cdot65/pan-os-upgrade

Enhancement: Support for Upgrading Active Firewall First in HA Pairs

Summary

Currently, our pan-os-upgrade script adopts a conservative approach by prioritizing upgrades for "passive" firewalls in an HA pair, moving "active" firewalls to a revisit list for post-upgrade actions. This workflow aligns with a common best practice of minimizing disruptions during upgrades. However, there are documented scenarios where upgrading the "active" firewall first is preferred. This enhancement aims to introduce flexibility into our upgrade process by allowing users to opt for a workflow that upgrades the "active" firewall first, thereby accommodating a broader range of upgrade strategies.

Enhancement Details

The proposed enhancement will introduce a new workflow option within the pan-os-upgrade script, enabling users to prioritize the upgrade of the "active" firewall in an HA pair. This workflow will involve:

  • Temporarily failing the HA state of the "active" firewall, prompting a failover to the "passive" firewall, which then becomes the new "active" member.
  • Initiating the upgrade process on the now "passive" firewall (formerly "active").
  • Upon successful upgrade and reboot of the first firewall, the script will proceed to upgrade the remaining firewalls, which are now in the "passive" state and were part of the initial "revisit" list.

Rationale

This enhancement is motivated by the need to provide a more versatile tool that accommodates various HA upgrade strategies documented across different best practices. It allows users to choose the upgrade sequence that best fits their operational requirements and risk management policies.

Use Cases

  • High Availability Environments: In environments where minimal downtime and immediate recovery are paramount, this option allows for a quicker return to full redundancy post-upgrade.
  • Compliance with Specific Upgrade Protocols: Certain network policies or compliance standards may dictate specific upgrade sequences for HA pairs, necessitating this flexible approach.

Implementation Considerations

  • User Input: Introduce a command-line option or a configuration parameter allowing users to select the preferred upgrade workflow.
  • State Management: Ensure robust state management to handle failovers, upgrades, and potential rollback scenarios gracefully.
  • Documentation: Update the script documentation to clearly outline the new workflow, its use cases, and any additional steps required to initiate this upgrade path.

Potential Challenges

  • Risk of Downtime: Upgrading the "active" firewall first may entail a higher risk of temporary service disruption, which should be clearly communicated to the users.
  • Complexity in Rollback: In cases where the upgrade encounters issues, the rollback process may be more complex due to the involved failover and state changes.

Request for Comments

We invite feedback from the community on this proposed enhancement, particularly regarding its utility, potential impact on existing workflows, and any additional features that would make this option more effective for users' needs.