End-of-Life (EoL)
Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
This use case highlights the ability of the PAN-OS XML API to automate a more complex procedure, namely upgrading firewalls set up as an active-passive high-availability (HA) pair. Normally, this procedure involves multiple manual steps on individual firewalls.

This is a high-level overview of the steps you must take in this procedure. Your script or application must incorporate error-checking and logic to implement this sequence of steps.
- Check for the latest PAN-OS software update through Panorama.
  Check for the latest available PAN-OS software updates. Include the firewall serial number in your request:

      https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=<apikey>

  The response contains an array of results sorted to show the latest version first:

      <response status="success">
        <result>
          <sw-updates last-updated-at="2016/02/03 08:29:09">
            <msg />
            <versions>
              <entry>
                <version>7.1</version>
                <filename>PanOS_vm-7.1</filename>
                <size>540</size>
                <size-kb>553964</size-kb>
                <released-on>2016/02/02 10:57:20</released-on>
                <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
                <downloaded>no</downloaded>
                <current>no</current>
                <latest>yes</latest>
              </entry>
              <!-- truncated -->
            </versions>
          </sw-updates>
        </result>
      </response>

- Download the latest PAN-OS software update.
  In this case, the latest version is 7.1.0-c65, so download that version:

      curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><download><version>7.1.0-c65</version></download></software></system></request>&key=<apikey>'

  Use the jobid in the response to ensure that the system update download completes successfully:

      curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=318&key=<apikey>'

  The response should include the following:

      <response status="success">…

- Install the latest PAN-OS software update.
  To install the latest system update, include the version in a software install request:

      curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=<apikey>'

- Check on the software installation status.
  Use the jobid in the response to ensure that the system update installs successfully:

      curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=<jobid>&key=<apikey>'

  The response should include the following:

      <response status="success">…

- Get a list of connected firewalls.
  Get a list of connected firewalls that Panorama manages:

      https://<panorama>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>

  The response includes the serial number (serial) of each firewall.

      <response status="success">
        <result>
          <devices>
            <entry name="007200002517">
              <serial>007200002342</serial>
              <connected>yes</connected>
              <unsupported-version>no</unsupported-version>
              <deactivated>no</deactivated>
              <hostname>PM-6-1-VM</hostname>
              <ip-address>10.3.4.137</ip-address>
              <mac-addr />
              <uptime>81 days, 20:39:41</uptime>
              <family>vm</family>
              <model>PA-VM</model>
              <sw-version>6.1.3</sw-version>
              <app-version>555-3129</app-version>
              <av-version>2254-2693</av-version>
              <wildfire-version>91873-101074</wildfire-version>
              <threat-version>555-3129</threat-version>
              <url-db>paloaltonetworks</url-db>
              <url-filtering-version>2016.02.02.416</url-filtering-version>
              <logdb-version>6.1.3</logdb-version>
              <vpnclient-package-version />
              <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
              <vpn-disable-mode>no</vpn-disable-mode>
              <operational-mode>normal</operational-mode>
              <multi-vsys>no</multi-vsys>
              <vsys>
                <entry name="vsys1">
                  <display-name>vsys1</display-name>
                  <shared-policy-status />
                  <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
                </entry>
              </vsys>
            </entry>
            <!-- truncated -->
          </devices>
        </result>
      </response>

  The response contains a <serial> XML element that contains each firewall serial number.

- Check for the latest PAN-OS software update.
  Check to see if new software is available on your HA pair:

      https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=<serialnumber>&key=<apikey>

  The response contains an array of results sorted to show the latest version first:

      <response status="success">
        <result>
          <sw-updates last-updated-at="2016/02/03 08:29:09">
            <msg />
            <versions>
              <entry>
                <version>7.1</version>
                <filename>PanOS_vm-7.1</filename>
                <size>540</size>
                <size-kb>553964</size-kb>
                <released-on>2016/02/02 10:57:20</released-on>
                <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
                <downloaded>no</downloaded>
                <current>no</current>
                <latest>yes</latest>
              </entry>
              <!-- truncated -->
            </versions>
          </sw-updates>
        </result>
      </response>

- Download the latest PAN-OS software update.
  After determining the latest system update, download it to both firewalls in the HA pair:

      https://<panorama>/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=<serialnumber>&key=<apikey>

  The response contains a job ID:

      <response status="success" code="19">
        <result>
          <msg>
            <line>Download job enqueued with jobid 3448</line>
          </msg>
          <job>3448</job>
        </result>
      </response>

  Use the job ID to check on the download status:

      https://<panorama>/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=<serialnumber>&key=<apikey>

  The response contains a job status of FIN when the download is complete:

      <response status="success">
        <result>
          <job>
            <tenq>2016/02/03 08:32:00</tenq>
            <id>3448</id>
            <user />
            <type>Downld</type>
            <status>FIN</status>
            <stoppable>no</stoppable>
            <result>OK</result>
            <tfin>08:32:10</tfin>
            <progress>08:32:10</progress>
            <details>
              <line>Successfully downloaded</line>
              <line>Preloading into software manager</line>
              <line>Successfully loaded into software manager</line>
            </details>
            <warnings />
          </job>
        </result>
      </response>

- Suspend the active HA firewall.
  Suspend the active firewall in your high-availability firewall pair:

      https://<panorama>/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=<serialnumber>&key=<apikey>

  The response confirms the active firewall has been suspended:

      <response status="success">
        <result>Successfully changed HA state to suspended</result>
      </response>

- Install the latest software update on the suspended HA pair.
  After suspending the active HA firewall, install the system update on it:

      https://<panorama>/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=<serialnumber>&key=<apikey>

  The response shows the system update is queued:

      <response status="success" code="19">
        <result>
          <msg>
            <line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line>
          </msg>
          <job>3453</job>
        </result>
      </response>

- Check on the software installation status.
  Use the jobid in the response to ensure that the system update installs successfully:

      curl -X GET 'https://<panorama>/api/?type=op&action=get&job-id=jobid&target=<serialnumber>&key=<apikey>'

  The response should include the following:

      <response status="success">…

- Reboot the suspended HA peer.
  After installing the latest system update, reboot the suspended HA peer:

      https://<panorama>/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=<serialnumber>&key=<apikey>

- Verify that the upgrade is successful.
  Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:

      https://<panorama>/api/?type=op&cmd=<show><system><info></info></system></show>&target=<serialnumber>&key=<apikey>

- Make the suspended HA peer active.
  After you verify that the system update on the suspended HA peer is successful, make it active again:

      https://<panorama>/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=<serialnumber>&key=<apikey>

  The response confirms the active firewall is now active:

      <response status="success">
        <result>Successfully changed HA state to functional</result>
      </response>

- Install the system update on the passive HA peer.
  Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
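The error-checking this procedure calls for, sketched as an added example (not code from the original page or from Palo Alto Networks): it refuses any response that is not `status="success"`, extracts the job ID, and polls until the job reports FIN with result OK. The helper names and the `fetch` callable are hypothetical; the sample responses follow the ones shown above.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Sample responses following this page, trimmed to the fields that are checked.
ENQUEUED = ('<response status="success" code="19"><result><msg><line>Download job '
            'enqueued with jobid 3448</line></msg><job>3448</job></result></response>')
FINISHED = ('<response status="success"><result><job><id>3448</id>'
            '<status>FIN</status><result>OK</result></job></result></response>')

class ApiError(RuntimeError):
    """Raised when a response is not a clean success."""

def op_url(host, cmd, key, target=None):
    """Build an op request URL with the XML command percent-encoded."""
    params = {"type": "op", "cmd": cmd, "key": key}
    if target:
        params["target"] = target  # firewall serial number when going through Panorama
    return f"https://{host}/api/?{urlencode(params)}"

def parse_ok(text):
    """Parse a response and refuse anything but status="success"."""
    root = ET.fromstring(text)
    if root.tag != "response" or root.get("status") != "success":
        raise ApiError(f"request failed: {text[:120]}")
    return root

def job_id(text):
    """Extract the numeric job ID from a download or install response."""
    job = (parse_ok(text).findtext("result/job") or "").strip()
    if not job.isdigit():
        raise ApiError("no job ID in response")
    return job

def job_finished(text):
    """False while the job runs, True on FIN with result OK, ApiError otherwise."""
    root = parse_ok(text)
    status, result = (root.findtext(f"result/job/{t}") for t in ("status", "result"))
    if status is None or (status == "FIN" and result != "OK"):
        raise ApiError(f"job missing or failed: status={status} result={result}")
    return status == "FIN"

def wait_for_job(fetch, url, attempts=60, delay=10, sleep=time.sleep):
    """Poll url via fetch (hypothetical callable returning the body) until done."""
    for _ in range(attempts):
        if job_finished(fetch(url)):
            return True
        sleep(delay)
    raise ApiError("job did not finish in time")
```

`op_url` places the API key in the query string as the requests on this page do, so treat the resulting URLs as credentials and keep them out of logs and shell history.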