Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
Table of Contents
Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
This use case highlights the ability of the
PAN-OS XML API to automate a more complex procedure, namely upgrading
firewalls set up as active-passive high-availability (HA) pair.
Normally, this procedure involves multiple, manual steps on individual
firewalls.
This is a high-level overview of the steps
you must take in this procedure. You script or application must
incorporate error-checking and logic to implement this sequence
of steps.
Because the PAN-OS XML API uses a tree of XML nodes,
in your API request you must specify the correct type and action
along with the XPath Node Selection. See Explore
the API to learn how to construct XML requests.
- Check for the latest PAN-OS software update through
PanoramaCheck for the latest available PAN-OS software updates. Include the firewall serial number in your request:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=007200002517&key=<apikey>"The response contains an array of results sorted to show the latest version first:<response status="success"> <result> <sw-updates last-updated-at="2016/02/03 08:29:09"> <msg /> <versions> > <version>7.1</version> <filename>PanOS_vm-7.1</filename> <size>540</size> <size-kb>553964</size-kb> <released-on>2016/02/02 10:57:20</released-on> <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes> <downloaded>no</downloaded> <current>no</current> <latest>yes</latest> </entry> <!-- truncated --> </versions> </sw-updates> </result> </response>
- Download the latest PAN-OS software update.
- In this case, the latest version is 7.1.0-c65,
so download that version:curl -X GET 'https://<firewall>/api/?key=apikey&type=op&cmd=<request><system><software><download><version>7.1.0 -c65</version></download></software></system></request>&key=<apikey>'
- Use the jobid in the response to ensure that the system update download completes successfully:
curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=318&key=<apikey>'The response should include the following:<response status="success">…- Install the latest PAN-OS software update.
To install the latest system update, include the version in a software install request:curl -X GET 'https://<firewall>/api/?type=op&cmd=<request><system><software><install><version>7.1.0-c65</version></install></software></system></request>&key=<apikey>'- Check on the software installation status.
Use the jobid in the response to ensure that the system update installs successfully:curl -X GET 'https://<firewall>/api/?type=op&action=get&job-id=<jobid>&key=<apikey>'The response should include the following:<response status="success">…- Get a list of connected firewalls.
Get a list of connected firewalls that Panorama manages:curl -X GET "https://<panorama>/api/?type=op&cmd=<show><devices><https://<panorama>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>"The response includes the serial number (serial) of each firewall.<response status="success"> : <result> : <devices> : name="007200002517"> : <serial>007200002342</serial> : <connected>yes</connected> : <unsupported-version>no</unsupported-version> : <deactivated>no</deactivated> : <hostname>PM-6-1-VM</hostname> : <ip-address>10.3.4.137</ip-address> : <mac-addr /> : <uptime>81 days, 20:39:41</uptime> <family>vm</family> <model>PA-VM</model> <sw-version>6.1.3</sw-version> <app-version>555-3129</app-version> <av-version>2254-2693</av-version> <wildfire-version>91873-101074</wildfire-version> <threat-version>555-3129</threat-version> <url-db>paloaltonetworks</url-db> <url-filtering-version>2016.02.02.416</url-filtering-version> <logdb-version>6.1.3</logdb-version> <vpnclient-package-version /> <global-protect-client-package-version>0.0.0</global-protect-client-package-version> <vpn-disable-mode>no</vpn-disable-mode> <operational-mode>normal</operational-mode> <multi-vsys>no</multi-vsys> <vsys> name="vsys1"> <display-name>vsys1</display-name> <shared-policy-status /> <shared-policy-md5sum>4a0913667df83ff1098492e2e2ec1756</shared-policy-md5sum> </entry> </vsys> </entry> <!--truncated --> </devices> </result> </response>The response contains a <serial> XML element that contains each firewall serial number.- Check for the latest PAN-OS software update.
Check to see if new software is available on your HA pair:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><check></check></software></system></request>&target=<serialnumber>&key=<apikey>"The response contains an array of results sorted to show the latest version first:<response status="success"> <result> <sw-updates last-updated-at="2016/02/03 08:29:09"> <msg /> <versions> <version>7.1</version> <filename>PanOS_vm-7.1</filename> <size>540</size> <size-kb>553964</size-kb> <released-on>2016/02/02 10:57:20</released-on> <release-notes><![CDATA[https://10.44.2.19/updates/ReleaseNotes.aspx?type=sw&versionNumber=7.1.0-c158&product=panos&platform=vm]]></release-notes> <downloaded>no</downloaded> <current>no</current> <latest>yes</latest> </entry> <!-- truncated --> </versions> </sw-updates> </result> </response>- Download the latest PAN-OS software update.
After determining the latest system update, download it to both firewalls in the HA pair:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><download><version>7.1</version></download></software></system></request>&target=<serialnumber>&key=<apikey>"The response contains a job ID:<response status="success" code="19"> <result> <msg> <line>Download job enqueued with jobid 3448</line> </msg> <job>3448</job> </result> </response>Use the job ID to check on the download status:curl -X GET "https://<panorama>/api/?type=op&cmd=<show><jobs><id>3448</id></jobs></show>&target=<serialnumber>&key=<apikey>"The response contains a job status of FIN when the download is complete:<response status="success"> <result> <job> <tenq>2016/02/03 08:32:00</tenq> <id>3448</id> <user/> <type>Downld</type> <status>FIN</status> <stoppable>no</stoppable> <result>OK</result> <tfin>08:32:10</tfin> <progress>08:32:10</progress> <details> <line>Successfully downloaded</line> <line>Preloading into software manager</line> <line>Successfully loaded into software manager</line> </details> <warnings/> </job> </result> </response>- Suspend the active HA firewall.
Suspend the active firewall in your high-availability firewall pair:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><high-availability><state><suspend></suspend></state></high-availability></request>&target=<serialnumber>&key=<apikey>"The response confirms the active firewall has been suspended:<response status="success"> <result>Successfully changed HA state to suspended</result> </response>- Install the latest software update on the suspended HA pair.
After suspending the active HA firewall, install the system update on it:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><system><software><install><version>version</version></install></software></system></request>&target=<serialnumber>&key=<apikey>"The response shows the system update is queued:<response status="success" code="19"> <result> <msg> <line>Software install job enqueued with jobid 3453. Run 'show jobs id 3453' to monitor its status. Please reboot the device after the installation is done.</line> </msg> <job>3453</job> </result> </response>- Check on the software installation status.
Use the jobid in the response to ensure that the system update installs successfully:curl -X GET 'https://<panorama>/api/?type=op&action=get&job-id=jobid&target=<serialnumber>&key=<apikey>The response should include the following:<response status="success">…- Reboot the suspended HA peer.
After installing the latest system update, reboot the suspended HA peer:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><restart><system></system></restart></request>&target=<serialnumber>&key=<apikey>"- Verify that the upgrade is successful.
Show system information on your upgraded HA peer to ensure it has the latest system update and is operational:curl -X GET "https://<panorama>/api/?type=op&cmd=<show><system><info></info></system></show>&target=<serialnumber>&key=<apikey>"- Makes the suspended HA peer active.
After you verify that the system update on the suspended HA peer is successful, make it active again:curl -X GET "https://<panorama>/api/?type=op&cmd=<request><high-availability><state><functional></functional></state></high-availability></request>&target=<serialnumber>&key=<apikey>"The response confirms the active firewall is now active:<response status="success"> <result>Successfully changed HA state to functional</result> </response>- Install the system update on the passive HA peer.
Once the suspended HA firewall is active, you can then repeat steps 5-8 on the now passive HA peer.
- Use the jobid in the response to ensure that the system update download completes successfully:
- Download the latest PAN-OS software update.