-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathupgrade_panorama_ha.yml
182 lines (161 loc) · 7.15 KB
/
upgrade_panorama_ha.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
---
# upgrade_ha.yml - Panorama HA upgrade playbook.
#
# Description
# ===========
#
# Upgrades a Panorama HA pair to the specified version. Upgrade must be a single step (i.e. 8.1.7 to 8.1.12). For
# major version upgrades requiring a base image to be downloaded to the device prior to performing the upgrade, see the
# 'download_panos_image.yml' playbook.
#
# This playbook requires connection details for the two members of the HA pair to be specified in the variables
# 'primary_ip_address', 'secondary_ip_address', 'username', and 'password'. These may be defined as host variables
# (see `host_vars/panorama_ha_pair.yml` for an example) or extra vars.
#
# Usage
# =====
#
# Required variables:
#
# target: Target Panorama HA pair. See `host_vars/panorama_ha_pair.yml` for sample definition of host variables.
#
# version: Version to install.
#
# See the VARS section of the playbook for additional customization options.
#
# Default run:
#
# $ ansible-playbook -i inventory upgrade_ha.yml --extra-vars "target=panorama_ha_pair version=9.0.5"
#
# Notes
# =====
#
# HA pairs with preemption enabled are not supported by this playbook.
- hosts: '{{ target | default("panorama_ha_pair") }}'
connection: local
vars:
primary:
ip_address: '{{ primary_ip_address }}'
username: '{{ username | default(omit) }}'
password: '{{ password | default(omit) }}'
api_key: '{{ api_key | default(omit) }}'
secondary:
ip_address: '{{ secondary_ip_address }}'
username: '{{ username | default(omit) }}'
password: '{{ password | default(omit) }}'
api_key: '{{ api_key | default(omit) }}'
# backup_config - Create a backup of the currently running config before upgrading on both devices.
backup_config: true
# backup_filename - Filename for running config backup.
backup_filename: 'ansible-backup-{{ ansible_date_time.date }}.xml'
# pause_mid_upgrade - Optionally pause for additional verification during upgrade. This playbook will perform
# basic checks for HA status and session sync, but this will wait for manual verification before
# upgrading the secondary firewall.
pause_mid_upgrade: false
# major_version_upgrade - Handles special case when one Panorama is on a different major version. Should only be
# set to true when performing a major version upgrade.
major_version_upgrade: false
tasks:
- name: Backup device config (primary)
paloaltonetworks.panos.panos_op:
provider: '{{ primary }}'
cmd: 'save config to {{ backup_filename }}'
when: backup_config|bool
- name: Backup device config (secondary)
paloaltonetworks.panos.panos_op:
provider: '{{ secondary }}'
cmd: 'save config to {{ backup_filename }}'
when: backup_config|bool
- name: Download target PAN-OS version
paloaltonetworks.panos.panos_software:
provider: '{{ primary }}'
version: '{{ version }}'
download: true
sync_to_peer: true
install: false
- name: Suspend primary device
paloaltonetworks.panos.panos_op:
provider: '{{ primary }}'
cmd: 'request high-availability state suspend'
- name: Check that secondary is now active
paloaltonetworks.panos.panos_op:
provider: '{{ secondary }}'
cmd: 'show high-availability state'
register: secondary_active
retries: 10
delay: 30
until: (secondary_active.stdout | from_json).response.result["local-info"].state == 'secondary-active' and
(secondary_active.stdout | from_json).response.result["peer-info"].state == 'primary-suspended' and
(secondary_active.stdout | from_json).response.result["peer-info"]["state-reason"] == 'User requested'
- name: Install target PAN-OS version and restart (primary)
paloaltonetworks.panos.panos_software:
provider: '{{ primary }}'
version: '{{ version }}'
download: false
restart: true
- name: Pause for restart
ansible.builtin.pause:
seconds: 30
- name: Check that primary is up and passive
paloaltonetworks.panos.panos_op:
provider: '{{ primary }}'
cmd: 'show high-availability state'
register: primary_passive
retries: 30
delay: 60
until: primary_passive is not failed and
(primary_passive.stdout | from_json).response.result.enabled == 'yes' and
(primary_passive.stdout | from_json).response.result["local-info"].state == 'primary-passive' and
(primary_passive.stdout | from_json).response.result["running-sync"] == 'synchronized'
when: not major_version_upgrade|bool
# Special case, Panorama HA doesn't work across major versions like firewalls, so primary will be non-functional.
- name: Check that primary is up and non-functional
paloaltonetworks.panos.panos_op:
provider: '{{ primary }}'
cmd: 'show high-availability state'
register: primary_nf
retries: 30
delay: 60
until: primary_nf is not failed and
(primary_nf.stdout | from_json).response.result.enabled == 'yes' and
(primary_nf.stdout | from_json).response.result["local-info"].state == 'primary-non-functional' and
(primary_nf.stdout | from_json).response.result["local-info"]["state-reason"] == 'Peer version not compatible'
when: major_version_upgrade|bool
- name: Pause for verification
ansible.builtin.pause:
prompt: 'Primary upgrade complete. Pausing for verification.'
when: pause_mid_upgrade
- name: Suspend secondary device
paloaltonetworks.panos.panos_op:
provider: '{{ secondary }}'
cmd: 'request high-availability state suspend'
- name: Check that primary is now active
paloaltonetworks.panos.panos_op:
provider: '{{ primary }}'
cmd: 'show high-availability state'
register: primary_active
retries: 10
delay: 30
until: (primary_active.stdout | from_json).response.result["local-info"].state == 'primary-active' and
(primary_active.stdout | from_json).response.result["peer-info"].state == 'secondary-suspended' and
(primary_active.stdout | from_json).response.result["peer-info"]["state-reason"] == 'User requested'
- name: Install target PAN-OS version and restart (secondary)
paloaltonetworks.panos.panos_software:
provider: '{{ secondary }}'
version: '{{ version }}'
download: false
restart: true
- name: Pause for restart
ansible.builtin.pause:
seconds: 30
- name: Check that secondary is up and passive
paloaltonetworks.panos.panos_op:
provider: '{{ secondary }}'
cmd: 'show high-availability state'
register: secondary_passive
retries: 30
delay: 60
until: secondary_passive is not failed and
(secondary_passive.stdout | from_json).response.result.enabled == 'yes' and
(secondary_passive.stdout | from_json).response.result["local-info"].state == 'secondary-passive' and
(secondary_passive.stdout | from_json).response.result["running-sync"] == 'synchronized'