a batch upgrade through Panorama.
2. Select and confirm a list of firewalls for the upgrade, including firewalls in an HA configuration.
3. Observe the logs to verify which firewalls are targeted for the upgrade.

Expected Behavior

All and only the firewalls confirmed by the user in the selection process should be targeted and included in the upgrade process.

Actual Behavior

The confirmed firewall katy-fw1 was not targeted for the upgrade.
The non-confirmed firewall katy-fw2, which was not part of the user's selection, was targeted for the upgrade.

Logs/Output

Relevant logs show the user's confirmation of the selected firewalls, including katy-fw1, but the subsequent upgrade process logs indicate that katy-fw2 is being targeted instead of katy-fw1.

Possible Cause/Suspected Area

The issue may lie in the handling of firewall objects in HA configurations within the script. It's possible that the script is incorrectly mapping or identifying the HA pair, leading to one member of the HA pair being incorrectly excluded from the upgrade process.

Suggested Fix/Workaround

A thorough review and possibly a redesign of the logic handling HA configurations and firewall selection for upgrades are needed. Ensuring that the script accurately maps user-selected firewalls to their corresponding objects, especially in HA configurations, is crucial.

Impact

This issue can lead to unintended firewalls being upgraded, which may disrupt network operations and cause confusion. It undermines the reliability of the upgrade process in environments with HA configurations.

Additional Context

This issue was discovered during routine upgrade operations in a controlled environment. It is critical to address this issue to ensure the reliability and accuracy of the batch upgrade process, particularly for users managing firewalls in HA configurations through Panorama.
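
The "all and only" requirement from Expected Behavior can be enforced as a fail-closed pre-flight check. The sketch below is an added example, not part of the issue or of the pan-os-upgrade code base, and it does not diagnose the actual cause. The `Firewall` class, the function names, the serial numbers and the `lab-fw1` hostname are assumptions made for illustration; only `katy-fw1` and `katy-fw2` come from the report.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Firewall:  # hypothetical record, not a pan-os-upgrade type
    hostname: str
    serial: str
    ha_peer_serial: Optional[str] = None  # serial of the HA peer, if any


class TargetMismatch(RuntimeError):
    """Raised when the upgrade queue differs from the confirmed selection."""


def diff_targets(confirmed: Iterable[Firewall], targeted: Iterable[Firewall]) -> dict:
    """Compare by serial number (unique per device), not by list position."""
    want = {fw.serial: fw for fw in confirmed}
    have = {fw.serial: fw for fw in targeted}
    missing = [want[s] for s in sorted(want.keys() - have.keys())]
    unexpected = [have[s] for s in sorted(have.keys() - want.keys())]
    # HA swap: a confirmed device is absent and its HA peer was queued instead.
    extra = {fw.serial: fw for fw in unexpected}
    swaps = [(m.hostname, extra[m.ha_peer_serial].hostname)
             for m in missing if m.ha_peer_serial in extra]
    return {"missing": [m.hostname for m in missing],
            "unexpected": [u.hostname for u in unexpected],
            "ha_swaps": swaps}


def require_exact_targets(confirmed, targeted) -> None:
    """Fail closed: refuse to start any upgrade unless the sets match."""
    report = diff_targets(confirmed, targeted)
    if report["missing"] or report["unexpected"]:
        raise TargetMismatch(f"upgrade queue != confirmed selection: {report}")


# Constructed sample data: hostnames katy-fw1/katy-fw2 are from the issue,
# the serial numbers and lab-fw1 are invented for this example.
KATY_FW1 = Firewall("katy-fw1", "SERIAL-0001", ha_peer_serial="SERIAL-0002")
KATY_FW2 = Firewall("katy-fw2", "SERIAL-0002", ha_peer_serial="SERIAL-0001")
LAB_FW = Firewall("lab-fw1", "SERIAL-0003")

if __name__ == "__main__":
    confirmed = [KATY_FW1, LAB_FW]
    targeted = [KATY_FW2, LAB_FW]  # the behaviour the issue reports
    print(diff_targets(confirmed, targeted))
```

Calling `require_exact_targets` between the confirmation prompt and the first upgrade step turns a silent HA peer substitution into a hard stop with both hostnames named in the error.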