Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)

This use case highlights the ability of the PAN-OS XML API to automate a more complex procedure, namely upgrading firewalls set up as an active-passive high-availability (HA) pair. Normally, this procedure involves multiple manual steps on individual firewalls.
This is a high-level overview of the steps you must take in this procedure. Your script or application must incorporate error-checking and logic to implement this sequence of steps.
Because the PAN-OS XML API uses a tree of XML nodes, in your API request you must specify the correct type and action along with the XPath Node Selection. See Explore the API to learn how to construct XML requests.
  1. Check for the latest PAN-OS software update through Panorama
    Check for the latest available PAN-OS software updates. Include the firewall serial number in your request:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=<apikey>"
    The response contains an array of results sorted to show the latest version first:
    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
  2. Download the latest PAN-OS software update.
    1. In this case, the latest version is 7.1.0-c65, so download that version:
      curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><download><version>7.1.0-c65</version></download></software></system></request>&key=<apikey>'
    2. Use the jobid in the response to ensure that the system update download completes successfully:
      curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=318&key=<apikey>'
      The response should include the following:
      <response status="success">…
  3. Install the latest PAN-OS software update.
    To install the latest system update, include the version in a software install request:
    curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=<apikey>'
  4. Check on the software installation status.
    Use the jobid in the response to ensure that the system update installs successfully:
    curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=<jobid>&key=<apikey>'
    The response should include the following:
    <response status="success">…
  5. Get a list of connected firewalls.
    Get a list of connected firewalls that Panorama manages:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=<apikey>"
    The response includes the serial number (serial) of each firewall.
    <response status="success">
      <result>
        <devices>
          <entry name="007200002517">
            <serial>007200002342</serial>
            <connected>yes</connected>
            <unsupported-version>no</unsupported-version>
            <deactivated>no</deactivated>
            <hostname>PM-6-1-VM</hostname>
            <ip-address>10.3.4.137</ip-address>
            <mac-addr />
            <uptime>81 days, 20:39:41</uptime>
            <family>vm</family>
            <model>PA-VM</model>
            <sw-version>6.1.3</sw-version>
            <app-version>555-3129</app-version>
            <av-version>2254-2693</av-version>
            <wildfire-version>91873-101074</wildfire-version>
            <threat-version>555-3129</threat-version>
            <url-db>paloaltonetworks</url-db>
            <url-filtering-version>2016.02.02.416</url-filtering-version>
            <logdb-version>6.1.3</logdb-version>
            <vpnclient-package-version />
            <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
            <vpn-disable-mode>no</vpn-disable-mode>
            <operational-mode>normal</operational-mode>
            <multi-vsys>no</multi-vsys>
            <vsys>
              <entry name="vsys1">
                <display-name>vsys1</display-name>
                <shared-policy-status />
                <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
              </entry>
            </vsys>
          </entry>
          <!-- truncated -->
        </devices>
      </result>
    </response>
    The response contains a <serial> XML element that contains each firewall serial number.
  6. Check for the latest PAN-OS software update.
    Check to see if new software is available on your HA pair:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=<serialnumber>&key=<apikey>"
    The response contains an array of results sorted to show the latest version first:
    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
  7. Download the latest PAN-OS software update.
    After determining the latest system update, download it to both firewalls in the HA pair:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=<serialnumber>&key=<apikey>"
    The response contains a job ID:
    <response status="success" code="19">
      <result>
        <msg>
          <line>Download job enqueued with jobid 3448</line>
        </msg>
        <job>3448</job>
      </result>
    </response>
    Use the job ID to check on the download status:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=<serialnumber>&key=<apikey>"
    The response contains a job status of FIN when the download is complete:
    <response status="success">
      <result>
        <job>
          <tenq>2016/02/03 08:32:00</tenq>
          <id>3448</id>
          <user />
          <type>Downld</type>
          <status>FIN</status>
          <stoppable>no</stoppable>
          <result>OK</result>
          <tfin>08:32:10</tfin>
          <progress>08:32:10</progress>
          <details>
            <line>Successfully downloaded</line>
            <line>Preloading into software manager</line>
            <line>Successfully loaded into software manager</line>
          </details>
          <warnings />
        </job>
      </result>
    </response>
  8. Suspend the active HA firewall.
    Suspend the active firewall in your high-availability firewall pair:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=<serialnumber>&key=<apikey>"
    The response confirms the active firewall has been suspended:
    <response status="success"> <result>Successfully changed HA state to suspended</result> </response>
  9. Install the latest software update on the suspended HA peer.
    After suspending the active HA firewall, install the system update on it:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=<serialnumber>&key=<apikey>"
    The response shows the system update is queued:
    <response status="success" code="19">
      <result>
        <msg>
          <line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line>
        </msg>
        <job>3453</job>
      </result>
    </response>
  10. Check on the software installation status.
    Use the jobid in the response to ensure that the system update installs successfully:
    curl -X GET 'https://<panorama>/api/?type=op&action=get&job-id=<jobid>&target=<serialnumber>&key=<apikey>'
    The response should include the following:
    <response status="success">…
  11. Reboot the suspended HA peer.
    After installing the latest system update, reboot the suspended HA peer:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=<serialnumber>&key=<apikey>"
  12. Verify that the upgrade is successful.
    Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<show><system><info></info></system></show>&target=<serialnumber>&key=<apikey>"
  13. Make the suspended HA peer active.
    After you verify that the system update on the suspended HA peer is successful, make it active again:
    curl -X GET "https://<panorama>/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=<serialnumber>&key=<apikey>"
    The response confirms that the suspended firewall is functional again:
    <response status="success"> <result>Successfully changed HA state to functional</result> </response>
  14. Install the system update on the passive HA peer.
    Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
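
The error-checking this procedure calls for, as an added Python example that is not part of the original documentation or of any Palo Alto Networks code: it parses the job-enqueued and job-status responses shown in steps 7 and 9 and refuses to continue unless the job ends with status FIN and result OK. The function names, the fetch_status callback and the sample responses are assumptions constructed for this example.

```python
import time
import xml.etree.ElementTree as ET

class PanApiError(Exception):
    """A response that must stop the upgrade sequence."""

def parse_response(xml_text):
    """Return <result> of a successful response; raise on status != success."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise PanApiError("API call failed: " + " ".join(root.itertext()).strip())
    result = root.find("result")
    if result is None:
        raise PanApiError("response has no <result> element")
    return result

def enqueued_job_id(xml_text):
    """Job ID from a download/install 'enqueued' response (steps 7 and 9)."""
    job = parse_response(xml_text).findtext("job")
    if not job or not job.isdigit():
        raise PanApiError("no job ID in response")
    return job

def job_state(xml_text):
    """(status, result) from a job status response, e.g. ('FIN', 'OK')."""
    job = parse_response(xml_text).find("job")
    if job is None:
        raise PanApiError("no <job> element in response")
    return job.findtext("status"), job.findtext("result")

def wait_for_job(fetch_status, job_id, interval=10, max_polls=180, sleep=time.sleep):
    """Poll until status is FIN; only result OK lets the sequence continue."""
    for _ in range(max_polls):
        status, result = job_state(fetch_status(job_id))
        if status == "FIN":
            if result != "OK":
                raise PanApiError(f"job {job_id} finished with result {result}")
            return True
        sleep(interval)
    raise PanApiError(f"job {job_id} not finished after {max_polls} polls")

# Constructed sample responses modelled on steps 7 and 9; the ACT, PEND and
# FAIL values stand in for "not finished" and "failed" and are not from the page.
ENQUEUED = ('<response status="success" code="19"><result><msg><line>Download job '
            'enqueued with jobid 3448</line></msg><job>3448</job></result></response>')
PENDING = ('<response status="success"><result><job><id>3448</id>'
           '<status>ACT</status><result>PEND</result></job></result></response>')
FINISHED = PENDING.replace("ACT", "FIN").replace("PEND", "OK")
FAILED = PENDING.replace("ACT", "FIN").replace("PEND", "FAIL")
```

Pass a function that performs the job-status request from step 7 as fetch_status, and send the suspend, reboot and functional requests only after wait_for_job returns.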
