End-of-Life (EoL)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)

This use case highlights the ability of the PAN-OS XML API to automate a more complex procedure, namely upgrading firewalls set up as an active-passive high-availability (HA) pair. Normally, this procedure involves multiple manual steps on individual firewalls.
This is a high-level overview of the steps you must take in this procedure. Your script or application must incorporate error-checking and logic to implement this sequence of steps.
  1. Check for the latest PAN-OS software update through Panorama
    Check for the latest available PAN-OS software updates. Include the firewall serial number in your request:
    https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=<apikey>
    The response contains an array of results sorted to show the latest version first:
    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
  2. Download the latest PAN-OS software update.
    1. In this case, the latest version is 7.1.0-c65, so download that version:
      curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><download><version>7.1.0-c65</version></download></software></system></request>&key=<apikey>'
    2. Use the jobid in the response to ensure that the system update download completes successfully:
      curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=318&key=<apikey>'
      The response should include the following:
      <response status="success">…
  3. Install the latest PAN-OS software update.
    To install the latest system update, include the version in a software install request:
    curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=<apikey>'
  4. Check on the software installation status.
    Use the jobid in the response to ensure that the system update installs successfully:
    curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=<jobid>&key=<apikey>'
    The response should include the following:
    <response status="success">…
  5. Get a list of connected firewalls.
    Get a list of connected firewalls that Panorama manages:
    https://<panorama>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=<apikey>
    The response includes the serial number (serial) of each firewall.
    <response status="success">
      <result>
        <devices>
          <entry name="007200002517">
            <serial>007200002342</serial>
            <connected>yes</connected>
            <unsupported-version>no</unsupported-version>
            <deactivated>no</deactivated>
            <hostname>PM-6-1-VM</hostname>
            <ip-address>10.3.4.137</ip-address>
            <mac-addr />
            <uptime>81 days, 20:39:41</uptime>
            <family>vm</family>
            <model>PA-VM</model>
            <sw-version>6.1.3</sw-version>
            <app-version>555-3129</app-version>
            <av-version>2254-2693</av-version>
            <wildfire-version>91873-101074</wildfire-version>
            <threat-version>555-3129</threat-version>
            <url-db>paloaltonetworks</url-db>
            <url-filtering-version>2016.02.02.416</url-filtering-version>
            <logdb-version>6.1.3</logdb-version>
            <vpnclient-package-version />
            <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
            <vpn-disable-mode>no</vpn-disable-mode>
            <operational-mode>normal</operational-mode>
            <multi-vsys>no</multi-vsys>
            <vsys>
              <entry name="vsys1">
                <display-name>vsys1</display-name>
                <shared-policy-status />
                <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum>
              </entry>
            </vsys>
          </entry>
          <!-- truncated -->
        </devices>
      </result>
    </response>
    The response contains a <serial> XML element that contains each firewall serial number.
  6. Check for the latest PAN-OS software update.
    Check to see if new software is available on your HA pair:
    https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=<serialnumber>&key=<apikey>
    The response contains an array of results sorted to show the latest version first:
    <response status="success">
      <result>
        <sw-updates last-updated-at="2016/02/03 08:29:09">
          <msg />
          <versions>
            <entry>
              <version>7.1</version>
              <filename>PanOS_vm-7.1</filename>
              <size>540</size>
              <size-kb>553964</size-kb>
              <released-on>2016/02/02 10:57:20</released-on>
              <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes>
              <downloaded>no</downloaded>
              <current>no</current>
              <latest>yes</latest>
            </entry>
            <!-- truncated -->
          </versions>
        </sw-updates>
      </result>
    </response>
  7. Download the latest PAN-OS software update.
    After determining the latest system update, download it to both firewalls in the HA pair:
    https://<panorama>/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=<serialnumber>&key=<apikey>
    The response contains a job ID:
    <response status="success" code="19">
      <result>
        <msg>
          <line>Download job enqueued with jobid 3448</line>
        </msg>
        <job>3448</job>
      </result>
    </response>
    Use the job ID to check on the download status:
    https://<panorama>/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=<serialnumber>&key=<apikey>
    The response contains a job status of FIN when the download is complete:
    <response status="success">
      <result>
        <job>
          <tenq>2016/02/03 08:32:00</tenq>
          <id>3448</id>
          <user />
          <type>Downld</type>
          <status>FIN</status>
          <stoppable>no</stoppable>
          <result>OK</result>
          <tfin>08:32:10</tfin>
          <progress>08:32:10</progress>
          <details>
            <line>Successfully downloaded</line>
            <line>Preloading into software manager</line>
            <line>Successfully loaded into software manager</line>
          </details>
          <warnings />
        </job>
      </result>
    </response>
  8. Suspend the active HA firewall.
    Suspend the active firewall in your high-availability firewall pair:
    https://<panorama>/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=<serialnumber>&key=<apikey>
    The response confirms the active firewall has been suspended:
    <response status="success"> <result>Successfully changed HA state to suspended</result> </response>
  9. Install the latest software update on the suspended HA peer.
    After suspending the active HA firewall, install the system update on it:
    https://<panorama>/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=<serialnumber>&key=<apikey>
    The response shows the system update is queued:
    <response status="success" code="19">
      <result>
        <msg>
          <line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line>
        </msg>
        <job>3453</job>
      </result>
    </response>
  10. Check on the software installation status.
    Use the jobid in the response to ensure that the system update installs successfully:
    curl -X GET 'https://<panorama>/api/?type=op&action=get&job-id=<jobid>&target=<serialnumber>&key=<apikey>'
    The response should include the following:
    <response status="success">…
  11. Reboot the suspended HA peer.
    After installing the latest system update, reboot the suspended HA peer:
    https://<panorama>/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=<serialnumber>&key=<apikey>
  12. Verify that the upgrade is successful.
    Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:
    https://<panorama>/api/?type=op&cmd=<show><system><info></info></system></show>&target=<serialnumber>&key=<apikey>
  13. Make the suspended HA peer active.
    After you verify that the system update on the suspended HA peer is successful, make it active again:
    https://<panorama>/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=<serialnumber>&key=<apikey>
    The response confirms that the firewall's HA state is functional again:
    <response status="success"> <result>Successfully changed HA state to functional</result> </response>
  14. Install the system update on the passive HA peer.
    Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
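
The error-checking that the overview calls for, as an added Python example (not Palo Alto Networks code): it parses the responses shown in the steps above and lets a script continue only when a request succeeded, a job ID came back, and the job finished with result OK. The function names and the trimmed sample responses are assumptions made for illustration, as is treating any finished result other than OK as a failure.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

class ApiError(Exception):
    """A response did not report what the next step needs."""

def parse(xml_text):
    """Parse a response and require status="success" before using it."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ApiError("request failed: " + "".join(root.itertext()).strip())
    return root

def op_url(panorama, cmd, serial, apikey):
    """Build an op request URL; urlencode escapes the XML carried in cmd."""
    query = {"type": "op", "cmd": cmd, "target": serial, "key": apikey}
    return "https://%s/api/?%s" % (panorama, urlencode(query))

def latest_version(xml_text):
    """Version of the <entry> flagged <latest>yes</latest> (software check)."""
    for entry in parse(xml_text).iter("entry"):
        if entry.findtext("latest") == "yes":
            return entry.findtext("version")
    raise ApiError("no entry is marked latest")

def enqueued_job(xml_text):
    """Job ID returned by a download or install request."""
    job = parse(xml_text).findtext("result/job")
    if not job or not job.isdigit():
        raise ApiError("no job ID in response")
    return job

def job_finished(xml_text):
    """False while the job runs, True on FIN with OK, ApiError otherwise."""
    job = parse(xml_text).find("result/job")
    if job is None:
        raise ApiError("no job in response")
    if job.findtext("status") != "FIN":
        return False
    if job.findtext("result") != "OK":
        raise ApiError("job finished with result %s" % job.findtext("result"))
    return True

# Sample responses, trimmed from the ones shown in the steps on this page.
CHECK = ('<response status="success"><result><sw-updates><versions><entry><version>7.1</version>'
         '<latest>yes</latest></entry></versions></sw-updates></result></response>')
ENQUEUED = '<response status="success" code="19"><result><job>3448</job></result></response>'
JOB_OK = ('<response status="success"><result><job><id>3448</id>'
          '<status>FIN</status><result>OK</result></job></result></response>')
```

A polling loop would call job_finished() on each job-status response and move to the suspend, install, or reboot step only after it returns True.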
