End-of-Life (EoL)
This use case highlights the ability of the PAN-OS XML API to automate a more complex procedure, namely upgrading firewalls set up as an active-passive high-availability (HA) pair. Normally, this procedure involves multiple manual steps on individual firewalls.
This is a high-level overview of the steps you must take in this procedure. Your script or application must incorporate error-checking and logic to implement this sequence of steps.
Upgrade PAN-OS on Multiple Firewalls through Panorama
Check for the latest PAN-OS software update through Panorama
Check for the latest available PAN-OS software updates. Include the firewall serial number in your request:

    https://panorama/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=apikey

The response contains an array of results sorted to show the latest version first:

    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
Download the latest PAN-OS software update.
In this case, the latest version is 7.1.0-c65, so download that version:

    curl -X GET 'https://firewall/api/?type=op&cmd=<request><system><software><download><version>7.1.0-c65</version></download></software></system></request>&key=apikey'

Use the jobid in the response to ensure that the system update download completes successfully:

    curl -X GET 'https://firewall/api/?type=op&action=get&job-id=318&key=apikey'

The response should include the following:

    <response status="success">…
Install the latest PAN-OS software update.
To install the latest system update, include the version in a software install request:

    curl -X GET 'https://firewall/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=apikey'
Check on the software installation status.
Use the jobid in the response to ensure that the system update installs successfully:

    curl -X GET 'https://firewall/api/?type=op&action=get&job-id=jobid&key=apikey'

The response should include the following:

    <response status="success">…
Get a list of connected firewalls.
Get a list of connected firewalls that Panorama manages:

    https://panorama/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=apikey

The response includes the serial number (serial) of each firewall.

    <response status="success">
      <result>
        <devices>
          <entry name="007200002517">
            <serial>007200002342</serial>
            <connected>yes</connected>
            <unsupported-version>no</unsupported-version>
            <deactivated>no</deactivated>
            <hostname>PM-6-1-VM</hostname>
            <ip-address>10.3.4.137</ip-address>
            <mac-addr />
            <uptime>81 days, 20:39:41</uptime>
            <family>vm</family>
            <model>PA-VM</model>
            <sw-version>6.1.3</sw-version>
            <app-version>555-3129</app-version>
            <av-version>2254-2693</av-version>
            <wildfire-version>91873-101074</wildfire-version>
            <threat-version>555-3129</threat-version>
            <url-db>paloaltonetworks</url-db>
            <url-filtering-version>2016.02.02.416</url-filtering-version>
            <logdb-version>6.1.3</logdb-version>
            <vpnclient-package-version />
            <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
            <vpn-disable-mode>no</vpn-disable-mode>
            <operational-mode>normal</operational-mode>
            <multi-vsys>no</multi-vsys>
            <vsys>
              <entry name="vsys1">
                <display-name>vsys1</display-name>
                <shared-policy-status />
                <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
              </entry>
            </vsys>
          </entry>
          <!-- truncated -->
        </devices>
      </result>
    </response>

The response contains a <serial> XML element that contains each firewall serial number.
Check for the latest PAN-OS software update.
Check to see if new software is available on your HA pair:

    https://panorama/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=serialnumber&key=apikey

The response contains an array of results sorted to show the latest version first:

    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
Download the latest PAN-OS software update.
After determining the latest system update, download it to both firewalls in the HA pair:

    https://panorama/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=serialnumber&key=apikey

The response contains a job ID:

    <response status="success" code="19">
      <result>
        <msg>
          <line>Download job enqueued with jobid 3448</line>
        </msg>
        <job>3448</job>
      </result>
    </response>

Use the job ID to check on the download status:

    https://panorama/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=serialnumber&key=apikey

The response contains a job status of FIN when the download is complete:

    <response status="success">
      <result>
        <job>
          <tenq>2016/02/03 08:32:00</tenq>
          <id>3448</id>
          <user />
          <type>Downld</type>
          <status>FIN</status>
          <stoppable>no</stoppable>
          <result>OK</result>
          <tfin>08:32:10</tfin>
          <progress>08:32:10</progress>
          <details>
            <line>Successfully downloaded</line>
            <line>Preloading into software manager</line>
            <line>Successfully loaded into software manager</line>
          </details>
          <warnings />
        </job>
      </result>
    </response>
Suspend the active HA firewall.
Suspend the active firewall in your high-availability firewall pair:

    https://panorama/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=serialnumber&key=apikey

The response confirms the active firewall has been suspended:

    <response status="success">
      <result>Successfully changed HA state to suspended</result>
    </response>
Install the latest software update on the suspended HA peer.
After suspending the active HA firewall, install the system update on it:

    https://panorama/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=serialnumber&key=apikey

The response shows the system update is queued:

    <response status="success" code="19">
      <result>
        <msg>
          <line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line>
        </msg>
        <job>3453</job>
      </result>
    </response>
Check on the software installation status.
Use the jobid in the response to ensure that the system update installs successfully:

    curl -X GET 'https://panorama/api/?type=op&action=get&job-id=jobid&target=serialnumber&key=apikey'

The response should include the following:

    <response status="success">…
Reboot the suspended HA peer.
After installing the latest system update, reboot the suspended HA peer:

    https://panorama/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=serialnumber&key=apikey
Verify that the upgrade is successful.
Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:

    https://panorama/api/?type=op&cmd=<show><system><info></info></system></show>&target=serialnumber&key=apikey
Make the suspended HA peer active.
After you verify that the system update on the suspended HA peer is successful, make it active again:

    https://panorama/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=serialnumber&key=apikey

The response confirms that the HA state of the firewall has changed to functional:

    <response status="success">
      <result>Successfully changed HA state to functional</result>
    </response>
Install the system update on the passive HA peer. Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
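The overview above says your script must supply its own error-checking between steps. The following Python is an added example, not Palo Alto Networks code, showing the checks that gate each step: a success status on every response, the version flagged as latest, and a job that reaches FIN with result OK before the next request is sent. The function names, the `fetch` callable and the sample responses are assumptions constructed for this example.

```python
import time
import xml.etree.ElementTree as ET
class ApiError(Exception):
    """A response did not prove that the step succeeded."""

def parse(xml_text):
    # Every step must answer <response status="success">; anything else aborts.
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ApiError("API call failed: " + "".join(root.itertext()).strip())
    return root

def latest_version(xml_text):
    # Pick the entry flagged <latest>yes</latest> instead of trusting sort order.
    for entry in parse(xml_text).iterfind("./result/sw-updates/versions/entry"):
        if entry.findtext("latest") == "yes":
            return entry.findtext("version")
    raise ApiError("no software version is marked as latest")

def job_id(xml_text):
    job = parse(xml_text).findtext("./result/job", "")
    if not job.isdigit():
        raise ApiError("response carries no numeric job ID")
    return job

def wait_for_job(fetch, job, interval=10.0, timeout=1800.0):
    # fetch (hypothetical) returns the XML text of a status query for the job.
    deadline = time.monotonic() + timeout
    while True:
        node = parse(fetch(job)).find("./result/job")
        if node is None or node.findtext("id") != job:
            raise ApiError("status response does not describe job " + job)
        if node.findtext("status") == "FIN":
            if node.findtext("result") != "OK":
                raise ApiError("job %s ended with result %s" % (job, node.findtext("result")))
            return [line.text for line in node.iterfind("./details/line")]
        if time.monotonic() >= deadline:
            raise ApiError("job %s did not finish in %s seconds" % (job, timeout))
        time.sleep(interval)

# Constructed sample responses, trimmed to the fields the checks above read.
CHECK = ('<response status="success"><result><sw-updates><versions>'
         '<entry><version>7.0.5</version><latest>no</latest></entry>'
         '<entry><version>7.1</version><latest>yes</latest></entry>'
         '</versions></sw-updates></result></response>')
ENQUEUED = '<response status="success" code="19"><result><job>3448</job></result></response>'
JOB = ('<response status="success"><result><job><id>3448</id><status>%s</status>'
       '<result>%s</result><details><line>%s</line></details></job></result></response>')
RUNNING, FINISHED = JOB % ("ACT", "PEND", ""), JOB % ("FIN", "OK", "Successfully downloaded")
```

Call `wait_for_job` for the download on both peers before sending the suspend request, so that a failed or stalled download stops the run before HA redundancy is reduced.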
