I recently came across a python script to upgrade Palo Alto firewalls. This is a short post on my experience using it.
This operation utilises a python script called pan-os-upgrade.
In this case, I’m using a test Palo Alto firewall.
My first step was to create my python virtual environment. For this project, my python environment is called panos-upgrade. So I’ve created the virtual environment using the following command:
python3.12 -m venv ~/.venvs/panos-upgrade
I specifically used python 3.12 because another python package I needed to install for this operation (called cargo) required a version that only supported python3.12 and below.
After creating my virtual environment, I activated it using the below command:
source ~/.venvs/panos-upgrade/bin/activate
A brief note on virtual environments
It is best practice to use a separate virtual environment for your projects for a number of reasons.
Firstly, it helps with dependency isolation. Since your project might require specific versions of packages, it allows you to isolate the specific versions of those packages to your project without conflicting with other projects.
Secondly, using virtual environments helps prevent changes that could have system-wide implications. Installing packages globally can break other python programs that rely on different versions.
Thirdly, a virtual environment helps with reproducibility. By using a virtual environment with a requirements.txt file, you or anyone else on a different machine can reproduce your virtual environment on a different endpoint.
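The reproducibility point can be checked mechanically before running a tool that logs in to a firewall. The following is an added example, not part of the original post or of the pan-os-upgrade project: it compares a requirements.txt in pip freeze format (name==version lines) with what is installed in the active environment and lists any differences. The function names and the file location are assumptions made for this example.

```python
import re
from importlib import metadata

IGNORED = {"pip"}  # pip freeze leaves pip itself out of its output

def normalise(name):
    # PEP 503: runs of '-', '_' and '.' are equivalent and case is ignored.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(requirements_text):
    """Return ({name: version}, [lines that are not exact '==' pins])."""
    pins, unpinned = {}, []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            pins[normalise(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)  # ranges, URLs, markers: not reproducible as written
    return pins, unpinned

def installed_packages():
    """Name -> version for every distribution visible to this interpreter."""
    return {normalise(d.metadata["Name"]): d.version
            for d in metadata.distributions() if d.metadata["Name"]}

def find_drift(requirements_text, installed):
    """List human-readable differences between the pins and the environment."""
    pins, unpinned = parse_pins(requirements_text)
    problems = [f"not pinned exactly: {line}" for line in unpinned]
    for name, wanted in sorted(pins.items()):
        have = installed.get(name)
        if have is None:
            problems.append(f"missing: {name}=={wanted}")
        elif have != wanted:
            problems.append(f"version drift: {name} pinned {wanted}, installed {have}")
    for name in sorted(set(installed) - set(pins) - IGNORED):
        problems.append(f"unlisted: {name}=={installed[name]}")
    return problems

if __name__ == "__main__":
    # Assumes requirements.txt sits in the current directory.
    with open("requirements.txt") as fh:
        for problem in find_drift(fh.read(), installed_packages()):
            print(problem)
```

Run it with the virtual environment activated; no output means the environment matches the pinned file.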
Let’s get back to our upgrade….
With my virtual environment now activated, I’m ready to upgrade my firewalls.
My firewall is currently running PAN-OS 10.2.11-h1. I want to upgrade it to 10.2.13-h5.
From my terminal where my virtual environment is now activated, I start off my upgrade by typing in pan-os-upgrade firewall. After that, I specify additional parameters as shown in the screenshot below:

Based on the above, the upgrade process begins as shown below:

On this occasion, the upgrade did not complete successfully. After a few minutes, the below error was seen on my terminal:

It’s unclear what caused this error. The reference to ‘no [hw] element present’ in the error message makes me think this is unique to a VM firewall.
However, I can see this tool providing an easy way to upgrade multiple firewalls at the same time. While I have tested with a single firewall, this is likely to be more useful in an environment where multiple firewalls are managed by a Panorama appliance.
The panos-upgrade documentation provides details on how to choose your target firewalls for upgrade in that scenario.
The link to the documentation is here