Merge pull request #51 from cdot65/48-standalone-firewall-upgrade-com…

…pletion-signal-issue

Update pan-os-upgrade version to 0.25

README.md

@@ -47,6 +47,7 @@ This project is a comprehensive Python-based solution for automating PAN-OS upgr
 Key Features:
 
 * Automates routine tasks, reducing manual errors and saving time.
+* Connect to firewalls directly or through a Panorama appliance as a proxy.
 * Customizable scripts to fit various network environments and requirements.
 * Extensive interaction with Palo Alto Networks appliances for operations like readiness checks, state snapshots, and report generation.
 
@@ -173,19 +174,119 @@ After setting up the virtual environment and installing the package, you can con
 
 You can simply get started by issuing `pan-os-upgrade` from your current working directory, you will be guided to input the missing requirement arguments through an interactive shell.
 
-```bash
+```console
 $ pan-os-upgrade
-Firewall Hostname or IP: 192.168.255.1
-Username: admin
+Hostname or IP: houston.cdot.io
+Username: cdot
 Password:
-Target PAN-OS version: 11.1.1
-INFO - ✅ Connection to firewall established
-INFO - 📝 **021201123456** DataCenter 10.0.0.3
-INFO - 📝 Firewall HA mode: disabled
-INFO - 📝 Current PAN-OS version: 11.0.2
-INFO - 📝 Target PAN-OS version: 11.1.1
-INFO - ✅ Confirmed that moving from 11.0.2 to 11.1.1 is an upgrade
-...continue until completed...
+Target PAN-OS version: 10.2.3-h4
+✅ Connection to firewall established
+📝 007054000123456 houston 192.168.255.211
+📝 Firewall HA mode: disabled
+📝 Current PAN-OS version: 10.2.3-h2
+📝 Target PAN-OS version: 10.2.3-h4
+✅ Confirmed that moving from 10.2.3-h2 to 10.2.3-h4 is an upgrade
+✅ PAN-OS version 10.2.3-h4 is available for download
+✅ Base image for 10.2.3-h4 is already downloaded
+🚀 Performing test to see if 10.2.3-h4 is already downloaded...
+🔍 PAN-OS version 10.2.3-h4 is not on the firewall
+🚀 PAN-OS version 10.2.3-h4 is beginning download
+Device 007054000123456 downloading version: 10.2.3-h4
+Downloading PAN-OS version 10.2.3-h4 - Elapsed time: 4 seconds
+Downloading PAN-OS version 10.2.3-h4 - Elapsed time: 36 seconds
+Downloading PAN-OS version 10.2.3-h4 - Elapsed time: 68 seconds
+Downloading PAN-OS version 10.2.3-h4 - Elapsed time: 101 seconds
+✅ 10.2.3-h4 downloaded in 134 seconds
+✅ PAN-OS version 10.2.3-h4 has been downloaded.
+🚀 Performing snapshot of network state information...
+✅ Network snapshot created successfully
+🚀 Performing readiness checks to determine if firewall is ready for upgrade...
+✅ Passed Readiness Check: Check if there are pending changes on device
+✅ Passed Readiness Check: No Expired Licenses
+✅ Passed Readiness Check: Check if NTP is synchronized
+✅ Passed Readiness Check: Check connectivity with the Panorama appliance
+✅ Readiness Checks completed
+🚀 Performing backup of houston's configuration to local filesystem...
+🚀 Not a dry run, continue with upgrade...
+🚀 Performing upgrade on houston to version 10.2.3-h4...
+🚀 Attempting upgrade houston to version 10.2.3-h4 (Attempt 1 of 3)...
+Device 007054000123456 installing version: 10.2.3-h4
+❌ houston upgrade error: Device 007054000123456 attempt to install version 10.2.3-h4 failed: ['Failed to install 10.2.3-h4 with the following errors.\nSW version is 10.2.3-h4\nThe software manager is currently in use. Please try again later.\nFailed to install   version  10.2.3-h4  type  panos\n\n']
+⚠️ Software manager is busy. Retrying in 60 seconds...
+🚀 Attempting upgrade houston to version 10.2.3-h4 (Attempt 2 of 3)...
+Device 007054000123456 installing version: 10.2.3-h4
+✅ houston upgrade completed successfully
+🚀 Rebooting the standalone firewall...
+📝 Command succeeded with no output
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+📝 Firewall version: 10.2.3-h4
+✅ Firewall rebooted in 473 seconds
+```
+
+As an alternative to targeting firewalls directly, you can target a Panorama appliance to act as the communication proxy. If you'd like to go down this path, make sure that you add an extra CLI option of `--filter` and pass a string representation of your filter.
+
+As of version 0.2.5, the available filters are:
+
+| filter type | description                                       | example                             |
+| ----------- | ------------------------------------------------- | ----------------------------------- |
+| hostname    | use the firewall's hostname as selection criteria | `--filter "hostname=houston"`       |
+| serial      | use the firewall's serial as selection criteria   | `--filter "serial=007054000123456"` |
+
+```console
+$ pan-os-upgrade --filter 'hostname=houston'
+Hostname or IP: panorama.cdot.io
+Username: cdot
+Password:
+Target PAN-OS version: 10.2.3-h2
+✅ Connection to Panorama established. Firewall connections will be proxied!
+📝 007054000123456 houston 192.168.255.211
+📝 Firewall HA mode: disabled
+📝 Current PAN-OS version: 10.2.3
+📝 Target PAN-OS version: 10.2.3-h2
+✅ Confirmed that moving from 10.2.3 to 10.2.3-h2 is an upgrade
+✅ PAN-OS version 10.2.3-h2 is available for download
+✅ Base image for 10.2.3-h2 is already downloaded
+🚀 Performing test to see if 10.2.3-h2 is already downloaded...
+🔍 PAN-OS version 10.2.3-h2 is not on the firewall
+🚀 PAN-OS version 10.2.3-h2 is beginning download
+Device 007054000123456 downloading version: 10.2.3-h2
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 8 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 42 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 75 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 110 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 151 seconds
+✅ 10.2.3-h2 downloaded in 182 seconds
+✅ PAN-OS version 10.2.3-h2 has been downloaded.
+🚀 Performing snapshot of network state information...
+✅ Network snapshot created successfully
+🚀 Performing readiness checks to determine if firewall is ready for upgrade...
+✅ Passed Readiness Check: Check if there are pending changes on device
+✅ Passed Readiness Check: No Expired Licenses
+✅ Passed Readiness Check: Check if NTP is synchronized
+✅ Passed Readiness Check: Check if the clock is synchronized between dataplane and management plane
+✅ Passed Readiness Check: Check connectivity with the Panorama appliance
+✅ Readiness Checks completed
+🚀 Performing backup of houston's configuration to local filesystem...
+🚀 Not a dry run, continue with upgrade...
+🚀 Performing upgrade on houston to version 10.2.3-h2...
+🚀 Attempting upgrade houston to version 10.2.3-h2 (Attempt 1 of 3)...
+Device 007054000123456 installing version: 10.2.3-h2
+✅ houston upgrade completed successfully
+🚀 Rebooting the standalone firewall...
+📝 Command succeeded with no output
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+📝 Firewall version: 10.2.3-h2
+✅ Firewall rebooted in 484 seconds
 ```
 
 ##### Option 2: Execute `pan-os-upgrade` Using Command-Line Arguments
@@ -202,6 +303,12 @@ For a dry run:
 pan-os-upgrade --hostname 192.168.1.1 --username admin --password secret --version 10.1.0 --dry-run
 ```
 
+If you're targeting a Panorama appliance to act as a proxy for communications to the firewall, make sure you also pass a filter pattern:
+
+```bash
+pan-os-upgrade --hostname panorama.cdot.io --username admin --password secret --version 10.1.0 --filter "hostname=houston"
+```
+
 <p align="right">(<a href="#readme-top">back to top</a>)</p>
 
 ### Running with Docker
@@ -261,14 +368,15 @@ pan-os-upgrade --help
 
 ### CLI Arguments Description
 
-| cli argument  | shorthand | type | description                                                                         |
-| ------------- | --------- | ---- | ----------------------------------------------------------------------------------- |
-| `--dry-run`   | `-d`      | n/a  | Perform a dry run of all tests and downloads without performing the actual upgrade. |
-| `--hostname`  | `-h`      | text | Hostname or IP address of target firewall.                                          |
-| `--log-level` | `-l`      | text | Set the logging output level (e.g., debug, info, warning).                          |
-| `--password`  | `-p`      | text | Password for authentication.                                                        |
-| `--username`  | `-u`      | text | Username for authentication.                                                        |
-| `--version`   | `-v`      | text | Target PAN-OS version to upgrade to.                                                |
+| cli argument  | shorthand | type        | description                                                                         |
+| ------------- | --------- | ----------- | ----------------------------------------------------------------------------------- |
+| `--dry-run`   | `-d`      | n/a         | Perform a dry run of all tests and downloads without performing the actual upgrade. |
+| `--filter`    | `-f`      | conditional | Filter criteria for selecting devices when using Panorama.                          |
+| `--hostname`  | `-h`      | text        | Hostname or IP address of target firewall.                                          |
+| `--log-level` | `-l`      | text        | Set the logging output level (e.g., debug, info, warning).                          |
+| `--password`  | `-p`      | text        | Password for authentication.                                                        |
+| `--username`  | `-u`      | text        | Username for authentication.                                                        |
+| `--version`   | `-v`      | text        | Target PAN-OS version to upgrade to.                                                |
 
 <p align="right">(<a href="#readme-top">back to top</a>)</p>
 

docker/Dockerfile

@@ -11,8 +11,8 @@ RUN apk add --no-cache gcc musl-dev libffi-dev make
 WORKDIR /app
 
 # Install any needed packages specified in requirements.txt
-# Note: The requirements.txt should contain pan-os-upgrade==0.2.4
-RUN pip install --no-cache-dir pan-os-upgrade==0.2.4
+# Note: The requirements.txt should contain pan-os-upgrade==0.25
+RUN pip install --no-cache-dir pan-os-upgrade==0.25
 
 # Set the locale to avoid issues with emoji rendering
 ENV LANG C.UTF-8

docs/about/release-notes.md

@@ -2,10 +2,22 @@
 
 Welcome to the release notes for the `pan-os-upgrade` tool. This document provides a detailed record of changes, enhancements, and fixes in each version of the tool.
 
+## Version 0.2.5
+
+**Release Date:** *<20240123>*
+
+### What's New
+
+- Supports the ability to connect to Panorama as a proxy for firewall connections
+- Added new `--filter` CLI option for Panorama connections
+- Resolved issue where standalone firewalls were not properly signaling their completion
+- Added additional validation step to ensure the upgraded firewall matches the target version after reboot
+
 ## Version 0.2.4
 
 **Release Date:** *<20240122>*
 
+<!-- trunk-ignore(markdownlint/MD024) -->
 ### What's New
 
 - Resolved a bug where console logging was duplicated

docs/index.md

@@ -77,53 +77,56 @@ Visit the [User Guide](user-guide/introduction.md) for detailed insights into se
 <div class="termy">
 
 ```console
-$ pan-os-upgrade --hostname 192.168.255.211 --version 10.2.0-h2 --username admin --password paloalto#1
-INFO - ✅ Connection to firewall established
-INFO - 📝 007054000123456 houston 192.168.255.211
-INFO - 📝 Firewall HA mode: disabled
-INFO - 📝 Current PAN-OS version: 10.2.0
-INFO - 📝 Target PAN-OS version: 10.2.0-h2
-INFO - ✅ Confirmed that moving from 10.2.0 to 10.2.0-h2 is an upgrade
-INFO - ✅ Target PAN-OS version 10.2.0-h2 is available for download
-INFO - ✅ Base image for 10.2.0-h2 is already downloaded
-INFO - 🚀 Performing test to see if 10.2.0-h2 is already downloaded...
-INFO - 🔍 PAN-OS version 10.2.0-h2 is not on the firewall
-INFO - 🚀 PAN-OS version 10.2.0-h2 is beginning download
-INFO - Device 007054000123456 downloading version: 10.2.0-h2
-INFO - ⚙️ Downloading PAN-OS version 10.2.0-h2 - Elapsed time: 4 seconds
-INFO - ⚙️ Downloading PAN-OS version 10.2.0-h2 - Elapsed time: 36 seconds
-INFO - ⚙️ Downloading PAN-OS version 10.2.0-h2 - Elapsed time: 71 seconds
-INFO - ✅ 10.2.0-h2 downloaded in 103 seconds
-INFO - ✅ PAN-OS version 10.2.0-h2 has been downloaded.
-INFO - 🚀 Performing snapshot of network state information...
-INFO - ✅ Network snapshot created successfully
-INFO - 🚀 Performing readiness checks to determine if firewall is ready for upgrade...
-INFO - ✅ Passed Readiness Check: Check if there are pending changes on device
-INFO - ✅ Passed Readiness Check: No Expired Licenses
-INFO - ✅ Passed Readiness Check: Check if a there is enough space on the `/opt/panrepo` volume for downloading an PanOS image.
-INFO - ✅ Passed Readiness Check: Check if NTP is synchronized
-INFO - ✅ Passed Readiness Check: Check connectivity with the Panorama appliance
-INFO - ✅ Readiness Checks completed
-INFO - 🚀 Performing backup of houston's configuration to local filesystem...
-INFO - 🚀 Not a dry run, continue with upgrade...
-INFO - 🚀 Performing upgrade on houston to version 10.2.0-h2...
-INFO - 🚀 Attempting upgrade houston to version 10.2.0-h2 (Attempt 1 of 3)...
-INFO - Device 007054000123456 installing version: 10.2.0-h2
-INFO - ✅ houston upgrade completed successfully
-INFO - 🚀 Rebooting the firewall...
-INFO - 📝 Command succeeded with no output
-INFO - ⚙️ Firewall is responding to requests but hasn't finished its reboot process...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is rebooting...
-INFO - ⚙️ Firewall is responding to requests but hasn't finished its reboot process...
-INFO - ⚙️ Firewall is responding to requests but hasn't finished its reboot process...
-INFO - ✅ Firewall upgraded and rebooted in 343 seconds
-
+$ pan-os-upgrade --filter 'hostname=houston'
+Hostname or IP: panorama.cdot.io
+Username: cdot
+Password:
+Target PAN-OS version: 10.2.3-h2
+✅ Connection to Panorama established. Firewall connections will be proxied!
+📝 007054000123456 houston 192.168.255.211
+📝 Firewall HA mode: disabled
+📝 Current PAN-OS version: 10.2.3
+📝 Target PAN-OS version: 10.2.3-h2
+✅ Confirmed that moving from 10.2.3 to 10.2.3-h2 is an upgrade
+✅ PAN-OS version 10.2.3-h2 is available for download
+✅ Base image for 10.2.3-h2 is already downloaded
+🚀 Performing test to see if 10.2.3-h2 is already downloaded...
+🔍 PAN-OS version 10.2.3-h2 is not on the firewall
+🚀 PAN-OS version 10.2.3-h2 is beginning download
+Device 007054000123456 downloading version: 10.2.3-h2
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 8 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 42 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 75 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 110 seconds
+Downloading PAN-OS version 10.2.3-h2 - Elapsed time: 151 seconds
+✅ 10.2.3-h2 downloaded in 182 seconds
+✅ PAN-OS version 10.2.3-h2 has been downloaded.
+🚀 Performing snapshot of network state information...
+✅ Network snapshot created successfully
+🚀 Performing readiness checks to determine if firewall is ready for upgrade...
+✅ Passed Readiness Check: Check if there are pending changes on device
+✅ Passed Readiness Check: No Expired Licenses
+✅ Passed Readiness Check: Check if NTP is synchronized
+✅ Passed Readiness Check: Check if the clock is synchronized between dataplane and management plane
+✅ Passed Readiness Check: Check connectivity with the Panorama appliance
+✅ Readiness Checks completed
+🚀 Performing backup of houston's configuration to local filesystem...
+🚀 Not a dry run, continue with upgrade...
+🚀 Performing upgrade on houston to version 10.2.3-h2...
+🚀 Attempting upgrade houston to version 10.2.3-h2 (Attempt 1 of 3)...
+Device 007054000123456 installing version: 10.2.3-h2
+✅ houston upgrade completed successfully
+🚀 Rebooting the standalone firewall...
+📝 Command succeeded with no output
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+⚙️ Firewall is rebooting...
+📝 Firewall version: 10.2.3-h2
+✅ Firewall rebooted in 484 seconds
 ```
 
 </div>

docs/user-guide/docker/execution.md

@@ -1,6 +1,6 @@
 # Docker Execution for pan-os-upgrade
 
-The `pan-os-upgrade` tool can be conveniently run using Docker, offering a consistent and streamlined setup process across different systems. This guide will walk you through configuring and executing the tool within a Docker container.
+The `pan-os-upgrade` tool can be conveniently run using Docker, offering a consistent and streamlined setup process across different systems. This guide will walk you through configuring and executing the tool within a Docker container, including steps for connecting to firewalls through Panorama as a proxy.
 
 ## Pulling the Docker Image
 
@@ -42,12 +42,20 @@ docker run -v %CD%/assurance:/app/assurance -v %CD%/logs:/app/logs -it ghcr.io/c
 
 ## Interacting with the Docker Container
 
-The container runs interactively, prompting you for details like IP address, username, password, and target PAN-OS version.
+The container runs interactively, prompting you for details like IP address, username, password, and target PAN-OS version. If connecting to firewalls through Panorama as a proxy, you will also be prompted to provide a `--filter` option to specify the criteria for selecting the managed firewalls to upgrade.
+
+## Troubleshooting Panorama Proxy Connections
+
+When using Panorama as a connection proxy:
+
+- Ensure the `--filter` option is correctly formatted and corresponds to the criteria for selecting firewalls.
+- Verify network connectivity between the Docker container and the Panorama appliance.
+- Check the Panorama and firewall configurations to ensure proper communication and permissions.
 
 ## Output and Logs
 
 After running the container, you'll find all necessary outputs and logs in the `assurance` and `logs` directories on your host machine.
 
 ## Next Steps
 
-With `pan-os-upgrade` successfully executed using Docker, check the outputs and logs for insights into the upgrade process. For further assistance or troubleshooting, refer to the [Troubleshooting Guide](troubleshooting.md).
+With `pan-os-upgrade` successfully executed using Docker, check the outputs and logs for insights into the upgrade process. For detailed troubleshooting steps or further assistance, refer to the [Troubleshooting Guide](troubleshooting.md).

docs/user-guide/docker/getting-started.md

@@ -7,7 +7,7 @@ Welcome to the Docker-based workflow of the `pan-os-upgrade` library! This guide
 Before starting, make sure you have:
 
 - Docker installed on your system. Visit the [Docker installation guide](https://docs.docker.com/get-docker/) for instructions.
-- Access to a Palo Alto Networks firewall.
+- Access to a Palo Alto Networks firewall or Panorama appliance.
 - An active internet connection for pulling the Docker image.
 
 ## Pulling the Docker Image