Upgrade PAN-OS on Multiple Firewalls through Panorama
Check for the latest PAN-OS software update through Panorama
|
Check for the latest available PAN-OS software updates. Include the firewall serial number in your request:
https://panorama/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=apikey
The response contains an array of results sorted to show the latest version first:
<response status="success">
<result>
<sw-updates last-updated-at="2016/02/03 08:29:09">
<msg />
<versions>
<entry>
<version>7.1</version>
<filename>PanOS_vm-7.1</filename>
<size>540</size>
<size-kb>553964</size-kb>
<released-on>2016/02/02 10:57:20</released-on>
<release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
<downloaded>no</downloaded>
<current>no</current>
<latest>yes</latest>
</entry>
<!-- truncated -->
</versions>
</sw-updates>
</result>
</response>
|
Download the latest PAN-OS software update.
|
In this case, the latest version is 7.1.0-c65, so download that version:
curl -X GET 'https://firewall/api/?type=op&cmd=<request><system><software><download><version>7.1.0-c65</version></download></software></system></request>&key=apikey'
Use the jobid in the response to ensure that the system update download completes successfully:
curl -X GET 'https://firewall/api/?type=op&action=get&job-id=318&key=apikey'
The response should include the following:
<response status="success">…
|
Install the latest PAN-OS software update.
|
To install the latest system update, include the version in a software install request:
curl -X GET 'https://firewall/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=apikey'
|
Check on the software installation status.
|
Use the jobid in the response to ensure that the system update installs successfully:
curl -X GET 'https://firewall/api/?type=op&action=get&job-id=jobid&key=apikey'
The response should include the following:
<response status="success">…
|
Get a list of connected firewalls.
|
Get a list of connected firewalls that Panorama manages:
https://panorama/api/?type=op&cmd=<show><devices><connected></connected></devices></show>
The response includes the serial number (serial) of each firewall.
<response status="success">
<result>
<devices>
<entry name="007200002517">
<serial>007200002342</serial>
<connected>yes</connected>
<unsupported-version>no</unsupported-version>
<deactivated>no</deactivated>
<hostname>PM-6-1-VM</hostname>
<ip-address>10.3.4.137</ip-address>
<mac-addr />
<uptime>81 days, 20:39:41</uptime>
<family>vm</family>
<model>PA-VM</model>
<sw-version>6.1.3</sw-version>
<app-version>555-3129</app-version>
<av-version>2254-2693</av-version>
<wildfire-version>91873-101074</wildfire-version>
<threat-version>555-3129</threat-version>
<url-db>paloaltonetworks</url-db>
<url-filtering-version>2016.02.02.416</url-filtering-version>
<logdb-version>6.1.3</logdb-version>
<vpnclient-package-version />
<global-protect-client-package-version>0.0.0</global-protect-client-package-version>
<vpn-disable-mode>no</vpn-disable-mode>
<operational-mode>normal</operational-mode>
<multi-vsys>no</multi-vsys>
<vsys>
<entry name="vsys1">
<display-name>vsys1</display-name>
<shared-policy-status />
<shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
</entry>
</vsys>
</entry>
<!--truncated -->
</devices>
</result>
</response>
The response contains a <serial> XML element that contains each firewall serial number.
|
Check for the latest PAN-OS software update.
|
Check to see if new software is available on your HA pair:
https://panorama/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=serialnumber&key=apikey
The response contains an array of results sorted to show the latest version first:
<response status="success">
<result>
<sw-updates last-updated-at="2016/02/03 08:29:09">
<msg />
<versions>
<entry>
<version>7.1</version>
<filename>PanOS_vm-7.1</filename>
<size>540</size>
<size-kb>553964</size-kb>
<released-on>2016/02/02 10:57:20</released-on>
<release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
<downloaded>no</downloaded>
<current>no</current>
<latest>yes</latest>
</entry>
<!-- truncated -->
</versions>
</sw-updates>
</result>
</response>
|
Download the latest PAN-OS software update.
|
After determining the latest system update, download it to both firewalls in the HA pair:
https://panorama/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=serialnumber&key=apikey
The response contains a job ID:
<response status="success" code="19">
<result>
<msg>
<line>Download job enqueued with jobid 3448</line>
</msg>
<job>3448</job>
</result>
</response>
Use the job ID to check on the download status:
https://panorama/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=serialnumber&key=apikey
The response contains a job status of FIN when the download is complete:
<response status="success">
<result>
<job>
<tenq>2016/02/03 08:32:00</tenq>
<id>3448</id>
<user />
<type>Downld</type>
<status>FIN</status>
<stoppable>no</stoppable>
<result>OK</result>
<tfin>08:32:10</tfin>
<progress>08:32:10</progress>
<details>
<line>Successfully downloaded</line>
<line>Preloading into software manager</line>
<line>Successfully loaded into software manager</line>
</details>
<warnings />
</job>
</result>
</response>
|
Suspend the active HA firewall.
|
Suspend the active firewall in your high-availability firewall pair:
https://panorama/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=serialnumber&key=apikey
The response confirms the active firewall has been suspended:
<response status="success">
<result>Successfully changed HA state to suspended</result>
</response>
|
Install the latest software update on the suspended HA peer.
|
After suspending the active HA firewall, install the system update on it:
https://panorama/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=serialnumber&key=apikey
The response shows the system update is queued:
<response status="success" code="19">
<result>
<msg>
<line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line>
</msg>
<job>3453</job>
</result>
</response>
|
Check on the software installation status.
|
Use the jobid in the response to ensure that the system update installs successfully:
curl -X GET 'https://panorama/api/?type=op&action=get&job-id=jobid&target=serialnumber&key=apikey'
The response should include the following:
<response status="success">…
|
Reboot the suspended HA peer.
|
After installing the latest system update, reboot the suspended HA peer:
https://panorama/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=serialnumber&key=apikey
|
Verify that the upgrade is successful.
|
Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:
https://panorama/api/?type=op&cmd=<show><system><info></info></system></show>&target=serialnumber&key=apikey
|
Make the suspended HA peer active.
|
After you verify that the system update on the suspended HA peer is successful, make it active again:
https://panorama/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=serialnumber&key=apikey
The response confirms that the firewall is functional again:
<response status="success">
<result>Successfully changed HA state to functional</result>
</response>
|
Install the system update on the passive HA peer.
|
Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
|
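The job-tracking part of the procedure above, as an added Python example (not Palo Alto Networks' code): it builds a targeted op request, reads the job ID from a download or install response, and refuses to continue to the reboot step unless the job ends with status FIN and result OK. The function names and the `fetch_status` callable are hypothetical, and sending the key in an `X-PAN-KEY` header assumes a PAN-OS release that supports it (9.0 and later).

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_op_request(host, cmd_xml, serial, api_key):
    """Build (not send) an op request to Panorama that targets one firewall."""
    # urlencode() percent-encodes the XML command, which the raw URLs above omit.
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "target": serial})
    # Assumption: the PAN-OS release accepts the X-PAN-KEY header (9.0 and later),
    # which keeps the API key out of URLs, proxy logs and shell history.
    return urllib.request.Request(f"https://{host}/api/?{query}",
                                  headers={"X-PAN-KEY": api_key})


def parse_response(xml_text):
    """Return the <result> element, raising if the API did not report success."""
    root = ET.fromstring(xml_text)
    result = root.find("result")
    if root.get("status") != "success" or result is None:
        raise RuntimeError(f"API call failed: {xml_text.strip()[:200]}")
    return result


def enqueued_job_id(xml_text):
    """Extract the job ID from a download or install response."""
    job = parse_response(xml_text).findtext("job")
    if job is None:
        raise RuntimeError("response carried no <job> element")
    return job


def wait_for_job(fetch_status, job_id, interval=10, attempts=90):
    """Poll until the job reaches FIN; fail closed unless its result is OK.

    fetch_status(job_id) must return the XML of <show><jobs><id>..</id></jobs></show>.
    """
    for _ in range(attempts):
        job = parse_response(fetch_status(job_id)).find("job")
        if job is not None and job.findtext("status") == "FIN":
            if job.findtext("result") != "OK":
                details = [line.text for line in job.iter("line")]
                raise RuntimeError(f"job {job_id} finished with errors: {details}")
            return True
        time.sleep(interval)
    raise TimeoutError(f"job {job_id} did not finish in time")
```

In an HA upgrade, call `wait_for_job` after the download and again after the install, and only then issue the reboot, so a failed install never leaves the suspended peer rebooting into an unchanged or partial image.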