Background
Our current Python script for upgrading PAN-OS firewalls includes pre-upgrade snapshots and readiness checks. These are essential for ensuring that the firewall is in a suitable state before initiating the upgrade process.
Current Limitations
While the pre-upgrade checks are valuable, there is no equivalent functionality for post-upgrade evaluations. This limits our ability to automatically assess the impact of the upgrade and identify any immediate issues resulting from it.
Proposed Enhancement
This feature request aims to introduce post-upgrade snapshots and readiness checks, mirroring the pre-upgrade ones. Additionally, we propose implementing a differential analysis to compare pre and post-upgrade states. This enhancement will involve:
Post-Upgrade Readiness Checks and Snapshots: Implementing the same set of checks and snapshots as the pre-upgrade ones, to be executed after the upgrade process completes. This includes checks for active support, ARP entry existence, certificate requirements, content version, disk space, HA status, IPsec tunnel status, NTP synchronization, and more.
Differential Analysis: Developing a mechanism to compare the results of pre and post-upgrade checks and snapshots. This would highlight any changes, discrepancies, or issues introduced by the upgrade process.
Reporting and Logging: Enhancing the script's reporting and logging capabilities to include details of the differential analysis, providing clear insights into the impact of the upgrade.
Challenges and Considerations
Accuracy in Differential Analysis: Ensuring the comparison mechanism accurately identifies and reports meaningful changes without false positives.
Performance Impact: Minimizing the performance impact of additional checks and analyses on the firewall appliances.
User Interface and Experience: Designing a clear and user-friendly way to present the differential analysis results.
Error Handling and Rollback: Strengthening error handling procedures, particularly if post-upgrade checks reveal critical issues.
Request for Contributions
We are looking for community input and contributions to help develop this feature. Contributions can include code development, testing, documentation, or any insights related to PAN-OS upgrade processes and differential analysis.