Scripting offline updates.


L1 Bithead

I would REALLY like to find a way to automate offline dynamic updates.  I’ve been trying to script the process with a bat file and plink.  I can get it to log in with SSH but nothing after that.   I found a post, link below, on here from about 5 years ago, that suggests what I’m trying to do may not be possible.  Hopefully something has changed.

 

Manually updating all our Paloaltos is taking up a lot of my time, there has to be a better way.  I’m very limited on software that’s approved to be installed on our network.  ANY suggestions or help is welcome.

 

Thanks!

1 ACCEPTED SOLUTION


The NGFW supports automating almost everything through the API.  Here is a process to script uploading and installing dynamic updates -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLfrCAG.

 

Using the API Browser (see the link on the bottom of the above URL), you can figure out how to modify the script for software updates.

 

What's not mentioned in the docs is enabling API access -> https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api....

 

@Bad_Goat Sorry!  Not meaning to be a smart alec.  I probably should have mentioned this solution first as long as you don't mind working on the scripts.  Otherwise, the Panorama method will be easier.

Help the community: Like helpful comments and mark solutions.
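
A sketch of the upload-then-install flow described in the answer above, as an added example that is not from the linked KB article or from any poster. It uses only the Python standard library; the host name, `PAN_API_KEY` variable, CA file and update file name are placeholders, and the `content` import category and the op command path are assumptions to confirm in the firewall's API Browser.

```python
import os, ssl, uuid, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

def api_url(host, **params):
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)

def import_request(host, key, path, category="content"):
    """Build the multipart upload of an update file staged on the admin host."""
    boundary, name = uuid.uuid4().hex, os.path.basename(path)
    with open(path, "rb") as fh:
        payload = fh.read()
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{name}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        api_url(host, type="import", category=category), data=body)
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("X-PAN-KEY", key)  # header (PAN-OS 9.0+) keeps the key out of URLs
    return req

def install_request(host, key, filename):
    """Build the op command that installs a previously imported content file."""
    root = node = ET.Element("request")
    for tag in ("content", "upgrade", "install", "file"):
        node = ET.SubElement(node, tag)
    node.text = filename  # ElementTree escapes the text, so no XML injection
    cmd = ET.tostring(root, encoding="unicode")
    req = urllib.request.Request(api_url(host, type="op", cmd=cmd))
    req.add_header("X-PAN-KEY", key)
    return req

def check(xml_text):
    """Return the job id (or None) on success; raise if status is not success."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + "".join(root.itertext()).strip())
    return root.findtext("./result/job")

def send(req, ca_file):
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the firewall's cert
    with urllib.request.urlopen(req, context=ctx, timeout=300) as resp:
        return check(resp.read().decode())

if __name__ == "__main__":
    host, key = "fw1.example.internal", os.environ["PAN_API_KEY"]  # placeholders
    update = "panupv2-all-contents-0000-0000"  # constructed file name
    send(import_request(host, key, update), "internal-ca.pem")
    print("install job:", send(install_request(host, key, update), "internal-ca.pem"))
```

Create the API key under a dedicated admin role limited to the import and operational-request API permissions, and read it from the environment rather than storing it in the script.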


7 REPLIES

Cyber Elite

Hello there

I have a question for you: why wouldn't you take advantage of the Schedule option to update your Dynamic Updates?

Look at the screen capture

[Image: SteveCantwell_0-1630182752298.png]

The other option (as I do not know how many FWs you have) is an investment in Panorama, which will help as a central mgmt appliance to manage/update/log all traffic/reports from your FWs.


Wait, can I schedule updates from a local SCP server or the like?  Our FWs are on isolated networks that can't reach the internet.  I'm going to feel really dumb if I've been manually uploading updates for over a year now... I'm off of work until next Wednesday, but now I really want to go dig around in the schedule settings.

 

I'll look into Panorama.   But my employer is super slow about approving new software and spending money.

This would save you lots of time, but requires 2 Panoramas -> https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/install-content-and-s....

 

I wonder if you could do similar things on the NGFW?  [Edit.]  It looks like you cannot specify an SCP Server Profile or Dynamic Update source on the NGFW.

 

[Edit2.]  Or you could manually update the files to 1 Panorama if all files have to be checked in to an air gap environment.  The Panorama would dynamically push them out to the firewalls.  You could even use an SCP server if that helps you automate the upload.


L1 Bithead

Thanks everyone.  Sounds like scripting is really limited, and manual uploads and installs are my future for a while.  I'll look into the Panorama more.


L1 Bithead

Thanks @TomYoung, I think that will get me going in the right direction.  Right now there are only Windows machines on the network, but this gives me something to move forward with!

L4 Transporter

You're welcome @Bad_Goat!

You could look into WSL2, cURL for Windows, or others.  If you are going to go down the automation path a long way, I would learn Python with the requests module.  There are so many automation options out there, it can be hard to pick the one best for you.
