Run the Upgrade playbook
The upgrade.yml playbook automates a number of actions related to upgrading the software on a PAN-OS device. It will:
- Back up the configuration of a PAN-OS device locally.
- Download and install a new version of PAN-OS, then reboot the system.
- Poll to see when the firewall is ready again (this is actually the same as the check_ready.yml playbook).
For more information, see the documentation on the modules used:
---
- hosts: lab_fw
  connection: local

  vars:
    device:
      ip_address: '{{ ip_address }}'
      username: '{{ username | default(omit) }}'
      password: '{{ password | default(omit) }}'
      api_key: '{{ api_key | default(omit) }}'

    # backup_config - Create a backup of the currently running config.
    backup_config: true

    # backup_filename - Filename for running config backup.
    backup_filename: 'ansible-backup-{{ ansible_date_time.date }}.xml'

    # version - Version of PAN-OS to install.
    version: '9.0.8'

  vars_files:
    - creds.yml

  tasks:
    - name: Backup device config
      paloaltonetworks.panos.panos_op:
        provider: '{{ device }}'
        cmd: 'save config to {{ backup_filename }}'
      when: backup_config|bool

    - name: Install target PAN-OS version
      paloaltonetworks.panos.panos_software:
        provider: '{{ device }}'
        version: '{{ version }}'
        restart: true

    - name: Pause for restart
      pause:
        seconds: 30

    - name: Check to see if device is ready
      paloaltonetworks.panos.panos_op:
        provider: '{{ device }}'
        cmd: 'show chassis-ready'
      changed_when: false
      register: result
      until: result is not failed and (result.stdout | from_json).response.result == 'yes'
      retries: 30
      delay: 60
Run the playbook with ansible-playbook:
ansible-playbook -i inventory upgrade.yml --ask-vault-pass
The download and installation of PAN-OS software can be observed using the Tasks button in the bottom right corner of the firewall web UI. After the playbook has completed, log in to the web UI of the firewall again; it will show that the upgrade to the specified version was performed.
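The web UI check described above can also be done from Ansible, so that a run fails if the firewall did not come back on the intended release. This is an added example, not one of the project's playbooks: the file name verify_version.yml and the expected_version variable are hypothetical, and it assumes the same lab_fw inventory group, creds.yml vault file and provider variables as upgrade.yml.

```yaml
---
# verify_version.yml - hypothetical file name; added example, not part of
# the original playbook set. Run it after upgrade.yml has completed.
- hosts: lab_fw
  connection: local
  # No local facts are needed here; panos_facts supplies the device facts.
  gather_facts: false

  vars:
    device:
      ip_address: '{{ ip_address }}'
      username: '{{ username | default(omit) }}'
      password: '{{ password | default(omit) }}'
      api_key: '{{ api_key | default(omit) }}'

    # expected_version - hypothetical variable; set it to the same value
    # as 'version' in upgrade.yml.
    expected_version: '9.0.8'

  vars_files:
    - creds.yml

  tasks:
    - name: Gather system facts from the firewall
      paloaltonetworks.panos.panos_facts:
        provider: '{{ device }}'
        gather_subset: ['system']

    - name: Fail the run if the running PAN-OS version is not the expected one
      ansible.builtin.assert:
        that:
          - ansible_facts['net_version'] == expected_version
        fail_msg: >-
          Firewall reports PAN-OS {{ ansible_facts['net_version'] }},
          expected {{ expected_version }}.
        success_msg: 'Firewall is running PAN-OS {{ expected_version }}.'
```

It is run the same way as the upgrade playbook, with the same inventory and --ask-vault-pass.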